
Create a CodeQL query pack #1

Closed
10 tasks done
carlspring opened this issue Jun 8, 2023 · 3 comments
carlspring (Owner) commented Jun 8, 2023

Task Description

We need to set up a CodeQL query pack so that it can be used in Github Workflows.

Open Questions

Notes

  • The CodeQL CLI does not provide an option to remove or overwrite versions of published query packs. They will appear under the user's Packages section of their profile. They can be removed manually from there.
  • There is no concept of snapshot versions.

Task List

The following tasks will need to be carried out:

  • Investigate what needs to be done.
  • Add some CodeQL queries.
  • Initialize a CodeQL rule pack.
  • Set up a PAT token.
  • Publish the CodeQL rule pack.
  • Figure out what needs to be done to package qhelp files.
  • Make the published package publicly available.
  • Test the fix.
  • Update the documentation.

Useful Commands

  • To initialize a query pack, the following must be executed in the root of the Git repository:

        codeql pack init [github-org|github-user]/query-pack-name

  • To generate the Markdown for the qhelp files:

        codeql generate query-help *.qhelp --format=markdown -o .

  • To create a query pack:

        codeql pack create

  • To install the required dependencies run the following inside the query pack directory:

        codeql pack install

  • To publish the query pack:
    • Generate a token that has the following permissions:
      [image]
      [image]
    • Execute and pass in the token:

        codeql pack publish --github-auth-stdin --allow-prerelease
        Enter value for --github-auth-stdin (Authenticate to the github.com Container registry by passing a github.com GitHub Apps token or personal access token via standard input.): 
        Running on packs: carlspring/vertx-codeql-queries.
        Bundling and then publishing qlpack located at '/java/work/sap/ghas/vertx-codeql/vertx-codeql-queries/vertx-codeql-queries'.
        WARNING: 'this' is not bound in the body of this characteristic predicate (/java/work/sap/ghas/vertx-codeql/vertx-codeql-queries/vertx-codeql-queries/.codeql/pack/carlspring/vertx-codeql-queries/1.0.0/insecure-http-server.ql:21,3-18)
        WARNING: Unused variable expr (/java/work/sap/ghas/vertx-codeql/vertx-codeql-queries/vertx-codeql-queries/.codeql/pack/carlspring/vertx-codeql-queries/1.0.0/insecure-http-server.ql:28,51-55)
        WARNING: Unused variable format (/java/work/sap/ghas/vertx-codeql/vertx-codeql-queries/vertx-codeql-queries/.codeql/pack/carlspring/vertx-codeql-queries/1.0.0/insecure-http-server.ql:28,76-82)
        Bundled qlpack created at '/tmp/codeql-docker1039785471392063553/.Docker Package Manager/vertx-codeql-queries.1.0.0.tgz'.
        Packaging> Package 'carlspring/vertx-codeql-queries@1.0.0' will be published to registry 'https://ghcr.io/v2/' as 'carlspring/vertx-codeql-queries'.
        Packaging> Package 'carlspring/vertx-codeql-queries@1.0.0' will be published locally to /home/carlspring/.codeql/packages/carlspring/vertx-codeql-queries/1.0.0
        Publish successful.

  • To create a database for a git repository containing code that should be analyzed (for example after a clone of carlspring/vertx-vulns and inside the root of the cloned repository):

        codeql database create vertx-vulns --language=java

  • To analyze a CodeQL database using a query pack:

        codeql database analyze vertx-vulns carlspring/vertx-codeql-queries

Incurred Costs

Task Relationships

This task:

Resources

Useful Links

Points of Contact
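As an added example (not code from this issue or from the carlspring/vertx-codeql-queries project), the publish and analyze steps from the Useful Commands list above wrapped in a small POSIX shell script. It makes two points the command list leaves implicit: the token is read from an environment variable and piped to `--github-auth-stdin`, so it never lands in argv, `ps` output or shell history, and `--allow-prerelease` is only added when the version in qlpack.yml actually carries a prerelease suffix, so a plain release cannot be published by accident with the flag. Assumptions: qlpack.yml is flat YAML with top-level `name:` and `version:` keys, the PAT lives in `CODEQL_TOKEN`, and `CODEQL` can be pointed at a stub for dry runs; `--source-root`, `--format=sarif-latest` and `--output` are standard CodeQL CLI options not shown on this page.

```shell
#!/bin/sh
# Added example, not code from the issue or the vertx-codeql-queries project.
# Assumptions: a flat qlpack.yml with top-level "name:" and "version:" keys
# sits in the pack directory; the PAT is supplied in CODEQL_TOKEN; "codeql"
# is on PATH (CODEQL may be set to a stub function for dry runs).
set -eu

CODEQL="${CODEQL:-codeql}"

# Extract a top-level scalar (key: value, optionally double-quoted) from qlpack.yml.
pack_field() {
  key="$1"; yml="$2"
  sed -n "s/^$key:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$yml" | head -n 1
}

# A semver with a "-suffix" (e.g. 1.0.0-alpha) is a prerelease and needs
# --allow-prerelease; a plain release version is published without it.
is_prerelease() {
  case "$1" in
    *-*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Install dependencies and publish the pack in $1, feeding the token over
# stdin (--github-auth-stdin) so it never appears in argv, `ps` or history.
publish_pack() {
  dir="${1:-.}"
  yml="$dir/qlpack.yml"
  [ -f "$yml" ] || { echo "no qlpack.yml in $dir" >&2; return 2; }
  name="$(pack_field name "$yml")"
  version="$(pack_field version "$yml")"
  if [ -z "$name" ] || [ -z "$version" ]; then
    echo "qlpack.yml must declare name and version" >&2; return 2
  fi
  if [ -z "${CODEQL_TOKEN:-}" ]; then
    echo "CODEQL_TOKEN is not set (the token is never taken as an argument)" >&2; return 2
  fi
  extra=""
  if is_prerelease "$version"; then extra="--allow-prerelease"; fi
  # "pack publish" bundles the pack itself, as the "Bundling and then publishing" output shows.
  ( cd "$dir" \
      && "$CODEQL" pack install \
      && printf '%s\n' "$CODEQL_TOKEN" | "$CODEQL" pack publish --github-auth-stdin $extra )
  echo "published $name@$version"
}

# Build a database for the checked-out repository in $1 and run the published
# pack $2 against it, writing SARIF that a CodeQL workflow can upload.
analyze_with_pack() {
  repo="$1"; pack="$2"; lang="${3:-java}"
  db="$repo/codeql-db"
  "$CODEQL" database create "$db" --language="$lang" --source-root="$repo"
  "$CODEQL" database analyze "$db" "$pack" --format=sarif-latest --output="$repo/results.sarif"
  echo "$repo/results.sarif"
}
```

Source the file and call `CODEQL_TOKEN=... publish_pack .` from the pack directory, then `analyze_with_pack /path/to/checkout carlspring/vertx-codeql-queries` on a cloned repository; the token should come from a secret store or workflow secret, not from a typed command line.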

@carlspring carlspring self-assigned this Jun 8, 2023
carlspring added a commit that referenced this issue Jun 8, 2023
#3: Implement a CodeQL rule for insecure CORS HTTP origin
#4: Implement a CodeQL rule for CORS misconfigurations that allow wildcard origins
#5: Implement a CodeQL rule for insecure HTTP server connections

* Added query pack.
* Added CodeQL queries for CORS misconfigurations and insecure HTTP connections.
@intrigus-lgtm

Generate a token that has the following permissions:

Just curious, can you not use one of the PAT v2 tokens that should offer more fine granular permissions?

@carlspring (Owner, Author)

@intrigus-lgtm ,

There's no need for that anymore, as the package is and will be public, but that is now just for the record.

carlspring added a commit that referenced this issue Jul 4, 2023
#3: Implement a CodeQL rule for insecure CORS HTTP origin
#4: Implement a CodeQL rule for CORS misconfigurations that allow wildcard origins
#5: Implement a CodeQL rule for insecure HTTP server connections

* Added query pack.
* Added CodeQL queries for CORS misconfigurations and insecure HTTP connections.
carlspring/vertx-vulns#15 : Make the CodeQL Github workflow use the carlspring/vertx-codeql-queries.
* Use the `carlspring/vertx-codeql-queries` query pack during the CodeQL Github workflow.
@carlspring (Owner, Author)

Implemented.
