XSJS queries and CodeQL update

.github/codeql/codeql-config.yaml

@@ -2,9 +2,9 @@ name: "My CodeQL config"
 
 queries:
   - uses: security-extended
-  # for ui5/cap queries
   - uses: ./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls
   - uses: ./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls
+  - uses: ./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls
 
 paths-ignore:
   - "**/frameworks/*/test/models"

README.md

@@ -1,38 +1,5 @@
-# SAP UI5 with CodeQL
-
-CodeQL queries and supporting models for the SAP UI5 JavaScript framework
-
-### Queries
-- [XSS](javascript/frameworks/UI5/src/UI5Xss/UI5Xss.ql)
-- [Log Injection](javascript/frameworks/UI5/src/UI5LogInjection/UI5LogInjection.ql)
-- [Clickjacking](javascript/frameworks/UI5/src/UI5Clickjacking/UI5Clickjacking.ql)
-
-### Modeled UI5 framework elements
- - UI5 AMD-style components (also via jQuery)
- - MVC elements: 
-    - UI5 Controllers and Data Models (literal/external JSON models)
-    - UI5 [declarative Views](DeclarativeApp.png) (XML/JSON/HTML/JS)
-    - Library/custom UI5 Controls
-    - Project naming conventions (e.g. Control-Renderer)
-  - Source/Sink definition via [ModelAsData extensions](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L61-L97)
-  - Controls inheritance via [ModelAsData extensions](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L42-L59)
-
-### Supported Features with tests
-The following tables list the main supported features with corresponding test cases
-#### Detecting XSS and Log injection vulnerabilities
-|test | library controls | [MaD sources sinks](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L61-L97) | custom controls | UI5View | JS dataflow | HTML APIs | sanitizer | acc.path via handler |
-| - | :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |
-| [xss-html-control](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1033) | ✅︎ | ✅︎ | | XMLView |
-| [xss-custom-control-api1](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1051)| ✅︎ | ✅︎ | ✅︎ | XMLView | | classic |
-| [xss-custom-control-api2](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/250)| ✅︎ | ✅︎ | ✅︎ | XMLView | | DOM |
-| [xss-json-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/247)<br/>[xss-html-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/245)<br/>[xss-js-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/246) | ✅︎ | ✅︎ | | JsonView<br/>HTMLView<br/>JSView |
-| [log-html-control-df](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/275) | ✅︎ | ✅︎ | |XMLView| ✅︎ |
-| [sanitized](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/277)| ✅︎ | ✅︎ | ✅︎ | XMLView | ✅︎ | DOM | ✅︎ |
-| [xss-event-handlers](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/335)| ✅︎ | ✅︎ | ✅︎ | XMLView | | | | ✅︎ |
-
-#### Detecting Clickjacking vulnerabilities
-| test | secure | insecure frameOptions | missing frameOptions |
-| - | :-: | :-: | :-: |
-| [clickjacking-deny-all](javascript/frameworks/UI5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html#L10) | ✅︎ | |
-| [clickjacking-allow-all:l9](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/240)<br/>[clickjacking-allow-all:l28](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/241) | | ✅︎ |
-| [clickjacking-default-all](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/330) | | | ✅︎ |
+# Overview
+[CodeQL](https://codeql.github.com/) models and queries for the SAP frameworks:
+- [CAP](javascript/frameworks/cap) (https://cap.cloud.sap/)
+- [UI5](javascript/frameworks/ui5) (https://sapui5.hana.ondemand.com/)
+- [XSJS](javascript/frameworks/xsjs) (https://www.npmjs.com/package/@sap/async-xsjs)

javascript/frameworks/cap/ext/qlpack.yml

@@ -3,7 +3,7 @@ library: true
 name: advanced-security/javascript-sap-cap-models
 version: 0.2.0
 extensionTargets:
-  codeql/javascript-all: "^0.9.1"
-  codeql/javascript-queries: "^0.8.16"
+  codeql/javascript-all: "^1.1.0"
+  codeql/javascript-queries: "^1.0.3"
 dataExtensions:
   - "*.model.yml"

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.2.7
+    version: 1.0.3
   codeql/javascript-all:
-    version: 0.9.1
+    version: 1.1.0
   codeql/mad:
-    version: 0.2.16
+    version: 1.0.3
   codeql/regex:
-    version: 0.2.16
+    version: 1.0.3
   codeql/ssa:
-    version: 0.2.16
+    version: 1.0.3
   codeql/tutorial:
-    version: 0.2.16
+    version: 1.0.3
   codeql/typetracking:
-    version: 0.2.16
+    version: 1.0.3
   codeql/util:
-    version: 0.2.16
+    version: 1.0.3
   codeql/xml:
-    version: 0.0.3
+    version: 1.0.3
   codeql/yaml:
-    version: 0.2.16
+    version: 1.0.3
 compiled: false

javascript/frameworks/cap/lib/qlpack.yml

@@ -5,5 +5,5 @@ version: 0.2.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-all: "^1.1.0"
   advanced-security/javascript-sap-cap-models: "^0.2.0"

javascript/frameworks/cap/src/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.2.7
+    version: 1.0.3
   codeql/javascript-all:
-    version: 0.9.1
+    version: 1.1.0
   codeql/mad:
-    version: 0.2.16
+    version: 1.0.3
   codeql/regex:
-    version: 0.2.16
+    version: 1.0.3
   codeql/ssa:
-    version: 0.2.16
+    version: 1.0.3
   codeql/tutorial:
-    version: 0.2.16
+    version: 1.0.3
   codeql/typetracking:
-    version: 0.2.16
+    version: 1.0.3
   codeql/util:
-    version: 0.2.16
+    version: 1.0.3
   codeql/xml:
-    version: 0.0.3
+    version: 1.0.3
   codeql/yaml:
-    version: 0.2.16
+    version: 1.0.3
 compiled: false

javascript/frameworks/cap/src/qlpack.yml

@@ -5,7 +5,7 @@ version: 0.2.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-all: "^1.1.0"
   advanced-security/javascript-sap-cap-models: "^0.2.0"
   advanced-security/javascript-sap-cap-all: "^0.2.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/cap/test/codeql-pack.lock.yml

@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.2.7
+    version: 1.0.3
   codeql/javascript-all:
-    version: 0.9.1
+    version: 1.1.0
   codeql/javascript-queries:
-    version: 0.8.16
+    version: 1.0.3
   codeql/mad:
-    version: 0.2.16
+    version: 1.0.3
   codeql/regex:
-    version: 0.2.16
+    version: 1.0.3
   codeql/ssa:
-    version: 0.2.16
+    version: 1.0.3
   codeql/suite-helpers:
-    version: 0.7.16
+    version: 1.0.3
   codeql/tutorial:
-    version: 0.2.16
+    version: 1.0.3
   codeql/typetracking:
-    version: 0.2.16
+    version: 1.0.3
   codeql/typos:
-    version: 0.2.16
+    version: 1.0.3
   codeql/util:
-    version: 0.2.16
+    version: 1.0.3
   codeql/xml:
-    version: 0.0.3
+    version: 1.0.3
   codeql/yaml:
-    version: 0.2.16
+    version: 1.0.3
 compiled: false

javascript/frameworks/cap/test/qlpack.yml

@@ -3,8 +3,8 @@ name: advanced-security/javascript-sap-cap-queries-tests
 version: 0.2.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.9.1"
-  codeql/javascript-queries: "^0.8.16"
+  codeql/javascript-all: "^1.1.0"
+  codeql/javascript-queries: "^1.0.3"
   advanced-security/javascript-sap-cap-queries: "^0.2.0"
   advanced-security/javascript-sap-cap-models: "^0.2.0"
   advanced-security/javascript-sap-cap-all: "^0.2.0"

javascript/frameworks/ui5/README.md

@@ -0,0 +1,38 @@
+# SAP UI5 with CodeQL
+
+CodeQL queries and supporting models for the SAP UI5 JavaScript framework
+
+### Queries
+- [XSS](src/UI5Xss/UI5Xss.ql)
+- [Log Injection](src/UI5LogInjection/UI5LogInjection.ql)
+- [Clickjacking](src/UI5Clickjacking/UI5Clickjacking.ql)
+
+### Modeled UI5 framework elements
+ - UI5 AMD-style components (also via jQuery)
+ - MVC elements: 
+    - UI5 Controllers and Data Models (literal/external JSON models)
+    - UI5 [declarative Views](DeclarativeApp.png) (XML/JSON/HTML/JS)
+    - Library/custom UI5 Controls
+    - Project naming conventions (e.g. Control-Renderer)
+  - Source/Sink definition via [ModelAsData extensions](ext/ui5.model.yml#L61-L97)
+  - Controls inheritance via [ModelAsData extensions](ext/ui5.model.yml#L42-L59)
+
+### Supported Features with tests
+The following tables list the main supported features with corresponding test cases
+#### Detecting XSS and Log injection vulnerabilities
+|test | library controls | [MaD sources sinks](ext/ui5.model.yml#L61-L97) | custom controls | UI5View | JS dataflow | HTML APIs | sanitizer | acc.path via handler |
+| - | :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |
+| [xss-html-control](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1033) | ✅︎ | ✅︎ | | XMLView |
+| [xss-custom-control-api1](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1051)| ✅︎ | ✅︎ | ✅︎ | XMLView | | classic |
+| [xss-custom-control-api2](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/250)| ✅︎ | ✅︎ | ✅︎ | XMLView | | DOM |
+| [xss-json-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/247)<br/>[xss-html-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/245)<br/>[xss-js-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/246) | ✅︎ | ✅︎ | | JsonView<br/>HTMLView<br/>JSView |
+| [log-html-control-df](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/275) | ✅︎ | ✅︎ | |XMLView| ✅︎ |
+| [sanitized](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/277)| ✅︎ | ✅︎ | ✅︎ | XMLView | ✅︎ | DOM | ✅︎ |
+| [xss-event-handlers](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/335)| ✅︎ | ✅︎ | ✅︎ | XMLView | | | | ✅︎ |
+
+#### Detecting Clickjacking vulnerabilities
+| test | secure | insecure frameOptions | missing frameOptions |
+| - | :-: | :-: | :-: |
+| [clickjacking-deny-all](test/queries/UI5Clickjacking/clickjacking-deny-all/index.html#L10) | ✅︎ | |
+| [clickjacking-allow-all:l9](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/240)<br/>[clickjacking-allow-all:l28](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/241) | | ✅︎ |
+| [clickjacking-default-all](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/330) | | | ✅︎ |

javascript/frameworks/ui5/ext/qlpack.yml

@@ -3,6 +3,6 @@ library: true
 name: advanced-security/javascript-sap-ui5-models
 version: 0.6.0
 extensionTargets:
-  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-all: "^1.1.0"
 dataExtensions:
   - "*.model.yml"

javascript/frameworks/ui5/lib/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.2.7
+    version: 1.0.3
   codeql/javascript-all:
-    version: 0.9.1
+    version: 1.1.0
   codeql/mad:
-    version: 0.2.16
+    version: 1.0.3
   codeql/regex:
-    version: 0.2.16
+    version: 1.0.3
   codeql/ssa:
-    version: 0.2.16
+    version: 1.0.3
   codeql/tutorial:
-    version: 0.2.16
+    version: 1.0.3
   codeql/typetracking:
-    version: 0.2.16
+    version: 1.0.3
   codeql/util:
-    version: 0.2.16
+    version: 1.0.3
   codeql/xml:
-    version: 0.0.3
+    version: 1.0.3
   codeql/yaml:
-    version: 0.2.16
+    version: 1.0.3
 compiled: false

javascript/frameworks/ui5/lib/qlpack.yml

@@ -5,5 +5,5 @@ version: 0.6.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-all: "^1.1.0"
   advanced-security/javascript-sap-ui5-models: "^0.6.0"

javascript/frameworks/ui5/src/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.2.7
+    version: 1.0.3
   codeql/javascript-all:
-    version: 0.9.1
+    version: 1.1.0
   codeql/mad:
-    version: 0.2.16
+    version: 1.0.3
   codeql/regex:
-    version: 0.2.16
+    version: 1.0.3
   codeql/ssa:
-    version: 0.2.16
+    version: 1.0.3
   codeql/tutorial:
-    version: 0.2.16
+    version: 1.0.3
   codeql/typetracking:
-    version: 0.2.16
+    version: 1.0.3
   codeql/util:
-    version: 0.2.16
+    version: 1.0.3
   codeql/xml:
-    version: 0.0.3
+    version: 1.0.3
   codeql/yaml:
-    version: 0.2.16
+    version: 1.0.3
 compiled: false

javascript/frameworks/ui5/src/qlpack.yml

@@ -5,7 +5,7 @@ version: 0.6.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-all: "^1.1.0"
   advanced-security/javascript-sap-ui5-models: "^0.6.0"
   advanced-security/javascript-sap-ui5-all: "^0.6.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/ui5/test/codeql-pack.lock.yml

@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.2.7
+    version: 1.0.3
   codeql/javascript-all:
-    version: 0.9.1
+    version: 1.1.0
   codeql/javascript-queries:
-    version: 0.8.16
+    version: 1.0.3
   codeql/mad:
-    version: 0.2.16
+    version: 1.0.3
   codeql/regex:
-    version: 0.2.16
+    version: 1.0.3
   codeql/ssa:
-    version: 0.2.16
+    version: 1.0.3
   codeql/suite-helpers:
-    version: 0.7.16
+    version: 1.0.3
   codeql/tutorial:
-    version: 0.2.16
+    version: 1.0.3
   codeql/typetracking:
-    version: 0.2.16
+    version: 1.0.3
   codeql/typos:
-    version: 0.2.16
+    version: 1.0.3
   codeql/util:
-    version: 0.2.16
+    version: 1.0.3
   codeql/xml:
-    version: 0.0.3
+    version: 1.0.3
   codeql/yaml:
-    version: 0.2.16
+    version: 1.0.3
 compiled: false

javascript/frameworks/ui5/test/qlpack.yml

@@ -2,8 +2,8 @@ name: advanced-security/javascript-sap-ui5-queries-tests
 version: 0.6.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.9.1"
-  codeql/javascript-queries: "^0.8.16"
+  codeql/javascript-all: "^1.1.0"
+  codeql/javascript-queries: "^1.0.3"
   advanced-security/javascript-sap-ui5-queries: "^0.6.0"
   advanced-security/javascript-sap-ui5-models: "^0.6.0"
   advanced-security/javascript-sap-ui5-all: "^0.6.0"

javascript/frameworks/xsjs/ext/codeql-pack.lock.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false