merge main

.github/workflows/code_scanning.yml

@@ -12,7 +12,7 @@ on:
 
 env:
   LGTM_INDEX_XML_MODE: all
-  LGTM_INDEX_FILETYPES: ".json:JSON"
+  LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
 
 jobs:
   analyze-javascript:
@@ -52,7 +52,8 @@ jobs:
           echo "I am compiling $cds_file"
           cds compile $cds_file \
             -2 json \
-            -o "$cds_file.json"
+            -o "$cds_file.json" \
+            --locations
         done
 
     - name: Extract CodeQL bundle version from qlt.conf.json
@@ -66,7 +67,7 @@ jobs:
         config-file: ./.github/codeql/codeql-config.yaml
         tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
         debug: true
-
+    
     - name: Perform CodeQL Analysis
       id: analyze
       uses: github/codeql-action/analyze@v3

.github/workflows/run-codeql-unit-tests-javascript.yml

@@ -92,7 +92,8 @@ jobs:
             echo "I am compiling $cds_file"
             cds compile $cds_file \
               -2 json \
-              -o "$cds_file.json"
+              -o "$cds_file.json" \
+              --locations
           done
 
       - name: Run test suites

README.md

@@ -1,5 +1,92 @@
-# Overview
-[CodeQL](https://codeql.github.com/) models and queries for the SAP frameworks:
+# CodeQL: SAP JavaScript frameworks
+This repository contains [CodeQL](https://codeql.github.com/) models and queries for SAP JavaScript frameworks:
 - [CAP](javascript/frameworks/cap) (https://cap.cloud.sap/)
 - [UI5](javascript/frameworks/ui5) (https://sapui5.hana.ondemand.com/)
-- [XSJS](javascript/frameworks/xsjs) (https://www.npmjs.com/package/@sap/async-xsjs)
+- [XSJS](javascript/frameworks/xsjs) (https://www.npmjs.com/package/@sap/async-xsjs)
+
+### Published CodeQl packs
+- [advanced-security/javascript-sap-cap-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-cap-queries)
+- [advanced-security/javascript-sap-ui5-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-ui5-queries)
+- [advanced-security/javascript-sap-async-xsjs-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-async-xsjs-queries)
+
+## Usage 
+
+### Analyzing a repository with [Code Scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-query-packs)
+Example workflow file:
+```yaml
+jobs:
+  analyze-javascript:
+    name: Analyze
+    runs-on: 'ubuntu-latest'
+    permissions:
+      security-events: write
+
+    - name: Compile CDS files
+      run: |
+        npm install -g @sap/cds-dk
+        for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
+          do
+            cds compile $cds_file \
+              -2 json \
+              -o "$cds_file.json" \
+              --locations
+          done
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: javascript
+        config-file: .github/codeql/codeql-config.yaml
+
+    - name: Perform CodeQL Analysis
+      id: analyze
+      uses: github/codeql-action/analyze@v3
+```
+Example configuration file:
+```yaml
+name: "My CodeQL config"
+
+packs:
+  # Use these packs for JavaScript and TypeScript analysis
+  javascript:
+    - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls
+    - advanced-security/javascript-sap-async-xsjs-queries:codeql-suites/javascript-security-extended.qls
+    - advanced-security/javascript-sap-cap-queries:codeql-suites/javascript-security-extended.qls
+    - advanced-security/javascript-sap-ui5-queries:codeql-suites/javascript-security-extended.qls
+
+paths-ignore:
+  - "**/node_modules"
+```
+### Building and analyzing the CodeQL database with the CodeQL CLI
+
+1. Include and index XML, JSON and CDS files by setting the necessary environment variables:
+```
+export LGTM_INDEX_XML_MODE='ALL'
+export LGTM_INDEX_FILETYPES=$'.json:JSON\n.cds:JSON'
+```
+2. Compile all the CDS files using the SAP cds toolkit
+```
+npm install -g @sap/cds-dk
+for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
+  do
+    cds compile $cds_file \
+      -2 json \
+      -o "$cds_file.json" \
+      --locations
+  done
+```
+3. Build the database [as usual](https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/database-create)
+```
+codeql database create <DB_NAME> --language=javascript
+```
+4. Analyze the database using one or more packs
+```
+codeql database analyze <DB_NAME> --format=sarif-latest --output=<OUTPUT_FILE> \
+  --download advanced-security/javascript-sap-cap-queries \
+             advanced-security/javascript-sap-ui5-queries \
+             advanced-security/javascript-sap-async-xsjs-queries
+```
+
+## License
+
+The code in this repository is licensed under the [MIT License](LICENSE) by [GitHub](https://github.com).

javascript/frameworks/cap/ext/qlpack.yml

@@ -3,5 +3,4 @@ library: true
 name: advanced-security/javascript-sap-cap-models
 version: 0.3.0
 extensionTargets:
-  codeql/javascript-all: "^1.1.1"
-  codeql/javascript-queries: "^1.1.0"
+  codeql/javascript-all: "^2.0.0"

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDL.qll

@@ -5,6 +5,24 @@
 import javascript
 import advanced_security.javascript.frameworks.cap.CDS
 
+abstract class CdlObject extends JsonObject {
+  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    exists(Location loc, JsonValue locValue |
+      loc = this.getLocation() and
+      locValue = this.getPropValue("$location") and
+      path =
+        any(File f |
+          f.getAbsolutePath()
+              .matches("%" + locValue.getPropValue("file").getStringValue() + ".json")
+        ).getAbsolutePath().regexpReplaceAll("\\.json$", "") and
+      sl = locValue.getPropValue("line").getIntValue() and
+      sc = locValue.getPropValue("col").getIntValue() and
+      el = sl + 1 and
+      ec = 1
+    )
+  }
+}
+
 private newtype CdlKind =
   CdlServiceKind(string value) { value = "service" } or
   CdlEntityKind(string value) { value = "entity" } or
@@ -15,15 +33,15 @@ private newtype CdlKind =
 /**
  * Any CDL element, including entities, event, actions, and more.
  */
-class CdlDefinition extends JsonObject {
+class CdlDefinition extends CdlObject {
   CdlDefinition() { exists(JsonObject root | this = root.getPropValue("definitions")) }
 
   JsonObject getElement(string elementName) { result = this.getPropValue(elementName) }
 
   JsonObject getAnElement() { result = this.getElement(_) }
 }
 
-abstract class CdlElement extends JsonObject {
+abstract class CdlElement extends CdlObject {
   CdlKind kind;
   string name;
 
@@ -190,7 +208,7 @@ class CdlFunction extends CdlElement {
   }
 }
 
-class CdlAttribute extends JsonObject {
+class CdlAttribute extends CdlObject {
   string name;
 
   CdlAttribute() {
@@ -207,7 +225,7 @@ class CdlAttribute extends JsonObject {
 /**
  * a `CdlEntity` that is declared in a namespace
  */
-class NamespacedEntity extends JsonObject instanceof CdlEntity {
+class NamespacedEntity extends CdlObject instanceof CdlEntity {
   string namespace;
 
   NamespacedEntity() { this.getParent+().getPropValue("namespace").getStringValue() = namespace }
@@ -218,7 +236,7 @@ class NamespacedEntity extends JsonObject instanceof CdlEntity {
 /**
  * any `JsonValue` that has a `PersonalData` like annotation above it
  */
-abstract class SensitiveAnnotatedElement extends JsonValue {
+abstract class SensitiveAnnotatedElement extends CdlObject {
   abstract string getName();
 }
 
@@ -295,7 +313,7 @@ class RestrictAnnotation extends CdlAnnotation, JsonArray {
   RestrictCondition getARestrictCondition() { result = this.getElementValue(_) }
 }
 
-class RestrictCondition extends JsonObject {
+class RestrictCondition extends CdlObject {
   RestrictCondition() { exists(RestrictAnnotation restrict | this = restrict.getElementValue(_)) }
 
   predicate grants(string eventName) {

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.0.4
+    version: 1.1.2
   codeql/javascript-all:
-    version: 1.1.1
+    version: 2.0.0
   codeql/mad:
-    version: 1.0.4
+    version: 1.0.8
   codeql/regex:
-    version: 1.0.4
+    version: 1.0.8
   codeql/ssa:
-    version: 1.0.4
+    version: 1.0.8
   codeql/tutorial:
-    version: 1.0.4
+    version: 1.0.8
   codeql/typetracking:
-    version: 1.0.4
+    version: 1.0.8
   codeql/util:
-    version: 1.0.4
+    version: 1.0.8
   codeql/xml:
-    version: 1.0.4
+    version: 1.0.8
   codeql/yaml:
-    version: 1.0.4
+    version: 1.0.8
 compiled: false

javascript/frameworks/cap/lib/qlpack.yml

@@ -5,5 +5,5 @@ version: 0.3.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^1.1.1"
+  codeql/javascript-all: "^2.0.0"
   advanced-security/javascript-sap-cap-models: "^0.3.0"

javascript/frameworks/cap/src/bad-authn-authz/DefaultUserIsPrivileged/DefaultUserIsPrivileged.ql

@@ -5,7 +5,7 @@
  * @problem.severity error
  * @security-severity 6
  * @precision high
- * @id js/default-user-is-privileged
+ * @id js/cap-default-user-is-privileged
  * @tags security
  */
 

javascript/frameworks/cap/src/bad-authn-authz/EntityExposedWithoutAuthn/EntityExposedWithoutAuthn.ql

@@ -6,27 +6,26 @@
  * @problem.severity warning
  * @security-severity 6
  * @precision high
- * @id js/entity-exposed-without-authentication
+ * @id js/cap-entity-exposed-without-authentication
  * @tags security
  */
 
 import advanced_security.javascript.frameworks.cap.CAPNoAuthzQuery
 
-/*
- * TODO: Revamp this predicate after we start to natively support CDS.
- * string getClickableText(CdlElement cdlElement) {
- *  cdlElement instanceof CdlService and result = "CDS service"
- *  or
- *  cdlElement instanceof CdlEntity and result = "CDS entity"
- *  or
- *  cdlElement instanceof CdlAction and result = "CDS action"
- *  or
- *  cdlElement instanceof CdlFunction and result = "CDS function"
- * }
- */
+string getClickableText(CdlElement cdlElement) {
+  cdlElement instanceof CdlService and result = "CDS service"
+  or
+  cdlElement instanceof CdlEntity and result = "CDS entity"
+  or
+  cdlElement instanceof CdlAction and result = "CDS action"
+  or
+  cdlElement instanceof CdlFunction and result = "CDS function"
+}
 
 from CdlElement cdlElement
 where
   cdlElement instanceof CdlElementWithoutJsAuthn and
   cdlElement instanceof CdlElementWithoutCdsAuthn
-select cdlElement, "This CDS definition is exposed without any authentication."
+select cdlElement,
+  "The " + getClickableText(cdlElement) + " `" + cdlElement.getName() +
+    "` is exposed without any authentication."

javascript/frameworks/cap/src/bad-authn-authz/UnnecessarilyGrantedPrivilegedAccessRights/UnnecessarilyGrantedPrivilegedAccessRights.ql

@@ -5,7 +5,7 @@
  * @problem.severity error
  * @security-severity 6
  * @precision high
- * @id js/unnecessarily-granted-privileged-access-rights
+ * @id js/cap-unnecessarily-granted-privileged-access-rights
  * @tags security
  */
 

javascript/frameworks/cap/src/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.0.4
+    version: 1.1.2
   codeql/javascript-all:
-    version: 1.1.1
+    version: 2.0.0
   codeql/mad:
-    version: 1.0.4
+    version: 1.0.8
   codeql/regex:
-    version: 1.0.4
+    version: 1.0.8
   codeql/ssa:
-    version: 1.0.4
+    version: 1.0.8
   codeql/tutorial:
-    version: 1.0.4
+    version: 1.0.8
   codeql/typetracking:
-    version: 1.0.4
+    version: 1.0.8
   codeql/util:
-    version: 1.0.4
+    version: 1.0.8
   codeql/xml:
-    version: 1.0.4
+    version: 1.0.8
   codeql/yaml:
-    version: 1.0.4
+    version: 1.0.8
 compiled: false

javascript/frameworks/cap/src/qlpack.yml

@@ -5,7 +5,7 @@ version: 0.3.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^1.1.1"
+  codeql/javascript-all: "^2.0.0"
   advanced-security/javascript-sap-cap-models: "^0.3.0"
   advanced-security/javascript-sap-cap-all: "^0.3.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposure.ql

@@ -6,7 +6,7 @@
  * @problem.severity warning
  * @security-severity 7.5
  * @precision medium
- * @id js/sensitive-log
+ * @id js/cap-sensitive-log
  * @tags security
  *       external/cwe/cwe-532
  */
@@ -43,6 +43,8 @@ class SensitiveExposureFieldSource extends DataFlow::Node {
     //and the namespace is the same (fully qualified id match)
     entity.(NamespacedEntity).getNamespace() = namespace
   }
+
+  SensitiveAnnotatedAttribute getCdsField() { result = cdsField }
 }
 
 class SensitiveLogExposureConfig extends TaintTracking::Configuration {
@@ -57,4 +59,7 @@ class SensitiveLogExposureConfig extends TaintTracking::Configuration {
 
 from SensitiveLogExposureConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink, source, sink, "Log entry depends on a potentially sensitive piece of information."
+select sink, source, sink,
+  "Log entry depends on the $@ field which is annotated as potentially sensitive.",
+  source.getNode().(SensitiveExposureFieldSource).getCdsField(),
+  source.getNode().(SensitiveExposureFieldSource).getCdsField().getName()