advanced-security
diff --git a/‎.github/workflows/update-codeql.yml
Lines changed: 111 additions & 0 deletions b/‎.github/workflows/update-codeql.yml
Lines changed: 111 additions & 0 deletions
diff --git a/‎javascript/frameworks/cap/lib/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions b/‎javascript/frameworks/cap/lib/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions
diff --git a/‎javascript/frameworks/cap/src/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions b/‎javascript/frameworks/cap/src/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions
diff --git a/‎javascript/frameworks/cap/test/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions b/‎javascript/frameworks/cap/test/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions
diff --git a/‎javascript/frameworks/ui5/lib/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions b/‎javascript/frameworks/ui5/lib/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions
diff --git a/‎javascript/frameworks/ui5/src/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions b/‎javascript/frameworks/ui5/src/codeql-pack.lock.yml
Lines changed: 12 additions & 12 deletions
diff --git a/‎javascript/frameworks/ui5/test/codeql-pack.lock.yml
Lines changed: 15 additions & 15 deletions b/‎javascript/frameworks/ui5/test/codeql-pack.lock.yml
Lines changed: 15 additions & 15 deletions
@@ -0,0 +1,111 @@
+name: "Update the CodeQL CLI dependencies"
+
+on:
+    workflow_dispatch:
+    # nightly runs to update the CodeQL CLI dependencies
+    schedule:
+      - cron: '30 0 * * *'
+
+permissions:
+    contents: write
+    pull-requests: write
+
+jobs:
+    update-codeql:
+        name: Update CodeQL CLI dependencies
+        runs-on: ubuntu-latest
+
+        steps:
+        - name: Checkout repository
+          uses: actions/checkout@v4
+
+        - name: Check latest CodeQL CLI version and update qlt.conf.json
+          id: check-version
+          env:
+            GH_TOKEN: ${{ github.token }}
+          run: |
+            echo "Checking latest CodeQL CLI version"
+            current_version=$(jq .CodeQLCLI qlt.conf.json -r)
+            latest_version=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName')
+            echo "Current CodeQL CLI version: $current_version"
+            echo "Latest CodeQL CLI version: $latest_version"
+
+            # Remove 'v' prefix if present for comparison with current version
+            latest_clean=$(echo "$latest_version" | sed 's/^v//')
+
+            if [ "$latest_clean" != "$current_version" ]; then
+              echo "Updating CodeQL CLI from $current_version to $latest_clean"
+              echo "update_needed=true" >> $GITHUB_OUTPUT
+              echo "latest_version=$latest_clean" >> $GITHUB_OUTPUT
+              echo "latest_version_tag=$latest_version" >> $GITHUB_OUTPUT
+
+              # Update qlt.conf.json with all properties
+              echo "Updating qlt.conf.json with all properties for version $latest_clean"
+              jq --arg cli_version "$latest_clean" \
+                 --arg std_lib "codeql-cli/$latest_version" \
+                 --arg bundle "codeql-bundle-$latest_version" \
+                 '.CodeQLCLI = $cli_version | .CodeQLStandardLibrary = $std_lib | .CodeQLCLIBundle = $bundle' \
+                 qlt.conf.json > qlt.conf.json.tmp && mv qlt.conf.json.tmp qlt.conf.json
+
+              echo "Updated qlt.conf.json contents:"
+              cat qlt.conf.json
+            else
+              echo "CodeQL CLI is already up-to-date at version $current_version."
+              echo "update_needed=false" >> $GITHUB_OUTPUT
+            fi
+
+        - name: Install QLT
+          if: steps.check-version.outputs.update_needed == 'true'
+          id: install-qlt
+          uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
+          with:
+            qlt-version: 'latest'
+            add-to-path: true
+
+        - name: Install CodeQL
+          if: steps.check-version.outputs.update_needed == 'true'
+          id: install-codeql
+          shell: bash
+          run: |
+            echo "Installing CodeQL"
+            qlt codeql run install
+            echo "-----------------------------"
+            echo "CodeQL Home: $QLT_CODEQL_HOME"
+            echo "CodeQL Binary: $QLT_CODEQL_PATH"
+
+        - name: Upgrade CodeQL pack lock files
+          if: steps.check-version.outputs.update_needed == 'true'
+          shell: bash
+          run: |
+            echo "Upgrading CodeQL pack lock files"
+            echo "Finding all directories with qlpack.yml files..."
+
+            # Find all directories containing qlpack.yml files
+            find . -name "qlpack.yml" -type f | while read -r qlpack_file; do
+              pack_dir=$(dirname "$qlpack_file")
+              echo "Upgrading pack in directory: $pack_dir"
+
+              # Change to the directory and run codeql pack upgrade
+              cd "$pack_dir"
+              $QLT_CODEQL_PATH pack upgrade
+              cd - > /dev/null
+            done
+
+            echo "Finished upgrading all CodeQL pack lock files"
+
+        - name: Create Pull Request
+          if: steps.check-version.outputs.update_needed == 'true'
+          uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+          with:
+            title: "Upgrade CodeQL CLI dependency to ${{ steps.check-version.outputs.latest_version_tag }}"
+            body: |
+                This PR upgrades the CodeQL CLI version to ${{ steps.check-version.outputs.latest_version_tag }}.
+
+                **Changes made:**
+                - Updated `CodeQLCLI` to `${{ steps.check-version.outputs.latest_version }}`
+                - Updated `CodeQLStandardLibrary` to `codeql-cli/${{ steps.check-version.outputs.latest_version_tag }}`
+                - Updated `CodeQLCLIBundle` to `codeql-bundle-${{ steps.check-version.outputs.latest_version_tag }}`
+                - Upgraded all CodeQL pack lock files using `codeql pack upgrade`
+            commit-message: "Upgrade CodeQL CLI dependency to ${{ steps.check-version.outputs.latest_version_tag }}"
+            delete-branch: true
+            branch: "codeql/upgrade-to-${{ steps.check-version.outputs.latest_version_tag }}"
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.1
+    version: 0.0.2
   codeql/dataflow:
-    version: 2.0.11
+    version: 2.0.12
   codeql/javascript-all:
-    version: 2.6.7
+    version: 2.6.8
   codeql/mad:
-    version: 1.0.27
+    version: 1.0.28
   codeql/regex:
-    version: 1.0.27
+    version: 1.0.28
   codeql/ssa:
-    version: 2.0.3
+    version: 2.0.4
   codeql/threat-models:
-    version: 1.0.27
+    version: 1.0.28
   codeql/tutorial:
-    version: 1.0.27
+    version: 1.0.28
   codeql/typetracking:
-    version: 2.0.11
+    version: 2.0.12
   codeql/util:
-    version: 2.0.14
+    version: 2.0.15
   codeql/xml:
-    version: 1.0.27
+    version: 1.0.28
   codeql/yaml:
-    version: 1.0.27
+    version: 1.0.28
 compiled: false
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.1
+    version: 0.0.2
   codeql/dataflow:
-    version: 2.0.11
+    version: 2.0.12
   codeql/javascript-all:
-    version: 2.6.7
+    version: 2.6.8
   codeql/mad:
-    version: 1.0.27
+    version: 1.0.28
   codeql/regex:
-    version: 1.0.27
+    version: 1.0.28
   codeql/ssa:
-    version: 2.0.3
+    version: 2.0.4
   codeql/threat-models:
-    version: 1.0.27
+    version: 1.0.28
   codeql/tutorial:
-    version: 1.0.27
+    version: 1.0.28
   codeql/typetracking:
-    version: 2.0.11
+    version: 2.0.12
   codeql/util:
-    version: 2.0.14
+    version: 2.0.15
   codeql/xml:
-    version: 1.0.27
+    version: 1.0.28
   codeql/yaml:
-    version: 1.0.27
+    version: 1.0.28
 compiled: false
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.1
+    version: 0.0.2
   codeql/dataflow:
-    version: 2.0.11
+    version: 2.0.12
   codeql/javascript-all:
-    version: 2.6.7
+    version: 2.6.8
   codeql/mad:
-    version: 1.0.27
+    version: 1.0.28
   codeql/regex:
-    version: 1.0.27
+    version: 1.0.28
   codeql/ssa:
-    version: 2.0.3
+    version: 2.0.4
   codeql/threat-models:
-    version: 1.0.27
+    version: 1.0.28
   codeql/tutorial:
-    version: 1.0.27
+    version: 1.0.28
   codeql/typetracking:
-    version: 2.0.11
+    version: 2.0.12
   codeql/util:
-    version: 2.0.14
+    version: 2.0.15
   codeql/xml:
-    version: 1.0.27
+    version: 1.0.28
   codeql/yaml:
-    version: 1.0.27
+    version: 1.0.28
 compiled: false
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.1
+    version: 0.0.2
   codeql/dataflow:
-    version: 2.0.11
+    version: 2.0.12
   codeql/javascript-all:
-    version: 2.6.7
+    version: 2.6.8
   codeql/mad:
-    version: 1.0.27
+    version: 1.0.28
   codeql/regex:
-    version: 1.0.27
+    version: 1.0.28
   codeql/ssa:
-    version: 2.0.3
+    version: 2.0.4
   codeql/threat-models:
-    version: 1.0.27
+    version: 1.0.28
   codeql/tutorial:
-    version: 1.0.27
+    version: 1.0.28
   codeql/typetracking:
-    version: 2.0.11
+    version: 2.0.12
   codeql/util:
-    version: 2.0.14
+    version: 2.0.15
   codeql/xml:
-    version: 1.0.27
+    version: 1.0.28
   codeql/yaml:
-    version: 1.0.27
+    version: 1.0.28
 compiled: false
@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.1
+    version: 0.0.2
   codeql/dataflow:
-    version: 2.0.11
+    version: 2.0.12
   codeql/javascript-all:
-    version: 2.6.7
+    version: 2.6.8
   codeql/mad:
-    version: 1.0.27
+    version: 1.0.28
   codeql/regex:
-    version: 1.0.27
+    version: 1.0.28
   codeql/ssa:
-    version: 2.0.3
+    version: 2.0.4
   codeql/threat-models:
-    version: 1.0.27
+    version: 1.0.28
   codeql/tutorial:
-    version: 1.0.27
+    version: 1.0.28
   codeql/typetracking:
-    version: 2.0.11
+    version: 2.0.12
   codeql/util:
-    version: 2.0.14
+    version: 2.0.15
   codeql/xml:
-    version: 1.0.27
+    version: 1.0.28
   codeql/yaml:
-    version: 1.0.27
+    version: 1.0.28
 compiled: false
@@ -2,33 +2,33 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.1
+    version: 0.0.2
   codeql/dataflow:
-    version: 2.0.11
+    version: 2.0.12
   codeql/javascript-all:
-    version: 2.6.7
+    version: 2.6.8
   codeql/javascript-queries:
-    version: 2.0.0
+    version: 2.0.1
   codeql/mad:
-    version: 1.0.27
+    version: 1.0.28
   codeql/regex:
-    version: 1.0.27
+    version: 1.0.28
   codeql/ssa:
-    version: 2.0.3
+    version: 2.0.4
   codeql/suite-helpers:
-    version: 1.0.27
+    version: 1.0.28
   codeql/threat-models:
-    version: 1.0.27
+    version: 1.0.28
   codeql/tutorial:
-    version: 1.0.27
+    version: 1.0.28
   codeql/typetracking:
-    version: 2.0.11
+    version: 2.0.12
   codeql/typos:
-    version: 1.0.27
+    version: 1.0.28
   codeql/util:
-    version: 2.0.14
+    version: 2.0.15
   codeql/xml:
-    version: 1.0.27
+    version: 1.0.28
   codeql/yaml:
-    version: 1.0.27
+    version: 1.0.28
 compiled: false