diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 898e4ee..a6d3cae 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,6 +19,8 @@ jobs: steps: - name: "Checkout" uses: actions/checkout@v5 + with: + submodules: true - name: "Check for changes" uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 
@@ -67,24 +69,82 @@ jobs: run: | ./scripts/run-tests.sh "ql/test/${{ matrix.test-folders }}" - docs: + scanning: runs-on: ubuntu-latest + needs: [tests] + + strategy: + matrix: + project: ["hashicorp/terraform-guides", "akamai/terraform-examples", "aws-samples/aws-sam-terraform-examples"] + steps: - - uses: actions/checkout@v5 - - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 - id: changes + - name: "Checkout" + uses: actions/checkout@v5 + with: + submodules: true + + - name: "Checkout" + uses: actions/checkout@v5 + with: + repository: ${{ matrix.project }} + path: project + + - name: "Check for changes" + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 + id: extractor-changes with: filters: | src: - - '**.md' - # lint markdown - - name: "Lint Markdown" - if: steps.changes.outputs.src == 'true' + - 'extractor/**' + - 'rust-toolchain.toml' + - 'Cargo.*' + + - name: "Download Extracter" + if: steps.extractor-changes.outputs.src == 'false' + env: + GH_TOKEN: ${{ github.token }} run: | - npm install -g markdownlint-cli - markdownlint '**.md' --ignore node_modules --disable MD013 + set -e + gh release list -L 1 -R "advanced-security/codeql-extractor-iac" + + gh release download \ + -R "advanced-security/codeql-extractor-iac" \ + --clobber \ + --pattern 'extractor-iac.tar.gz' + + tar -zxf extractor-iac.tar.gz + + - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable + if: steps.extractor-changes.outputs.src == 'true' + + - name: "Build Extractor" + if: steps.extractor-changes.outputs.src == 'true' + env: + GH_TOKEN: ${{ github.token }} + run: | + set -e + gh extensions install github/gh-codeql + gh codeql set-version latest + + ./scripts/create-extractor-pack.sh + + gh codeql resolve languages --format=json --search-path ./extractor-pack - action: + - name: "Run CodeQL Analysis" + env: + GH_TOKEN: ${{ github.token }} + PROJECT_REPO: ${{ matrix.project }} + run: | + set -e + gh extensions 
install github/gh-codeql + gh codeql set-version latest + + gh codeql database create iac-db --language=iac --source-root=./project --search-path ./extractor-pack + + gh codeql database analyze iac-db "advanced-security/iac-queries" --format=sarifv2.1.0 --output="iac-${PROJECT_REPO}.sarif" + + + docs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 @@ -93,11 +153,10 @@ jobs: with: filters: | src: - - '.github/action/**' - - 'action.yml' - - - name: Run action + - '**.md' + # lint markdown + - name: "Lint Markdown" if: steps.changes.outputs.src == 'true' - uses: ./ - with: - extractor-version: latest + run: | + npm install -g markdownlint-cli + markdownlint '**.md' --ignore node_modules --disable MD013 diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..5ea495d --- /dev/null +++ b/.gitmodules @@ -0,0 +1,6 @@ +[submodule "extractor/tree-sitter-hcl"] + path = extractor/tree-sitter-hcl + url = https://github.com/GeekMasher/tree-sitter-hcl +[submodule "extractor/tree-sitter-dockerfile"] + path = extractor/tree-sitter-dockerfile + url = https://github.com/GeekMasher/tree-sitter-dockerfile diff --git a/Cargo.lock b/Cargo.lock index 539457d..f50ee8a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1,12 +1,12 @@ # This file is automatically @generated by Cargo. # It is not intended for manual editing. -version = 3 +version = 4 [[package]] name = "adler2" -version = "2.0.0" +version = "2.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" +checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa" [[package]] name = "aho-corasick" 
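Review bot: In the "Run CodeQL Analysis" step, `--output="iac-${PROJECT_REPO}.sarif"` expands to a path such as `iac-hashicorp/terraform-guides.sarif`, so the SARIF is written into a directory nothing creates (unless the CLI makes parent directories) and is then discarded, because no later step in the job uploads or inspects it; flatten the name, e.g. `--output="iac-${PROJECT_REPO//\//-}.sarif"`, and publish it with `actions/upload-artifact` so a red matrix leg can be inspected. The second checkout takes each `matrix.project` at its default branch and the analyze line uses the unpinned `advanced-security/iac-queries` pack, so a failure is hard to attribute to this commit rather than to upstream drift; pin a `ref:` on that checkout and use `advanced-security/iac-queries@<version>` (placeholder). Since `GH_TOKEN: ${{ github.token }}` is exported to steps that process third-party repositories, a job-level `permissions: contents: read` is worth adding if the workflow's top-level permissions (outside this hunk) are broader. Minor: both checkout steps are named "Checkout", the `dtolnay/rust-toolchain` step has no `name:`, "Extracter" is a typo, and the `gh extensions install` / `gh codeql set-version latest` pair is duplicated in "Build Extractor" and "Run CodeQL Analysis" where a single unconditional setup step would do.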
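Review bot: The self-test of the repository's own action — the `uses: ./` step with `extractor-version: latest`, gated by the `.github/action/**` and `action.yml` filters — is removed here with no replacement, and together with the `- action:` line dropped in the earlier hunk the `action` job disappears from the workflow entirely. The new `scanning` job builds and runs the extractor directly, so a change to `action.yml` or `.github/action/**` no longer triggers any check. If dropping the self-test is intended, say so in the commit message; otherwise keep a job with the old filters and `uses: ./` step next to the markdown lint.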
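Review bot: The two grammars are now carried twice: as submodules here, and still as `git+https://github.com/GeekMasher/tree-sitter-hcl?rev=…` / `tree-sitter-dockerfile?rev=…` sources in the Cargo.lock hunk of this same commit. The submodule gitlinks and the Cargo revisions are pinned independently, so they can silently drift apart. If the submodules are what the build consumes, the extractor's Cargo.toml should reference them with `path =` so the lockfile stops carrying git sources; if they serve another purpose, a one-line comment in `.gitmodules` naming it would help, since which copy the build uses is not visible in this diff.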
@@ -17,12 +17,6 @@ dependencies = [ "memchr", ] -[[package]] -name = "android-tzdata" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0" - [[package]] name = "android_system_properties" version = "0.1.5" @@ -34,9 +28,9 @@ dependencies = [ [[package]] name = "anstream" -version = "0.6.15" +version = "0.6.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64e15c1ab1f89faffbf04a634d5e1962e9074f2741eef6d97f3c4e322426d526" +checksum = "3ae563653d1938f79b1ab1b5e668c87c76a9930414574a6583a7b7e11a8e6192" dependencies = [ "anstyle", "anstyle-parse", 
@@ -49,49 +43,50 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.8" +version = "1.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1bec1de6f59aedf83baf9ff929c98f2ad654b97c9510f4e70cf6f661d49fd5b1" +checksum = "862ed96ca487e809f1c8e5a8447f6ee2cf102f846893800b20cebdf541fc6bbd" [[package]] name = "anstyle-parse" -version = "0.2.5" +version = "0.2.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb47de1e80c2b463c735db5b217a0ddc39d612e7ac9e2e96a5aed1f57616c1cb" +checksum = "4e7644824f0aa2c7b9384579234ef10eb7efb6a0deb83f9630a49594dd9c15c2" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.1.1" +version = "1.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6d36fc52c7f6c869915e99412912f22093507da8d9e942ceaf66fe4b7c14422a" +checksum = "9e231f6134f61b71076a3eab506c379d4f36122f2af15a9ff04415ea4c3339e2" dependencies = [ - "windows-sys", + "windows-sys 0.60.2", ] [[package]] name = "anstyle-wincon" -version = "3.0.4" +version = "3.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5bf74e1b6e971609db8ca7a9ce79fd5768ab6ae46441c572e46cf596f59e57f8" +checksum = "3e0633414522a32ffaac8ac6cc8f748e090c5717661fddeea04219e2344f5f2a" dependencies = [ "anstyle", - "windows-sys", + "once_cell_polyfill", + "windows-sys 0.60.2", ] [[package]] name = "autocfg" -version = "1.3.0" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" +checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" [[package]] name = "bstr" -version = "1.10.0" +version = "1.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40723b8fb387abc38f4f4a37c09073622e41dd12327033091ef8950659e6dc0c" +checksum = "234113d19d0d7d613b40e86fb654acf958910802bcceab913a4f9e7cda03b1a4" dependencies = 
[ "memchr", "serde", @@ -99,45 +94,45 @@ dependencies = [ [[package]] name = "bumpalo" -version = "3.16.0" +version = "3.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c" +checksum = "46c5e41b57b8bba42a04676d81cb89e9ee8e859a1a66f80a5a72e1cb76b34d43" [[package]] name = "cc" -version = "1.1.28" +version = "1.2.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2e80e3b6a3ab07840e1cae9b0666a63970dc28e8ed5ffbcdacbfc760c281bfc1" +checksum = "5252b3d2648e5eedbc1a6f501e3c795e07025c1e93bbf8bbdd6eef7f447a6d54" dependencies = [ + "find-msvc-tools", "shlex", ] [[package]] name = "cfg-if" -version = "1.0.0" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" +checksum = "2fd1289c04a9ea8cb22300a459a72a385d7c73d3259e2ed7dcb2af674838cfa9" [[package]] name = "chrono" -version = "0.4.38" +version = "0.4.42" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a21f936df1771bf62b77f047b726c4625ff2e8aa607c01ec06e5a05bd8463401" +checksum = "145052bdd345b87320e369255277e3fb5152762ad123a901ef5c262dd38fe8d2" dependencies = [ - "android-tzdata", "iana-time-zone", "js-sys", "num-traits", "serde", "wasm-bindgen", - "windows-targets", + "windows-link 0.2.0", ] [[package]] name = "clap" -version = "4.5.41" +version = "4.5.47" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be92d32e80243a54711e5d7ce823c35c41c9d929dc4ab58e1276f625841aadf9" +checksum = "7eac00902d9d136acd712710d71823fb8ac8004ca445a89e73a41d45aa712931" dependencies = [ "clap_builder", "clap_derive", 
@@ -145,9 +140,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.41" +version = "4.5.47" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "707eab41e9622f9139419d573eca0900137718000c517d47da73045f54331c3d" +checksum = "2ad9bbf750e73b5884fb8a211a9424a1906c1e156724260fdae972f31d70e1d6" dependencies = [ "anstream", "anstyle", @@ -157,9 +152,9 @@ dependencies = [ [[package]] name = "clap_derive" -version = "4.5.41" +version = "4.5.47" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef4f52386a59ca4c860f7393bcf8abd8dfd91ecccc0f774635ff68e92eeef491" +checksum = "bbfd7eae0b0f1a6e63d4b13c9c478de77c2eb546fba158ad50b4203dc24b9f9c" dependencies = [ "heck", "proc-macro2", @@ -169,14 +164,14 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.7.4" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" +checksum = "b94f61472cee1439c0b966b47e3aca9ae07e45d070759512cd390ea2bebc6675" [[package]] name = "codeql-extractor" version = "0.2.0" -source = "git+https://github.com/github/codeql?rev=839ca60f90f918b567e192642b0cc3003803f482#839ca60f90f918b567e192642b0cc3003803f482" +source = "git+https://github.com/github/codeql?rev=c524a98eb91c769cb2994b8373181c2ebd27c20f#c524a98eb91c769cb2994b8373181c2ebd27c20f" dependencies = [ "chrono", "encoding", @@ -189,7 +184,8 @@ dependencies = [ "serde", "serde_json", "tracing", - "tree-sitter 0.20.10", + "tracing-subscriber", + "tree-sitter", ] [[package]] 
@@ -203,17 +199,16 @@ dependencies = [ "regex", "tracing", "tracing-subscriber", - "tree-sitter 0.24.7", - "tree-sitter-bicep", + "tree-sitter", "tree-sitter-dockerfile", "tree-sitter-hcl", ] [[package]] name = "colorchoice" -version = "1.0.2" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0" +checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75" [[package]] name = "core-foundation-sys" @@ -223,18 +218,18 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" [[package]] name = "crc32fast" -version = "1.4.2" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3" +checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511" dependencies = [ "cfg-if", ] [[package]] name = "crossbeam-deque" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "613f8cc01fe9cf1a3eb3d7f488fd2fa8388403e97039e2f73692932e291a770d" +checksum = "9dd111b7b7f7d55b72c0a6ae361660ee5853c9af73f70c3c2ef6858b950e2e51" dependencies = [ "crossbeam-epoch", "crossbeam-utils", @@ -251,15 +246,15 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.20" +version = "0.8.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80" +checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" [[package]] name = "either" -version = "1.13.0" +version = "1.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0" +checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719" [[package]] name = "encoding" 
@@ -325,6 +320,12 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a246d82be1c9d791c5dfde9a2bd045fc3cbba3fa2b11ad558f27d01712f00569" +[[package]] +name = "find-msvc-tools" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d" + [[package]] name = "flate2" version = "1.1.2" @@ -337,9 +338,9 @@ dependencies = [ [[package]] name = "globset" -version = "0.4.15" +version = "0.4.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15f1ce686646e7f1e19bf7d5533fe443a45dbfb990e00629110797578b42fb19" +checksum = "54a1028dfc5f5df5da8a56a73e6c153c9a9708ec57232470703592a3f18e49f5" dependencies = [ "aho-corasick", "bstr", @@ -356,20 +357,21 @@ checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" [[package]] name = "hermit-abi" -version = "0.3.9" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024" +checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c" [[package]] name = "iana-time-zone" -version = "0.1.60" +version = "0.1.63" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141" +checksum = "b0c919e5debc312ad217002b8048a17b7d83f80703865bbfcfebb0458b0b27d8" dependencies = [ "android_system_properties", "core-foundation-sys", "iana-time-zone-haiku", "js-sys", + "log", "wasm-bindgen", "windows-core", ] 
@@ -391,16 +393,17 @@ checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf" [[package]] name = "itoa" -version = "1.0.11" +version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" +checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" [[package]] name = "js-sys" -version = "0.3.70" +version = "0.3.78" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1868808506b929d7b0cfa8f75951347aa71bb21144b7791bae35d9bccfcfe37a" +checksum = "0c0b063578492ceec17683ef2f8c5e89121fbd0b172cbc280635ab7567db2738" dependencies = [ + "once_cell", "wasm-bindgen", ] @@ -412,15 +415,15 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" [[package]] name = "libc" -version = "0.2.158" +version = "0.2.175" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" +checksum = "6a82ae493e598baaea5209805c49bbf2ea7de956d50d7da0da1164f9c6d28543" [[package]] name = "log" -version = "0.4.22" +version = "0.4.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24" +checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432" [[package]] name = "matchers" 
@@ -433,15 +436,15 @@ dependencies = [ [[package]] name = "memchr" -version = "2.7.4" +version = "2.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" +checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0" [[package]] name = "miniz_oxide" -version = "0.8.5" +version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e3e04debbb59698c15bacbb6d93584a8c0ca9cc3213cb423d31f760d8843ce5" +checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316" dependencies = [ "adler2", ] @@ -452,7 +455,7 @@ version = "0.50.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d4a28e057d01f97e61255210fcff094d74ed0466038633e95017f5beb68e4399" dependencies = [ - "windows-sys", + "windows-sys 0.52.0", ] [[package]] @@ -466,9 +469,9 @@ dependencies = [ [[package]] name = "num_cpus" -version = "1.16.0" +version = "1.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" +checksum = "91df4bbde75afed763b708b7eee1e8e7651e02d97f6d5dd763e89367e957b23b" dependencies = [ "hermit-abi", "libc", 
@@ -476,39 +479,45 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.19.0" +version = "1.21.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d" + +[[package]] +name = "once_cell_polyfill" +version = "1.70.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a4895175b425cb1f87721b59f0f286c2092bd4af812243672510e1ac53e2e0ad" [[package]] name = "pin-project-lite" -version = "0.2.14" +version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02" +checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b" [[package]] name = "proc-macro2" -version = "1.0.86" +version = "1.0.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" +checksum = "89ae43fd86e4158d6db51ad8e2b80f313af9cc74f5c0e03ccb87de09998732de" dependencies = [ "unicode-ident", ] [[package]] name = "quote" -version = "1.0.37" +version = "1.0.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" +checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d" dependencies = [ "proc-macro2", ] [[package]] name = "rayon" -version = "1.10.0" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b418a60154510ca1a002a752ca9714984e21e4241e804d32555251faf8b78ffa" +checksum = "368f01d005bf8fd9b1206fb6fa653e6c4a81ceb1466406b81792d87c5677a58f" dependencies = [ "either", "rayon-core", 
@@ -516,9 +525,9 @@ dependencies = [ [[package]] name = "rayon-core" -version = "1.12.1" +version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1465873a3dfdaa8ae7cb14b4383657caab0b3e8a0aa9ae8e04b044854c8dfce2" +checksum = "22e18b0f0062d30d4230b2e85ff77fdfe4326feb054b9783a3460d8435c8ab91" dependencies = [ "crossbeam-deque", "crossbeam-utils", @@ -526,9 +535,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.11.1" +version = "1.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191" +checksum = "23d7fd106d8c02486a8d64e778353d1cffe08ce79ac2e82f540c86d0facf6912" dependencies = [ "aho-corasick", "memchr", @@ -538,9 +547,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.8" +version = "0.4.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "368758f23274712b504848e9d5a6f010445cc8b87a7cdb4d7cbee666c1288da3" +checksum = "6b9458fa0bfeeac22b5ca447c63aaf45f28439a709ccd244698632f9aa6394d6" dependencies = [ "aho-corasick", "memchr", 
@@ -549,30 +558,36 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.5" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "caf4aa5b0f434c91fe5c7f1ecb6a5ece2130b02ad2a590589dda5146df959001" + +[[package]] +name = "rustversion" +version = "1.0.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" +checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d" [[package]] name = "ryu" -version = "1.0.18" +version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" +checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" [[package]] name = "serde" -version = "1.0.210" +version = "1.0.219" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" +checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.210" +version = "1.0.219" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" +checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00" dependencies = [ "proc-macro2", "quote", @@ -581,9 +596,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.128" +version = "1.0.143" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8" +checksum = "d401abef1d108fbd9cbaebc3e46611f4b1021f714a0597a71f41ee463f5f4a5a" dependencies = [ "itoa", "memchr", 
@@ -608,9 +623,9 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" [[package]] name = "smallvec" -version = "1.13.2" +version = "1.15.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" +checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03" [[package]] name = "streaming-iterator" @@ -626,9 +641,9 @@ checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" [[package]] name = "syn" -version = "2.0.77" +version = "2.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" +checksum = "ede7c438028d4436d71104916910f5bb611972c5cfd7f89b8300a8186e6fada6" dependencies = [ "proc-macro2", "quote", @@ -637,12 +652,11 @@ dependencies = [ [[package]] name = "thread_local" -version = "1.1.8" +version = "1.1.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c" +checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185" dependencies = [ "cfg-if", - "once_cell", ] [[package]] @@ -658,9 +672,9 @@ dependencies = [ [[package]] name = "tracing-attributes" -version = "0.1.28" +version = "0.1.30" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "395ae124c09f9e6918a2310af6038fba074bcf474ac352496d5910dd59a2226d" +checksum = "81383ab64e72a7a8b8e13130c49e3dab29def6d0c7d76a03087b3cf71c5c6903" dependencies = [ "proc-macro2", "quote", 
@@ -669,9 +683,9 @@ dependencies = [ [[package]] name = "tracing-core" -version = "0.1.33" +version = "0.1.34" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e672c95779cf947c5311f83787af4fa8fffd12fb27e4993211a84bdfd9610f9c" +checksum = "b9d12581f227e93f094d3af2ae690a574abb8a2b9b7a96e7cfe9647b2b617678" dependencies = [ "once_cell", "valuable", @@ -706,16 +720,6 @@ dependencies = [ "tracing-log", ] -[[package]] -name = "tree-sitter" -version = "0.20.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e747b1f9b7b931ed39a548c1fae149101497de3c1fc8d9e18c62c1a66c683d3d" -dependencies = [ - "cc", - "regex", -] - [[package]] name = "tree-sitter" version = "0.24.7" 
@@ -729,44 +733,35 @@ dependencies = [ "tree-sitter-language", ] -[[package]] -name = "tree-sitter-bicep" -version = "1.0.1" -source = "git+https://github.com/GeekMasher/tree-sitter-bicep?rev=0092c7d1bd6bb22ce0a6f78497d50ea2b87f19c0#0092c7d1bd6bb22ce0a6f78497d50ea2b87f19c0" -dependencies = [ - "cc", - "tree-sitter 0.20.10", -] - [[package]] name = "tree-sitter-dockerfile" -version = "0.1.0" -source = "git+https://github.com/GeekMasher/tree-sitter-dockerfile?rev=439c3e7b8a9bfdbf1f7d7c2beaae4173dc484cbf#439c3e7b8a9bfdbf1f7d7c2beaae4173dc484cbf" +version = "0.2.0" +source = "git+https://github.com/GeekMasher/tree-sitter-dockerfile?rev=54af8c9009d1c55f47e09fc896ba9857edf09f23#54af8c9009d1c55f47e09fc896ba9857edf09f23" dependencies = [ "cc", - "tree-sitter 0.20.10", + "tree-sitter-language", ] [[package]] name = "tree-sitter-hcl" version = "0.0.1" -source = "git+https://github.com/GeekMasher/tree-sitter-hcl?rev=5e045dd1ff7852511c249c4c5d919d9556751d98#5e045dd1ff7852511c249c4c5d919d9556751d98" +source = "git+https://github.com/GeekMasher/tree-sitter-hcl?rev=3e0539c5fe690b353af38dce1423880d0f0c81f9#3e0539c5fe690b353af38dce1423880d0f0c81f9" dependencies = [ "cc", - "tree-sitter 0.20.10", + "tree-sitter-language", ] [[package]] name = "tree-sitter-language" -version = "0.1.0" +version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2545046bd1473dac6c626659cc2567c6c0ff302fc8b84a56c4243378276f7f57" +checksum = "c4013970217383f67b18aef68f6fb2e8d409bc5755227092d32efb0422ba24b8" [[package]] name = "unicode-ident" -version = "1.0.13" +version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe" +checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512" [[package]] name = "utf8parse" 
@@ -776,30 +771,31 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "valuable" -version = "0.1.0" +version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" +checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65" [[package]] name = "wasm-bindgen" -version = "0.2.93" +version = "0.2.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a82edfc16a6c469f5f44dc7b571814045d60404b55a0ee849f9bcfa2e63dd9b5" +checksum = "7e14915cadd45b529bb8d1f343c4ed0ac1de926144b746e2710f9cd05df6603b" dependencies = [ "cfg-if", "once_cell", + "rustversion", "wasm-bindgen-macro", + "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-backend" -version = "0.2.93" +version = "0.2.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9de396da306523044d3302746f1208fa71d7532227f15e347e2d93e4145dd77b" +checksum = "e28d1ba982ca7923fd01448d5c30c6864d0a14109560296a162f80f305fb93bb" dependencies = [ "bumpalo", "log", - "once_cell", "proc-macro2", "quote", "syn", @@ -808,9 +804,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.93" +version = "0.2.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "585c4c91a46b072c92e908d99cb1dcdf95c5218eeb6f3bf1efa991ee7a68cccf" +checksum = "7c3d463ae3eff775b0c45df9da45d68837702ac35af998361e2c84e7c5ec1b0d" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -818,9 +814,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.93" +version = "0.2.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" +checksum = "7bb4ce89b08211f923caf51d527662b75bdc9c9c7aab40f86dcb9fb85ac552aa" dependencies = [ "proc-macro2", "quote", 
@@ -831,17 +827,76 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.93" +version = "0.2.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c62a0a307cb4a311d3a07867860911ca130c3494e8c2719593806c08bc5d0484" +checksum = "f143854a3b13752c6950862c906306adb27c7e839f7414cec8fea35beab624c1" +dependencies = [ + "unicode-ident", +] [[package]] name = "windows-core" -version = "0.52.0" +version = "0.61.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c0fdd3ddb90610c7638aa2b3a3ab2904fb9e5cdbecc643ddb3647212781c4ae3" +dependencies = [ + "windows-implement", + "windows-interface", + "windows-link 0.1.3", + "windows-result", + "windows-strings", +] + +[[package]] +name = "windows-implement" +version = "0.60.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9" +checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836" dependencies = [ - "windows-targets", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "windows-interface" +version = "0.59.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "windows-link" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a" + +[[package]] +name = "windows-link" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "45e46c0661abb7180e7b9c281db115305d49ca1709ab8242adf09666d2173c65" + +[[package]] +name = "windows-result" +version = "0.3.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56f42bd332cc6c8eac5af113fc0c1fd6a8fd2aa08a0119358686e5160d0586c6" +dependencies = [ + 
"windows-link 0.1.3", +] + +[[package]] +name = "windows-strings" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56e6c93f3a0c3b36176cb1327a4958a0353d5d166c2a35cb268ace15e91d3b57" +dependencies = [ + "windows-link 0.1.3", ] [[package]] @@ -850,7 +905,16 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets", + "windows-targets 0.52.6", +] + +[[package]] +name = "windows-sys" +version = "0.60.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb" +dependencies = [ + "windows-targets 0.53.3", ] [[package]] @@ -859,14 +923,31 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_gnullvm", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", + "windows_aarch64_gnullvm 0.52.6", + "windows_aarch64_msvc 0.52.6", + "windows_i686_gnu 0.52.6", + "windows_i686_gnullvm 0.52.6", + "windows_i686_msvc 0.52.6", + "windows_x86_64_gnu 0.52.6", + "windows_x86_64_gnullvm 0.52.6", + "windows_x86_64_msvc 0.52.6", +] + +[[package]] +name = "windows-targets" +version = "0.53.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d5fe6031c4041849d7c496a8ded650796e7b6ecc19df1a431c1a363342e5dc91" +dependencies = [ + "windows-link 0.1.3", + "windows_aarch64_gnullvm 0.53.0", + "windows_aarch64_msvc 0.53.0", + "windows_i686_gnu 0.53.0", + "windows_i686_gnullvm 0.53.0", + "windows_i686_msvc 0.53.0", + "windows_x86_64_gnu 0.53.0", + "windows_x86_64_gnullvm 0.53.0", + "windows_x86_64_msvc 0.53.0", ] [[package]] 
@@ -875,44 +956,92 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764" + [[package]] name = "windows_aarch64_msvc" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" +[[package]] +name = "windows_aarch64_msvc" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c" + [[package]] name = "windows_i686_gnu" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" +[[package]] +name = "windows_i686_gnu" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c1dc67659d35f387f5f6c479dc4e28f1d4bb90ddd1a5d3da2e5d97b42d6272c3" + [[package]] name = "windows_i686_gnullvm" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" +[[package]] +name = "windows_i686_gnullvm" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11" + [[package]] name = "windows_i686_msvc" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" +[[package]] +name = "windows_i686_msvc" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d" + [[package]] name = "windows_x86_64_gnu" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" +[[package]] +name = "windows_x86_64_gnu" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba" + [[package]] name = "windows_x86_64_gnullvm" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57" + [[package]] name = "windows_x86_64_msvc" version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.53.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486" diff --git a/Cargo.toml b/Cargo.toml index 107618e..9adb710 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,2 +1,3 @@ [workspace] +resolver = "2" members = ["extractor"] diff --git a/README.md b/README.md index c397163..a105d29 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,7 @@ -# codeql-extractor-iac -
-:warning: **This project is in early development and is not supported by GitHub or CodeQL** :warning: +

CodeQL IaC Extractor, Libraries, and Queries

[![GitHub](https://img.shields.io/badge/github-%23121011.svg?style=for-the-badge&logo=github&logoColor=white)](https://github.com/advanced-security/codeql-extractor-iac) [![GitHub Actions](https://img.shields.io/github/actions/workflow/status/advanced-security/codeql-extractor-iac/publish.yml?style=for-the-badge)](https://github.com/advanced-security/codeql-extractor-iac/actions/workflows/publish.yml?query=branch%3Amain) @@ -14,6 +12,12 @@
+> [!NOTE] +> This is **not** an official GitHub project and is not supported by the CodeQL team. +> This is a community project. + +## Overview + [CodeQL][codeql] Extractor, Library, and Queries for Infrastructure as Code. ## Usage diff --git a/action.yml b/action.yml index 92c4904..44b6f4e 100644 --- a/action.yml +++ b/action.yml @@ -1,22 +1,31 @@ -name: "codeql-extractor-iac" -description: "CodeQL Extractor for Infrastructure as Code" +name: "CodeQL IaC Extractor" +description: "CodeQL IaC Extractor GitHub Action" +author: "GitHub Security Lab" +branding: + color: "blue" + icon: "lock" inputs: token: - description: GitHub Token + description: > + The GitHub token used to make authenticated API requests. default: ${{ github.token }} + required: false - source-root: - description: "Path of the root source code directory, relative to $GITHUB_WORKSPACE." - default: "./" - - extractor-version: - description: "Pin to a version of the IaC Extractor to use (release tag)." - - sarif: - description: "SARIF File Output" - default: "codeql-iac.sarif" +outputs: + sarif-results: + description: > + The path to the SARIF results file generated by the extractor. + value: ${{ steps.extractor.outputs.sarif_results }} runs: - using: "node16" - main: ".github/action/dist/index.js" + using: "composite" + steps: + - name: "CodeQL Extractor Action" + uses: advanced-security/codeql-extractor-action@v0.1.0 + id: extractor + with: + token: ${{ inputs.token }} + extractors: "advanced-security/codeql-extractor-iac@v0.4.1,githubsecuritylab/codeql-extractor-bicep@v0.2.3" + packs: advanced-security/iac-queries,githubsecuritylab/bicep-queries + languages: "iac,bicep" diff --git a/extractor/Cargo.toml b/extractor/Cargo.toml index aa5455f..9b5248c 100644 --- a/extractor/Cargo.toml +++ b/extractor/Cargo.toml 
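Review bot: `uses: advanced-security/codeql-extractor-action@v0.1.0` in the new composite `steps:` resolves a mutable tag, and the step forwards `token: ${{ inputs.token }}` to it, so a retagged release would run with the caller's token; pinning the full commit SHA with a trailing `# v0.1.0` comment keeps that dependency immutable. The `extractors:` value also bakes in `advanced-security/codeql-extractor-iac@v0.4.1`, the same number as `version = "0.4.1"` in extractor/Cargo.toml, and with the `extractor-version` input removed callers can no longer override it, so a comment such as `# Keep in sync with extractor/Cargo.toml [package].version` above `extractors:` would make the release bump obvious. Worth confirming that the downstream action's output is really spelled `sarif_results` (underscore), since the exposed output is `sarif-results` and a mismatch would silently yield an empty path. Minor style point: `packs:` is a plain scalar while `extractors:` and `languages:` are quoted; quoting all three consistently avoids a surprise if a pack name ever starts with a YAML indicator.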
@@ -2,23 +2,27 @@ name = "codeql-extractor-iac" version = "0.4.1" authors = ["GitHub"] -edition = "2018" + +edition = "2024" +rust-version = "1.85" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] -# TreeSitter Grammars -tree-sitter = ">= 0.20, < 0.25" -tree-sitter-hcl = { git = "https://github.com/GeekMasher/tree-sitter-hcl", rev = "5e045dd1ff7852511c249c4c5d919d9556751d98" } -tree-sitter-dockerfile = { git = "https://github.com/GeekMasher/tree-sitter-dockerfile", rev = "439c3e7b8a9bfdbf1f7d7c2beaae4173dc484cbf" } -tree-sitter-bicep = { git = "https://github.com/GeekMasher/tree-sitter-bicep", rev = "0092c7d1bd6bb22ce0a6f78497d50ea2b87f19c0" } - -# CodeQL 2.17.0 -codeql-extractor = { git = "https://github.com/github/codeql", rev = "839ca60f90f918b567e192642b0cc3003803f482" } - flate2 = "1.1" clap = { version = "4.5", features = ["derive"] } tracing = "0.1" -tracing-subscriber = { version = "0.3.20", features = ["env-filter"] } -rayon = "1.10.0" -regex = "1.11.1" +tracing-subscriber = { version = "0.3", features = ["env-filter"] } +rayon = "1.10" +regex = "1.11" + +# TreeSitter +tree-sitter = "^0.24" +# Grammars +# tree-sitter-hcl = { path = "./tree-sitter-hcl" } +tree-sitter-hcl = { git = "https://github.com/GeekMasher/tree-sitter-hcl", rev = "3e0539c5fe690b353af38dce1423880d0f0c81f9" } +# tree-sitter-dockerfile = { path = "./tree-sitter-dockerfile" } +tree-sitter-dockerfile = { git = "https://github.com/GeekMasher/tree-sitter-dockerfile", rev = "54af8c9009d1c55f47e09fc896ba9857edf09f23" } + +# CodeQL - v2.20.4 +codeql-extractor = { git = "https://github.com/github/codeql", rev = "c524a98eb91c769cb2994b8373181c2ebd27c20f" } diff --git a/extractor/README.md b/extractor/README.md new file mode 100644 index 0000000..a3c7fb7 --- /dev/null +++ b/extractor/README.md 
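Review bot: The `rev` pins for the grammar crates do not match the submodule commits added in the same commit: `tree-sitter-hcl` is pinned to `3e0539c5fe690b353af38dce1423880d0f0c81f9` while the `extractor/tree-sitter-hcl` submodule is at `64adaadf17a1ef0e5269f845eecfa0c0e5682c89`, and `tree-sitter-dockerfile` is pinned to `54af8c9009d1c55f47e09fc896ba9857edf09f23` while its submodule is at `56cd7a48f7a9c80246c34238f618c2fa390de633`. Because the `path = "./tree-sitter-hcl"` / `path = "./tree-sitter-dockerfile"` alternatives are commented out, the build consumes the git `rev`, so the submodules are either unused or will drift from what ships unless something outside this diff uses them. A comment above `# Grammars` stating which one is authoritative, e.g. `# The git rev below is what is built; the submodules are only for local grammar development`, would stop the next bump from updating one but not the other. The `# CodeQL - v2.20.4` annotation is a good pattern; the grammar pins would benefit from the same version or date note next to each `rev`.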
@@ -0,0 +1,12 @@ +# Extractor + +## TreeSitter + +| Tool/Library | Version | Description | +| ------------------------------------------------------------------ | ------- | ------------------------------------------------------------------ | +| Tree-Sitter | 0.24 | Core library for parsing code using TreeSitter | +| [Tree-Sitter CLI](https://crates.io/crates/tree-sitter-cli/0.24.5) | 0.24.5 | Command-line interface for TreeSitter, used for generating parsers | +| Tree-Sitter Language (*1) | 14 | Version of the TreeSitter language grammar | +| CodeQL Extractor | 2.20.4 | Base CodeQL extractor version | + +1: Tree-Sitter language versions can cause issues if its newer than the supported CodeQL version. diff --git a/extractor/src/autobuilder.rs b/extractor/src/autobuilder.rs index ac24127..9b69ea5 100644 --- a/extractor/src/autobuilder.rs +++ b/extractor/src/autobuilder.rs @@ -19,7 +19,6 @@ pub fn run(_: Options) -> std::io::Result<()> { ".tf", ".ftvars", // Terraform / HCL files ".Dockerfile", // Docker files - ".bicep", // Bicep files ]) .include_globs(&[ "**/Dockerfile", diff --git a/extractor/src/extractor.rs b/extractor/src/extractor.rs index 414bd27..814d4b9 100644 --- a/extractor/src/extractor.rs +++ b/extractor/src/extractor.rs @@ -1,8 +1,7 @@ use clap::Args; use std::path::PathBuf; -use codeql_extractor::extractor::simple; -use codeql_extractor::trap; +use codeql_extractor::{extractor::simple, file_paths, trap}; #[derive(Args)] pub struct Options { @@ -16,7 +15,7 @@ pub struct Options { /// A text file containing the paths of the files to extract #[arg(long)] - file_list: PathBuf, + file_list: String, } pub fn run(options: Options) -> std::io::Result<()> { 
@@ -27,32 +26,29 @@ pub fn run(options: Options) -> std::io::Result<()> { .with_env_filter(tracing_subscriber::EnvFilter::from_default_env()) .init(); + let file_list = file_paths::path_from_string(&options.file_list); + let file_lists: Vec = vec![file_list]; + let extractor = simple::Extractor { prefix: "iac".to_string(), languages: vec![ simple::LanguageSpec { prefix: "hcl", - ts_language: tree_sitter_hcl::language(), + ts_language: tree_sitter_hcl::LANGUAGE.into(), node_types: tree_sitter_hcl::NODE_TYPES, file_globs: vec!["*.hcl".into(), "*.tf".into(), "*.tfvar".into()], }, simple::LanguageSpec { prefix: "dockerfile", - ts_language: tree_sitter_dockerfile::language(), + ts_language: tree_sitter_dockerfile::LANGUAGE.into(), node_types: tree_sitter_dockerfile::NODE_TYPES, file_globs: vec!["*Dockerfile".into(), "*Containerfile".into()], }, - simple::LanguageSpec { - prefix: "bicep", - ts_language: tree_sitter_bicep::language(), - node_types: tree_sitter_bicep::NODE_TYPES, - file_globs: vec!["*.bicep".into()], - }, ], trap_dir: options.output_dir, trap_compression: trap::Compression::from_env("CODEQL_IAC_TRAP_COMPRESSION"), source_archive_dir: options.source_archive_dir, - file_list: options.file_list, + file_lists, }; extractor.run() diff --git a/extractor/src/generator.rs b/extractor/src/generator.rs index 14d453f..538055c 100644 --- a/extractor/src/generator.rs +++ b/extractor/src/generator.rs @@ -31,10 +31,6 @@ pub fn run(options: Options) -> std::io::Result<()> { name: "DOCKERFILE".to_owned(), node_types: tree_sitter_dockerfile::NODE_TYPES, }, - Language { - name: "BICEP".to_owned(), - node_types: tree_sitter_bicep::NODE_TYPES, - }, ]; generate(languages, options.dbscheme, options.library) diff --git a/extractor/tree-sitter-dockerfile b/extractor/tree-sitter-dockerfile new file mode 160000 index 0000000..56cd7a4 --- /dev/null +++ b/extractor/tree-sitter-dockerfile @@ -0,0 +1 @@ +Subproject commit 56cd7a48f7a9c80246c34238f618c2fa390de633 
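Review bot: `let file_lists: Vec = vec![file_list];` has no type parameter as rendered; presumably `Vec<PathBuf>` was lost in extraction, but if the annotation really is bare the line will not compile, so it is worth checking against the file. The wrapping of the single `file_paths::path_from_string(&options.file_list)` result into a one-element vector is not explained; a comment such as `// simple::Extractor now takes a list of file-list paths; this CLI is given exactly one` would make the intent clear to the next reader. In the unchanged context the HCL spec still uses the glob `"*.tfvar"` while autobuilder.rs lists the extension `".ftvars"`; neither matches Terraform's `.tfvars`, which is pre-existing but means variable files are likely skipped on both sides. run() begins before and continues past this hunk.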
diff --git a/extractor/tree-sitter-hcl b/extractor/tree-sitter-hcl new file mode 160000 index 0000000..64adaad --- /dev/null +++ b/extractor/tree-sitter-hcl @@ -0,0 +1 @@ +Subproject commit 64adaadf17a1ef0e5269f845eecfa0c0e5682c89 diff --git a/ql/lib/bicep.qll b/ql/lib/bicep.qll deleted file mode 100644 index f647508..0000000 --- a/ql/lib/bicep.qll +++ /dev/null @@ -1,7 +0,0 @@ -import codeql.Locations -import codeql.files.FileSystem -import codeql.bicep.AST -// Resources -import codeql.bicep.microsoft.Compute -import codeql.bicep.microsoft.Storage -import codeql.bicep.microsoft.Network diff --git a/ql/lib/codeql-pack.lock.yml b/ql/lib/codeql-pack.lock.yml index 87cfce3..69ce09b 100644 --- a/ql/lib/codeql-pack.lock.yml +++ b/ql/lib/codeql-pack.lock.yml @@ -2,7 +2,7 @@ lockVersion: 1.0.0 dependencies: codeql/util: - version: 0.1.2 + version: 1.0.12 codeql/yaml: - version: 0.1.5 + version: 1.0.25 compiled: false diff --git a/ql/lib/codeql/bicep/AST.qll b/ql/lib/codeql/bicep/AST.qll deleted file mode 100644 index 97e2427..0000000 --- a/ql/lib/codeql/bicep/AST.qll +++ /dev/null @@ -1,4 +0,0 @@ -import codeql.bicep.ast.AstNodes -import codeql.bicep.ast.Expr -import codeql.bicep.ast.Literal -import codeql.bicep.ast.Resources diff --git a/ql/lib/codeql/bicep/ast/AstNodes.qll b/ql/lib/codeql/bicep/ast/AstNodes.qll deleted file mode 100644 index 16847a2..0000000 --- a/ql/lib/codeql/bicep/ast/AstNodes.qll +++ /dev/null 
@@ -1,67 +0,0 @@ -private import codeql.Locations -private import codeql.files.FileSystem -private import codeql.iac.ast.internal.Bicep - -/** An AST node of a Bicep program */ -class BicepAstNode extends TBicepAstNode { - string toString() { result = this.getAPrimaryQlClass() } - - /** Gets the location of the AST node. */ - cached - Location getLocation() { result = this.getFullLocation() } // overridden in some subclasses - - /** Gets the file containing this AST node. */ - cached - File getFile() { result = this.getFullLocation().getFile() } - - /** Gets the location that spans the entire AST node. */ - cached - final Location getFullLocation() { result = toBicepTreeSitter(this).getLocation() } - - predicate hasLocationInfo( - string filepath, int startline, int startcolumn, int endline, int endcolumn - ) { - if exists(this.getLocation()) - then this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) - else ( - filepath = "" and - startline = 0 and - startcolumn = 0 and - endline = 0 and - endcolumn = 0 - ) - } - - /** - * Gets the parent in the AST for this node. - */ - cached - BicepAstNode getParent() { result.getAChild(_) = this } - - /** - * Gets a child of this node, which can also be retrieved using a predicate - * named `pred`. - */ - cached - BicepAstNode getAChild(string pred) { none() } - - /** Gets any child of this node. */ - BicepAstNode getAChild() { result = this.getAChild(_) } - - /** - * Gets the primary QL class for the ast node. - */ - string getAPrimaryQlClass() { result = "???" } -} - -class Comment extends BicepAstNode, TComment { - override string getAPrimaryQlClass() { result = "Comment" } -} - -class Infrastructure extends BicepAstNode, TInfrastructure { - private BICEP::Infrastructure infrastructure; - - override string getAPrimaryQlClass() { result = "Infrastructure" } - - Infrastructure() { this = TInfrastructure(infrastructure) } -} 
diff --git a/ql/lib/codeql/bicep/ast/Expr.qll b/ql/lib/codeql/bicep/ast/Expr.qll deleted file mode 100644 index 9e6f7d8..0000000 --- a/ql/lib/codeql/bicep/ast/Expr.qll +++ /dev/null 
@@ -1,122 +0,0 @@ -private import codeql.iac.ast.internal.Bicep -private import codeql.bicep.ast.AstNodes - -class Expr extends BicepAstNode, TExpr { - override string getAPrimaryQlClass() { result = "Expr" } -} - -class Identifier extends Expr, TIdentifier { - private BICEP::Identifier identifier; - - override string getAPrimaryQlClass() { result = "Identifier" } - - Identifier() { this = TIdentifier(identifier) } - - override string toString() { result = this.getName() } - - string getName() { result = identifier.getValue() } -} - -class Expression extends Expr, TExpression { - private BICEP::Expression expression; - - override string getAPrimaryQlClass() { result = "Expression" } - - Expression() { this = TExpression(expression) } -} - -class AssignmentExpr extends Expr, TAssignmentExpression { - BICEP::AssignmentExpression aexpr; - - override string getAPrimaryQlClass() { result = "AssignmentExpr" } - - AssignmentExpr() { this = TAssignmentExpression(aexpr) } -} - -class BinaryExpr extends Expr, TBinaryExpression { - BICEP::BinaryExpression bexpr; - - override string getAPrimaryQlClass() { result = "BinaryExpr" } - - BinaryExpr() { this = TBinaryExpression(bexpr) } -} - -class CallExpr extends Expr, TCallExpression { - BICEP::CallExpression cexpr; - - override string getAPrimaryQlClass() { result = "CallExpr" } - - CallExpr() { this = TCallExpression(cexpr) } -} - -class LambdaExpr extends Expr, TLambdaExpression { - BICEP::LambdaExpression lexpr; - - override string getAPrimaryQlClass() { result = "LambdaExpr" } - - LambdaExpr() { this = TLambdaExpression(lexpr) } -} - -class MemberExpr extends Expr, TMemberExpression { - BICEP::MemberExpression mexpr; - - override string getAPrimaryQlClass() { result = "MemberExpr" } - - MemberExpr() { this = TMemberExpression(mexpr) } - - Expr getObject() { toBicepTreeSitter(result) = mexpr.getObject() } - - PropertyIdentifier getProperty() { toBicepTreeSitter(result) = mexpr.getProperty() } -} - -class ParenthesizedExpr 
extends Expr, TParenthesizedExpression { - BICEP::ParenthesizedExpression pexpr; - - override string getAPrimaryQlClass() { result = "ParenthesizedExpr" } - - ParenthesizedExpr() { this = TParenthesizedExpression(pexpr) } -} - -class ResourceExpr extends Expr, TResourceExpression { - BICEP::ResourceExpression rexpr; - - override string getAPrimaryQlClass() { result = "ResourceExpr" } - - ResourceExpr() { this = TResourceExpression(rexpr) } -} - -class SubscriptExpr extends Expr, TSubscriptExpression { - BICEP::SubscriptExpression sexpr; - - override string getAPrimaryQlClass() { result = "SubscriptExpr" } - - SubscriptExpr() { this = TSubscriptExpression(sexpr) } -} - -class TerenaryExpr extends Expr, TTernaryExpression { - BICEP::TernaryExpression texpr; - - override string getAPrimaryQlClass() { result = "TerenaryExpr" } - - TerenaryExpr() { this = TTernaryExpression(texpr) } -} - -class UnaryExpr extends Expr, TUnaryExpression { - BICEP::UnaryExpression uexpr; - - override string getAPrimaryQlClass() { result = "UnaryExpr" } - - UnaryExpr() { this = TUnaryExpression(uexpr) } -} - -class PropertyIdentifier extends Expr, TPropertyIdentifier { - BICEP::PropertyIdentifier pidentifier; - - override string getAPrimaryQlClass() { result = "PropertyIdentifier" } - - PropertyIdentifier() { this = TPropertyIdentifier(pidentifier) } - - override string toString() { result = this.getName() } - - string getName() { result = pidentifier.getValue() } -} diff --git a/ql/lib/codeql/bicep/ast/Literal.qll b/ql/lib/codeql/bicep/ast/Literal.qll deleted file mode 100644 index d50c6eb..0000000 --- a/ql/lib/codeql/bicep/ast/Literal.qll +++ /dev/null 
@@ -1,60 +0,0 @@ -private import codeql.iac.ast.internal.Bicep -private import codeql.bicep.ast.AstNodes - -class Literal extends BicepAstNode, TLiteral { - override string getAPrimaryQlClass() { result = "Literal" } - - string getValue() { none() } - - override string toString() { result = this.getValue() } -} - -class NumberLiteral extends Literal, TNumber { - private BICEP::Number literal; - - override string getAPrimaryQlClass() { result = "NumberLiteral" } - - NumberLiteral() { this = TNumber(literal) } -} - -class NullLiteral extends Literal, TNull { - private BICEP::Null literal; - - override string getAPrimaryQlClass() { result = "NullLiteral" } - - NullLiteral() { this = TNull(literal) } -} - -class BooleanLiteral extends Literal, TBoolean { - private BICEP::Boolean literal; - - override string getAPrimaryQlClass() { result = "BooleanLiteral" } - - BooleanLiteral() { this = TBoolean(literal) } - - boolean getBool() { result.toString() = literal.getValue() } -} - -class StringLiteral extends Literal, TString { - private BICEP::String literal; - - override string getAPrimaryQlClass() { result = "StringLiteral" } - - StringLiteral() { this = TString(literal) } - - override string getValue() { - exists(StringContent c | toBicepTreeSitter(c) = literal.getAFieldOrChild() | - result = c.getValue() - ) - } -} - -class StringContent extends Literal, TStringContent { - private BICEP::StringContent literal; - - override string getAPrimaryQlClass() { result = "StringContent" } - - StringContent() { this = TStringContent(literal) } - - override string getValue() { result = literal.getValue() } -} diff --git a/ql/lib/codeql/bicep/ast/Object.qll b/ql/lib/codeql/bicep/ast/Object.qll deleted file mode 100644 index 352f558..0000000 --- a/ql/lib/codeql/bicep/ast/Object.qll +++ /dev/null 
@@ -1,47 +0,0 @@ -private import codeql.iac.ast.internal.Bicep -private import codeql.bicep.ast.AstNodes -private import codeql.bicep.ast.Literal -private import codeql.bicep.ast.Expr - -class Object extends Expr, TObject { - private BICEP::Object object; - - override string getAPrimaryQlClass() { result = "Object" } - - Object() { this = TObject(object) } - - ObjectProperty getProperties() { toBicepTreeSitter(result) = object.getAFieldOrChild() } - - Expr getProperty(string name) { - exists(ObjectProperty prop | object.getAFieldOrChild() = toBicepTreeSitter(prop) | - prop.getKey().(Identifier).getName() = name and - result = prop.getValue() - ) - } -} - -class ObjectProperty extends BicepAstNode, TObjectProperty { - private BICEP::ObjectProperty property; - - override string getAPrimaryQlClass() { result = "ObjectProperty" } - - ObjectProperty() { this = TObjectProperty(property) } - - override string toString() { result = this.getKey().getName() + " = " + this.getValue() } - - Identifier getKey() { toBicepTreeSitter(result) = property.getChild(0) } - - Expr getValue() { toBicepTreeSitter(result) = property.getChild(1) } -} - -class Array extends Expr, TArray { - private BICEP::Array array; - - override string getAPrimaryQlClass() { result = "Array" } - - Array() { this = TArray(array) } - - Expr getElements() { toBicepTreeSitter(result) = array.getAFieldOrChild() } - - Expr getElement(int index) { toBicepTreeSitter(result) = array.getChild(index) } -} diff --git a/ql/lib/codeql/bicep/ast/Resources.qll b/ql/lib/codeql/bicep/ast/Resources.qll deleted file mode 100644 index 60e0eb2..0000000 --- a/ql/lib/codeql/bicep/ast/Resources.qll +++ /dev/null 
@@ -1,50 +0,0 @@ -private import codeql.iac.ast.internal.Bicep -private import codeql.bicep.ast.AstNodes -private import codeql.bicep.ast.Literal -private import codeql.bicep.ast.Object -private import codeql.bicep.ast.Expr - -Resource resolveResource(Expr expr) { - exists(Resource resource | - // Object having an id property needs to be resolved - // {resource.id}.id - exists(MemberExpr memexpr | - memexpr = expr.(Object).getProperty("id") and - memexpr.getObject().(Identifier).getName() = resource.getIdentifier().(Identifier).getName() - | - result = resource - ) - or - exists(Identifier ident | - ident = expr and - ident.getName() = resource.getIdentifier().(Identifier).getName() - | - result = resource - ) - ) -} - -class Resource extends BicepAstNode, TResourceDeclaration { - private BICEP::ResourceDeclaration resource; - - override string getAPrimaryQlClass() { result = "ResourceDeclaration" } - - Resource() { this = TResourceDeclaration(resource) } - - string getResourceType() { - exists(StringLiteral s | toBicepTreeSitter(s) = resource.getAFieldOrChild() | - result = s.getValue() - ) - } - - /** - * A name given to the resource instance that is unique within the template. - */ - Identifier getIdentifier() { toBicepTreeSitter(result) = resource.getChild(0) } - - Object getBody() { toBicepTreeSitter(result) = resource.getAFieldOrChild() } - - Expr getProperty(string name) { result = this.getBody().getProperty(name) } - - override Resource getParent() { result = resolveResource(this.getProperty("parent")) } -} diff --git a/ql/lib/codeql/bicep/microsoft/Compute.qll b/ql/lib/codeql/bicep/microsoft/Compute.qll deleted file mode 100644 index 2d9cfce..0000000 --- a/ql/lib/codeql/bicep/microsoft/Compute.qll +++ /dev/null 
@@ -1,135 +0,0 @@ -private import codeql.Locations -private import codeql.bicep.ast.Expr -private import codeql.bicep.ast.Object -private import codeql.bicep.ast.Resources -private import codeql.bicep.ast.Literal -private import codeql.bicep.microsoft.Network - -/** - * A resource of type Microsoft.Compute/virtualMachines - */ -module Compute { - class ComputeResource extends Resource { - ComputeResource() { this.getResourceType().regexpMatch("^Microsoft.Compute/.*") } - } - - /** - * A resource of type Microsoft.Compute/virtualMachines - * https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines - */ - class VirtualMachines extends ComputeResource { - VirtualMachines() { - this.getResourceType().regexpMatch("^Microsoft.Compute/virtualMachines@.*") - } - - override string toString() { result = "VirtualMachines Resource" } - - VirtualMachinesProperties::Properties getProperties() { - result = this.getProperty("properties") - } - - /** - * The the hardware network interfaces of the virtual machine - */ - Network::NetworkInterfaces getNetworkInterfaces() { - result = this.getProperties().getNetworkProfile().getNetworkInterfaces() - } - } - - /** - * The properties module for Microsoft.Compute/virtualMachines - */ - module VirtualMachinesProperties { - /** - * The properties object for the Microsoft.Compute/virtualMachines type - */ - class Properties extends Object { - private VirtualMachines virtualMachines; - - Properties() { this = virtualMachines.getProperty("properties") } - - VirtualMachines getVirtualMachine() { result = virtualMachines } - - HardwareProfile getHardwareProfile() { result = this.getProperty("hardwareProfile") } - - NetworkProfile getNetworkProfile() { result = this.getProperty("networkProfile") } - - OsProfile getOsProfile() { result = this.getProperty("osProfile") } - } - - /** - * The hardwareProfile property object for the Microsoft.Compute/virtualMachines type - */ - class HardwareProfile extends Object { - private 
Properties properties; - - HardwareProfile() { this = properties.getProperty("hardwareProfile") } - - override string toString() { result = "HardwareProfile" } - - Expr getVmSize() { result = this.getProperty("vmSize") } - } - - /** - * A NetworkProfile for the Microsoft.Compute/virtualMachines type - */ - class NetworkProfile extends Object { - private Properties properties; - - NetworkProfile() { this = properties.getProperty("networkProfile") } - - override string toString() { result = "NetworkProfile" } - - Network::NetworkInterfaces getNetworkInterfaces() { - result = resolveResource(this.getNetworkInterfacesObject()) - } - - private Object getNetworkInterfacesObject() { - result = this.getProperty("networkInterfaces").(Array).getElements() - } - } - - /** - */ - class StorageProfile extends Object { - private Properties properties; - - StorageProfile() { this = properties.getProperty("storageProfile") } - - ImageReference getImageReference() { result = this.getProperty("imageReference") } - } - - /** - * A ImageReference for the Microsoft.Compute/virtualMachines type - * https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-bicep#imagereference - */ - class ImageReference extends Object { - private StorageProfile storageProfile; - - ImageReference() { this = storageProfile.getProperty("imageReference") } - - Expr getPublisher() { result = this.getProperty("publisher") } - - Expr getOffer() { result = this.getProperty("offer") } - - Expr getSku() { result = this.getProperty("sku") } - - Expr getVersion() { result = this.getProperty("version") } - } - - /** - * The OsProfile object for the Microsoft.Compute/virtualMachines type - */ - class OsProfile extends Object { - private Properties properties; - - OsProfile() { this = properties.getProperty("osProfile") } - - Expr getComputerName() { result = this.getProperty("computerName") } - - Expr getAdminUsername() { result = this.getProperty("adminUsername") 
} - - Expr getAdminPassword() { result = this.getProperty("adminPassword") } - } - } -} diff --git a/ql/lib/codeql/bicep/microsoft/Network.qll b/ql/lib/codeql/bicep/microsoft/Network.qll deleted file mode 100644 index b8f72b2..0000000 --- a/ql/lib/codeql/bicep/microsoft/Network.qll +++ /dev/null 
@@ -1,119 +0,0 @@ -private import codeql.Locations -private import codeql.bicep.ast.Expr -private import codeql.bicep.ast.Object -private import codeql.bicep.ast.Resources -private import codeql.bicep.ast.Literal - -module Network { - /** - * A resource of type Microsoft.Network - */ - class NetworkResource extends Resource { - NetworkResource() { this.getResourceType().regexpMatch("^Microsoft.Network/.*") } - } - - /** - * A resource of type Microsoft.Network/networkInterfaces - */ - class NetworkInterfaces extends NetworkResource { - NetworkInterfaces() { - this.getResourceType().regexpMatch("^Microsoft.Network/networkInterfaces@.*") - } - - override string toString() { result = "NetworkInterfaces Resource" } - - NetworkInterfaceProperties::Properties getProperties() { - result = this.getProperty("properties") - } - } - - /** - * A module for all properties of Microsoft.Network/networkInterfaces - */ - module NetworkInterfaceProperties { - /** - * The properties object for the Microsoft.Network/networkInterfaces type - */ - class Properties extends Object { - private NetworkInterfaces networkInterfaces; - - Properties() { this = networkInterfaces.getProperty("properties") } - - IpConfiguration getIpConfigurations() { - result = this.getProperty("ipConfigurations").(Array).getElements() - } - } - - /** - * An IpConfiguration for the Microsoft.Network/networkInterfaces type - * https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-bicep#virtualmachinenetworkinterfaceipconfigurationproperties - */ - class IpConfiguration extends Object { - private Properties properties; - - IpConfiguration() { this = properties.getProperty("ipConfigurations").(Array).getElements() } - - string getName() { result = this.getProperty("name").(StringLiteral).getValue() } - } - } - - /** - * A resource of type Microsoft.Network/virtualNetworks - */ - class VirtualNetworks extends NetworkResource { - VirtualNetworks() { - 
this.getResourceType().regexpMatch("^Microsoft.Network/virtualNetworks@.*") - } - - override string toString() { result = "VirtualNetworks Resource" } - - /** - * Get the properties object for the Microsoft.Network/virtualNetworks type - */ - VirtualNetworkProperties::Properties getProperties() { result = this.getProperty("properties") } - } - - /** - * A resource of type Microsoft.Network/virtualNetworks/subnets - */ - class VirtualNetworkSubnets extends Resource { - VirtualNetworkSubnets() { - this.getResourceType().regexpMatch("^Microsoft.Network/virtualNetworks/subnets@.*") - } - } - - module VirtualNetworkProperties { - /** - * The properties object for the Microsoft.Network/virtualNetworks/subnets type - */ - class Properties extends Object { - private VirtualNetworkSubnets virtualNetworkSubnets; - - Properties() { this = virtualNetworkSubnets.getProperty("properties") } - - AddressSpace getAddressSpace() { result = this.getProperty("addressSpace") } - - boolean getEnableDdosProtection() { - result = this.getProperty("enableDdosProtection").(BooleanLiteral).getBool() - } - - boolean getEnableVmProtection() { - result = this.getProperty("enableVmProtection").(BooleanLiteral).getBool() - } - } - - /** - * An AddressSpace for the Microsoft.Network/virtualNetworks type - */ - class AddressSpace extends Object { - private Properties properties; - - AddressSpace() { this = properties.getProperty("addressSpace") } - - string getAddressPrefixes() { - result = - this.getProperty("addressPrefixes").(Array).getElements().(StringLiteral).getValue() - } - } - } -} diff --git a/ql/lib/codeql/bicep/microsoft/Storage.qll b/ql/lib/codeql/bicep/microsoft/Storage.qll deleted file mode 100644 index 7db37aa..0000000 --- a/ql/lib/codeql/bicep/microsoft/Storage.qll +++ /dev/null 
@@ -1,60 +0,0 @@
-private import codeql.Locations
-private import codeql.bicep.ast.Expr
-private import codeql.bicep.ast.Object
-private import codeql.bicep.ast.Resources
-private import codeql.bicep.ast.Literal
-
-module Storage {
- class StorageAccounts extends Resource {
- StorageAccounts() {
- this.getResourceType().regexpMatch("^Microsoft.Storage/storageAccounts@.*")
- }
-
- Expr getKind() { result = this.getProperty("kind") }
- }
-
- class StorageAccountsProperties extends Object {
- private StorageAccounts storageAccounts;
-
- StorageAccountsProperties() { this = storageAccounts.getProperty("properties") }
-
- boolean getSupportsHttpsTrafficOnly() {
- result = this.getProperty("supportsHttpsTrafficOnly").(BooleanLiteral).getBool()
- }
- }
-
- /**
- * A resource of type Microsoft.Compute/disks
- */
- class Disks extends Resource {
- Disks() { this.getResourceType().regexpMatch("^Microsoft.Compute/disks@.*") }
- }
-
- /**
- * The Disk Properties object for the Microsoft.Compute/disks type
- */
- class DisksProperties extends Object {
- private Disks disks;
-
- DisksProperties() { this = disks.getProperty("properties") }
-
- Object getEncryptionSettings() { result = this.getProperty("encryptionSettingsCollection") }
-
- boolean getEncryptionEnabled() {
- result = this.getEncryptionSettings().getProperty("enabled").(BooleanLiteral).getBool()
- }
- }
-
- class BlobServiceContainers extends Resource {
- BlobServiceContainers() {
- this.getResourceType()
- .regexpMatch("^Microsoft.Storage/storageAccounts/blobServices/containers@.*")
- }
-
- Object getProperties() { result = this.getProperty("properties") }
-
- string getPublicAccess() {
- result = this.getProperties().getProperty("publicAccess").(StringLiteral).getValue()
- }
- }
-}
diff --git a/ql/lib/codeql/iac/ast/Bicep.qll b/ql/lib/codeql/iac/ast/Bicep.qll
deleted file mode 100644
index dc25f90..0000000
--- a/ql/lib/codeql/iac/ast/Bicep.qll
+++ /dev/null
@@ -1 +0,0 @@
-import codeql.bicep.AST
diff --git a/ql/lib/codeql/iac/ast/internal/AstNodes.qll b/ql/lib/codeql/iac/ast/internal/AstNodes.qll
index f368acf..c6c2e1b 100644
--- a/ql/lib/codeql/iac/ast/internal/AstNodes.qll
+++ b/ql/lib/codeql/iac/ast/internal/AstNodes.qll
@@ -8,5 +8,4 @@ import Container
 cached
 newtype TAstNode =
 THclAstNode(HCL::AstNode node) or
- TBicepAstNode(BICEP::AstNode node) or
 TContainerAstNode(DOCKERFILE::AstNode node)
diff --git a/ql/lib/codeql/iac/ast/internal/Bicep.qll b/ql/lib/codeql/iac/ast/internal/Bicep.qll
deleted file mode 100644
index 6060c8e..0000000
--- a/ql/lib/codeql/iac/ast/internal/Bicep.qll
+++ /dev/null
@@ -1,73 +0,0 @@
-import TreeSitter
-
-cached
-newtype TBicepAstNode =
- TComment(BICEP::Comment c) or
- TInfrastructure(BICEP::Infrastructure i) or
- // Literals
- TBoolean(BICEP::Boolean b) or
- TNull(BICEP::Null n) or
- TNumber(BICEP::Number n) or
- TString(BICEP::String s) or
- TStringContent(BICEP::StringContent s) or
- // Expressions
- TAssignmentExpression(BICEP::AssignmentExpression a) or
- TArray(BICEP::Array a) or
- TBinaryExpression(BICEP::BinaryExpression b) or
- TCallExpression(BICEP::CallExpression c) or
- TExpression(BICEP::Expression e) or
- TLambdaExpression(BICEP::LambdaExpression l) or
- TMemberExpression(BICEP::MemberExpression m) or
- TParenthesizedExpression(BICEP::ParenthesizedExpression p) or
- TPrimaryExpression(BICEP::PrimaryExpression p) or
- TResourceExpression(BICEP::ResourceExpression r) or
- TSubscriptExpression(BICEP::SubscriptExpression s) or
- TTernaryExpression(BICEP::TernaryExpression t) or
- TUnaryExpression(BICEP::UnaryExpression u) or
- TPropertyIdentifier(BICEP::PropertyIdentifier p) or
- // Declarations
- TResourceDeclaration(BICEP::ResourceDeclaration r) or
- TObject(BICEP::Object o) or
- TObjectProperty(BICEP::ObjectProperty p) or
- TIdentifier(BICEP::Identifier i)
-
-class TLiteral = TBoolean or TNull or TNumber or TString or TStringContent;
-
-class TDeclaration = TResourceDeclaration or TObject or TObjectProperty or TIdentifier;
-
-class TIdentifiers = TIdentifier or TPropertyIdentifier;
-
-class TExpr =
- TLiteral or TArray or TAssignmentExpression or TBinaryExpression or TCallExpression or
- TExpression or TLambdaExpression or TMemberExpression or TParenthesizedExpression or
- TResourceExpression or TSubscriptExpression or TTernaryExpression or TUnaryExpression or
- TIdentifiers or TObject or TObjectProperty;
-
-cached
-BICEP::AstNode toBicepTreeSitter(TBicepAstNode n) {
- n = TComment(result) or
- n = TInfrastructure(result) or
- n = TBoolean(result) or
- n = TNull(result) or
- n = TNumber(result) or
- n = TString(result) or
- n = TStringContent(result) or
- n = TAssignmentExpression(result) or
- n = TArray(result) or
- n = TBinaryExpression(result) or
- n = TCallExpression(result) or
- n = TExpression(result) or
- n = TLambdaExpression(result) or
- n = TMemberExpression(result) or
- n = TParenthesizedExpression(result) or
- n = TPrimaryExpression(result) or
- n = TResourceExpression(result) or
- n = TSubscriptExpression(result) or
- n = TTernaryExpression(result) or
- n = TUnaryExpression(result) or
- n = TResourceDeclaration(result) or
- n = TObject(result) or
- n = TObjectProperty(result) or
- n = TIdentifier(result) or
- n = TPropertyIdentifier(result)
-}
diff --git a/ql/lib/codeql/iac/ast/internal/TreeSitter.qll b/ql/lib/codeql/iac/ast/internal/TreeSitter.qll
index bd08235..3530285 100644
--- a/ql/lib/codeql/iac/ast/internal/TreeSitter.qll
+++ b/ql/lib/codeql/iac/ast/internal/TreeSitter.qll
@@ -1228,833 +1228,3 @@ module DOCKERFILE { final override AstNode getAFieldOrChild() { dockerfile_workdir_instruction_def(this, result) } } } - -module BICEP { - /** The base class for all AST nodes */ - class AstNode extends @bicep_ast_node { - /** Gets a string representation of this element. */ - string toString() { result = this.getAPrimaryQlClass() } - - /** Gets the location of this element. */ - final L::Location getLocation() { bicep_ast_node_location(this, result) } - - /** Gets the parent of this element. */ - final AstNode getParent() { bicep_ast_node_parent(this, result, _) } - - /** Gets the index of this node among the children of its parent. */ - final int getParentIndex() { bicep_ast_node_parent(this, _, result) } - - /** Gets a field or child node of this node. */ - AstNode getAFieldOrChild() { none() } - - /** Gets the name of the primary QL class for this element. */ - string getAPrimaryQlClass() { result = "???" } - - /** Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs. */ - string getPrimaryQlClasses() { result = concat(this.getAPrimaryQlClass(), ",") } - } - - /** A token. */ - class Token extends @bicep_token, AstNode { - /** Gets the value of this token. */ - final string getValue() { bicep_tokeninfo(this, _, result) } - - /** Gets a string representation of this element. */ - final override string toString() { result = this.getValue() } - - /** Gets the name of the primary QL class for this element. */ - override string getAPrimaryQlClass() { result = "Token" } - } - - /** A reserved word. */ - class ReservedWord extends @bicep_reserved_word, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ReservedWord" } - } - - /** A class representing `arguments` nodes. */ - class Arguments extends @bicep_arguments, AstNode { - /** Gets the name of the primary QL class for this element. 
*/ - final override string getAPrimaryQlClass() { result = "Arguments" } - - /** Gets the `i`th child of this node. */ - final Expression getChild(int i) { bicep_arguments_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_arguments_child(this, _, result) } - } - - /** A class representing `array` nodes. */ - class Array extends @bicep_array, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Array" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_array_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_array_child(this, _, result) } - } - - /** A class representing `array_type` nodes. */ - class ArrayType extends @bicep_array_type, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ArrayType" } - - /** Gets the child of this node. */ - final Type getChild() { bicep_array_type_def(this, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_array_type_def(this, result) } - } - - /** A class representing `assert_statement` nodes. */ - class AssertStatement extends @bicep_assert_statement, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "AssertStatement" } - - /** Gets the node corresponding to the field `name`. */ - final Identifier getName() { bicep_assert_statement_def(this, result, _) } - - /** Gets the child of this node. */ - final Expression getChild() { bicep_assert_statement_def(this, _, result) } - - /** Gets a field or child node of this node. 
*/ - final override AstNode getAFieldOrChild() { - bicep_assert_statement_def(this, result, _) or bicep_assert_statement_def(this, _, result) - } - } - - /** A class representing `assignment_expression` nodes. */ - class AssignmentExpression extends @bicep_assignment_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "AssignmentExpression" } - - /** Gets the node corresponding to the field `left`. */ - final AstNode getLeft() { bicep_assignment_expression_def(this, result, _) } - - /** Gets the node corresponding to the field `right`. */ - final Expression getRight() { bicep_assignment_expression_def(this, _, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_assignment_expression_def(this, result, _) or - bicep_assignment_expression_def(this, _, result) - } - } - - /** A class representing `binary_expression` nodes. */ - class BinaryExpression extends @bicep_binary_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "BinaryExpression" } - - /** Gets the node corresponding to the field `left`. */ - final Expression getLeft() { bicep_binary_expression_def(this, result, _, _) } - - /** Gets the node corresponding to the field `operator`. 
*/ - final string getOperator() { - exists(int value | bicep_binary_expression_def(this, _, value, _) | - result = "!=" and value = 0 - or - result = "!~" and value = 1 - or - result = "%" and value = 2 - or - result = "&&" and value = 3 - or - result = "*" and value = 4 - or - result = "+" and value = 5 - or - result = "-" and value = 6 - or - result = "/" and value = 7 - or - result = "<" and value = 8 - or - result = "<=" and value = 9 - or - result = "==" and value = 10 - or - result = "=~" and value = 11 - or - result = ">" and value = 12 - or - result = ">=" and value = 13 - or - result = "??" and value = 14 - or - result = "|" and value = 15 - or - result = "||" and value = 16 - ) - } - - /** Gets the node corresponding to the field `right`. */ - final Expression getRight() { bicep_binary_expression_def(this, _, _, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_binary_expression_def(this, result, _, _) or - bicep_binary_expression_def(this, _, _, result) - } - } - - /** A class representing `boolean` tokens. */ - class Boolean extends @bicep_token_boolean, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Boolean" } - } - - /** A class representing `call_expression` nodes. */ - class CallExpression extends @bicep_call_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "CallExpression" } - - /** Gets the node corresponding to the field `arguments`. */ - final Arguments getArguments() { bicep_call_expression_def(this, result, _) } - - /** Gets the node corresponding to the field `function`. */ - final Expression getFunction() { bicep_call_expression_def(this, _, result) } - - /** Gets the child of this node. 
*/ - final NullableReturnType getChild() { bicep_call_expression_child(this, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_call_expression_def(this, result, _) or - bicep_call_expression_def(this, _, result) or - bicep_call_expression_child(this, result) - } - } - - /** A class representing `comment` tokens. */ - class Comment extends @bicep_token_comment, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Comment" } - } - - /** A class representing `compatible_identifier` nodes. */ - class CompatibleIdentifier extends @bicep_compatible_identifier, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "CompatibleIdentifier" } - - /** Gets the child of this node. */ - final Identifier getChild() { bicep_compatible_identifier_def(this, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_compatible_identifier_def(this, result) } - } - - class Declaration extends @bicep_declaration, AstNode { } - - /** A class representing `decorator` nodes. */ - class Decorator extends @bicep_decorator, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Decorator" } - - /** Gets the child of this node. */ - final CallExpression getChild() { bicep_decorator_def(this, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_decorator_def(this, result) } - } - - /** A class representing `decorators` nodes. */ - class Decorators extends @bicep_decorators, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Decorators" } - - /** Gets the `i`th child of this node. 
*/ - final Decorator getChild(int i) { bicep_decorators_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_decorators_child(this, _, result) } - } - - /** A class representing `diagnostic_comment` tokens. */ - class DiagnosticComment extends @bicep_token_diagnostic_comment, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "DiagnosticComment" } - } - - /** A class representing `escape_sequence` tokens. */ - class EscapeSequence extends @bicep_token_escape_sequence, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "EscapeSequence" } - } - - class Expression extends @bicep_expression, AstNode { } - - /** A class representing `for_loop_parameters` nodes. */ - class ForLoopParameters extends @bicep_for_loop_parameters, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ForLoopParameters" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_for_loop_parameters_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_for_loop_parameters_child(this, _, result) } - } - - /** A class representing `for_statement` nodes. */ - class ForStatement extends @bicep_for_statement, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ForStatement" } - - /** Gets the node corresponding to the field `body`. */ - final AstNode getBody() { bicep_for_statement_def(this, result) } - - /** Gets the node corresponding to the field `initializer`. */ - final Identifier getInitializer() { bicep_for_statement_initializer(this, result) } - - /** Gets the `i`th child of this node. 
*/ - final AstNode getChild(int i) { bicep_for_statement_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_for_statement_def(this, result) or - bicep_for_statement_initializer(this, result) or - bicep_for_statement_child(this, _, result) - } - } - - /** A class representing `identifier` tokens. */ - class Identifier extends @bicep_token_identifier, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Identifier" } - } - - /** A class representing `if_statement` nodes. */ - class IfStatement extends @bicep_if_statement, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "IfStatement" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_if_statement_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_if_statement_child(this, _, result) } - } - - /** A class representing `import_functionality` nodes. */ - class ImportFunctionality extends @bicep_import_functionality, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ImportFunctionality" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_import_functionality_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_import_functionality_child(this, _, result) } - } - - /** A class representing `import_statement` nodes. */ - class ImportStatement extends @bicep_import_statement, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ImportStatement" } - - /** Gets the `i`th child of this node. 
*/ - final AstNode getChild(int i) { bicep_import_statement_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_import_statement_child(this, _, result) } - } - - /** A class representing `import_with_statement` nodes. */ - class ImportWithStatement extends @bicep_import_with_statement, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ImportWithStatement" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_import_with_statement_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_import_with_statement_child(this, _, result) } - } - - /** A class representing `infrastructure` nodes. */ - class Infrastructure extends @bicep_infrastructure, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Infrastructure" } - - /** Gets the `i`th child of this node. */ - final Statement getChild(int i) { bicep_infrastructure_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_infrastructure_child(this, _, result) } - } - - /** A class representing `interpolation` nodes. */ - class Interpolation extends @bicep_interpolation, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Interpolation" } - - /** Gets the child of this node. */ - final Expression getChild() { bicep_interpolation_def(this, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_interpolation_def(this, result) } - } - - /** A class representing `lambda_expression` nodes. 
*/ - class LambdaExpression extends @bicep_lambda_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "LambdaExpression" } - - /** Gets the `i`th child of this node. */ - final Expression getChild(int i) { bicep_lambda_expression_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_lambda_expression_child(this, _, result) } - } - - /** A class representing `loop_enumerator` tokens. */ - class LoopEnumerator extends @bicep_token_loop_enumerator, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "LoopEnumerator" } - } - - /** A class representing `loop_variable` tokens. */ - class LoopVariable extends @bicep_token_loop_variable, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "LoopVariable" } - } - - /** A class representing `member_expression` nodes. */ - class MemberExpression extends @bicep_member_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "MemberExpression" } - - /** Gets the node corresponding to the field `object`. */ - final AstNode getObject() { bicep_member_expression_def(this, result, _) } - - /** Gets the node corresponding to the field `property`. */ - final PropertyIdentifier getProperty() { bicep_member_expression_def(this, _, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_member_expression_def(this, result, _) or bicep_member_expression_def(this, _, result) - } - } - - /** A class representing `metadata_declaration` nodes. */ - class MetadataDeclaration extends @bicep_metadata_declaration, AstNode { - /** Gets the name of the primary QL class for this element. 
*/ - final override string getAPrimaryQlClass() { result = "MetadataDeclaration" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_metadata_declaration_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_metadata_declaration_child(this, _, result) } - } - - /** A class representing `module_declaration` nodes. */ - class ModuleDeclaration extends @bicep_module_declaration, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ModuleDeclaration" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_module_declaration_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_module_declaration_child(this, _, result) } - } - - /** A class representing `negated_type` nodes. */ - class NegatedType extends @bicep_negated_type, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "NegatedType" } - - /** Gets the child of this node. */ - final Type getChild() { bicep_negated_type_def(this, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_negated_type_def(this, result) } - } - - /** A class representing `null` tokens. */ - class Null extends @bicep_token_null, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Null" } - } - - /** A class representing `nullable_return_type` tokens. */ - class NullableReturnType extends @bicep_token_nullable_return_type, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "NullableReturnType" } - } - - /** A class representing `nullable_type` nodes. 
*/ - class NullableType extends @bicep_nullable_type, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "NullableType" } - - /** Gets the child of this node. */ - final AstNode getChild() { bicep_nullable_type_def(this, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_nullable_type_def(this, result) } - } - - /** A class representing `number` tokens. */ - class Number extends @bicep_token_number, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Number" } - } - - /** A class representing `object` nodes. */ - class Object extends @bicep_object, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Object" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_object_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_object_child(this, _, result) } - } - - /** A class representing `object_property` nodes. */ - class ObjectProperty extends @bicep_object_property, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ObjectProperty" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_object_property_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_object_property_child(this, _, result) } - } - - /** A class representing `output_declaration` nodes. */ - class OutputDeclaration extends @bicep_output_declaration, AstNode { - /** Gets the name of the primary QL class for this element. 
*/ - final override string getAPrimaryQlClass() { result = "OutputDeclaration" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_output_declaration_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_output_declaration_child(this, _, result) } - } - - /** A class representing `parameter` nodes. */ - class Parameter extends @bicep_parameter, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Parameter" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_parameter_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_parameter_child(this, _, result) } - } - - /** A class representing `parameter_declaration` nodes. */ - class ParameterDeclaration extends @bicep_parameter_declaration, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ParameterDeclaration" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_parameter_declaration_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_parameter_declaration_child(this, _, result) } - } - - /** A class representing `parameterized_type` nodes. */ - class ParameterizedType extends @bicep_parameterized_type, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ParameterizedType" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_parameterized_type_child(this, i, result) } - - /** Gets a field or child node of this node. 
*/ - final override AstNode getAFieldOrChild() { bicep_parameterized_type_child(this, _, result) } - } - - /** A class representing `parameters` nodes. */ - class Parameters extends @bicep_parameters, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Parameters" } - - /** Gets the `i`th child of this node. */ - final Parameter getChild(int i) { bicep_parameters_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_parameters_child(this, _, result) } - } - - /** A class representing `parenthesized_expression` nodes. */ - class ParenthesizedExpression extends @bicep_parenthesized_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ParenthesizedExpression" } - - /** Gets the `i`th child of this node. */ - final Expression getChild(int i) { bicep_parenthesized_expression_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_parenthesized_expression_child(this, _, result) - } - } - - /** A class representing `parenthesized_type` nodes. */ - class ParenthesizedType extends @bicep_parenthesized_type, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ParenthesizedType" } - - /** Gets the child of this node. */ - final Type getChild() { bicep_parenthesized_type_def(this, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_parenthesized_type_def(this, result) } - } - - class PrimaryExpression extends @bicep_primary_expression, AstNode { } - - /** A class representing `primitive_type` tokens. 
*/ - class PrimitiveType extends @bicep_token_primitive_type, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "PrimitiveType" } - } - - /** A class representing `property_identifier` tokens. */ - class PropertyIdentifier extends @bicep_token_property_identifier, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "PropertyIdentifier" } - } - - /** A class representing `resource_declaration` nodes. */ - class ResourceDeclaration extends @bicep_resource_declaration, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ResourceDeclaration" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_resource_declaration_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_resource_declaration_child(this, _, result) } - } - - /** A class representing `resource_expression` nodes. */ - class ResourceExpression extends @bicep_resource_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "ResourceExpression" } - - /** Gets the node corresponding to the field `object`. */ - final Expression getObject() { bicep_resource_expression_def(this, result, _) } - - /** Gets the node corresponding to the field `resource`. */ - final Identifier getResource() { bicep_resource_expression_def(this, _, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_resource_expression_def(this, result, _) or - bicep_resource_expression_def(this, _, result) - } - } - - class Statement extends @bicep_statement, AstNode { } - - /** A class representing `string` nodes. 
*/ - class String extends @bicep_string__, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "String" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_string_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_string_child(this, _, result) } - } - - /** A class representing `string_content` tokens. */ - class StringContent extends @bicep_token_string_content, Token { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "StringContent" } - } - - /** A class representing `subscript_expression` nodes. */ - class SubscriptExpression extends @bicep_subscript_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "SubscriptExpression" } - - /** Gets the node corresponding to the field `index`. */ - final Expression getIndex() { bicep_subscript_expression_def(this, result, _) } - - /** Gets the node corresponding to the field `object`. */ - final Expression getObject() { bicep_subscript_expression_def(this, _, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_subscript_expression_def(this, result, _) or - bicep_subscript_expression_def(this, _, result) - } - } - - /** A class representing `target_scope_assignment` nodes. */ - class TargetScopeAssignment extends @bicep_target_scope_assignment, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "TargetScopeAssignment" } - - /** Gets the child of this node. */ - final String getChild() { bicep_target_scope_assignment_def(this, result) } - - /** Gets a field or child node of this node. 
*/ - final override AstNode getAFieldOrChild() { bicep_target_scope_assignment_def(this, result) } - } - - /** A class representing `ternary_expression` nodes. */ - class TernaryExpression extends @bicep_ternary_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "TernaryExpression" } - - /** Gets the node corresponding to the field `alternative`. */ - final Expression getAlternative() { bicep_ternary_expression_def(this, result, _, _) } - - /** Gets the node corresponding to the field `condition`. */ - final Expression getCondition() { bicep_ternary_expression_def(this, _, result, _) } - - /** Gets the node corresponding to the field `consequence`. */ - final Expression getConsequence() { bicep_ternary_expression_def(this, _, _, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_ternary_expression_def(this, result, _, _) or - bicep_ternary_expression_def(this, _, result, _) or - bicep_ternary_expression_def(this, _, _, result) - } - } - - /** A class representing `test_block` nodes. */ - class TestBlock extends @bicep_test_block, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "TestBlock" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_test_block_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_test_block_child(this, _, result) } - } - - /** A class representing `type` nodes. */ - class Type extends @bicep_type__, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "Type" } - - /** Gets the child of this node. */ - final AstNode getChild() { bicep_type_def(this, result) } - - /** Gets a field or child node of this node. 
*/ - final override AstNode getAFieldOrChild() { bicep_type_def(this, result) } - } - - /** A class representing `type_arguments` nodes. */ - class TypeArguments extends @bicep_type_arguments, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "TypeArguments" } - - /** Gets the `i`th child of this node. */ - final String getChild(int i) { bicep_type_arguments_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_type_arguments_child(this, _, result) } - } - - /** A class representing `type_declaration` nodes. */ - class TypeDeclaration extends @bicep_type_declaration, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "TypeDeclaration" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_type_declaration_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_type_declaration_child(this, _, result) } - } - - /** A class representing `unary_expression` nodes. */ - class UnaryExpression extends @bicep_unary_expression, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "UnaryExpression" } - - /** Gets the node corresponding to the field `argument`. */ - final Expression getArgument() { bicep_unary_expression_def(this, result, _) } - - /** Gets the node corresponding to the field `operator`. */ - final string getOperator() { - exists(int value | bicep_unary_expression_def(this, _, value) | - result = "!" and value = 0 - or - result = "-" and value = 1 - ) - } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_unary_expression_def(this, result, _) } - } - - /** A class representing `union_type` nodes. 
*/ - class UnionType extends @bicep_union_type, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "UnionType" } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_union_type_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { bicep_union_type_child(this, _, result) } - } - - /** A class representing `user_defined_function` nodes. */ - class UserDefinedFunction extends @bicep_user_defined_function, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "UserDefinedFunction" } - - /** Gets the node corresponding to the field `name`. */ - final Identifier getName() { bicep_user_defined_function_def(this, result, _) } - - /** Gets the node corresponding to the field `returns`. */ - final Type getReturns() { bicep_user_defined_function_def(this, _, result) } - - /** Gets the `i`th child of this node. */ - final AstNode getChild(int i) { bicep_user_defined_function_child(this, i, result) } - - /** Gets a field or child node of this node. */ - final override AstNode getAFieldOrChild() { - bicep_user_defined_function_def(this, result, _) or - bicep_user_defined_function_def(this, _, result) or - bicep_user_defined_function_child(this, _, result) - } - } - - /** A class representing `using_statement` nodes. */ - class UsingStatement extends @bicep_using_statement, AstNode { - /** Gets the name of the primary QL class for this element. */ - final override string getAPrimaryQlClass() { result = "UsingStatement" } - - /** Gets the child of this node. */ - final String getChild() { bicep_using_statement_def(this, result) } - - /** Gets a field or child node of this node. 
*/
- final override AstNode getAFieldOrChild() { bicep_using_statement_def(this, result) }
- }
-
- /** A class representing `variable_declaration` nodes. */
- class VariableDeclaration extends @bicep_variable_declaration, AstNode {
- /** Gets the name of the primary QL class for this element. */
- final override string getAPrimaryQlClass() { result = "VariableDeclaration" }
-
- /** Gets the `i`th child of this node. */
- final AstNode getChild(int i) { bicep_variable_declaration_child(this, i, result) }
-
- /** Gets a field or child node of this node. */
- final override AstNode getAFieldOrChild() { bicep_variable_declaration_child(this, _, result) }
- }
-}
diff --git a/ql/lib/codeql/iac/azure/Bicep.qll b/ql/lib/codeql/iac/azure/Bicep.qll
deleted file mode 100644
index b292a7c..0000000
--- a/ql/lib/codeql/iac/azure/Bicep.qll
+++ /dev/null
@@ -1,10 +0,0 @@
-private import codeql.files.FileSystem
-
-module Bicep {
- /**
- * All extracted Bicep files.
- */
- class BicepFile extends File {
- BicepFile() { this.getExtension() = "bicep" }
- }
-}
diff --git a/ql/lib/iac.dbscheme b/ql/lib/iac.dbscheme
index e360fad..ac0194d 100644
--- a/ql/lib/iac.dbscheme
+++ b/ql/lib/iac.dbscheme
@@ -36,6 +36,12 @@ containerparent(
 unique int child: @container ref
 );
 
+/*- Empty location -*/
+
+empty_location(
+ int location: @location_default ref
+);
+
 /*- Source location prefix -*/
 
 /**
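Review bot: `empty_location` is a dbscheme change, but no upgrade script accompanies it in the visible part of the diff (nor one for the `bicep_*` tables dropped in the next hunk), even though `ql/lib/qlpack.yml` declares `upgrades: upgrades` and the later hunk leaves its `version: 0.4.1` untouched; without an upgrade, databases extracted against the old scheme have to be rebuilt, so either add the script or bump the pack version and state the rebuild requirement in the description. The new table also gets only the `/*- Empty location -*/` banner, while the `Source location prefix` stanza right after it carries a `/** ... */` doc comment; I would add `/** The location row assigned to nodes that have no source position (TODO confirm against the extractor). */` above `empty_location(`, since that is how the same table is used in other CodeQL dbschemes, but this diff does not show the extractor writing it. The dependency bump to `codeql/util ^1.0.12` appears to be the motivation for the table, and if the extractor never emits the row, any location lookup that relies on it will simply come back empty rather than fail loudly.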
@@ -943,569 +949,3 @@ dockerfile_ast_node_parent( int parent_index: int ref ); -/*- BICEP dbscheme -*/ -#keyset[bicep_arguments, index] -bicep_arguments_child( - int bicep_arguments: @bicep_arguments ref, - int index: int ref, - unique int child: @bicep_expression ref -); - -bicep_arguments_def( - unique int id: @bicep_arguments -); - -@bicep_array_child_type = @bicep_decorators | @bicep_expression - -#keyset[bicep_array, index] -bicep_array_child( - int bicep_array: @bicep_array ref, - int index: int ref, - unique int child: @bicep_array_child_type ref -); - -bicep_array_def( - unique int id: @bicep_array -); - -bicep_array_type_def( - unique int id: @bicep_array_type, - int child: @bicep_type__ ref -); - -bicep_assert_statement_def( - unique int id: @bicep_assert_statement, - int name: @bicep_token_identifier ref, - int child: @bicep_expression ref -); - -@bicep_assignment_expression_left_type = @bicep_member_expression | @bicep_parenthesized_expression | @bicep_resource_expression | @bicep_subscript_expression | @bicep_token_identifier - -bicep_assignment_expression_def( - unique int id: @bicep_assignment_expression, - int left: @bicep_assignment_expression_left_type ref, - int right: @bicep_expression ref -); - -case @bicep_binary_expression.operator of - 0 = @bicep_binary_expression_bangequal -| 1 = @bicep_binary_expression_bangtilde -| 2 = @bicep_binary_expression_percent -| 3 = @bicep_binary_expression_ampersandampersand -| 4 = @bicep_binary_expression_star -| 5 = @bicep_binary_expression_plus -| 6 = @bicep_binary_expression_minus -| 7 = @bicep_binary_expression_slash -| 8 = @bicep_binary_expression_langle -| 9 = @bicep_binary_expression_langleequal -| 10 = @bicep_binary_expression_equalequal -| 11 = @bicep_binary_expression_equaltilde -| 12 = @bicep_binary_expression_rangle -| 13 = @bicep_binary_expression_rangleequal -| 14 = @bicep_binary_expression_questionquestion -| 15 = @bicep_binary_expression_pipe -| 16 = @bicep_binary_expression_pipepipe -; - - 
-bicep_binary_expression_def( - unique int id: @bicep_binary_expression, - int left: @bicep_expression ref, - int operator: int ref, - int right: @bicep_expression ref -); - -bicep_call_expression_child( - unique int bicep_call_expression: @bicep_call_expression ref, - unique int child: @bicep_token_nullable_return_type ref -); - -bicep_call_expression_def( - unique int id: @bicep_call_expression, - int arguments: @bicep_arguments ref, - int function: @bicep_expression ref -); - -bicep_compatible_identifier_def( - unique int id: @bicep_compatible_identifier, - int child: @bicep_token_identifier ref -); - -@bicep_declaration = @bicep_assert_statement | @bicep_metadata_declaration | @bicep_module_declaration | @bicep_output_declaration | @bicep_parameter_declaration | @bicep_resource_declaration | @bicep_test_block | @bicep_type_declaration | @bicep_user_defined_function | @bicep_variable_declaration - -bicep_decorator_def( - unique int id: @bicep_decorator, - int child: @bicep_call_expression ref -); - -#keyset[bicep_decorators, index] -bicep_decorators_child( - int bicep_decorators: @bicep_decorators ref, - int index: int ref, - unique int child: @bicep_decorator ref -); - -bicep_decorators_def( - unique int id: @bicep_decorators -); - -@bicep_expression = @bicep_assignment_expression | @bicep_binary_expression | @bicep_lambda_expression | @bicep_primary_expression | @bicep_ternary_expression | @bicep_unary_expression - -@bicep_for_loop_parameters_child_type = @bicep_token_loop_enumerator | @bicep_token_loop_variable - -#keyset[bicep_for_loop_parameters, index] -bicep_for_loop_parameters_child( - int bicep_for_loop_parameters: @bicep_for_loop_parameters ref, - int index: int ref, - unique int child: @bicep_for_loop_parameters_child_type ref -); - -bicep_for_loop_parameters_def( - unique int id: @bicep_for_loop_parameters -); - -@bicep_for_statement_body_type = @bicep_expression | @bicep_if_statement - -bicep_for_statement_initializer( - unique int 
bicep_for_statement: @bicep_for_statement ref, - unique int initializer: @bicep_token_identifier ref -); - -@bicep_for_statement_child_type = @bicep_expression | @bicep_for_loop_parameters - -#keyset[bicep_for_statement, index] -bicep_for_statement_child( - int bicep_for_statement: @bicep_for_statement ref, - int index: int ref, - unique int child: @bicep_for_statement_child_type ref -); - -bicep_for_statement_def( - unique int id: @bicep_for_statement, - int body: @bicep_for_statement_body_type ref -); - -@bicep_if_statement_child_type = @bicep_object | @bicep_parenthesized_expression - -#keyset[bicep_if_statement, index] -bicep_if_statement_child( - int bicep_if_statement: @bicep_if_statement ref, - int index: int ref, - unique int child: @bicep_if_statement_child_type ref -); - -bicep_if_statement_def( - unique int id: @bicep_if_statement -); - -@bicep_import_functionality_child_type = @bicep_string__ | @bicep_token_identifier - -#keyset[bicep_import_functionality, index] -bicep_import_functionality_child( - int bicep_import_functionality: @bicep_import_functionality ref, - int index: int ref, - unique int child: @bicep_import_functionality_child_type ref -); - -bicep_import_functionality_def( - unique int id: @bicep_import_functionality -); - -@bicep_import_statement_child_type = @bicep_string__ | @bicep_token_identifier - -#keyset[bicep_import_statement, index] -bicep_import_statement_child( - int bicep_import_statement: @bicep_import_statement ref, - int index: int ref, - unique int child: @bicep_import_statement_child_type ref -); - -bicep_import_statement_def( - unique int id: @bicep_import_statement -); - -@bicep_import_with_statement_child_type = @bicep_expression | @bicep_string__ | @bicep_token_identifier - -#keyset[bicep_import_with_statement, index] -bicep_import_with_statement_child( - int bicep_import_with_statement: @bicep_import_with_statement ref, - int index: int ref, - unique int child: @bicep_import_with_statement_child_type ref -); - 
-bicep_import_with_statement_def( - unique int id: @bicep_import_with_statement -); - -#keyset[bicep_infrastructure, index] -bicep_infrastructure_child( - int bicep_infrastructure: @bicep_infrastructure ref, - int index: int ref, - unique int child: @bicep_statement ref -); - -bicep_infrastructure_def( - unique int id: @bicep_infrastructure -); - -bicep_interpolation_def( - unique int id: @bicep_interpolation, - int child: @bicep_expression ref -); - -#keyset[bicep_lambda_expression, index] -bicep_lambda_expression_child( - int bicep_lambda_expression: @bicep_lambda_expression ref, - int index: int ref, - unique int child: @bicep_expression ref -); - -bicep_lambda_expression_def( - unique int id: @bicep_lambda_expression -); - -@bicep_member_expression_object_type = @bicep_expression | @bicep_parameterized_type - -bicep_member_expression_def( - unique int id: @bicep_member_expression, - int object: @bicep_member_expression_object_type ref, - int property: @bicep_token_property_identifier ref -); - -@bicep_metadata_declaration_child_type = @bicep_expression | @bicep_token_identifier - -#keyset[bicep_metadata_declaration, index] -bicep_metadata_declaration_child( - int bicep_metadata_declaration: @bicep_metadata_declaration ref, - int index: int ref, - unique int child: @bicep_metadata_declaration_child_type ref -); - -bicep_metadata_declaration_def( - unique int id: @bicep_metadata_declaration -); - -@bicep_module_declaration_child_type = @bicep_for_statement | @bicep_if_statement | @bicep_object | @bicep_string__ | @bicep_token_identifier - -#keyset[bicep_module_declaration, index] -bicep_module_declaration_child( - int bicep_module_declaration: @bicep_module_declaration ref, - int index: int ref, - unique int child: @bicep_module_declaration_child_type ref -); - -bicep_module_declaration_def( - unique int id: @bicep_module_declaration -); - -bicep_negated_type_def( - unique int id: @bicep_negated_type, - int child: @bicep_type__ ref -); - 
-@bicep_nullable_type_child_type = @bicep_array_type | @bicep_expression | @bicep_parenthesized_type | @bicep_token_primitive_type - -bicep_nullable_type_def( - unique int id: @bicep_nullable_type, - int child: @bicep_nullable_type_child_type ref -); - -@bicep_object_child_type = @bicep_decorators | @bicep_object_property - -#keyset[bicep_object, index] -bicep_object_child( - int bicep_object: @bicep_object ref, - int index: int ref, - unique int child: @bicep_object_child_type ref -); - -bicep_object_def( - unique int id: @bicep_object -); - -@bicep_object_property_child_type = @bicep_array_type | @bicep_compatible_identifier | @bicep_expression | @bicep_nullable_type | @bicep_parameterized_type | @bicep_resource_declaration | @bicep_string__ | @bicep_token_identifier | @bicep_token_primitive_type | @bicep_union_type - -#keyset[bicep_object_property, index] -bicep_object_property_child( - int bicep_object_property: @bicep_object_property ref, - int index: int ref, - unique int child: @bicep_object_property_child_type ref -); - -bicep_object_property_def( - unique int id: @bicep_object_property -); - -@bicep_output_declaration_child_type = @bicep_expression | @bicep_token_identifier | @bicep_type__ - -#keyset[bicep_output_declaration, index] -bicep_output_declaration_child( - int bicep_output_declaration: @bicep_output_declaration ref, - int index: int ref, - unique int child: @bicep_output_declaration_child_type ref -); - -bicep_output_declaration_def( - unique int id: @bicep_output_declaration -); - -@bicep_parameter_child_type = @bicep_token_identifier | @bicep_type__ - -#keyset[bicep_parameter, index] -bicep_parameter_child( - int bicep_parameter: @bicep_parameter ref, - int index: int ref, - unique int child: @bicep_parameter_child_type ref -); - -bicep_parameter_def( - unique int id: @bicep_parameter -); - -@bicep_parameter_declaration_child_type = @bicep_expression | @bicep_token_identifier | @bicep_type__ - -#keyset[bicep_parameter_declaration, index] 
-bicep_parameter_declaration_child( - int bicep_parameter_declaration: @bicep_parameter_declaration ref, - int index: int ref, - unique int child: @bicep_parameter_declaration_child_type ref -); - -bicep_parameter_declaration_def( - unique int id: @bicep_parameter_declaration -); - -@bicep_parameterized_type_child_type = @bicep_token_identifier | @bicep_type_arguments - -#keyset[bicep_parameterized_type, index] -bicep_parameterized_type_child( - int bicep_parameterized_type: @bicep_parameterized_type ref, - int index: int ref, - unique int child: @bicep_parameterized_type_child_type ref -); - -bicep_parameterized_type_def( - unique int id: @bicep_parameterized_type -); - -#keyset[bicep_parameters, index] -bicep_parameters_child( - int bicep_parameters: @bicep_parameters ref, - int index: int ref, - unique int child: @bicep_parameter ref -); - -bicep_parameters_def( - unique int id: @bicep_parameters -); - -#keyset[bicep_parenthesized_expression, index] -bicep_parenthesized_expression_child( - int bicep_parenthesized_expression: @bicep_parenthesized_expression ref, - int index: int ref, - unique int child: @bicep_expression ref -); - -bicep_parenthesized_expression_def( - unique int id: @bicep_parenthesized_expression -); - -bicep_parenthesized_type_def( - unique int id: @bicep_parenthesized_type, - int child: @bicep_type__ ref -); - -@bicep_primary_expression = @bicep_array | @bicep_call_expression | @bicep_for_statement | @bicep_member_expression | @bicep_object | @bicep_parenthesized_expression | @bicep_resource_expression | @bicep_string__ | @bicep_subscript_expression | @bicep_token_boolean | @bicep_token_identifier | @bicep_token_null | @bicep_token_number - -@bicep_resource_declaration_child_type = @bicep_for_statement | @bicep_if_statement | @bicep_object | @bicep_string__ | @bicep_token_identifier - -#keyset[bicep_resource_declaration, index] -bicep_resource_declaration_child( - int bicep_resource_declaration: @bicep_resource_declaration ref, - int index: 
int ref, - unique int child: @bicep_resource_declaration_child_type ref -); - -bicep_resource_declaration_def( - unique int id: @bicep_resource_declaration -); - -bicep_resource_expression_def( - unique int id: @bicep_resource_expression, - int object: @bicep_expression ref, - int resource: @bicep_token_identifier ref -); - -@bicep_statement = @bicep_declaration | @bicep_decorators | @bicep_import_functionality | @bicep_import_statement | @bicep_import_with_statement | @bicep_target_scope_assignment | @bicep_using_statement - -@bicep_string_child_type = @bicep_interpolation | @bicep_token_escape_sequence | @bicep_token_string_content - -#keyset[bicep_string__, index] -bicep_string_child( - int bicep_string__: @bicep_string__ ref, - int index: int ref, - unique int child: @bicep_string_child_type ref -); - -bicep_string_def( - unique int id: @bicep_string__ -); - -bicep_subscript_expression_def( - unique int id: @bicep_subscript_expression, - int index: @bicep_expression ref, - int object: @bicep_expression ref -); - -bicep_target_scope_assignment_def( - unique int id: @bicep_target_scope_assignment, - int child: @bicep_string__ ref -); - -bicep_ternary_expression_def( - unique int id: @bicep_ternary_expression, - int alternative: @bicep_expression ref, - int condition: @bicep_expression ref, - int consequence: @bicep_expression ref -); - -@bicep_test_block_child_type = @bicep_object | @bicep_string__ | @bicep_token_identifier - -#keyset[bicep_test_block, index] -bicep_test_block_child( - int bicep_test_block: @bicep_test_block ref, - int index: int ref, - unique int child: @bicep_test_block_child_type ref -); - -bicep_test_block_def( - unique int id: @bicep_test_block -); - -@bicep_type_child_type = @bicep_array_type | @bicep_member_expression | @bicep_negated_type | @bicep_nullable_type | @bicep_object | @bicep_parameterized_type | @bicep_parenthesized_type | @bicep_string__ | @bicep_token_boolean | @bicep_token_identifier | @bicep_token_null | @bicep_token_number 
| @bicep_token_primitive_type | @bicep_union_type - -bicep_type_def( - unique int id: @bicep_type__, - int child: @bicep_type_child_type ref -); - -#keyset[bicep_type_arguments, index] -bicep_type_arguments_child( - int bicep_type_arguments: @bicep_type_arguments ref, - int index: int ref, - unique int child: @bicep_string__ ref -); - -bicep_type_arguments_def( - unique int id: @bicep_type_arguments -); - -@bicep_type_declaration_child_type = @bicep_array_type | @bicep_expression | @bicep_nullable_type | @bicep_parameterized_type | @bicep_token_identifier | @bicep_union_type - -#keyset[bicep_type_declaration, index] -bicep_type_declaration_child( - int bicep_type_declaration: @bicep_type_declaration ref, - int index: int ref, - unique int child: @bicep_type_declaration_child_type ref -); - -bicep_type_declaration_def( - unique int id: @bicep_type_declaration -); - -case @bicep_unary_expression.operator of - 0 = @bicep_unary_expression_bang -| 1 = @bicep_unary_expression_minus -; - - -bicep_unary_expression_def( - unique int id: @bicep_unary_expression, - int argument: @bicep_expression ref, - int operator: int ref -); - -@bicep_union_type_child_type = @bicep_array_type | @bicep_expression | @bicep_member_expression | @bicep_negated_type | @bicep_nullable_type | @bicep_object | @bicep_parameterized_type | @bicep_parenthesized_type | @bicep_string__ | @bicep_token_boolean | @bicep_token_identifier | @bicep_token_null | @bicep_token_number | @bicep_token_primitive_type - -#keyset[bicep_union_type, index] -bicep_union_type_child( - int bicep_union_type: @bicep_union_type ref, - int index: int ref, - unique int child: @bicep_union_type_child_type ref -); - -bicep_union_type_def( - unique int id: @bicep_union_type -); - -@bicep_user_defined_function_child_type = @bicep_expression | @bicep_parameters - -#keyset[bicep_user_defined_function, index] -bicep_user_defined_function_child( - int bicep_user_defined_function: @bicep_user_defined_function ref, - int index: int ref, 
- unique int child: @bicep_user_defined_function_child_type ref -); - -bicep_user_defined_function_def( - unique int id: @bicep_user_defined_function, - int name: @bicep_token_identifier ref, - int returns: @bicep_type__ ref -); - -bicep_using_statement_def( - unique int id: @bicep_using_statement, - int child: @bicep_string__ ref -); - -@bicep_variable_declaration_child_type = @bicep_expression | @bicep_token_identifier - -#keyset[bicep_variable_declaration, index] -bicep_variable_declaration_child( - int bicep_variable_declaration: @bicep_variable_declaration ref, - int index: int ref, - unique int child: @bicep_variable_declaration_child_type ref -); - -bicep_variable_declaration_def( - unique int id: @bicep_variable_declaration -); - -bicep_tokeninfo( - unique int id: @bicep_token, - int kind: int ref, - string value: string ref -); - -case @bicep_token.kind of - 0 = @bicep_reserved_word -| 1 = @bicep_token_boolean -| 2 = @bicep_token_comment -| 3 = @bicep_token_diagnostic_comment -| 4 = @bicep_token_escape_sequence -| 5 = @bicep_token_identifier -| 6 = @bicep_token_loop_enumerator -| 7 = @bicep_token_loop_variable -| 8 = @bicep_token_null -| 9 = @bicep_token_nullable_return_type -| 10 = @bicep_token_number -| 11 = @bicep_token_primitive_type -| 12 = @bicep_token_property_identifier -| 13 = @bicep_token_string_content -; - - -@bicep_ast_node = @bicep_arguments | @bicep_array | @bicep_array_type | @bicep_assert_statement | @bicep_assignment_expression | @bicep_binary_expression | @bicep_call_expression | @bicep_compatible_identifier | @bicep_decorator | @bicep_decorators | @bicep_for_loop_parameters | @bicep_for_statement | @bicep_if_statement | @bicep_import_functionality | @bicep_import_statement | @bicep_import_with_statement | @bicep_infrastructure | @bicep_interpolation | @bicep_lambda_expression | @bicep_member_expression | @bicep_metadata_declaration | @bicep_module_declaration | @bicep_negated_type | @bicep_nullable_type | @bicep_object | 
@bicep_object_property | @bicep_output_declaration | @bicep_parameter | @bicep_parameter_declaration | @bicep_parameterized_type | @bicep_parameters | @bicep_parenthesized_expression | @bicep_parenthesized_type | @bicep_resource_declaration | @bicep_resource_expression | @bicep_string__ | @bicep_subscript_expression | @bicep_target_scope_assignment | @bicep_ternary_expression | @bicep_test_block | @bicep_token | @bicep_type__ | @bicep_type_arguments | @bicep_type_declaration | @bicep_unary_expression | @bicep_union_type | @bicep_user_defined_function | @bicep_using_statement | @bicep_variable_declaration
-
-bicep_ast_node_location(
- unique int node: @bicep_ast_node ref,
- int loc: @location_default ref
-);
-
-#keyset[parent, parent_index]
-bicep_ast_node_parent(
- unique int node: @bicep_ast_node ref,
- int parent: @bicep_ast_node ref,
- int parent_index: int ref
-);
-
diff --git a/ql/lib/iac.qll b/ql/lib/iac.qll
index 7031af1..70bc488 100644
--- a/ql/lib/iac.qll
+++ b/ql/lib/iac.qll
@@ -5,7 +5,6 @@ import codeql.iac.Dependencies
 import codeql.iac.actions.Actions
 // Azure
 import codeql.iac.azure.ARM
-import codeql.iac.azure.Bicep
 import codeql.iac.azure.Pipelines
 // AWS
 import codeql.iac.aws.CloudFormation
diff --git a/ql/lib/qlpack.yml b/ql/lib/qlpack.yml
index 33360e9..ba0dc63 100644
--- a/ql/lib/qlpack.yml
+++ b/ql/lib/qlpack.yml
@@ -4,8 +4,8 @@ warnOnImplicitThis: false
 name: advanced-security/iac-all
 version: 0.4.1
 dependencies:
- codeql/util: ^0.1.2
- codeql/yaml: ^0.1.2
+ codeql/util: ^1.0.12
+ codeql/yaml: ^1.0.25
 dbscheme: iac.dbscheme
 extractor: iac
 upgrades: upgrades
diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml
index 87cfce3..69ce09b 100644
--- a/ql/src/codeql-pack.lock.yml
+++ b/ql/src/codeql-pack.lock.yml
@@ -2,7 +2,7 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/util:
- version: 0.1.2
+ version: 1.0.12
 codeql/yaml:
- version: 0.1.5
+ version: 1.0.25
 compiled: false
diff --git a/ql/src/security/Bicep/Storage/PublicAccess.md b/ql/src/security/Bicep/Storage/PublicAccess.md
deleted file mode 100644
index d652455..0000000
--- a/ql/src/security/Bicep/Storage/PublicAccess.md
+++ /dev/null
@@ -1,27 +0,0 @@
-# Azure Blob Container Public Access
-
-When using a Bicep template to create a storage account, you can specify the public access level for the blob container. The default value is set to `None` which means that the container is private and can only be accessed by the storage account owner. The other options are `Blob` and `Container` which allow anonymous read access to the blob or container respectively.
-
-## Examples
-
-### Bad Example
-
-```bicep
-resource containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
- name: 'insecure'
- properties: {
- publicAccess: 'Blob'
- }
-}
-```
-
-### Good Example
-
-```bicep
-resource containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
- name: 'secure'
- properties: {
- publicAccess: 'None'
- }
-}
-```
diff --git a/ql/src/security/Bicep/Storage/PublicAccess.ql b/ql/src/security/Bicep/Storage/PublicAccess.ql
deleted file mode 100644
index 8039525..0000000
--- a/ql/src/security/Bicep/Storage/PublicAccess.ql
+++ /dev/null
@@ -1,19 +0,0 @@
-/**
- * @name Azure Blob Container Public Access
- * @description Azure Blob Container Public Access
- * @kind problem
- * @problem.severity error
- * @security-severity 10.0
- * @precision high
- * @id bicep/azure/storage-publicly-accessible
- * @tags security
- * bicep
- * azure
- * storage
- */
-
-import bicep
-
-from Storage::BlobServiceContainers container
-where container.getPublicAccess() = ["Blob", "Container"]
-select container, "Public Blob Container resource."
diff --git a/ql/src/security/Bicep/Storage/SupportHttpTraffic.ql b/ql/src/security/Bicep/Storage/SupportHttpTraffic.ql
deleted file mode 100644
index 68ddf9f..0000000
--- a/ql/src/security/Bicep/Storage/SupportHttpTraffic.ql
+++ /dev/null
@@ -1,20 +0,0 @@
-/**
- * @name Supports non-HTTPS traffic for storage accounts
- * @description Supports non-HTTPS traffic for storage accounts
- * @kind problem
- * @severity warning
- * @security-severity 9.0
- * @precision very-high
- * @id bicep/azure/storage-tls-disabled
- * @tags security
- * bicep
- * azure
- * storage
- */
-
-import bicep
-
-from Storage::StorageAccountsProperties properties
-where properties.getSupportsHttpsTrafficOnly() = false
-select properties.getProperty("supportsHttpsTrafficOnly"),
- "Supports non-HTTPS traffic for storage accounts."
diff --git a/ql/test/codeql-pack.lock.yml b/ql/test/codeql-pack.lock.yml
index 87cfce3..69ce09b 100644
--- a/ql/test/codeql-pack.lock.yml
+++ b/ql/test/codeql-pack.lock.yml
@@ -2,7 +2,7 @@
 lockVersion: 1.0.0
 dependencies:
 codeql/util:
- version: 0.1.2
+ version: 1.0.12
 codeql/yaml:
- version: 0.1.5
+ version: 1.0.25
 compiled: false
diff --git a/ql/test/library-tests/bicep/ast/AST.expected b/ql/test/library-tests/bicep/ast/AST.expected
deleted file mode 100644
index cd0a3d5..0000000
--- a/ql/test/library-tests/bicep/ast/AST.expected
+++ /dev/null
@@ -1,107 +0,0 @@
-| sample.bicep:1:1:14:2 | Infrastructure |
-| sample.bicep:1:7:1:14 | ??? |
-| sample.bicep:1:7:1:14 | Expression |
-| sample.bicep:1:7:1:14 | location |
-| sample.bicep:1:25:1:37 | ??? |
-| sample.bicep:1:25:1:37 | Expression |
-| sample.bicep:1:25:1:37 | resourceGroup |
-| sample.bicep:1:25:1:39 | ??? |
-| sample.bicep:1:25:1:39 | CallExpr |
-| sample.bicep:1:25:1:39 | Expression |
-| sample.bicep:1:25:1:48 | ??? |
-| sample.bicep:1:25:1:48 | Expression |
-| sample.bicep:1:25:1:48 | MemberExpr |
-| sample.bicep:1:41:1:48 | location |
-| sample.bicep:2:7:2:24 | ??? |
-| sample.bicep:2:7:2:24 | Expression |
-| sample.bicep:2:7:2:24 | storageAccountName |
-| sample.bicep:2:35:2:80 | ??? |
-| sample.bicep:2:35:2:80 | Expression |
-| sample.bicep:2:35:2:80 | toylaunch |
-| sample.bicep:2:36:2:44 | toylaunch |
-| sample.bicep:2:47:2:58 | ??? |
-| sample.bicep:2:47:2:58 | Expression |
-| sample.bicep:2:47:2:58 | uniqueString |
-| sample.bicep:2:47:2:78 | ??? |
-| sample.bicep:2:47:2:78 | CallExpr |
-| sample.bicep:2:47:2:78 | Expression |
-| sample.bicep:2:60:2:72 | ??? |
-| sample.bicep:2:60:2:72 | Expression |
-| sample.bicep:2:60:2:72 | resourceGroup |
-| sample.bicep:2:60:2:74 | ??? |
-| sample.bicep:2:60:2:74 | CallExpr |
-| sample.bicep:2:60:2:74 | Expression |
-| sample.bicep:2:60:2:77 | ??? |
-| sample.bicep:2:60:2:77 | Expression |
-| sample.bicep:2:60:2:77 | MemberExpr |
-| sample.bicep:2:76:2:77 | id |
-| sample.bicep:4:1:14:1 | ResourceDeclaration |
-| sample.bicep:4:10:4:23 | ??? |
-| sample.bicep:4:10:4:23 | Expression |
-| sample.bicep:4:10:4:23 | storageAccount |
-| sample.bicep:4:25:4:70 | ??? |
-| sample.bicep:4:25:4:70 | Expression |
-| sample.bicep:4:25:4:70 | Microsoft.Storage/storageAccounts@2021-06-01 |
-| sample.bicep:4:26:4:69 | Microsoft.Storage/storageAccounts@2021-06-01 |
-| sample.bicep:4:74:14:1 | ??? |
-| sample.bicep:4:74:14:1 | Expression |
-| sample.bicep:4:74:14:1 | Object |
-| sample.bicep:5:3:5:6 | ??? |
-| sample.bicep:5:3:5:6 | Expression |
-| sample.bicep:5:3:5:6 | name |
-| sample.bicep:5:3:5:26 | name = Expression |
-| sample.bicep:5:3:5:26 | name = storageAccountName |
-| sample.bicep:5:9:5:26 | ??? |
-| sample.bicep:5:9:5:26 | Expression |
-| sample.bicep:5:9:5:26 | storageAccountName |
-| sample.bicep:6:3:6:10 | ??? |
-| sample.bicep:6:3:6:10 | Expression |
-| sample.bicep:6:3:6:10 | location |
-| sample.bicep:6:3:6:20 | location = Expression |
-| sample.bicep:6:3:6:20 | location = location |
-| sample.bicep:6:13:6:20 | ??? |
-| sample.bicep:6:13:6:20 | Expression |
-| sample.bicep:6:13:6:20 | location |
-| sample.bicep:7:3:7:5 | ??? |
-| sample.bicep:7:3:7:5 | Expression |
-| sample.bicep:7:3:7:5 | sku |
-| sample.bicep:7:3:9:3 | sku = Expression |
-| sample.bicep:7:3:9:3 | sku = Object |
-| sample.bicep:7:8:9:3 | ??? |
-| sample.bicep:7:8:9:3 | Expression |
-| sample.bicep:7:8:9:3 | Object |
-| sample.bicep:8:5:8:8 | ??? |
-| sample.bicep:8:5:8:8 | Expression |
-| sample.bicep:8:5:8:8 | name |
-| sample.bicep:8:5:8:24 | name = Expression |
-| sample.bicep:8:5:8:24 | name = Standard_LRS |
-| sample.bicep:8:11:8:24 | ??? |
-| sample.bicep:8:11:8:24 | Expression |
-| sample.bicep:8:11:8:24 | Standard_LRS |
-| sample.bicep:8:12:8:23 | Standard_LRS |
-| sample.bicep:10:3:10:6 | ??? |
-| sample.bicep:10:3:10:6 | Expression |
-| sample.bicep:10:3:10:6 | kind |
-| sample.bicep:10:3:10:19 | kind = Expression |
-| sample.bicep:10:3:10:19 | kind = StorageV2 |
-| sample.bicep:10:9:10:19 | ??? |
-| sample.bicep:10:9:10:19 | Expression |
-| sample.bicep:10:9:10:19 | StorageV2 |
-| sample.bicep:10:10:10:18 | StorageV2 |
-| sample.bicep:11:3:11:12 | ??? |
-| sample.bicep:11:3:11:12 | Expression |
-| sample.bicep:11:3:11:12 | properties |
-| sample.bicep:11:3:13:3 | properties = Expression |
-| sample.bicep:11:3:13:3 | properties = Object |
-| sample.bicep:11:15:13:3 | ??? |
-| sample.bicep:11:15:13:3 | Expression |
-| sample.bicep:11:15:13:3 | Object |
-| sample.bicep:12:5:12:14 | ??? |
-| sample.bicep:12:5:12:14 | Expression |
-| sample.bicep:12:5:12:14 | accessTier |
-| sample.bicep:12:5:12:21 | accessTier = Expression |
-| sample.bicep:12:5:12:21 | accessTier = Hot |
-| sample.bicep:12:17:12:21 | ??? |
-| sample.bicep:12:17:12:21 | Expression |
-| sample.bicep:12:17:12:21 | Hot |
-| sample.bicep:12:18:12:20 | Hot |
diff --git a/ql/test/library-tests/bicep/ast/AST.ql b/ql/test/library-tests/bicep/ast/AST.ql
deleted file mode 100644
index 7c6d206..0000000
--- a/ql/test/library-tests/bicep/ast/AST.ql
+++ /dev/null
@@ -1,3 +0,0 @@
-private import codeql.iac.ast.Bicep
-
-query predicate ast(BicepAstNode ast) { any() }
diff --git a/ql/test/library-tests/bicep/ast/sample.bicep b/ql/test/library-tests/bicep/ast/sample.bicep
deleted file mode 100644
index ca9508e..0000000
--- a/ql/test/library-tests/bicep/ast/sample.bicep
+++ /dev/null
@@ -1,14 +0,0 @@
-param location string = resourceGroup().location
-param storageAccountName string = 'toylaunch${uniqueString(resourceGroup().id)}'
-
-resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
- name: storageAccountName
- location: location
- sku: {
- name: 'Standard_LRS'
- }
- kind: 'StorageV2'
- properties: {
- accessTier: 'Hot'
- }
-}
diff --git a/ql/test/library-tests/bicep/resource/Resolve.expected b/ql/test/library-tests/bicep/resource/Resolve.expected
deleted file mode 100644
index f4efa13..0000000
--- a/ql/test/library-tests/bicep/resource/Resolve.expected
+++ /dev/null
@@ -1,4 +0,0 @@
-resolveIdentifier
-| sample.bicep:1:1:3:1 | VirtualNetworks Resource | sample.bicep:5:1:8:1 | ResourceDeclaration |
-resolveResource
-| sample.bicep:15:1:28:1 | VirtualMachines Resource | sample.bicep:10:1:13:1 | NetworkInterfaces Resource |
diff --git a/ql/test/library-tests/bicep/resource/Resolve.ql b/ql/test/library-tests/bicep/resource/Resolve.ql
deleted file mode 100644
index 0a8fcbf..0000000
--- a/ql/test/library-tests/bicep/resource/Resolve.ql
+++ /dev/null
@@ -1,9 +0,0 @@
-import bicep
-
-query predicate resolveIdentifier(Network::VirtualNetworks vn, Network::VirtualNetworkSubnets vns) {
- vns.getParent() = vn
-}
-
-query predicate resolveResource(Compute::VirtualMachines vm, Network::NetworkInterfaces ni) {
- ni = vm.getNetworkInterfaces()
-}
diff --git a/ql/test/library-tests/bicep/resource/sample.bicep b/ql/test/library-tests/bicep/resource/sample.bicep
deleted file mode 100644
index 2f5ba86..0000000
--- a/ql/test/library-tests/bicep/resource/sample.bicep
+++ /dev/null
@@ -1,28 +0,0 @@
-resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
- name: 'vnet'
-}
-
-resource existingSubnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = {
- parent: vnet
- name: 'subnet'
-}
-
-resource nic 'Microsoft.Network/networkInterfaces@2021-05-01' = {
- name: '${name}-nic-${env}'
- location: location
-}
-
-resource linuxVm 'Microsoft.Compute/virtualMachines@2020-06-01' = {
- name: '${name}-linux-${env}'
- location: location
-
- properties: {
- networkProfile: {
- networkInterfaces: [
- {
- id: nic.id
- }
- ]
- }
- }
-}
diff --git a/ql/test/library-tests/hcl/aws/AST.ql b/ql/test/library-tests/hcl/aws/AST.ql
index afd1f8d..9ef3581 100644
--- a/ql/test/library-tests/hcl/aws/AST.ql
+++ b/ql/test/library-tests/hcl/aws/AST.ql
@@ -1,4 +1,4 @@
-private import codeql.hcl.providers.AWS
+import hcl
 query predicate resource(AWS::AwsResource n) { any() }
diff --git a/ql/test/queries-tests/Bicep/Storage/PublicBucket/PublicBucket.expected b/ql/test/queries-tests/Bicep/Storage/PublicBucket/PublicBucket.expected
deleted file mode 100644
index 46a9b69..0000000
--- a/ql/test/queries-tests/Bicep/Storage/PublicBucket/PublicBucket.expected
+++ /dev/null
@@ -1 +0,0 @@
-| storage.bicep:11:1:16:1 | ResourceDeclaration | Public Blob Container resource. |
diff --git a/ql/test/queries-tests/Bicep/Storage/PublicBucket/PublicBucket.qlref b/ql/test/queries-tests/Bicep/Storage/PublicBucket/PublicBucket.qlref
deleted file mode 100644
index 019d972..0000000
--- a/ql/test/queries-tests/Bicep/Storage/PublicBucket/PublicBucket.qlref
+++ /dev/null
@@ -1 +0,0 @@
-security/Bicep/Storage/PublicAccess.ql
\ No newline at end of file
diff --git a/ql/test/queries-tests/Bicep/Storage/PublicBucket/storage.bicep b/ql/test/queries-tests/Bicep/Storage/PublicBucket/storage.bicep
deleted file mode 100644
index 6d069db..0000000
--- a/ql/test/queries-tests/Bicep/Storage/PublicBucket/storage.bicep
+++ /dev/null
@@ -1,16 +0,0 @@
-
-// Secure
-resource containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
- name: 'secure'
- properties: {
- publicAccess: 'None'
- }
-}
-
-// Insecure
-resource containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
- name: 'insecure'
- properties: {
- publicAccess: 'Blob'
- }
-}
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
index 7c6fd31..00e88ca 100644
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.75"
+channel = "1.85"
 profile = "minimal"
 components = ["rustfmt"]
diff --git a/scripts/create-extractor-pack.sh b/scripts/create-extractor-pack.sh
index 8650e2a..023be27 100755
--- a/scripts/create-extractor-pack.sh
+++ b/scripts/create-extractor-pack.sh
@@ -22,6 +22,9 @@ else
 CODEQL_BINARY="gh codeql"
 fi
+echo "Update submodules..."
+git submodule update --init --recursive
+
 cargo build --release
 cargo run --release --bin codeql-extractor-iac -- generate --dbscheme ql/lib/iac.dbscheme --library ql/lib/codeql/iac/ast/internal/TreeSitter.qll
 $CODEQL_BINARY query format -i ql/lib/codeql/iac/ast/internal/TreeSitter.qll
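Review bot: The added `git submodule update --init --recursive` has no failure handling in the hunk, so unless the script enables `set -e` earlier (its start is outside the hunk) a failed or partial submodule fetch falls straight through to `cargo build --release` against an empty submodule tree, and the build fails with a far less direct error. Suggest `git submodule update --init --recursive || { echo "submodule update failed" >&2; exit 1; }`, or confirm that `set -e` is already in effect at the top of the script. A one-line comment above the new step noting that it must run from a git clone rather than an exported source archive would also save a confusing failure for anyone running the script outside CI, since the script otherwise only relies on the working tree.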