Deals with external .cds files

.github/workflows/code_scanning.yml

@@ -12,7 +12,7 @@ on:
 
 env:
   LGTM_INDEX_XML_MODE: all
-  LGTM_INDEX_FILETYPES: ".json:JSON"
+  LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
 
 jobs:
   analyze-javascript:
@@ -52,7 +52,8 @@ jobs:
           echo "I am compiling $cds_file"
           cds compile $cds_file \
             -2 json \
-            -o "$cds_file.json"
+            -o "$cds_file.json" \
+            --locations
         done
 
     - name: Extract CodeQL bundle version from qlt.conf.json
@@ -66,7 +67,7 @@ jobs:
         config-file: ./.github/codeql/codeql-config.yaml
         tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
         debug: true
-
+    
     - name: Perform CodeQL Analysis
       id: analyze
       uses: github/codeql-action/analyze@v3

.github/workflows/run-codeql-unit-tests-javascript.yml

@@ -92,7 +92,8 @@ jobs:
             echo "I am compiling $cds_file"
             cds compile $cds_file \
               -2 json \
-              -o "$cds_file.json"
+              -o "$cds_file.json" \
+              --locations
           done
 
       - name: Run test suites

javascript/frameworks/cap/ext/qlpack.yml

@@ -3,5 +3,4 @@ library: true
 name: advanced-security/javascript-sap-cap-models
 version: 0.3.0
 extensionTargets:
-  codeql/javascript-all: "^1.1.1"
-  codeql/javascript-queries: "^1.1.0"
+  codeql/javascript-all: "^2.0.0"

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDL.qll

@@ -5,6 +5,24 @@
 import javascript
 import advanced_security.javascript.frameworks.cap.CDS
 
+abstract class CdlObject extends JsonObject {
+  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    exists(Location loc, JsonValue locValue |
+      loc = this.getLocation() and
+      locValue = this.getPropValue("$location") and
+      path =
+        any(File f |
+          f.getAbsolutePath()
+              .matches("%" + locValue.getPropValue("file").getStringValue() + ".json")
+        ).getAbsolutePath().regexpReplaceAll("\\.json$", "") and
+      sl = locValue.getPropValue("line").getIntValue() and
+      sc = locValue.getPropValue("col").getIntValue() and
+      el = sl + 1 and
+      ec = 1
+    )
+  }
+}
+
 private newtype CdlKind =
   CdlServiceKind(string value) { value = "service" } or
   CdlEntityKind(string value) { value = "entity" } or
@@ -15,15 +33,15 @@ private newtype CdlKind =
 /**
  * Any CDL element, including entities, event, actions, and more.
  */
-class CdlDefinition extends JsonObject {
+class CdlDefinition extends CdlObject {
   CdlDefinition() { exists(JsonObject root | this = root.getPropValue("definitions")) }
 
   JsonObject getElement(string elementName) { result = this.getPropValue(elementName) }
 
   JsonObject getAnElement() { result = this.getElement(_) }
 }
 
-abstract class CdlElement extends JsonObject {
+abstract class CdlElement extends CdlObject {
   CdlKind kind;
   string name;
 
@@ -190,7 +208,7 @@ class CdlFunction extends CdlElement {
   }
 }
 
-class CdlAttribute extends JsonObject {
+class CdlAttribute extends CdlObject {
   string name;
 
   CdlAttribute() {
@@ -207,7 +225,7 @@ class CdlAttribute extends JsonObject {
 /**
  * a `CdlEntity` that is declared in a namespace
  */
-class NamespacedEntity extends JsonObject instanceof CdlEntity {
+class NamespacedEntity extends CdlObject instanceof CdlEntity {
   string namespace;
 
   NamespacedEntity() { this.getParent+().getPropValue("namespace").getStringValue() = namespace }
@@ -218,7 +236,7 @@ class NamespacedEntity extends JsonObject instanceof CdlEntity {
 /**
  * any `JsonValue` that has a `PersonalData` like annotation above it
  */
-abstract class SensitiveAnnotatedElement extends JsonValue {
+abstract class SensitiveAnnotatedElement extends CdlObject {
   abstract string getName();
 }
 
@@ -295,7 +313,7 @@ class RestrictAnnotation extends CdlAnnotation, JsonArray {
   RestrictCondition getARestrictCondition() { result = this.getElementValue(_) }
 }
 
-class RestrictCondition extends JsonObject {
+class RestrictCondition extends CdlObject {
   RestrictCondition() { exists(RestrictAnnotation restrict | this = restrict.getElementValue(_)) }
 
   predicate grants(string eventName) {

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.0.4
+    version: 1.1.2
   codeql/javascript-all:
-    version: 1.1.1
+    version: 2.0.0
   codeql/mad:
-    version: 1.0.4
+    version: 1.0.8
   codeql/regex:
-    version: 1.0.4
+    version: 1.0.8
   codeql/ssa:
-    version: 1.0.4
+    version: 1.0.8
   codeql/tutorial:
-    version: 1.0.4
+    version: 1.0.8
   codeql/typetracking:
-    version: 1.0.4
+    version: 1.0.8
   codeql/util:
-    version: 1.0.4
+    version: 1.0.8
   codeql/xml:
-    version: 1.0.4
+    version: 1.0.8
   codeql/yaml:
-    version: 1.0.4
+    version: 1.0.8
 compiled: false

javascript/frameworks/cap/lib/qlpack.yml

@@ -5,5 +5,5 @@ version: 0.3.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^1.1.1"
+  codeql/javascript-all: "^2.0.0"
   advanced-security/javascript-sap-cap-models: "^0.3.0"

javascript/frameworks/cap/src/bad-authn-authz/DefaultUserIsPrivileged/DefaultUserIsPrivileged.ql

@@ -5,7 +5,7 @@
  * @problem.severity error
  * @security-severity 6
  * @precision high
- * @id js/default-user-is-privileged
+ * @id js/cap-default-user-is-privileged
  * @tags security
  */
 

javascript/frameworks/cap/src/bad-authn-authz/EntityExposedWithoutAuthn/EntityExposedWithoutAuthn.ql

@@ -6,27 +6,26 @@
  * @problem.severity warning
  * @security-severity 6
  * @precision high
- * @id js/entity-exposed-without-authentication
+ * @id js/cap-entity-exposed-without-authentication
  * @tags security
  */
 
 import advanced_security.javascript.frameworks.cap.CAPNoAuthzQuery
 
-/*
- * TODO: Revamp this predicate after we start to natively support CDS.
- * string getClickableText(CdlElement cdlElement) {
- *  cdlElement instanceof CdlService and result = "CDS service"
- *  or
- *  cdlElement instanceof CdlEntity and result = "CDS entity"
- *  or
- *  cdlElement instanceof CdlAction and result = "CDS action"
- *  or
- *  cdlElement instanceof CdlFunction and result = "CDS function"
- * }
- */
+string getClickableText(CdlElement cdlElement) {
+  cdlElement instanceof CdlService and result = "CDS service"
+  or
+  cdlElement instanceof CdlEntity and result = "CDS entity"
+  or
+  cdlElement instanceof CdlAction and result = "CDS action"
+  or
+  cdlElement instanceof CdlFunction and result = "CDS function"
+}
 
 from CdlElement cdlElement
 where
   cdlElement instanceof CdlElementWithoutJsAuthn and
   cdlElement instanceof CdlElementWithoutCdsAuthn
-select cdlElement, "This CDS definition is exposed without any authentication."
+select cdlElement,
+  "The " + getClickableText(cdlElement) + " `" + cdlElement.getName() +
+    "` is exposed without any authentication."

javascript/frameworks/cap/src/bad-authn-authz/UnnecessarilyGrantedPrivilegedAccessRights/UnnecessarilyGrantedPrivilegedAccessRights.ql

@@ -5,7 +5,7 @@
  * @problem.severity error
  * @security-severity 6
  * @precision high
- * @id js/unnecessarily-granted-privileged-access-rights
+ * @id js/cap-unnecessarily-granted-privileged-access-rights
  * @tags security
  */
 

javascript/frameworks/cap/src/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.0.4
+    version: 1.1.2
   codeql/javascript-all:
-    version: 1.1.1
+    version: 2.0.0
   codeql/mad:
-    version: 1.0.4
+    version: 1.0.8
   codeql/regex:
-    version: 1.0.4
+    version: 1.0.8
   codeql/ssa:
-    version: 1.0.4
+    version: 1.0.8
   codeql/tutorial:
-    version: 1.0.4
+    version: 1.0.8
   codeql/typetracking:
-    version: 1.0.4
+    version: 1.0.8
   codeql/util:
-    version: 1.0.4
+    version: 1.0.8
   codeql/xml:
-    version: 1.0.4
+    version: 1.0.8
   codeql/yaml:
-    version: 1.0.4
+    version: 1.0.8
 compiled: false

javascript/frameworks/cap/src/qlpack.yml

@@ -5,7 +5,7 @@ version: 0.3.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^1.1.1"
+  codeql/javascript-all: "^2.0.0"
   advanced-security/javascript-sap-cap-models: "^0.3.0"
   advanced-security/javascript-sap-cap-all: "^0.3.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposure.ql

@@ -6,7 +6,7 @@
  * @problem.severity warning
  * @security-severity 7.5
  * @precision medium
- * @id js/sensitive-log
+ * @id js/cap-sensitive-log
  * @tags security
  *       external/cwe/cwe-532
  */
@@ -43,6 +43,8 @@ class SensitiveExposureFieldSource extends DataFlow::Node {
     //and the namespace is the same (fully qualified id match)
     entity.(NamespacedEntity).getNamespace() = namespace
   }
+
+  SensitiveAnnotatedAttribute getCdsField() { result = cdsField }
 }
 
 class SensitiveLogExposureConfig extends TaintTracking::Configuration {
@@ -57,4 +59,7 @@ class SensitiveLogExposureConfig extends TaintTracking::Configuration {
 
 from SensitiveLogExposureConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink, source, sink, "Log entry depends on a potentially sensitive piece of information."
+select sink, source, sink,
+  "Log entry depends on the $@ field which is annotated as potentially sensitive.",
+  source.getNode().(SensitiveExposureFieldSource).getCdsField(),
+  source.getNode().(SensitiveExposureFieldSource).getCdsField().getName()

javascript/frameworks/cap/test/codeql-pack.lock.yml

@@ -2,29 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.0.4
+    version: 1.1.2
   codeql/javascript-all:
-    version: 1.1.1
-  codeql/javascript-queries:
-    version: 1.1.0
+    version: 2.0.0
   codeql/mad:
-    version: 1.0.4
+    version: 1.0.8
   codeql/regex:
-    version: 1.0.4
+    version: 1.0.8
   codeql/ssa:
-    version: 1.0.4
-  codeql/suite-helpers:
-    version: 1.0.4
+    version: 1.0.8
   codeql/tutorial:
-    version: 1.0.4
+    version: 1.0.8
   codeql/typetracking:
-    version: 1.0.4
-  codeql/typos:
-    version: 1.0.4
+    version: 1.0.8
   codeql/util:
-    version: 1.0.4
+    version: 1.0.8
   codeql/xml:
-    version: 1.0.4
+    version: 1.0.8
   codeql/yaml:
-    version: 1.0.4
+    version: 1.0.8
 compiled: false

javascript/frameworks/cap/test/qlpack.yml

@@ -3,8 +3,7 @@ name: advanced-security/javascript-sap-cap-queries-tests
 version: 0.3.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^1.1.1"
-  codeql/javascript-queries: "^1.1.0"
+  codeql/javascript-all: "^2.0.0"
   advanced-security/javascript-sap-cap-queries: "^0.3.0"
   advanced-security/javascript-sap-cap-models: "^0.3.0"
   advanced-security/javascript-sap-cap-all: "^0.3.0"

javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/entities-exposed-with-no-authz.expected

@@ -1,6 +1,6 @@
-| srv/service1.cds.json:3:17:7:5 | {\\n      ... "\\n    } | This CDS definition is exposed without any authentication. |
-| srv/service1.cds.json:8:32:26:5 | {\\n      ... }\\n    } | This CDS definition is exposed without any authentication. |
-| srv/service1.cds.json:27:23:37:5 | {\\n      ... }\\n    } | This CDS definition is exposed without any authentication. |
-| srv/service2.cds.json:3:17:7:5 | {\\n      ... "\\n    } | This CDS definition is exposed without any authentication. |
-| srv/service2.cds.json:8:32:26:5 | {\\n      ... }\\n    } | This CDS definition is exposed without any authentication. |
-| srv/service2.cds.json:27:23:37:5 | {\\n      ... }\\n    } | This CDS definition is exposed without any authentication. |
+| srv/service1.cds:3:9:4:1 | {\\n      ... }\\n    } | The CDS service `Service1` is exposed without any authentication. |
+| srv/service1.cds:5:10:6:1 | {\\n      ... }\\n    } | The CDS entity `Service1.Service1Entity` is exposed without any authentication. |
+| srv/service1.cds:8:10:9:1 | {\\n      ... }\\n    } | The CDS action `Service1.send1` is exposed without any authentication. |
+| srv/service2.cds:3:9:4:1 | {\\n      ... }\\n    } | The CDS service `Service2` is exposed without any authentication. |
+| srv/service2.cds:5:10:6:1 | {\\n      ... }\\n    } | The CDS entity `Service2.Service2Entity` is exposed without any authentication. |
+| srv/service2.cds:8:10:9:1 | {\\n      ... }\\n    } | The CDS action `Service2.send2` is exposed without any authentication. |

javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/show-me-the-cwd.sh

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-(cd $CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE && pwd && for cds_file in $(find . -type f \( -iname '*.cds' \) -print  ); do cds compile $cds_file -2 json -o "$(dirname $cds_file)/$(basename $cds_file .cds).json"; done)
+(cd $CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE && pwd && for cds_file in $(find . -type f \( -iname '*.cds' \) -print  ); do cds compile $cds_file -2 json -o "$(dirname $cds_file)/$(basename $cds_file .cds).json" --locations; done)

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected

@@ -1,8 +1,8 @@
 nodes
-| sensitive-exposure.js:10:32:10:42 | Sample.name |
-| sensitive-exposure.js:10:32:10:42 | Sample.name |
-| sensitive-exposure.js:10:32:10:42 | Sample.name |
+| sensitive-exposure.js:9:32:9:42 | Sample.name |
+| sensitive-exposure.js:9:32:9:42 | Sample.name |
+| sensitive-exposure.js:9:32:9:42 | Sample.name |
 edges
-| sensitive-exposure.js:10:32:10:42 | Sample.name | sensitive-exposure.js:10:32:10:42 | Sample.name |
+| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name |
 #select
-| sensitive-exposure.js:10:32:10:42 | Sample.name | sensitive-exposure.js:10:32:10:42 | Sample.name | sensitive-exposure.js:10:32:10:42 | Sample.name | Log entry depends on a potentially sensitive piece of information. |
+| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds:4:5:5:1 | {\\n      ...       } | name |

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js

@@ -5,8 +5,7 @@ const { Sample } = cds.entities('advanced_security.log_exposure.sample_entities'
 
 class SampleVulnService extends cds.ApplicationService {
     init() {
-	/* A sensitive info log sink. */
-
+        /* A sensitive info log sink. */
         LOG.info("Received: ", Sample.name); // CAP log exposure alert
     }
 

javascript/frameworks/ui5/ext/qlpack.yml

@@ -3,6 +3,6 @@ library: true
 name: advanced-security/javascript-sap-ui5-models
 version: 0.6.0
 extensionTargets:
-  codeql/javascript-all: "^1.1.1"
+  codeql/javascript-all: "^2.0.0"
 dataExtensions:
   - "*.model.yml"