advanced-security · GeekMasher · Sep 19, 2023 · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -37,6 +37,8 @@ jobs:
 
           ./scripts/create-extractor-pack.sh
 
+          gh codeql resolve languages --format=json --search-path ./extractor-pack
+
       - name: "Run Tests"
         if: steps.changes.outputs.src == 'true'
         run: |

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/codeql-extractor.yml b/codeql-extractor.yml
@@ -1,29 +1,33 @@
 name: "iac"
 display_name: "IAC"
-version: 0.0.3
+version: 0.0.4
 column_kind: "utf8"
 legacy_qltest_extraction: true
 github_api_languages:
   - HCL
   - Docker
+  - Bicep
 scc_languages:
   - HCL
   - Docker
+  - Bicep
 
 # File types
 file_types:
   - name: hcl
     display_name: HCL
     extensions:
       - .tf
-      - .ftvars
+      - .tfvars
       - .hcl
-  - name: json
-    display_name: JSON
-    extensions:
-      - .json
+
   - name: dockerfile
     display_name: Dockerfile
     extensions:
       - .Dockerfile
       - .Containerfile
+
+  - name: bicep
+    display_name: Bicep
+    extensions:
+      - .bicep
diff --git a/docs/languages-and-frameworks.md b/docs/languages-and-frameworks.md
@@ -10,6 +10,7 @@ The `codeql-extractor-iac` extractor supports the following languages:
 | JSON            | `.json`, `.jsonl`, `.jsonc`     |
 | YAML            | `.yaml`, `.yml`                 |
 | Container files | `*Dockerfile`, `*Containerfile` |
+| Bicep           | `.bicep`                        |
 
 All of these files will be extracted and stored inside the IaC CodeQL Database.
 
@@ -30,7 +31,7 @@ The following table lists the supported frameworks and technologies:
 | Docker / Container file(s) |      2      | extractor and library           |
 | GitHub Actions             |      2      | extractor and library           |
 | OpenAPI / Swagger          |      2      | extractor and library           |
-| Azure Bicep                |      0      | currently unsupported           |
+| Azure Bicep                |      2      | extractor and library           |
 
 _levels grades are based on completeness, higher the grade the better its supported._
 

diff --git a/extractor/Cargo.toml b/extractor/Cargo.toml
@@ -12,6 +12,7 @@ flate2 = "1.0"
 tree-sitter = ">= 0.20, < 0.21"
 tree-sitter-hcl = { git = "https://github.com/GeekMasher/tree-sitter-hcl", rev = "5e045dd1ff7852511c249c4c5d919d9556751d98" }
 tree-sitter-dockerfile = { git = "https://github.com/GeekMasher/tree-sitter-dockerfile", rev = "c0a9d694d9bf8ab79a919f5f9c7bc9c169caf321" }
+tree-sitter-bicep = { git = "https://github.com/GeekMasher/tree-sitter-bicep", rev = "3604d8c961ab129d2bfc6dfca56419c236ccdb83" }
 clap = { version = "4.4", features = ["derive"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }

diff --git a/extractor/src/autobuilder.rs b/extractor/src/autobuilder.rs
@@ -19,6 +19,7 @@ pub fn run(_: Options) -> std::io::Result<()> {
             ".tf",
             ".ftvars",     // Terraform / HCL files
             ".Dockerfile", // Docker files
+            ".bicep",      // Bicep files
         ])
         .include_globs(&[
             "**/Dockerfile",

diff --git a/extractor/src/extractor.rs b/extractor/src/extractor.rs
@@ -42,6 +42,12 @@ pub fn run(options: Options) -> std::io::Result<()> {
                 node_types: tree_sitter_dockerfile::NODE_TYPES,
                 file_globs: vec!["*Dockerfile".into(), "*Containerfile".into()],
             },
+            simple::LanguageSpec {
+                prefix: "bicep",
+                ts_language: tree_sitter_bicep::language(),
+                node_types: tree_sitter_bicep::NODE_TYPES,
+                file_globs: vec!["*.bicep".into()],
+            },
         ],
         trap_dir: options.output_dir,
         trap_compression: trap::Compression::from_env("CODEQL_IAC_TRAP_COMPRESSION"),

diff --git a/extractor/src/generator.rs b/extractor/src/generator.rs
@@ -31,6 +31,10 @@ pub fn run(options: Options) -> std::io::Result<()> {
             name: "DOCKERFILE".to_owned(),
             node_types: tree_sitter_dockerfile::NODE_TYPES,
         },
+        Language {
+            name: "BICEP".to_owned(),
+            node_types: tree_sitter_bicep::NODE_TYPES,
+        },
     ];
 
     generate(languages, options.dbscheme, options.library)

diff --git a/ql/lib/bicep.qll b/ql/lib/bicep.qll
@@ -0,0 +1,6 @@
+import codeql.Locations
+import codeql.files.FileSystem
+import codeql.bicep.AST
+// Resources
+import codeql.bicep.microsoft.Compute
+import codeql.bicep.microsoft.Storage
diff --git a/ql/lib/codeql/bicep/AST.qll b/ql/lib/codeql/bicep/AST.qll
@@ -0,0 +1,4 @@
+import codeql.bicep.ast.AstNodes
+import codeql.bicep.ast.Expr
+import codeql.bicep.ast.Literal
+import codeql.bicep.ast.Resources
diff --git a/ql/lib/codeql/bicep/ast/AstNodes.qll b/ql/lib/codeql/bicep/ast/AstNodes.qll
@@ -0,0 +1,67 @@
+private import codeql.Locations
+private import codeql.files.FileSystem
+private import codeql.iac.ast.internal.Bicep
+
+/** An AST node of a Bicep program */
+class BicepAstNode extends TBicepAstNode {
+  string toString() { result = this.getAPrimaryQlClass() }
+
+  /** Gets the location of the AST node. */
+  cached
+  Location getLocation() { result = this.getFullLocation() } // overridden in some subclasses
+
+  /** Gets the file containing this AST node. */
+  cached
+  File getFile() { result = this.getFullLocation().getFile() }
+
+  /** Gets the location that spans the entire AST node. */
+  cached
+  final Location getFullLocation() { result = toBicepTreeSitter(this).getLocation() }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    if exists(this.getLocation())
+    then this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    else (
+      filepath = "" and
+      startline = 0 and
+      startcolumn = 0 and
+      endline = 0 and
+      endcolumn = 0
+    )
+  }
+
+  /**
+   * Gets the parent in the AST for this node.
+   */
+  cached
+  BicepAstNode getParent() { result.getAChild(_) = this }
+
+  /**
+   * Gets a child of this node, which can also be retrieved using a predicate
+   * named `pred`.
+   */
+  cached
+  BicepAstNode getAChild(string pred) { none() }
+
+  /** Gets any child of this node. */
+  BicepAstNode getAChild() { result = this.getAChild(_) }
+
+  /**
+   * Gets the primary QL class for the ast node.
+   */
+  string getAPrimaryQlClass() { result = "???" }
+}
+
+class Comment extends BicepAstNode, TComment {
+  override string getAPrimaryQlClass() { result = "Comment" }
+}
+
+class Infrastructure extends BicepAstNode, TInfrastructure {
+  private BICEP::Infrastructure infrastructure;
+
+  override string getAPrimaryQlClass() { result = "Infrastructure" }
+
+  Infrastructure() { this = TInfrastructure(infrastructure) }
+}