Support security-experimental as a well-known suite

.github/codeql/codeql-config.yml

@@ -4,11 +4,13 @@ queries:
     uses: ./queries
   # Run all extra query suites, both because we want to
   # and because it'll act as extra testing. This is why
-  # we include both even though one is a superset of the
-  # other, because we're testing the parsing logic and
-  # that the suites exist in the codeql bundle.
+  # we include all three even though security-and-quality
+  # and security-experimental are supersets of
+  # security-extended, because we're testing the parsing 
+  # logic and that the suites exist in the codeql bundle.
   - uses: security-extended
   - uses: security-and-quality
+  - uses: security-experimental
 paths-ignore:
   - tests
   - lib

src/codeql.ts

@@ -278,6 +278,11 @@ export const CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";
  */
 export const CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
 
+/**
+ * Versions 2.11.1+ of the CodeQL Bundle include a `security-experimental` built-in query suite for each language.
+ */
+export const CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
+
 /**
  * Set up CodeQL CLI access.
  *

src/config-utils.test.ts

@@ -1993,7 +1993,7 @@ test(
   process.platform === "win32" ? undefined : "~0.1.0"
 );
 // Test that ML-powered queries aren't run when the user hasn't specified that we should run the
-// `security-extended` or `security-and-quality` query suite.
+//  `security-extended`, `security-and-quality`, or `security-experimental` query suite.
 test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
 // Test that ML-powered queries are run on non-Windows platforms running `security-extended` on
 // versions of the CodeQL CLI prior to 2.9.0.
@@ -2074,7 +2074,6 @@ test(
   "security-extended",
   "~0.4.0"
 );
-
 // Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
 // CLI 2.11.3+.
 test(
@@ -2085,6 +2084,16 @@ test(
   "security-and-quality",
   "~0.4.0"
 );
+// Test that ML-powered queries are run on all platforms running `security-experimental` on CodeQL
+// CLI 2.12.1+.
+test(
+  mlPoweredQueriesMacro,
+  "2.12.1",
+  true,
+  undefined,
+  "security-experimental",
+  "~0.4.0"
+);
 
 const calculateAugmentationMacro = test.macro({
   exec: async (

src/config-utils.ts

@@ -10,6 +10,7 @@ import {
   CodeQL,
   CODEQL_VERSION_GHES_PACK_DOWNLOAD,
   CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS,
+  CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE,
   ResolveQueriesOutput,
 } from "./codeql";
 import * as externalQueries from "./external-queries";
@@ -380,7 +381,11 @@ async function addDefaultQueries(
 }
 
 // The set of acceptable values for built-in suites from the codeql bundle
-const builtinSuites = ["security-extended", "security-and-quality"] as const;
+const builtinSuites = [
+  "security-experimental",
+  "security-extended",
+  "security-and-quality",
+] as const;
 
 /**
  * Determine the set of queries associated with suiteName's suites and add them to resultMap.
@@ -401,6 +406,17 @@ async function addBuiltinSuiteQueries(
   if (!found) {
     throw new Error(getQueryUsesInvalid(configFile, suiteName));
   }
+  if (
+    suiteName === "security-experimental" &&
+    !(await codeQlVersionAbove(
+      codeQL,
+      CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE
+    ))
+  ) {
+    throw new Error(
+      `The 'security-experimental' suite is not supported on CodeQL CLI versions earlier than ${CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE}. Please upgrade to CodeQL CLI version ${CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE} or later.`
+    );
+  }
 
   // If we're running the JavaScript security-extended analysis (or a superset of it), the repo is
   // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
@@ -413,7 +429,9 @@ async function addBuiltinSuiteQueries(
         CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS
       ))) &&
     languages.includes("javascript") &&
-    (found === "security-extended" || found === "security-and-quality") &&
+    (found === "security-experimental" ||
+      found === "security-extended" ||
+      found === "security-and-quality") &&
     !packs.javascript?.some(isMlPoweredJsQueriesPack) &&
     (await featureEnablement.getValue(Feature.MlPoweredQueriesEnabled, codeQL))
   ) {