diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a0fd437cdd..fb06146be1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,6 +19,15 @@ jobs:
 with:
 submodules: true
+ - name: Debug Checkout
+ run: |
+ echo "codeql/${{ matrix.language }}-queries:"
+ find ./codeql -type f -name "qlpack.yml" -exec grep -l "name: codeql/${{ matrix.language }}-queries" {} \;
+ echo "codeql/${{ matrix.language }}-all:"
+ find ./codeql -type f -name "qlpack.yml" -exec grep -l "name: codeql/${{ matrix.language }}-all" {} \;
+ echo "codeql/suite-helpers:"
+ find ./codeql -type f -name "qlpack.yml" -exec grep -l "name: codeql/suite-helpers" {} \;
+
 - name: Install CodeQL
 env:
 GITHUB_TOKEN: ${{ github.token }}
@@ -26,10 +35,12 @@ jobs:
 gh extension install github/gh-codeql
 # gh codeql set-channel nightly
 gh codeql version
+ # Install the CodeQL Pack
+ gh codeql pack download "codeql/${{ matrix.language }}-queries"
 - name: Compile Queries
 run: |
- gh codeql query compile --warnings=error --search-path=./codeql:./codeql-go ./${{ matrix.language }}/
+ gh codeql query compile --warnings=error --search-path=./codeql --additional-packs=./codeql/ ./${{ matrix.language }}/
 - name: Test Queries
 run: |
diff --git a/CODEOWNERS b/CODEOWNERS
index 6e8b211ce4..669fcad046 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
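Review bot: The `Debug Checkout` step only greps the submodule for three pack names and prints the matches, so it adds a `find` over the whole `./codeql` tree to every matrix job without affecting the build; once the pack layout is confirmed it should be removed, or at least gated with `if: ${{ runner.debug == '1' }}` so it runs only when step debugging is enabled. The `${{ matrix.language }}` expansions inside `run:` are substituted into the script before the shell sees them; that is fine as long as the matrix is a fixed list declared in the workflow (not visible in this hunk), and passing the value through `env:` would keep it fine regardless of where the matrix values come from. The enclosing `steps:` list and its job begin outside the hunk.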
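Review bot: `gh codeql pack download "codeql/${{ matrix.language }}-queries"` carries no `@version`, so each CI run fetches whatever the registry currently publishes for that pack, while `--additional-packs=./codeql/` on the rewritten compile line points at the commit-pinned submodule; the two copies can drift apart, and which one the compiler resolves is decided by the CLI's pack-resolution order rather than by anything checked into this repository. Pin the download, `gh codeql pack download "codeql/${{ matrix.language }}-queries@<PINNED_VERSION>"` (placeholder), or drop it if the submodule is meant to be the source of the packs, which is what the new Debug Checkout step appears to be verifying. The old search path also listed `./codeql-go`; if `go` is one of the matrix languages (`go/qlpack.yml` is updated in this commit), compilation now depends on the submodule providing `codeql/go-queries`, which this hunk cannot show. The `Install CodeQL` step's `run:` block begins outside the hunk.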
@@ -1,16 +1,16 @@
 # CodeQL Queries
-config/* @geekmasher
-cpp/* @geekmasher
-csharp/* @geekmasher
-java/* @geekmasher
-javascript/* @geekmasher
-python/* @geekmasher
-ruby/* @geekmasher
+config/* @geekmasher @aegilops @nickliffen
+cpp/* @geekmasher @aegilops @nickliffen
+csharp/* @geekmasher @aegilops @nickliffen
+java/* @geekmasher @aegilops @nickliffen
+javascript/* @geekmasher @aegilops @nickliffen
+python/* @geekmasher @aegilops @nickliffen
+ruby/* @geekmasher @aegilops @nickliffen
 # CI / Scripts
-.github/workflows/* @geekmasher
-.github/scripts/* @geekmasher
+.github/workflows/* @geekmasher @aegilops @nickliffen
+.github/scripts/* @geekmasher @aegilops @nickliffen
 # Misc
-* @geekmasher
+* @geekmasher @aegilops @nickliffen
diff --git a/codeql b/codeql
index d0e3edf7ad..a520de3986 160000
--- a/codeql
+++ b/codeql
@@ -1 +1 @@
-Subproject commit d0e3edf7adf7cac22753aafa875b4e477eb14205
+Subproject commit a520de3986987baf4c5f846bd82bf68536ae042c
diff --git a/cpp/qlpack.yml b/cpp/qlpack.yml
index c7226e4fdf..ef5e5e3c7a 100644
--- a/cpp/qlpack.yml
+++ b/cpp/qlpack.yml
@@ -1,3 +1,4 @@
 name: github-queries-cpp
 version: 0.0.0
-libraryPathDependencies: codeql-cpp
\ No newline at end of file
+dependencies:
+ codeql/cpp-queries: "*"
\ No newline at end of file
diff --git a/csharp/qlpack.yml b/csharp/qlpack.yml
index 2717f5bf41..6c12bddbac 100644
--- a/csharp/qlpack.yml
+++ b/csharp/qlpack.yml
@@ -1,3 +1,4 @@
 name: github-queries-csharp
 version: 0.0.0
-libraryPathDependencies: codeql-csharp
\ No newline at end of file
+dependencies:
+ codeql/csharp-queries: "*"
\ No newline at end of file
diff --git a/go/qlpack.yml b/go/qlpack.yml
index 39eced8e4d..285d7d5826 100644
--- a/go/qlpack.yml
+++ b/go/qlpack.yml
@@ -1,3 +1,4 @@
 name: github-queries-go
 version: 0.1.0
-libraryPathDependencies: codeql-go
\ No newline at end of file
+dependencies:
+ codeql/go-queries: "*"
\ No newline at end of file
diff --git a/java/qlpack.yml b/java/qlpack.yml
index 842d4339d0..340a96e4fa 100644
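Review bot: The catch-all `* @geekmasher @aegilops @nickliffen` stays at the bottom of the file, and in CODEOWNERS the last matching pattern wins, so it shadows every more specific entry above it; today that is invisible because every line now carries the same three owners, but as soon as one directory is given a different owner set the `*` rule will silently override it. Move the `*` line to the top of the file so the directory-specific rules take precedence. The owner expansion itself is applied consistently to every entry.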
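Review bot: `codeql/cpp-queries: "*"` accepts any published version of the pack, so what these queries compile against is decided by whichever copy the CLI finds at build time rather than by the repository; the same `"*"` range is introduced in the csharp, go, java, javascript, python and ruby `qlpack.yml` hunks. Pin a range, e.g. `codeql/cpp-queries: "<PINNED_VERSION_RANGE>"` (placeholder), or run `codeql pack install` and commit the `codeql-pack.lock.yml` it writes so resolution is reproducible. If these packs only need the standard library, `codeql/cpp-all` is the lighter dependency; depending on the `-queries` pack is presumably deliberate so that suites can reference its queries, as the new Python suite does with `from: codeql/python-queries`. Both the old and new file end without a trailing newline, as the `\ No newline at end of file` markers show; adding one avoids noise in future diffs.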
--- a/java/qlpack.yml
+++ b/java/qlpack.yml
@@ -1,3 +1,4 @@
 name: github-queries-java
 version: 0.0.0
-libraryPathDependencies: codeql-java
\ No newline at end of file
+dependencies:
+ codeql/java-queries: "*"
\ No newline at end of file
diff --git a/javascript/qlpack.yml b/javascript/qlpack.yml
index 7d3b081704..b190fb42ca 100644
--- a/javascript/qlpack.yml
+++ b/javascript/qlpack.yml
@@ -1,3 +1,4 @@
 name: github-queries-javascript
 version: 0.0.0
-libraryPathDependencies: codeql-javascript
\ No newline at end of file
+dependencies:
+ codeql/javascript-queries: "*"
\ No newline at end of file
diff --git a/python/qlpack.yml b/python/qlpack.yml
index 997de41315..4b93d38cb0 100644
--- a/python/qlpack.yml
+++ b/python/qlpack.yml
@@ -1,3 +1,4 @@
 name: github-queries-python
 version: 0.1.0
-libraryPathDependencies: codeql-python
\ No newline at end of file
+dependencies:
+ codeql/python-queries: "*"
\ No newline at end of file
diff --git a/python/suites/python-security-experimental.qls b/python/suites/python-security-experimental.qls
new file mode 100644
index 0000000000..5c9bf5ac7e
--- /dev/null
+++ b/python/suites/python-security-experimental.qls
@@ -0,0 +1,47 @@
+# Use with caution ⚠️ experimental queries are not assured for performance or false positives
+
+# Use in a CodeQL workflow, e.g. copy to `./.github/codeql/python-experimental-security.qls`
+# then alter the workflow to look like:
+#
+# # Initializes the CodeQL tools for scanning.
+# - name: Initialize CodeQL
+# uses: github/codeql-action/init@v2
+# with:
+# languages: ${{ matrix.language }}
+# queries: security-extended,./.github/codeql/python-experimental-security.qls # <-- add this bit here after the comma
+
+- description: "Python experimental security queries"
+- qlpack: codeql/python-queries
+
+- queries: '.'
+ from: codeql/python-queries
+
+- include:
+ kind:
+ - problem
+ - path-problem
+ - alert
+ - path-alert
+ tags contain:
+ - security
+ query path:
+ - /experimental\/.*/
+
+- include:
+ kind:
+ - diagnostic
+- include:
+ kind:
+ - metric
+ tags contain:
+ - summary
+
+- exclude:
+ deprecated: //
+- exclude:
+ query path:
+ - Metrics/Summaries/FrameworkCoverage.ql
+ - /Diagnostics/Internal/.*/
+- exclude:
+ tags contain:
+ - model-generator
diff --git a/ruby/qlpack.yml b/ruby/qlpack.yml
index 1fea92c353..d3e176fdd0 100644
--- a/ruby/qlpack.yml
+++ b/ruby/qlpack.yml
@@ -1,3 +1,4 @@
 name: github-queries-ruby
 version: 0.1.0
-libraryPathDependencies: codeql-ruby
\ No newline at end of file
+dependencies:
+ codeql/ruby-queries: "*"
\ No newline at end of file
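Review bot: The usage comment at the top tells users to copy the suite to `./.github/codeql/python-experimental-security.qls`, but the file itself is `python/suites/python-security-experimental.qls`, and the `queries:` example repeats the swapped name; anyone who copies the file under its real name ends up with a path the `codeql-action/init` step cannot resolve. Use one spelling in both places, e.g. `# Use in a CodeQL workflow, e.g. copy to ./.github/codeql/python-security-experimental.qls` and the matching `queries: security-extended,./.github/codeql/python-security-experimental.qls`. The `- qlpack: codeql/python-queries` instruction and the `- queries: '.' from: codeql/python-queries` instruction both select from the same pack, so one of them looks redundant; worth confirming against the suite-instruction semantics before keeping both.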