diff --git a/.github/workflows/code_scanning.yml b/.github/workflows/code_scanning.yml index 357bdb5f3..5b9010a3a 100644 --- a/.github/workflows/code_scanning.yml +++ b/.github/workflows/code_scanning.yml @@ -47,7 +47,8 @@ jobs: languages: javascript config-file: ./.github/codeql/codeql-config.yaml db-location: ${{ runner.temp }}/codeql-database - tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz + # tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz + tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.22.1/codeql-bundle-linux64.tar.gz debug: true - name: Run CDS extractor @@ -56,6 +57,7 @@ jobs: export CODEQL_DIST="$(dirname "${{ steps.initialize-codeql.outputs.codeql-path }}")" export CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${{ runner.temp }}/codeql-database/javascript" ${{ github.workspace }}/scripts/compile-cds.sh + # ${{ github.workspace }}/extractors/cds/tools/workflow/cds-compilation-for-actions.sh - name: Perform CodeQL Analysis id: analyze diff --git a/javascript/frameworks/cap/lib/codeql-pack.lock.yml b/javascript/frameworks/cap/lib/codeql-pack.lock.yml index c39c17fe3..2c96a58ff 100644 --- a/javascript/frameworks/cap/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/lib/codeql-pack.lock.yml 
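Review bot: The bundle pinned on the new `tools:` line, `codeql-bundle-v2.22.1`, disagrees with the `codeql-bundle-v2.22.2` that this same commit writes into qlt.conf.json, so CI and local tooling would compile the packs against different CLI versions. If hard-coding the tag is intentional, the commented-out `${{env.BUNDLE_VERSION}}` line kept above it, and the commented-out extractor script path added in the second hunk of this file, should be deleted rather than left as dead configuration; otherwise `BUNDLE_VERSION` should be updated so the variable stays the single source of truth. A release-tag download URL is mutable, so at minimum record the intended coupling next to the line, e.g. `# keep in sync with CodeQLCLIBundle in qlt.conf.json`. The step that contains these lines starts and ends outside the hunk.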
@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 2.0.0
+ version: 2.0.11
 codeql/javascript-all:
- version: 2.4.0
+ version: 2.6.7
 codeql/mad:
- version: 1.0.16
+ version: 1.0.27
 codeql/regex:
- version: 1.0.16
+ version: 1.0.27
 codeql/ssa:
- version: 1.0.16
+ version: 2.0.3
 codeql/threat-models:
- version: 1.0.16
+ version: 1.0.27
 codeql/tutorial:
- version: 1.0.16
+ version: 1.0.27
 codeql/typetracking:
- version: 2.0.0
+ version: 2.0.11
 codeql/util:
- version: 2.0.3
+ version: 2.0.14
 codeql/xml:
- version: 1.0.16
+ version: 1.0.27
 codeql/yaml:
- version: 1.0.16
+ version: 1.0.27
 compiled: false
diff --git a/javascript/frameworks/cap/src/codeql-pack.lock.yml b/javascript/frameworks/cap/src/codeql-pack.lock.yml
index c39c17fe3..2c96a58ff 100644
--- a/javascript/frameworks/cap/src/codeql-pack.lock.yml
+++ b/javascript/frameworks/cap/src/codeql-pack.lock.yml
@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 2.0.0
+ version: 2.0.11
 codeql/javascript-all:
- version: 2.4.0
+ version: 2.6.7
 codeql/mad:
- version: 1.0.16
+ version: 1.0.27
 codeql/regex:
- version: 1.0.16
+ version: 1.0.27
 codeql/ssa:
- version: 1.0.16
+ version: 2.0.3
 codeql/threat-models:
- version: 1.0.16
+ version: 1.0.27
 codeql/tutorial:
- version: 1.0.16
+ version: 1.0.27
 codeql/typetracking:
- version: 2.0.0
+ version: 2.0.11
 codeql/util:
- version: 2.0.3
+ version: 2.0.14
 codeql/xml:
- version: 1.0.16
+ version: 1.0.27
 codeql/yaml:
- version: 1.0.16
+ version: 1.0.27
 compiled: false
diff --git a/javascript/frameworks/cap/test/codeql-pack.lock.yml b/javascript/frameworks/cap/test/codeql-pack.lock.yml
index c39c17fe3..2c96a58ff 100644
--- a/javascript/frameworks/cap/test/codeql-pack.lock.yml
+++ b/javascript/frameworks/cap/test/codeql-pack.lock.yml
@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 2.0.0
+ version: 2.0.11
 codeql/javascript-all:
- version: 2.4.0
+ version: 2.6.7
 codeql/mad:
- version: 1.0.16
+ version: 1.0.27
 codeql/regex:
- version: 1.0.16
+ version: 1.0.27
 codeql/ssa:
- version: 1.0.16
+ version: 2.0.3
 codeql/threat-models:
- version: 1.0.16
+ version: 1.0.27
 codeql/tutorial:
- version: 1.0.16
+ version: 1.0.27
 codeql/typetracking:
- version: 2.0.0
+ version: 2.0.11
 codeql/util:
- version: 2.0.3
+ version: 2.0.14
 codeql/xml:
- version: 1.0.16
+ version: 1.0.27
 codeql/yaml:
- version: 1.0.16
+ version: 1.0.27
 compiled: false
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll
index ffba729d3..94675378d 100644
--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll
@@ -5,6 +5,7 @@ import advanced_security.javascript.frameworks.ui5.UI5View
 import advanced_security.javascript.frameworks.ui5.RemoteFlowSources
 import advanced_security.javascript.frameworks.ui5.dataflow.FlowSteps
 private import StdLibDataFlow::DataFlow::PathGraph as DataFlowPathGraph
+private import PatchDataFlow
 /**
 * A statically visible part of a local model's content that has a binding path referring to it in a control declaration acting as an HTML injection sink.
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/PatchDataFlow.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/PatchDataFlow.qll
new file mode 100644
index 000000000..b35427905
--- /dev/null
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/PatchDataFlow.qll
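Review bot: The added `private import PatchDataFlow` has a non-local effect that the bare import line does not convey: the classes it pulls in extend `DataFlow::SharedFlowStep` and `TaintTracking::SharedTaintStep`, and as far as I understand QL's class-extension semantics that contributes extra steps to every flow configuration of every query importing this library, regardless of visibility. A short comment on the import would save the next reader a detour, e.g. `// Adds models-as-data summary steps globally; see PatchDataFlow.qll for the upstream issue being worked around`. The import block this line sits in starts above the hunk.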
@@ -0,0 +1,77 @@
+/**
+ * This file patches an incompatibility introduced into the standard data flow library between
+ * class DataFlow::Configurations and `summmaryModels` added in models-as-data files, and likely
+ * introduced in this PR: https://github.com/github/codeql/pull/19445/files.
+ */
+
+import javascript
+import semmle.javascript.dataflow.internal.FlowSummaryPrivate
+private import semmle.javascript.frameworks.data.internal.ApiGraphModels as Shared
+
+/**
+ * Holds if `path` is an input or output spec for a summary with the given `base` node.
+ */
+pragma[nomagic]
+private predicate relevantInputOutputPath(API::InvokeNode base, AccessPath inputOrOutput) {
+ exists(string type, string input, string output, string path |
+ ModelOutput::resolvedSummaryBase(type, path, base) and
+ ModelOutput::relevantSummaryModel(type, path, input, output, _, _) and
+ inputOrOutput = [input, output]
+ )
+}
+
+/**
+ * Gets the API node for the first `n` tokens of the given input/output path, evaluated relative to `baseNode`.
+ */
+private API::Node getNodeFromInputOutputPath(API::InvokeNode baseNode, AccessPath path, int n) {
+ relevantInputOutputPath(baseNode, path) and
+ (
+ n = 1 and
+ result = Shared::getSuccessorFromInvoke(baseNode, path.getToken(0))
+ or
+ result =
+ Shared::getSuccessorFromNode(getNodeFromInputOutputPath(baseNode, path, n - 1),
+ path.getToken(n - 1))
+ )
+}
+
+/**
+ * Gets the API node for the given input/output path, evaluated relative to `baseNode`.
+ */
+private API::Node getNodeFromInputOutputPath(API::InvokeNode baseNode, AccessPath path) {
+ result = getNodeFromInputOutputPath(baseNode, path, path.getNumToken())
+}
+
+private predicate summaryStep(API::Node pred, API::Node succ, string kind) {
+ exists(string type, string path, API::InvokeNode base, AccessPath input, AccessPath output |
+ ModelOutput::relevantSummaryModel(type, path, input, output, kind, _) and
+ ModelOutput::resolvedSummaryBase(type, path, base) and
+ pred = getNodeFromInputOutputPath(base, input) and
+ succ = getNodeFromInputOutputPath(base, output)
+ )
+}
+
+/**
+ * Like `ModelOutput::summaryStep` but with API nodes mapped to data-flow nodes.
+ */
+private predicate summaryStepNodes(DataFlow::Node pred, DataFlow::Node succ, string kind) {
+ exists(API::Node predNode, API::Node succNode |
+ summaryStep(predNode, succNode, kind) and
+ pred = predNode.asSink() and
+ succ = succNode.asSource()
+ )
+}
+
+/** Data flow steps induced by summary models of kind `value`. */
+private class DataFlowStepFromSummary extends DataFlow::SharedFlowStep {
+ override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+ summaryStepNodes(pred, succ, "value")
+ }
+}
+
+/** Taint steps induced by summary models of kind `taint`. */
+private class TaintStepFromSummary extends TaintTracking::SharedTaintStep {
+ override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+ summaryStepNodes(pred, succ, "taint")
+ }
+}
diff --git a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml
index c39c17fe3..2c96a58ff 100644
--- a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml
+++ b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml
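Review bot: The file header never states the condition under which this patch should be removed, and a workaround for an upstream library incompatibility without a removal criterion tends to outlive the bug and then silently double up steps once the standard library provides them again; add a sentence such as `Remove once the codeql/javascript-all version pinned in the lockfiles no longer needs it (presumably still required at 2.6.7, which this commit pins).` and fix the typo `summmaryModels` → `summaryModels` in the same comment. `summaryStep` is the only predicate in the file without a QLDoc comment; a one-liner like `/** Holds if a summary model of the given kind induces a step from API node pred to succ. */` would match the rest. Since `DataFlowStepFromSummary` and `TaintStepFromSummary` extend the shared step classes, their comments should also say that every configuration in the pack picks these steps up, so a reader does not mistake them for opt-in steps.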
@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 2.0.0
+ version: 2.0.11
 codeql/javascript-all:
- version: 2.4.0
+ version: 2.6.7
 codeql/mad:
- version: 1.0.16
+ version: 1.0.27
 codeql/regex:
- version: 1.0.16
+ version: 1.0.27
 codeql/ssa:
- version: 1.0.16
+ version: 2.0.3
 codeql/threat-models:
- version: 1.0.16
+ version: 1.0.27
 codeql/tutorial:
- version: 1.0.16
+ version: 1.0.27
 codeql/typetracking:
- version: 2.0.0
+ version: 2.0.11
 codeql/util:
- version: 2.0.3
+ version: 2.0.14
 codeql/xml:
- version: 1.0.16
+ version: 1.0.27
 codeql/yaml:
- version: 1.0.16
+ version: 1.0.27
 compiled: false
diff --git a/javascript/frameworks/ui5/src/codeql-pack.lock.yml b/javascript/frameworks/ui5/src/codeql-pack.lock.yml
index c39c17fe3..2c96a58ff 100644
--- a/javascript/frameworks/ui5/src/codeql-pack.lock.yml
+++ b/javascript/frameworks/ui5/src/codeql-pack.lock.yml
@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 2.0.0
+ version: 2.0.11
 codeql/javascript-all:
- version: 2.4.0
+ version: 2.6.7
 codeql/mad:
- version: 1.0.16
+ version: 1.0.27
 codeql/regex:
- version: 1.0.16
+ version: 1.0.27
 codeql/ssa:
- version: 1.0.16
+ version: 2.0.3
 codeql/threat-models:
- version: 1.0.16
+ version: 1.0.27
 codeql/tutorial:
- version: 1.0.16
+ version: 1.0.27
 codeql/typetracking:
- version: 2.0.0
+ version: 2.0.11
 codeql/util:
- version: 2.0.3
+ version: 2.0.14
 codeql/xml:
- version: 1.0.16
+ version: 1.0.27
 codeql/yaml:
- version: 1.0.16
+ version: 1.0.27
 compiled: false
diff --git a/javascript/frameworks/ui5/test/codeql-pack.lock.yml b/javascript/frameworks/ui5/test/codeql-pack.lock.yml
index 9dd6c6365..e45f447c6 100644
--- a/javascript/frameworks/ui5/test/codeql-pack.lock.yml
+++ b/javascript/frameworks/ui5/test/codeql-pack.lock.yml
@@ -1,32 +1,34 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 2.0.0
+ version: 2.0.11
 codeql/javascript-all:
- version: 2.4.0
+ version: 2.6.7
 codeql/javascript-queries:
- version: 1.4.0
+ version: 2.0.0
 codeql/mad:
- version: 1.0.16
+ version: 1.0.27
 codeql/regex:
- version: 1.0.16
+ version: 1.0.27
 codeql/ssa:
- version: 1.0.16
+ version: 2.0.3
 codeql/suite-helpers:
- version: 1.0.16
+ version: 1.0.27
 codeql/threat-models:
- version: 1.0.16
+ version: 1.0.27
 codeql/tutorial:
- version: 1.0.16
+ version: 1.0.27
 codeql/typetracking:
- version: 2.0.0
+ version: 2.0.11
 codeql/typos:
- version: 1.0.16
+ version: 1.0.27
 codeql/util:
- version: 2.0.3
+ version: 2.0.14
 codeql/xml:
- version: 1.0.16
+ version: 1.0.27
 codeql/yaml:
- version: 1.0.16
+ version: 1.0.27
 compiled: false
diff --git a/javascript/frameworks/ui5/test/qlpack.yml b/javascript/frameworks/ui5/test/qlpack.yml
index c81393a00..924a16a90 100644
--- a/javascript/frameworks/ui5/test/qlpack.yml
+++ b/javascript/frameworks/ui5/test/qlpack.yml
@@ -3,7 +3,10 @@ version: 0.7.0
 extractor: javascript
 dependencies:
 codeql/javascript-all: "^2.4.0"
- codeql/javascript-queries: "^1.2.0"
+ # We use this dependency to run the standard Log Injection query to ensure that
+ # no overlap occurs with the SAP UI5 queries. We therefore allow any version
+ # greater than or equal to 1.2.0, as major breaking changes are not a concern.
+ codeql/javascript-queries: ">1.2.0"
 advanced-security/javascript-sap-ui5-queries: "^0.7.0"
 advanced-security/javascript-sap-ui5-models: "^0.7.0"
 advanced-security/javascript-sap-ui5-all: "^0.7.0"
diff --git a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml
index c39c17fe3..2c96a58ff 100644
--- a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml
+++ b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml
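Review bot: In the qlpack.yml hunk the new constraint `codeql/javascript-queries: ">1.2.0"` contradicts the comment written directly above it, which says "greater than or equal to 1.2.0"; `>1.2.0` excludes 1.2.0 itself, so either the comment or the range should change, e.g. `codeql/javascript-queries: ">=1.2.0"`. The range is also unbounded above, so a fresh resolve can pull in any future major of the queries pack; what actually keeps the test environment reproducible is the ui5/test lockfile in this commit pinning it at 2.0.0, and the comment should say that the lockfile is what guards against drift rather than implying the range itself is safe.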
@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 2.0.0
+ version: 2.0.11
 codeql/javascript-all:
- version: 2.4.0
+ version: 2.6.7
 codeql/mad:
- version: 1.0.16
+ version: 1.0.27
 codeql/regex:
- version: 1.0.16
+ version: 1.0.27
 codeql/ssa:
- version: 1.0.16
+ version: 2.0.3
 codeql/threat-models:
- version: 1.0.16
+ version: 1.0.27
 codeql/tutorial:
- version: 1.0.16
+ version: 1.0.27
 codeql/typetracking:
- version: 2.0.0
+ version: 2.0.11
 codeql/util:
- version: 2.0.3
+ version: 2.0.14
 codeql/xml:
- version: 1.0.16
+ version: 1.0.27
 codeql/yaml:
- version: 1.0.16
+ version: 1.0.27
 compiled: false
diff --git a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml
index c39c17fe3..2c96a58ff 100644
--- a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml
+++ b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml
@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 2.0.0
+ version: 2.0.11
 codeql/javascript-all:
- version: 2.4.0
+ version: 2.6.7
 codeql/mad:
- version: 1.0.16
+ version: 1.0.27
 codeql/regex:
- version: 1.0.16
+ version: 1.0.27
 codeql/ssa:
- version: 1.0.16
+ version: 2.0.3
 codeql/threat-models:
- version: 1.0.16
+ version: 1.0.27
 codeql/tutorial:
- version: 1.0.16
+ version: 1.0.27
 codeql/typetracking:
- version: 2.0.0
+ version: 2.0.11
 codeql/util:
- version: 2.0.3
+ version: 2.0.14
 codeql/xml:
- version: 1.0.16
+ version: 1.0.27
 codeql/yaml:
- version: 1.0.16
+ version: 1.0.27
 compiled: false
diff --git a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml
index c39c17fe3..2c96a58ff 100644
--- a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml
+++ b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml
@@ -1,26 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 2.0.0
+ version: 2.0.11
 codeql/javascript-all:
- version: 2.4.0
+ version: 2.6.7
 codeql/mad:
- version: 1.0.16
+ version: 1.0.27
 codeql/regex:
- version: 1.0.16
+ version: 1.0.27
 codeql/ssa:
- version: 1.0.16
+ version: 2.0.3
 codeql/threat-models:
- version: 1.0.16
+ version: 1.0.27
 codeql/tutorial:
- version: 1.0.16
+ version: 1.0.27
 codeql/typetracking:
- version: 2.0.0
+ version: 2.0.11
 codeql/util:
- version: 2.0.3
+ version: 2.0.14
 codeql/xml:
- version: 1.0.16
+ version: 1.0.27
 codeql/yaml:
- version: 1.0.16
+ version: 1.0.27
 compiled: false
diff --git a/javascript/heuristic-models/tests/codeql-pack.lock.yml b/javascript/heuristic-models/tests/codeql-pack.lock.yml
index 9c7802785..2c96a58ff 100644
--- a/javascript/heuristic-models/tests/codeql-pack.lock.yml
+++ b/javascript/heuristic-models/tests/codeql-pack.lock.yml
@@ -1,24 +1,28 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+ codeql/concepts:
+ version: 0.0.1
 codeql/dataflow:
- version: 0.2.7
+ version: 2.0.11
 codeql/javascript-all:
- version: 0.9.1
+ version: 2.6.7
 codeql/mad:
- version: 0.2.16
+ version: 1.0.27
 codeql/regex:
- version: 0.2.16
+ version: 1.0.27
 codeql/ssa:
- version: 0.2.16
+ version: 2.0.3
+ codeql/threat-models:
+ version: 1.0.27
 codeql/tutorial:
- version: 0.2.16
+ version: 1.0.27
 codeql/typetracking:
- version: 0.2.16
+ version: 2.0.11
 codeql/util:
- version: 0.2.16
+ version: 2.0.14
 codeql/xml:
- version: 0.0.3
+ version: 1.0.27
 codeql/yaml:
- version: 0.2.16
+ version: 1.0.27
 compiled: false
diff --git a/qlt.conf.json b/qlt.conf.json
index 552911a55..f2598893e 100644
--- a/qlt.conf.json
+++ b/qlt.conf.json
@@ -1,5 +1,5 @@
 {
- "CodeQLCLI": "2.20.4",
- "CodeQLStandardLibrary": "codeql-cli/v2.20.4",
- "CodeQLCLIBundle": "codeql-bundle-v2.20.4"
+ "CodeQLCLI": "2.22.2",
+ "CodeQLStandardLibrary": "codeql-cli/v2.22.2",
+ "CodeQLCLIBundle": "codeql-bundle-v2.22.2"
 }
\ No newline at end of file
diff --git a/scripts/codeql-pack.lock.yml b/scripts/codeql-pack.lock.yml
deleted file mode 100644
index 68a286eb2..000000000
--- a/scripts/codeql-pack.lock.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-lockVersion: 1.0.0
-dependencies:
- codeql/dataflow:
- version: 1.1.2
- codeql/javascript-all:
- version: 2.0.0
- codeql/mad:
- version: 1.0.8
- codeql/regex:
- version: 1.0.8
- codeql/ssa:
- version: 1.0.8
- codeql/tutorial:
- version: 1.0.8
- codeql/typetracking:
- version: 1.0.8
- codeql/util:
- version: 1.0.8
- codeql/xml:
- version: 1.0.8
- codeql/yaml:
- version: 1.0.8
-compiled: false