Adding queries related to the Solorigate campaign

[raulgarciamsft]

No description provided.

[intrigus-lgtm]

@raulgarciamsft I think you have to auto-format the ql code (Or is it formatted? Then ignore this)
You can do that by running codeql query format --in-place on the changed files or by using the CodeQL extension for VS Code (I think it's called Format Document in VS Code).

[raulgarciamsft]

@raulgarciamsft I think you have to auto-format the ql code (Or is it formatted? Then ignore this)
You can do that by running codeql query format --in-place on the changed files or by using the CodeQL extension for VS Code (I think it's called Format Document in VS Code).

I completely forgot about that during our internal review. I will fix the formatting right now.

[raulgarciamsft]

Question to the GitHub team. We are seeing a number of failures in the CodeQL task on files we did not modify. Is there anything we can/should do in this case? Thanks

[hvitved]

Question to the GitHub team. We are seeing a number of failures in the CodeQL task on files we did not modify. Is there anything we can/should do in this case? Thanks

No, those errors are not caused by your changes, but instead a combination of this PR initially targeting master instead of main, and CodeScanning not being configured properly (fixed by #5086).

[sj]

Thank you very much for this, @raulgarciamsft! I've done a very cursory review with some initial comments. I''ll leave the in-depth review to the experts 😄

[hvitved]

Thanks a lot for your contributions, Raul. This is a very interesting an novel use of CodeQL, at least not something I have seen before or thought about myself :-)

[hvitved]

I forgot to mention it on the first review, but would it be possible to add some tests for the new queries?

[shati-patel]

Thank you for this! I've had a look on behalf of the documentation team, to keep some of the style and terminology similar to our existing queries.

Since the "Solorigate-Readme" contains lots of helpful information, I've only suggested small additions to the .qhelp files. (As a future task, we could perhaps move more details into the .ql and .qhelp files themselves?)

[joshbw]

I forgot to mention it on the first review, but would it be possible to add some tests for the new queries?

Yeah - we will do that early next week. We have been testing detection against the actual Orion implant so had overlooked our normal test dev. Sorry about that

[raulgarciamsft]

I forgot to mention it on the first review, but would it be possible to add some tests for the new queries?

Done. I added some unit tests. I tried to keep the tests simple, but let me know if you want me to make any changes. Thanks

[sj]

It turns out that I wrote a bunch of review comments last week that were never actually submitted in a review. Very sorry about that. Here they are. Let me know if you think it's feasible to make some of these changes in the next day or two; if not we'll note them for making later.

[raulgarciamsft]

I think we have addressed all comments (BTW. Thanks a lot for all your feedback). Please let me know if we missed anything and I will fix it ASAP.

[raulgarciamsft]

I fixed the comments we were missing from @hvitved (for some reason I couldn't find them in the GitHub view, but we found them via email). Please reply to this message if there are any other comments we are missing and I will try to find the corresponding emails. Thanks a lot.

[raulgarciamsft]

There is a QHelp preview check that is failing. Not sure if it is caused by the Solorigate.qhelp file (that is shared for all the queries in this folder & only intended as an include for the individual .qhelp files) or something else. Please let us know what is the error & what can we do to fix it. Thanks

[shati-patel]

There is a QHelp preview check that is failing. Not sure if it is caused by the Solorigate.qhelp file (that is shared for all the queries in this folder & only intended as an include for the individual .qhelp files) or something else. Please let us know what is the error & what can we do to fix it. Thanks

I asked about this internally, and it looks like this is a limitation of the QHelp preview check itself. A possible fix would be to change the name of the included file to Solorigate.qhelp.inc (and change the includes to <include src="Solorigate.qhelp.inc" />).

If that doesn't work, you might have to duplicate the shared snippet as a way to unblock the check, and we can tidy it up later on!

[hvitved]

I believe all my comments have now been addressed. Thanks for your patience @raulgarciamsft .

[tamasvajk]

@raulgarciamsft Can you tell me why the PR targets the lgtm.com branch? Could you please change it to main?

The base branch was changed.

[raulgarciamsft]

@raulgarciamsft Can you tell me why the PR targets the lgtm.com branch? Could you please change it to main?

Fixing the PR target... I changed the branch by mistake.

[tamasvajk]

All changes appear to be addressed.

All changes appear to be addressed.