Overlay: Check database metadata for overlayBaseSpecifier

[kaspersv]

This PR adds an additional validity check for overlay-base databases before uploading an overlay-base to the actions cache or using an overlay-base for overlay analysis. The additional check consists of running codeql resolve database and checking for the existence of an overlayBaseSpecifier key.

Risk assessment

For internal use only. Please select the risk level of this change:

• Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

• Advanced setup - Impacts users who have custom CodeQL workflows.
• Managed - Impacts users with dynamic workflows (Default Setup, CCR, ...).

Products:

• Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
• Code Quality - The changes impact analyses when analysis-kinds: code-quality.

Environments:

• Dotcom - Impacts CodeQL workflows on github.com.

How did/will you validate this change?

• Test repository - This change will be tested on a test repository before merging.
• Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

• Feature flags - All new or changed code paths can be fully disabled with corresponding feature flags.
• Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

• Telemetry - I rely on existing telemetry or have made changes to the telemetry.
  • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
  • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

• No special considerations - This change can be merged at any time.
• Special considerations - This change should only be merged once certain preconditions are met. Please provide details of those or link to this PR from an internal issue.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Consider adding a changelog entry for this change.
• Confirm the readme and docs have been updated if necessary.

[kaspersv]

The failing Code-Scanning config CLI tests appear to be unrelated to this PR and the same failure has been observed on an unrelated dependabot PR.

[Copilot]

Pull request overview

This PR adds an additional validation check for overlay-base databases by running codeql resolve database and verifying the presence of an overlayBaseSpecifier key in the database metadata. This check helps ensure that only valid overlay-base databases are uploaded to the cache or used for overlay analysis.

Key changes:

• New resolveDatabase method added to the CodeQL CLI interface that runs codeql resolve database --format=json
• Enhanced checkOverlayBaseDatabase function to validate the overlayBaseSpecifier metadata for each language
• Test coverage added for the new validation scenario where overlayBaseSpecifier is missing

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/codeql.ts	Added resolveDatabase method and ResolveDatabaseOutput interface to support querying database metadata
src/overlay-database-utils.ts	Enhanced overlay-base database validation to check for overlayBaseSpecifier using codeql resolve database
src/overlay-database-utils.test.ts	Added test case for missing overlayBaseSpecifier and updated test infrastructure to mock resolveDatabase
src/testing-utils.ts	Changed default language in createTestConfig from empty array to [KnownLanguage.java] to support tests that iterate over languages
lib/*.js	Auto-generated JavaScript files reflecting the TypeScript changes

[Copilot]

The logging level here should be logger.warning instead of logger.info to be consistent with line 189 where a similar validation failure is logged as a warning. Validation failures that cause the function to return false should be warnings so they're visible in the logs.

Suggested change

	logger.info(`${warningPrefix}: no overlayBaseSpecifier defined`);
	logger.warning(`${warningPrefix}: no overlayBaseSpecifier defined`);

[kaspersv]

The info log-level is intentional. The extractor is allowed to decide not to produce an overlay-base. This will for instance happen for Go if the extractor is asked to produce an overlay-base for a traced build. In that case the Go extractor will decide not to produce an overlay-base and we shouldn't generate a warning for that case.

[kaspersv]

Rebased on top of #3341.