advanced-security · mbaluda · Jul 19, 2024 · Jul 19, 2024 · Jul 19, 2024 · Jul 19, 2024
diff --git a/.github/actions/install-codeql/action.yml b/.github/actions/install-codeql/action.yml
@@ -0,0 +1,109 @@
+name: Fetch CodeQL CLI and queries
+description: |
+  Fetches a CodeQL CLI and a copy of the CodeQL standard libraries at the specified versions.
+inputs:
+  codeql-cli-version:
+    description: |
+      The version of the CodeQL CLI to be downloaded.
+    required: false
+    default: 'latest'
+
+  codeql-stdlib-version:
+    description: |
+      The tag or commit to use from the CodeQL Standard Library
+    required: false
+    default: 'latest'
+
+  add-to-path:
+    description: |
+      Add the CodeQL CLI to the system path
+    required: false
+    default: 'true'
+
+  codeql-home:
+    description: |
+      The directory to store the CodeQL CLI and Standard Library.
+      A fixed location can be used for caching the tooling.
+    required: false
+outputs:
+  codeql-home:
+    description: 'The directory containing the CodeQL CLI and CodeQL Standard Library'
+    value: ${{ steps.install-codeql.outputs.codeql-home }}
+
+runs:
+  using: composite
+  steps:
+    - name: Install CodeQL
+      id: install-codeql
+      env:
+        RUNNER_OS: ${{ runner.os }}
+        RUNNER_TEMP: ${{ runner.temp }}
+        CODEQL_CLI_VERSION: ${{ inputs.codeql-cli-version }}
+        CODEQL_STDLIB_VERSION: ${{ inputs.codeql-stdlib-version }}
+        GITHUB_TOKEN: ${{ github.token }}
+        ADD_TO_PATH: ${{ inputs.add-to-path }}
+        CODEQL_HOME: ${{ inputs.codeql-home }}
+      shell: bash
+      run: |
+        echo "::debug::Determining CodeQL release for $RUNNER_OS"
+        case $RUNNER_OS in
+          "Linux")
+            RELEASE_PATTERN="codeql-linux64.zip"
+            ;;
+          "macOS")
+            RELEASE_PATTERN="codeql-osx64.zip"
+            ;;
+          "Windows")
+            RELEASE_PATTERN="codeql-win64.zip"
+            ;;
+          *)
+            echo "::error::Unsupported runner operating system $RUNNER_OS"
+            exit 1
+            ;;
+        esac
+        echo "::debug::Selected $RELEASE_PATTERN"
+
+        if [ "$CODEQL_HOME" == "" ]
+        then
+          echo "::debug::Creating temporary CodeQL home"
+          CODEQL_HOME=$(mktemp -d -p $RUNNER_TEMP codeql-home-XXXXXXXXXX)
+        else
+          echo "::debug::Creating CodeQL home at $CODEQL_HOME"
+          mkdir -p $CODEQL_HOME
+        fi
+
+        echo "::debug::Changing directory to $CODEQL_HOME"
+        pushd $CODEQL_HOME
+
+        echo "::debug::Downloading CodeQL CLI version $CODEQL_CLI_VERSION"
+        if [ "$CODEQL_CLI_VERSION" == "latest" ]
+        then
+          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern $RELEASE_PATTERN
+        else
+          gh release download "v${CODEQL_CLI_VERSION}" --repo https://github.com/github/codeql-cli-binaries --pattern $RELEASE_PATTERN
+        fi
+        echo "::debug::Unpacking CodeQL CLI"
+        unzip -q $RELEASE_PATTERN
+
+        echo "::debug::Cloning CodeQL standard library"
+        git clone https://github.com/github/codeql.git codeql-stdlib
+
+        if [ "$CODEQL_STDLIB_VERSION" != "latest" ]
+        then
+          pushd codeql-stdlib
+          echo "::debug::Switching to revision $CODEQL_STDLIB_VERSION"
+          git checkout $CODEQL_STDLIB_VERSION
+          popd
+        fi
+
+        if [ "$ADD_TO_PATH" == "true" ]
+        then
+          echo "::debug::Adding CodeQL CLI path '$(pwd)/codeql' to system path"
+          echo "$(pwd)/codeql" >> $GITHUB_PATH
+        fi
+
+        echo "::debug::Setting output parameter codeql-home to $(pwd)"
+        echo "codeql-home=$(pwd)" >> $GITHUB_OUTPUT
+
+        popd
+        echo "::debug::Done."
diff --git a/.github/actions/install-qlt/action.yml b/.github/actions/install-qlt/action.yml
@@ -0,0 +1,86 @@
+name: Fetch and Install QLT
+description: |
+  Fetches and installs QLT. 
+inputs:
+  qlt-version:
+    description: |
+      The version of QLT to be downloaded.
+    required: false
+    default: 'latest'
+
+  add-to-path:
+    description: |
+      Add QLT to the system path
+    required: false
+    default: 'true'
+
+  token:
+    description: |
+      Token to use for auth
+    required: true
+
+outputs:
+  qlt-home:
+    description: 'The directory containing the QLT installation'
+    value: ${{ steps.install-qlt.outputs.qlt-home }}
+
+runs:
+  using: composite
+  steps:
+    - name: Install QLT
+      id: install-qlt
+      env:
+        RUNNER_OS: ${{ runner.os }}
+        RUNNER_TEMP: ${{ runner.temp }}
+        GITHUB_TOKEN: ${{ github.token }}
+        ADD_TO_PATH: ${{ inputs.add-to-path }}
+        QLT_VERSION: ${{ inputs.qlt-version }}
+        QLT_HOME: ${{ inputs.qlt-home }}
+      shell: bash
+      run: |
+        echo -e "\e[0;32m[QLT]\e[0m Determining QLT release for $RUNNER_OS"
+        case $RUNNER_OS in
+          "Linux")
+            RELEASE_PATTERN="qlt-linux-x86_64.zip"
+            ;;
+          *)
+            echo "::error::Unsupported runner operating system $RUNNER_OS"
+            exit 1
+            ;;
+        esac
+        echo -e "\e[0;32m[QLT]\e[0m Selected $RELEASE_PATTERN"
+
+        if [ "$QLT_HOME" == "" ]
+        then
+          echo -e "\e[0;32m[QLT]\e[0m Creating temporary QLT home"
+          QLT_HOME=$(mktemp -d -p $RUNNER_TEMP qlt-home-XXXXXXXXXX)
+        else
+          echo -e "\e[0;32m[QLT]\e[0m Creating CodeQL home at $QLT_HOME"
+          mkdir -p $QLT_HOME
+        fi
+
+        echo -e "\e[0;32m[QLT]\e[0m Changing directory to $QLT_HOME"
+        pushd $QLT_HOME
+
+        echo -e "\e[0;32m[QLT]\e[0m Downloading QLT version $QLT_VERSION"
+        if [ "$QLT_VERSION" == "latest" ]
+        then
+          # download the actual bundle 
+          gh release download -R advanced-security/codeql-development-toolkit --pattern "$RELEASE_PATTERN"
+        else
+          gh release download "$QLT_VERSION" -R advanced-security/codeql-development-toolkit --pattern "$RELEASE_PATTERN"
+        fi
+        echo -e "\e[0;32m[QLT]\e[0m Unpacking QLT"
+        unzip $RELEASE_PATTERN
+
+        if [ "$ADD_TO_PATH" == "true" ]
+        then
+          echo -e "\e[0;32m[QLT]\e[0m Adding QLT '$(pwd)/qlt' to system path"
+          echo "$(pwd)" >> $GITHUB_PATH
+        fi
+
+        echo -e "\e[0;32m[QLT]\e[0m Setting output parameter qlt-home to $(pwd)"
+        echo "qlt-home=$(pwd)" >> $GITHUB_OUTPUT
+
+        popd
+        echo -e "\e[0;32m[QLT]\e[0m Done."
diff --git a/.github/codeql/codeql-config.yaml b/.github/codeql/codeql-config.yaml
@@ -2,9 +2,9 @@ name: "My CodeQL config"
 
 queries:
   - uses: security-extended
+  # for ui5/cap queries
   - uses: ./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls
   - uses: ./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls
-  - uses: ./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls
 
 paths-ignore:
   - "**/frameworks/*/test/models"
diff --git a/.github/workflows/code_scanning.yml b/.github/workflows/code_scanning.yml
@@ -2,12 +2,12 @@ name: "Code Scanning"
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main" ]
+    branches: ["main"]
   schedule:
-    - cron: '39 12 * * 2'
+    - cron: "39 12 * * 2"
   workflow_dispatch:
 
 env:
@@ -17,91 +17,88 @@ env:
 jobs:
   analyze-javascript:
     name: Analyze
-    runs-on: 'ubuntu-latest'
+    runs-on: "ubuntu-latest"
     permissions:
       actions: read
       contents: read
       security-events: write
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-    - name: Prepare local CodeQL model packs
-      run: |
-        mkdir -p .github/codeql/extensions
-        for ext in $(find . -name 'qlpack.yml' -exec fgrep -l dataExtensions {} \;); do
-          dir=$(dirname $ext)
-          echo "Moving $ext to .github/codeql/extensions/$dir"
-          mkdir -p .github/codeql/extensions/$dir
-          mv $dir .github/codeql/extensions/$dir
-        done
+      - name: Prepare local CodeQL model packs
+        run: |
+          mkdir -p .github/codeql/extensions
+          for ext in $(find . -name 'qlpack.yml' -exec fgrep -l dataExtensions {} \;); do
+            dir=$(dirname $ext)
+            echo "Moving $ext to .github/codeql/extensions/$dir"
+            mkdir -p .github/codeql/extensions/$dir
+            mv $dir .github/codeql/extensions/$dir
+          done
 
-    - name: Ensure presence of cds shell command
-      run: |
-        if ! command -v cds &> /dev/null
-        then
-          npm install -g @sap/cds-dk
-        fi
+      - name: Install tree-sitter-cli locally
+        run: |
+          npm i tree-sitter-cli @cap-js-community/tree-sitter-cds
 
-    # Compile .cds files to .cds.json files.
-    - name: Compile CAP CDS files
-      run: |
-        for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
-        do
-          echo "I am compiling $cds_file"
-          cds compile $cds_file \
-            -2 json \
-            -o "$cds_file.json"
-        done
+      # Parse .cds files to .cds.json files.
+      - name: Parse CAP CDS files
+        run: |
+          for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
+          do
+            echo "I am compiling $cds_file"
+            node_modules/tree-sitter-cli/tree-sitter parse -x \
+              --config-path .github/workflows/tree-sitter-config.json $cds_file \
+              > "$cds_file.t-s.xml"
+          done
 
-    - name: Extract CodeQL bundle version from qlt.conf.json
-      run: |
-        echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
-      with:
-        languages: javascript
-        config-file: ./.github/codeql/codeql-config.yaml
-        tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
-        debug: true
+      - name: Extract CodeQL bundle version from qlt.conf.json
+        run: |
+          echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
 
-    - name: Perform CodeQL Analysis
-      id: analyze
-      uses: github/codeql-action/analyze@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: javascript
+          config-file: ./.github/codeql/codeql-config.yaml
+          tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
+          debug: true
 
-    - name: Setup Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: '3.10'
+      - name: Perform CodeQL Analysis
+        id: analyze
+        uses: github/codeql-action/analyze@v3
 
-    - uses: actions/cache@v4
-      with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pip
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
 
-    - name: Validate results
-      continue-on-error: true
-      id: validate
-      run: |
-        pip install sarif-tools
-        sarif --version
-        sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
-        cat sarif-diff.json
-        ! grep -q "[1-9]" sarif-diff.json
+      - uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip
 
-    - name: Upload sarif change
-      if: steps.validate.outcome != 'success'
-      uses: actions/upload-artifact@v4
-      with:
-        name: sarif
-        path: |
-          sarif-diff.json
-          ${{ steps.analyze.outputs.sarif-output }}
+      - name: Validate results
+        continue-on-error: true
+        id: validate
+        run: |
+          pip install sarif-tools
+          sarif --version
+          sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
+          cat sarif-diff.json
+          ! grep -q "[1-9]" sarif-diff.json
 
-    - name: Unexpected Code Scanning results
-      if: steps.validate.outcome != 'success'
-      run: |
-        cat sarif-diff.json
-        echo "::error::Unexpected Code Scanning results!" && exit 1
+      - name: Upload sarif change
+        if: steps.validate.outcome != 'success'
+        uses: actions/upload-artifact@v4
+        with:
+          name: sarif
+          path: |
+            sarif-diff.json
+            ${{ steps.analyze.outputs.sarif-output }}
+
+      - name: Unexpected Code Scanning results
+        if: steps.validate.outcome != 'success'
+        run: |
+          cat sarif-diff.json
+          echo "::error::Unexpected Code Scanning results!" && exit 1
diff --git a/.github/workflows/javascript.sarif.expected b/.github/workflows/javascript.sarif.expected