Merge pull request #210 from advanced-security/lcartey/update-dependencies

Update the dependencies to CodeQL CLI 2.22.2.

Author: jeongsoolee09

.github/workflows/code_scanning.yml

@@ -10,6 +10,9 @@ on:
     - cron: '39 12 * * 2'
   workflow_dispatch:
 
+env:
+  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+
 jobs:
   analyze-javascript:
     name: Analyze

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  codeql/concepts:
+    version: 0.0.1
   codeql/dataflow:
-    version: 2.0.0
+    version: 2.0.11
   codeql/javascript-all:
-    version: 2.4.0
+    version: 2.6.7
   codeql/mad:
-    version: 1.0.16
+    version: 1.0.27
   codeql/regex:
-    version: 1.0.16
+    version: 1.0.27
   codeql/ssa:
-    version: 1.0.16
+    version: 2.0.3
   codeql/threat-models:
-    version: 1.0.16
+    version: 1.0.27
   codeql/tutorial:
-    version: 1.0.16
+    version: 1.0.27
   codeql/typetracking:
-    version: 2.0.0
+    version: 2.0.11
   codeql/util:
-    version: 2.0.3
+    version: 2.0.14
   codeql/xml:
-    version: 1.0.16
+    version: 1.0.27
   codeql/yaml:
-    version: 1.0.16
+    version: 1.0.27
 compiled: false

javascript/frameworks/cap/src/codeql-pack.lock.yml

@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  codeql/concepts:
+    version: 0.0.1
   codeql/dataflow:
-    version: 2.0.0
+    version: 2.0.11
   codeql/javascript-all:
-    version: 2.4.0
+    version: 2.6.7
   codeql/mad:
-    version: 1.0.16
+    version: 1.0.27
   codeql/regex:
-    version: 1.0.16
+    version: 1.0.27
   codeql/ssa:
-    version: 1.0.16
+    version: 2.0.3
   codeql/threat-models:
-    version: 1.0.16
+    version: 1.0.27
   codeql/tutorial:
-    version: 1.0.16
+    version: 1.0.27
   codeql/typetracking:
-    version: 2.0.0
+    version: 2.0.11
   codeql/util:
-    version: 2.0.3
+    version: 2.0.14
   codeql/xml:
-    version: 1.0.16
+    version: 1.0.27
   codeql/yaml:
-    version: 1.0.16
+    version: 1.0.27
 compiled: false

javascript/frameworks/cap/test/codeql-pack.lock.yml

@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  codeql/concepts:
+    version: 0.0.1
   codeql/dataflow:
-    version: 2.0.0
+    version: 2.0.11
   codeql/javascript-all:
-    version: 2.4.0
+    version: 2.6.7
   codeql/mad:
-    version: 1.0.16
+    version: 1.0.27
   codeql/regex:
-    version: 1.0.16
+    version: 1.0.27
   codeql/ssa:
-    version: 1.0.16
+    version: 2.0.3
   codeql/threat-models:
-    version: 1.0.16
+    version: 1.0.27
   codeql/tutorial:
-    version: 1.0.16
+    version: 1.0.27
   codeql/typetracking:
-    version: 2.0.0
+    version: 2.0.11
   codeql/util:
-    version: 2.0.3
+    version: 2.0.14
   codeql/xml:
-    version: 1.0.16
+    version: 1.0.27
   codeql/yaml:
-    version: 1.0.16
+    version: 1.0.27
 compiled: false

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll

@@ -5,6 +5,7 @@ import advanced_security.javascript.frameworks.ui5.UI5View
 import advanced_security.javascript.frameworks.ui5.RemoteFlowSources
 import advanced_security.javascript.frameworks.ui5.dataflow.FlowSteps
 private import StdLibDataFlow::DataFlow::PathGraph as DataFlowPathGraph
+private import PatchDataFlow
 
 /**
  * A statically visible part of a local model's content that has a binding path referring to it in a control declaration acting as an HTML injection sink.

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/PatchDataFlow.qll

@@ -0,0 +1,77 @@
+/**
+ * This file patches an incompatibility introduced into the standard data flow library between
+ * class DataFlow::Configurations and `summmaryModels` added in models-as-data files, and likely
+ * introduced in this PR: https://github.com/github/codeql/pull/19445/files.
+ */
+
+import javascript
+import semmle.javascript.dataflow.internal.FlowSummaryPrivate
+private import semmle.javascript.frameworks.data.internal.ApiGraphModels as Shared
+
+/**
+ * Holds if `path` is an input or output spec for a summary with the given `base` node.
+ */
+pragma[nomagic]
+private predicate relevantInputOutputPath(API::InvokeNode base, AccessPath inputOrOutput) {
+  exists(string type, string input, string output, string path |
+    ModelOutput::resolvedSummaryBase(type, path, base) and
+    ModelOutput::relevantSummaryModel(type, path, input, output, _, _) and
+    inputOrOutput = [input, output]
+  )
+}
+
+/**
+ * Gets the API node for the first `n` tokens of the given input/output path, evaluated relative to `baseNode`.
+ */
+private API::Node getNodeFromInputOutputPath(API::InvokeNode baseNode, AccessPath path, int n) {
+  relevantInputOutputPath(baseNode, path) and
+  (
+    n = 1 and
+    result = Shared::getSuccessorFromInvoke(baseNode, path.getToken(0))
+    or
+    result =
+      Shared::getSuccessorFromNode(getNodeFromInputOutputPath(baseNode, path, n - 1),
+        path.getToken(n - 1))
+  )
+}
+
+/**
+ * Gets the API node for the given input/output path, evaluated relative to `baseNode`.
+ */
+private API::Node getNodeFromInputOutputPath(API::InvokeNode baseNode, AccessPath path) {
+  result = getNodeFromInputOutputPath(baseNode, path, path.getNumToken())
+}
+
+private predicate summaryStep(API::Node pred, API::Node succ, string kind) {
+  exists(string type, string path, API::InvokeNode base, AccessPath input, AccessPath output |
+    ModelOutput::relevantSummaryModel(type, path, input, output, kind, _) and
+    ModelOutput::resolvedSummaryBase(type, path, base) and
+    pred = getNodeFromInputOutputPath(base, input) and
+    succ = getNodeFromInputOutputPath(base, output)
+  )
+}
+
+/**
+ * Like `ModelOutput::summaryStep` but with API nodes mapped to data-flow nodes.
+ */
+private predicate summaryStepNodes(DataFlow::Node pred, DataFlow::Node succ, string kind) {
+  exists(API::Node predNode, API::Node succNode |
+    summaryStep(predNode, succNode, kind) and
+    pred = predNode.asSink() and
+    succ = succNode.asSource()
+  )
+}
+
+/** Data flow steps induced by summary models of kind `value`. */
+private class DataFlowStepFromSummary extends DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    summaryStepNodes(pred, succ, "value")
+  }
+}
+
+/** Taint steps induced by summary models of kind `taint`. */
+private class TaintStepFromSummary extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    summaryStepNodes(pred, succ, "taint")
+  }
+}

javascript/frameworks/ui5/lib/codeql-pack.lock.yml

@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  codeql/concepts:
+    version: 0.0.1
   codeql/dataflow:
-    version: 2.0.0
+    version: 2.0.11
   codeql/javascript-all:
-    version: 2.4.0
+    version: 2.6.7
   codeql/mad:
-    version: 1.0.16
+    version: 1.0.27
   codeql/regex:
-    version: 1.0.16
+    version: 1.0.27
   codeql/ssa:
-    version: 1.0.16
+    version: 2.0.3
   codeql/threat-models:
-    version: 1.0.16
+    version: 1.0.27
   codeql/tutorial:
-    version: 1.0.16
+    version: 1.0.27
   codeql/typetracking:
-    version: 2.0.0
+    version: 2.0.11
   codeql/util:
-    version: 2.0.3
+    version: 2.0.14
   codeql/xml:
-    version: 1.0.16
+    version: 1.0.27
   codeql/yaml:
-    version: 1.0.16
+    version: 1.0.27
 compiled: false

javascript/frameworks/ui5/src/codeql-pack.lock.yml

@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  codeql/concepts:
+    version: 0.0.1
   codeql/dataflow:
-    version: 2.0.0
+    version: 2.0.11
   codeql/javascript-all:
-    version: 2.4.0
+    version: 2.6.7
   codeql/mad:
-    version: 1.0.16
+    version: 1.0.27
   codeql/regex:
-    version: 1.0.16
+    version: 1.0.27
   codeql/ssa:
-    version: 1.0.16
+    version: 2.0.3
   codeql/threat-models:
-    version: 1.0.16
+    version: 1.0.27
   codeql/tutorial:
-    version: 1.0.16
+    version: 1.0.27
   codeql/typetracking:
-    version: 2.0.0
+    version: 2.0.11
   codeql/util:
-    version: 2.0.3
+    version: 2.0.14
   codeql/xml:
-    version: 1.0.16
+    version: 1.0.27
   codeql/yaml:
-    version: 1.0.16
+    version: 1.0.27
 compiled: false

javascript/frameworks/ui5/test/codeql-pack.lock.yml

@@ -1,32 +1,34 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  codeql/concepts:
+    version: 0.0.1
   codeql/dataflow:
-    version: 2.0.0
+    version: 2.0.11
   codeql/javascript-all:
-    version: 2.4.0
+    version: 2.6.7
   codeql/javascript-queries:
-    version: 1.4.0
+    version: 2.0.0
   codeql/mad:
-    version: 1.0.16
+    version: 1.0.27
   codeql/regex:
-    version: 1.0.16
+    version: 1.0.27
   codeql/ssa:
-    version: 1.0.16
+    version: 2.0.3
   codeql/suite-helpers:
-    version: 1.0.16
+    version: 1.0.27
   codeql/threat-models:
-    version: 1.0.16
+    version: 1.0.27
   codeql/tutorial:
-    version: 1.0.16
+    version: 1.0.27
   codeql/typetracking:
-    version: 2.0.0
+    version: 2.0.11
   codeql/typos:
-    version: 1.0.16
+    version: 1.0.27
   codeql/util:
-    version: 2.0.3
+    version: 2.0.14
   codeql/xml:
-    version: 1.0.16
+    version: 1.0.27
   codeql/yaml:
-    version: 1.0.16
+    version: 1.0.27
 compiled: false

javascript/frameworks/ui5/test/qlpack.yml

@@ -3,7 +3,10 @@ version: 0.7.0
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.4.0"
-  codeql/javascript-queries: "^1.2.0"
+  # We use this dependency to run the standard Log Injection query to ensure that
+  # no overlap occurs with the SAP UI5 queries. We therefore allow any version
+  # greater than or equal to 1.2.0, as major breaking changes are not a concern.
+  codeql/javascript-queries: ">1.2.0"
   advanced-security/javascript-sap-ui5-queries: "^0.7.0"
   advanced-security/javascript-sap-ui5-models: "^0.7.0"
   advanced-security/javascript-sap-ui5-all: "^0.7.0"