From 4229a974a2f88f69b493bf187d9170b557c5689d Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Wed, 30 Jul 2025 16:41:42 +0100 Subject: [PATCH 1/5] Update the dependencies to CodeQL CLI 2.22.2. --- .../frameworks/cap/lib/codeql-pack.lock.yml | 24 ++++++++------- .../frameworks/cap/src/codeql-pack.lock.yml | 24 ++++++++------- .../frameworks/cap/test/codeql-pack.lock.yml | 24 ++++++++------- .../frameworks/ui5/lib/codeql-pack.lock.yml | 24 ++++++++------- .../frameworks/ui5/src/codeql-pack.lock.yml | 24 ++++++++------- .../frameworks/ui5/test/codeql-pack.lock.yml | 30 ++++++++----------- javascript/frameworks/ui5/test/qlpack.yml | 1 - .../frameworks/xsjs/lib/codeql-pack.lock.yml | 24 ++++++++------- .../frameworks/xsjs/src/codeql-pack.lock.yml | 24 ++++++++------- .../frameworks/xsjs/test/codeql-pack.lock.yml | 24 ++++++++------- .../tests/codeql-pack.lock.yml | 24 ++++++++------- scripts/codeql-pack.lock.yml | 24 --------------- 12 files changed, 131 insertions(+), 140 deletions(-) delete mode 100644 scripts/codeql-pack.lock.yml diff --git a/javascript/frameworks/cap/lib/codeql-pack.lock.yml b/javascript/frameworks/cap/lib/codeql-pack.lock.yml index c39c17fe3..2c96a58ff 100644 --- a/javascript/frameworks/cap/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/lib/codeql-pack.lock.yml @@ -1,26 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 2.0.0 + version: 2.0.11 codeql/javascript-all: - version: 2.4.0 + version: 2.6.7 codeql/mad: - version: 1.0.16 + version: 1.0.27 codeql/regex: - version: 1.0.16 + version: 1.0.27 codeql/ssa: - version: 1.0.16 + version: 2.0.3 codeql/threat-models: - version: 1.0.16 + version: 1.0.27 codeql/tutorial: - version: 1.0.16 + version: 1.0.27 codeql/typetracking: - version: 2.0.0 + version: 2.0.11 codeql/util: - version: 2.0.3 + version: 2.0.14 codeql/xml: - version: 1.0.16 + version: 1.0.27 codeql/yaml: - version: 1.0.16 + version: 1.0.27 compiled: false 
diff --git a/javascript/frameworks/cap/src/codeql-pack.lock.yml b/javascript/frameworks/cap/src/codeql-pack.lock.yml index c39c17fe3..2c96a58ff 100644 --- a/javascript/frameworks/cap/src/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/src/codeql-pack.lock.yml @@ -1,26 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 2.0.0 + version: 2.0.11 codeql/javascript-all: - version: 2.4.0 + version: 2.6.7 codeql/mad: - version: 1.0.16 + version: 1.0.27 codeql/regex: - version: 1.0.16 + version: 1.0.27 codeql/ssa: - version: 1.0.16 + version: 2.0.3 codeql/threat-models: - version: 1.0.16 + version: 1.0.27 codeql/tutorial: - version: 1.0.16 + version: 1.0.27 codeql/typetracking: - version: 2.0.0 + version: 2.0.11 codeql/util: - version: 2.0.3 + version: 2.0.14 codeql/xml: - version: 1.0.16 + version: 1.0.27 codeql/yaml: - version: 1.0.16 + version: 1.0.27 compiled: false diff --git a/javascript/frameworks/cap/test/codeql-pack.lock.yml b/javascript/frameworks/cap/test/codeql-pack.lock.yml index c39c17fe3..2c96a58ff 100644 --- a/javascript/frameworks/cap/test/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/test/codeql-pack.lock.yml @@ -1,26 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 2.0.0 + version: 2.0.11 codeql/javascript-all: - version: 2.4.0 + version: 2.6.7 codeql/mad: - version: 1.0.16 + version: 1.0.27 codeql/regex: - version: 1.0.16 + version: 1.0.27 codeql/ssa: - version: 1.0.16 + version: 2.0.3 codeql/threat-models: - version: 1.0.16 + version: 1.0.27 codeql/tutorial: - version: 1.0.16 + version: 1.0.27 codeql/typetracking: - version: 2.0.0 + version: 2.0.11 codeql/util: - version: 2.0.3 + version: 2.0.14 codeql/xml: - version: 1.0.16 + version: 1.0.27 codeql/yaml: - version: 1.0.16 + version: 1.0.27 compiled: false 
diff --git a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml index c39c17fe3..2c96a58ff 100644 --- a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml @@ -1,26 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 2.0.0 + version: 2.0.11 codeql/javascript-all: - version: 2.4.0 + version: 2.6.7 codeql/mad: - version: 1.0.16 + version: 1.0.27 codeql/regex: - version: 1.0.16 + version: 1.0.27 codeql/ssa: - version: 1.0.16 + version: 2.0.3 codeql/threat-models: - version: 1.0.16 + version: 1.0.27 codeql/tutorial: - version: 1.0.16 + version: 1.0.27 codeql/typetracking: - version: 2.0.0 + version: 2.0.11 codeql/util: - version: 2.0.3 + version: 2.0.14 codeql/xml: - version: 1.0.16 + version: 1.0.27 codeql/yaml: - version: 1.0.16 + version: 1.0.27 compiled: false diff --git a/javascript/frameworks/ui5/src/codeql-pack.lock.yml b/javascript/frameworks/ui5/src/codeql-pack.lock.yml index c39c17fe3..2c96a58ff 100644 --- a/javascript/frameworks/ui5/src/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/src/codeql-pack.lock.yml @@ -1,26 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 2.0.0 + version: 2.0.11 codeql/javascript-all: - version: 2.4.0 + version: 2.6.7 codeql/mad: - version: 1.0.16 + version: 1.0.27 codeql/regex: - version: 1.0.16 + version: 1.0.27 codeql/ssa: - version: 1.0.16 + version: 2.0.3 codeql/threat-models: - version: 1.0.16 + version: 1.0.27 codeql/tutorial: - version: 1.0.16 + version: 1.0.27 codeql/typetracking: - version: 2.0.0 + version: 2.0.11 codeql/util: - version: 2.0.3 + version: 2.0.14 codeql/xml: - version: 1.0.16 + version: 1.0.27 codeql/yaml: - version: 1.0.16 + version: 1.0.27 compiled: false 
diff --git a/javascript/frameworks/ui5/test/codeql-pack.lock.yml b/javascript/frameworks/ui5/test/codeql-pack.lock.yml index 9dd6c6365..2c96a58ff 100644 --- a/javascript/frameworks/ui5/test/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/test/codeql-pack.lock.yml @@ -1,32 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 2.0.0 + version: 2.0.11 codeql/javascript-all: - version: 2.4.0 - codeql/javascript-queries: - version: 1.4.0 + version: 2.6.7 codeql/mad: - version: 1.0.16 + version: 1.0.27 codeql/regex: - version: 1.0.16 + version: 1.0.27 codeql/ssa: - version: 1.0.16 - codeql/suite-helpers: - version: 1.0.16 + version: 2.0.3 codeql/threat-models: - version: 1.0.16 + version: 1.0.27 codeql/tutorial: - version: 1.0.16 + version: 1.0.27 codeql/typetracking: - version: 2.0.0 - codeql/typos: - version: 1.0.16 + version: 2.0.11 codeql/util: - version: 2.0.3 + version: 2.0.14 codeql/xml: - version: 1.0.16 + version: 1.0.27 codeql/yaml: - version: 1.0.16 + version: 1.0.27 compiled: false diff --git a/javascript/frameworks/ui5/test/qlpack.yml b/javascript/frameworks/ui5/test/qlpack.yml index c81393a00..6f571795d 100644 --- a/javascript/frameworks/ui5/test/qlpack.yml +++ b/javascript/frameworks/ui5/test/qlpack.yml @@ -3,7 +3,6 @@ version: 0.7.0 extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" - codeql/javascript-queries: "^1.2.0" advanced-security/javascript-sap-ui5-queries: "^0.7.0" advanced-security/javascript-sap-ui5-models: "^0.7.0" advanced-security/javascript-sap-ui5-all: "^0.7.0" diff --git a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml index c39c17fe3..2c96a58ff 100644 --- a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml 
@@ -1,26 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 2.0.0 + version: 2.0.11 codeql/javascript-all: - version: 2.4.0 + version: 2.6.7 codeql/mad: - version: 1.0.16 + version: 1.0.27 codeql/regex: - version: 1.0.16 + version: 1.0.27 codeql/ssa: - version: 1.0.16 + version: 2.0.3 codeql/threat-models: - version: 1.0.16 + version: 1.0.27 codeql/tutorial: - version: 1.0.16 + version: 1.0.27 codeql/typetracking: - version: 2.0.0 + version: 2.0.11 codeql/util: - version: 2.0.3 + version: 2.0.14 codeql/xml: - version: 1.0.16 + version: 1.0.27 codeql/yaml: - version: 1.0.16 + version: 1.0.27 compiled: false diff --git a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml index c39c17fe3..2c96a58ff 100644 --- a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml @@ -1,26 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 2.0.0 + version: 2.0.11 codeql/javascript-all: - version: 2.4.0 + version: 2.6.7 codeql/mad: - version: 1.0.16 + version: 1.0.27 codeql/regex: - version: 1.0.16 + version: 1.0.27 codeql/ssa: - version: 1.0.16 + version: 2.0.3 codeql/threat-models: - version: 1.0.16 + version: 1.0.27 codeql/tutorial: - version: 1.0.16 + version: 1.0.27 codeql/typetracking: - version: 2.0.0 + version: 2.0.11 codeql/util: - version: 2.0.3 + version: 2.0.14 codeql/xml: - version: 1.0.16 + version: 1.0.27 codeql/yaml: - version: 1.0.16 + version: 1.0.27 compiled: false diff --git a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml index c39c17fe3..2c96a58ff 100644 --- a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml 
@@ -1,26 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 2.0.0 + version: 2.0.11 codeql/javascript-all: - version: 2.4.0 + version: 2.6.7 codeql/mad: - version: 1.0.16 + version: 1.0.27 codeql/regex: - version: 1.0.16 + version: 1.0.27 codeql/ssa: - version: 1.0.16 + version: 2.0.3 codeql/threat-models: - version: 1.0.16 + version: 1.0.27 codeql/tutorial: - version: 1.0.16 + version: 1.0.27 codeql/typetracking: - version: 2.0.0 + version: 2.0.11 codeql/util: - version: 2.0.3 + version: 2.0.14 codeql/xml: - version: 1.0.16 + version: 1.0.27 codeql/yaml: - version: 1.0.16 + version: 1.0.27 compiled: false diff --git a/javascript/heuristic-models/tests/codeql-pack.lock.yml b/javascript/heuristic-models/tests/codeql-pack.lock.yml index 9c7802785..2c96a58ff 100644 --- a/javascript/heuristic-models/tests/codeql-pack.lock.yml +++ b/javascript/heuristic-models/tests/codeql-pack.lock.yml @@ -1,24 +1,28 @@ --- lockVersion: 1.0.0 dependencies: + codeql/concepts: + version: 0.0.1 codeql/dataflow: - version: 0.2.7 + version: 2.0.11 codeql/javascript-all: - version: 0.9.1 + version: 2.6.7 codeql/mad: - version: 0.2.16 + version: 1.0.27 codeql/regex: - version: 0.2.16 + version: 1.0.27 codeql/ssa: - version: 0.2.16 + version: 2.0.3 + codeql/threat-models: + version: 1.0.27 codeql/tutorial: - version: 0.2.16 + version: 1.0.27 codeql/typetracking: - version: 0.2.16 + version: 2.0.11 codeql/util: - version: 0.2.16 + version: 2.0.14 codeql/xml: - version: 0.0.3 + version: 1.0.27 codeql/yaml: - version: 0.2.16 + version: 1.0.27 compiled: false diff --git a/scripts/codeql-pack.lock.yml b/scripts/codeql-pack.lock.yml deleted file mode 100644 index 68a286eb2..000000000 --- a/scripts/codeql-pack.lock.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -lockVersion: 1.0.0 -dependencies: - codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: - version: 2.0.0 - codeql/mad: - version: 1.0.8 - codeql/regex: - version: 1.0.8 - codeql/ssa: - version: 1.0.8 - codeql/tutorial: - version: 1.0.8 - codeql/typetracking: - version: 1.0.8 - codeql/util: - version: 1.0.8 - codeql/xml: - version: 1.0.8 - codeql/yaml: - version: 1.0.8 -compiled: false From 6f1567c045e897af992a208371c97d5b8e4b0a4a Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Wed, 30 Jul 2025 17:01:29 +0100 Subject: [PATCH 2/5] Update UI5 test dependencies --- javascript/frameworks/ui5/test/codeql-pack.lock.yml | 6 ++++++ javascript/frameworks/ui5/test/qlpack.yml | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/javascript/frameworks/ui5/test/codeql-pack.lock.yml b/javascript/frameworks/ui5/test/codeql-pack.lock.yml index 2c96a58ff..e45f447c6 100644 --- a/javascript/frameworks/ui5/test/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/test/codeql-pack.lock.yml @@ -7,18 +7,24 @@ dependencies: version: 2.0.11 codeql/javascript-all: version: 2.6.7 + codeql/javascript-queries: + version: 2.0.0 codeql/mad: version: 1.0.27 codeql/regex: version: 1.0.27 codeql/ssa: version: 2.0.3 + codeql/suite-helpers: + version: 1.0.27 codeql/threat-models: version: 1.0.27 codeql/tutorial: version: 1.0.27 codeql/typetracking: version: 2.0.11 + codeql/typos: + version: 1.0.27 codeql/util: version: 2.0.14 codeql/xml: diff --git a/javascript/frameworks/ui5/test/qlpack.yml b/javascript/frameworks/ui5/test/qlpack.yml index 6f571795d..924a16a90 100644 --- a/javascript/frameworks/ui5/test/qlpack.yml +++ b/javascript/frameworks/ui5/test/qlpack.yml 
@@ -3,6 +3,10 @@ version: 0.7.0 extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" + # We use this dependency to run the standard Log Injection query to ensure that + # no overlap occurs with the SAP UI5 queries. We therefore allow any version + # greater than or equal to 1.2.0, as major breaking changes are not a concern. + codeql/javascript-queries: ">1.2.0" advanced-security/javascript-sap-ui5-queries: "^0.7.0" advanced-security/javascript-sap-ui5-models: "^0.7.0" advanced-security/javascript-sap-ui5-all: "^0.7.0" From 6ca2c51864189bc872f17995e62556342a18468b Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Wed, 30 Jul 2025 17:35:15 +0100 Subject: [PATCH 3/5] Update qlt.conf.json to 2.22.2 --- qlt.conf.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/qlt.conf.json b/qlt.conf.json index 552911a55..f2598893e 100644 --- a/qlt.conf.json +++ b/qlt.conf.json @@ -1,5 +1,5 @@ { - "CodeQLCLI": "2.20.4", - "CodeQLStandardLibrary": "codeql-cli/v2.20.4", - "CodeQLCLIBundle": "codeql-bundle-v2.20.4" + "CodeQLCLI": "2.22.2", + "CodeQLStandardLibrary": "codeql-cli/v2.22.2", + "CodeQLCLIBundle": "codeql-bundle-v2.22.2" } \ No newline at end of file From 2f48d3c7afbf2bfac21ce8a1b04498851dad761f Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Sat, 2 Aug 2025 00:14:03 +0100 Subject: [PATCH 4/5] Address incompatibility introduced in CodeQL PR #19445. SummarizedCallables appear not to work with class Configurations. --- .../frameworks/ui5/dataflow/DataFlow.qll | 1 + .../frameworks/ui5/dataflow/PatchDataFlow.qll | 77 +++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/PatchDataFlow.qll diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll index ffba729d3..94675378d 100644 
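Review bot: The comment introduced above `codeql/javascript-queries: ">1.2.0"` says "greater than or equal to 1.2.0", but `>` excludes 1.2.0 itself; `codeql/javascript-queries: ">=1.2.0"` matches the stated intent. The range is also open-ended upwards, which the comment accepts deliberately, so what actually gets analysed is decided by the lock file (this commit pins `codeql/javascript-queries` at 2.0.0 there) and any later lock refresh will silently move to whatever major is current; it is worth stating in the comment that the overlap check is expected to be re-run whenever that pin changes. The rest of the `dependencies` block is visible in the hunk, so no other constraint is affected.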
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll @@ -5,6 +5,7 @@ import advanced_security.javascript.frameworks.ui5.UI5View import advanced_security.javascript.frameworks.ui5.RemoteFlowSources import advanced_security.javascript.frameworks.ui5.dataflow.FlowSteps private import StdLibDataFlow::DataFlow::PathGraph as DataFlowPathGraph +private import PatchDataFlow /** * A statically visible part of a local model's content that has a binding path referring to it in a control declaration acting as an HTML injection sink. diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/PatchDataFlow.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/PatchDataFlow.qll new file mode 100644 index 000000000..b35427905 --- /dev/null +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/PatchDataFlow.qll 
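Review bot: `private import PatchDataFlow` has no visible use at this import site; its effect comes entirely from the `SharedFlowStep`/`SharedTaintStep` subclasses that module defines, which, as far as I read those base classes, are consulted by every data-flow and taint configuration evaluated with this library, not only the UI5 ones. An inline comment would make the side effect visible to the next reader, e.g. `// Side-effect import: PatchDataFlow registers flow/taint steps for models-as-data summaries.`. The import list this line joins starts before the hunk.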
@@ -0,0 +1,77 @@
+/**
+ * This file patches an incompatibility introduced into the standard data flow library between
+ * class DataFlow::Configurations and `summmaryModels` added in models-as-data files, and likely
+ * introduced in this PR: https://github.com/github/codeql/pull/19445/files.
+ */
+
+import javascript
+import semmle.javascript.dataflow.internal.FlowSummaryPrivate
+private import semmle.javascript.frameworks.data.internal.ApiGraphModels as Shared
+
+/**
+ * Holds if `path` is an input or output spec for a summary with the given `base` node.
+ */
+pragma[nomagic]
+private predicate relevantInputOutputPath(API::InvokeNode base, AccessPath inputOrOutput) {
+ exists(string type, string input, string output, string path |
+ ModelOutput::resolvedSummaryBase(type, path, base) and
+ ModelOutput::relevantSummaryModel(type, path, input, output, _, _) and
+ inputOrOutput = [input, output]
+ )
+}
+
+/**
+ * Gets the API node for the first `n` tokens of the given input/output path, evaluated relative to `baseNode`.
+ */
+private API::Node getNodeFromInputOutputPath(API::InvokeNode baseNode, AccessPath path, int n) {
+ relevantInputOutputPath(baseNode, path) and
+ (
+ n = 1 and
+ result = Shared::getSuccessorFromInvoke(baseNode, path.getToken(0))
+ or
+ result =
+ Shared::getSuccessorFromNode(getNodeFromInputOutputPath(baseNode, path, n - 1),
+ path.getToken(n - 1))
+ )
+}
+
+/**
+ * Gets the API node for the given input/output path, evaluated relative to `baseNode`.
+ */
+private API::Node getNodeFromInputOutputPath(API::InvokeNode baseNode, AccessPath path) {
+ result = getNodeFromInputOutputPath(baseNode, path, path.getNumToken())
+}
+
+private predicate summaryStep(API::Node pred, API::Node succ, string kind) {
+ exists(string type, string path, API::InvokeNode base, AccessPath input, AccessPath output |
+ ModelOutput::relevantSummaryModel(type, path, input, output, kind, _) and
+ ModelOutput::resolvedSummaryBase(type, path, base) and
+ pred = getNodeFromInputOutputPath(base, input) and
+ succ = getNodeFromInputOutputPath(base, output)
+ )
+}
+
+/**
+ * Like `ModelOutput::summaryStep` but with API nodes mapped to data-flow nodes.
+ */
+private predicate summaryStepNodes(DataFlow::Node pred, DataFlow::Node succ, string kind) {
+ exists(API::Node predNode, API::Node succNode |
+ summaryStep(predNode, succNode, kind) and
+ pred = predNode.asSink() and
+ succ = succNode.asSource()
+ )
+}
+
+/** Data flow steps induced by summary models of kind `value`. */
+private class DataFlowStepFromSummary extends DataFlow::SharedFlowStep {
+ override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+ summaryStepNodes(pred, succ, "value")
+ }
+}
+
+/** Taint steps induced by summary models of kind `taint`. */
+private class TaintStepFromSummary extends TaintTracking::SharedTaintStep {
+ override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+ summaryStepNodes(pred, succ, "taint")
+ }
+}
From d3780d3defa155f3723d8440b977362a6a3c1f51 Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Tue, 12 Aug 2025 09:50:43 +0100 Subject: [PATCH 5/5] Disable diff informed queries for this workflow --- .github/workflows/code_scanning.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/code_scanning.yml b/.github/workflows/code_scanning.yml
index 357bdb5f3..459af6ddc 100644
--- a/.github/workflows/code_scanning.yml
+++ b/.github/workflows/code_scanning.yml
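Review bot: `import semmle.javascript.dataflow.internal.FlowSummaryPrivate` is the only non-private import in the new file, so any module that imports PatchDataFlow non-privately also receives that internal module's names; unless re-exporting it is intended, write `private import semmle.javascript.dataflow.internal.FlowSummaryPrivate` to match the `ApiGraphModels` import on the next line, and drop it altogether if none of the file's names come from it (the hunk alone does not show which ones do). `summaryStep` is the one predicate without a QLDoc comment; a line such as `/** Holds if a summary model of the given kind induces a step from API node pred to API node succ. */` would bring it in line with its siblings. Both imports reach into `internal` packages of the standard library, which carry no compatibility guarantee across the CLI upgrades this series performs, so the header should state the condition under which the patch can be deleted (the upstream change that restores summary models for class configurations) rather than only where the breakage came from. The header also misspells `summmaryModels`.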
@@ -10,6 +10,9 @@ on: - cron: '39 12 * * 2' workflow_dispatch: +env: + CODEQL_ACTION_DIFF_INFORMED_QUERIES: false + jobs: analyze-javascript: name: Analyze
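Review bot: `CODEQL_ACTION_DIFF_INFORMED_QUERIES: false` is added at workflow level with no explanation, and it changes what pull-request scans report: as far as the feature is documented, turning diff-informed queries off makes every job in this workflow report alerts across the whole analysed code instead of only those attributable to the changed lines, so the reason belongs next to the setting, e.g. `# Disable diff-informed queries so PR scans report all alerts, not only those on changed lines.`. If only the JavaScript job needs this, an `env` on that job rather than on the workflow limits the effect to where it is wanted. The hunk's trailing context line may be cut at the end of the page.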