How to parse JSON file in code using CodeQL?

[donky16]

I have a Java project and its permission settings use JSON file to config. Now I can not use CodeQL to parse JSON file and find BAC issues.

[redsun82]

👋 @donky16 there's no official supported way of extracting JSON data into CodeQL. That said, there is a roundabout way of doing it, with many caveats.

The idea is that JSON is a subset of YAML, which we can extract, but which only certain language library packs can then analyse.

In order to force the YAML extractor to extract JSON, you can run:

codeql database init --language=yaml --source-root=. json-db
codeql database index-files --language=yaml --include-extension=.json json-db
codeql database finalize json-db

You can double check that the expected json files were extracted by looking in json-db/src.zip. You can tweak what is extracted by passing --include=<pattern> or --include=!<negated pattern> to the database index-files command.

Beware, that this data cannot be put in the same database that is used for java analysis, and must be a separate database. Then, you can use any CodeQL language library pack that understands YAML to write queries on these files. Currently the library packs that include YAML support are codeql/python-all, codeql/javascript-all and codeql/actions-all. You can then work with the JSON trees importing respectively semmle.python.Yaml, semmle.javascript.YAML or codeql.actions.ast.internal.Yaml.

[donky16]

Thanks @redsun82