Merge pull request #119 from advanced-security/mbaluda-fixed-codeql

CodeQL version from `qlt.conf.json`

Author: jeongsoolee09

.github/workflows/code_scanning.yml

@@ -56,11 +56,18 @@ jobs:
         done
 
     # Initializes the CodeQL tools for scanning.
+    - name: Extract version from qlt.conf.json
+      uses: sergeysova/jq-action@v2
+      id: version
+      with:
+        cmd: 'jq .CodeQLCLIBundle qlt.conf.json -r'
+            
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:
         languages: javascript
         config-file: ./.github/codeql/codeql-config.yaml
+        tools: https://github.com/github/codeql-action/releases/download/${{steps.version.outputs.value}}/codeql-bundle-linux64.tar.gz
         debug: true
 
     - name: Perform CodeQL Analysis

.github/workflows/javascript.sarif.expected

@@ -3,7 +3,7 @@ library: true
 name: advanced-security/javascript-sap-cap-models
 version: 0.2.0
 extensionTargets:
-  codeql/javascript-all: "^0.8.7"
-  codeql/javascript-queries: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-queries: "^0.8.16"
 dataExtensions:
-  - "*.model.yml"
+  - "*.model.yml"

javascript/frameworks/cap/ext/qlpack.yml

@@ -2,21 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -5,5 +5,5 @@ version: 0.2.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
   advanced-security/javascript-sap-cap-models: "^0.2.0"

javascript/frameworks/cap/lib/qlpack.yml

@@ -2,21 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/cap/src/codeql-pack.lock.yml

@@ -5,7 +5,7 @@ version: 0.2.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
   advanced-security/javascript-sap-cap-models: "^0.2.0"
   advanced-security/javascript-sap-cap-all: "^0.2.0"
-default-suite-file: codeql-suites/javascript-code-scanning.qls
+default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/cap/src/qlpack.yml

@@ -2,27 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/javascript-queries:
-    version: 0.8.7
+    version: 0.8.16
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/suite-helpers:
-    version: 0.7.7
+    version: 0.7.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typos:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/cap/test/codeql-pack.lock.yml

@@ -1,10 +1,10 @@
 ---
 name: advanced-security/javascript-sap-cap-queries-tests
-version: 0.1.0
+version: 0.2.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.7"
-  codeql/javascript-queries: "^0.8.7"
-  advanced-security/javascript-sap-cap-queries: "^0.1.0"
-  advanced-security/javascript-sap-cap-models: "^0.1.0"
-  advanced-security/javascript-sap-cap-all: "^0.1.0"
+  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-queries: "^0.8.16"
+  advanced-security/javascript-sap-cap-queries: "^0.2.0"
+  advanced-security/javascript-sap-cap-models: "^0.2.0"
+  advanced-security/javascript-sap-cap-all: "^0.2.0"

javascript/frameworks/cap/test/qlpack.yml

@@ -3,6 +3,6 @@ library: true
 name: advanced-security/javascript-sap-ui5-models
 version: 0.6.0
 extensionTargets:
-  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
 dataExtensions:
   - "*.model.yml"

javascript/frameworks/ui5/ext/qlpack.yml

@@ -2,7 +2,8 @@ import javascript as stdlib
 
 signature class BindingStringReaderSig {
   string getBindingString();
-  stdlib::Location getLocation();
+
+  stdlib::DbLocation getLocation();
 
   // Get a dataflow node associated with the binding string, if any.
   // Note that not all location from which we can obtain a binding string
@@ -51,7 +52,8 @@ module BindingStringParser<BindingStringReaderSig BindingStringReader> {
       value = ":"
     } or
     MkNumberToken(int begin, int end, string value, BindingStringReader reader) {
-      value = reader.getBindingString().regexpFind("-?[1-9]\\d*(\\.\\d+)?((e|E)?(\\+|-)?\\d+)?", _, begin) and
+      value =
+        reader.getBindingString().regexpFind("-?[1-9]\\d*(\\.\\d+)?((e|E)?(\\+|-)?\\d+)?", _, begin) and
       begin + value.length() - 1 = end
     } or
     MkStringToken(int begin, int end, string value, BindingStringReader reader) {
@@ -95,9 +97,9 @@ module BindingStringParser<BindingStringReaderSig BindingStringReader> {
             .getBindingString()
             .regexpFind("(?:#|#@)?(?:[a-zA-Z][a-zA-Z0-9_]*|[a-zA-Z0-9][a-zA-Z0-9_]:[a-zA-Z0-9_]+)(?:\\([^\\)]*\\))?",
               _, begin) and
-      begin + value.length() - 1 = end
+      begin + value.length() - 1 = end and
       // exclude keyword
-      and not value in ["true", "false", "null"]
+      not value in ["true", "false", "null"]
     } or
     MkGreaterThanToken(int begin, int end, string value, BindingStringReader reader) {
       begin = reader.getBindingString().indexOf(">") and

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/BindingStringParser.qll

@@ -60,7 +60,7 @@ private class BindingStringReader extends TBindingString {
     )
   }
 
-  Location getLocation() {
+  DbLocation getLocation() {
     exists(StringLiteral stringLiteral |
       this = TBindingStringFromLiteral(stringLiteral) and
       result = stringLiteral.getLocation()
@@ -221,10 +221,10 @@ private predicate earlyPropertyBinding(
   or
   // Composite binding https://ui5.sap.com/#/topic/a2fe8e763014477e87990ff50657a0d0
   exists(
-    DataFlow::ObjectLiteralNode objectLiteral,
-    DataFlow::ObjectLiteralNode valueLiteral, DataFlow::PropWrite partWrite,
-    DataFlow::ArrayLiteralNode partsArray, DataFlow::ObjectLiteralNode partsElement,
-    DataFlow::PropWrite pathWrite, DataFlow::ValueNode pathValue
+    DataFlow::ObjectLiteralNode objectLiteral, DataFlow::ObjectLiteralNode valueLiteral,
+    DataFlow::PropWrite partWrite, DataFlow::ArrayLiteralNode partsArray,
+    DataFlow::ObjectLiteralNode partsElement, DataFlow::PropWrite pathWrite,
+    DataFlow::ValueNode pathValue
   |
     objectLiteral.getAPropertyWrite() = bindingTarget and
     bindingTarget.writes(_, "value", binding) and

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll

@@ -2,21 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/ui5/lib/codeql-pack.lock.yml

@@ -5,5 +5,5 @@ version: 0.6.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
   advanced-security/javascript-sap-ui5-models: "^0.6.0"

javascript/frameworks/ui5/lib/qlpack.yml

@@ -2,21 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/ui5/src/codeql-pack.lock.yml

@@ -5,7 +5,7 @@ version: 0.6.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
   advanced-security/javascript-sap-ui5-models: "^0.6.0"
   advanced-security/javascript-sap-ui5-all: "^0.6.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/ui5/src/qlpack.yml

@@ -2,27 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/javascript-queries:
-    version: 0.8.7
+    version: 0.8.16
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/suite-helpers:
-    version: 0.7.7
+    version: 0.7.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typos:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/ui5/test/codeql-pack.lock.yml

@@ -3,22 +3,14 @@ import advanced_security.javascript.frameworks.ui5.Bindings
 import advanced_security.javascript.frameworks.ui5.BindingStringParser as Make
 
 class BindingStringReader extends StringLiteral {
-    BindingStringReader() {
-        this.getValue().matches("{%}")
-    }
+  BindingStringReader() { this.getValue().matches("{%}") }
 
-    string getBindingString() {
-        result = this.getValue()
-    }
-    
-    DataFlow::Node getANode() {
-        result.asExpr() = this
-    } 
+  string getBindingString() { result = this.getValue() }
+
+  DataFlow::Node getANode() { result.asExpr() = this }
 }
 
 module BindingStringParser = Make::BindingStringParser<BindingStringReader>;
 
 from BindingStringParser::Binding binding
 select binding
-
-

javascript/frameworks/ui5/test/lib/BindingStringParser/BindingStringParser.ql

@@ -1,4 +1,4 @@
 import javascript
 import advanced_security.javascript.frameworks.ui5.Bindings
 
-select any(Binding b)
+select any(Binding b)