From e290c962e0ef83dd6340b47f7947728ddfdb0262 Mon Sep 17 00:00:00 2001
From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com>
Date: Thu, 5 Dec 2024 13:22:35 +0000
Subject: [PATCH 1/4] feat: Add initial QL for QL support

---
 .github/workflows/codeql-ql.yml | 91 +++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 .github/workflows/codeql-ql.yml

diff --git a/.github/workflows/codeql-ql.yml b/.github/workflows/codeql-ql.yml
new file mode 100644
index 0000000..49373bb
--- /dev/null
+++ b/.github/workflows/codeql-ql.yml
@@ -0,0 +1,91 @@ +name: CodeQL for QL + +on: + workflow_call: + workflow_dispatch: + +permissions: + contents: read + security-events: write + +jobs: + ql-for-ql: + runs-on: ubuntu-latest + + concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + + steps: + - name: "Checkout repository" + uses: actions/checkout@v4 + + - name: "Set up Rust" + uses: dtolnay/rust-toolchain@nightly + + - name: "Build QL-for-QL" + env: + GH_TOKEN: ${{ github.token }} + CODEQL_REPOSITORY_PATH: ${{ runner.temp }}/codeql + run: | + set -e + + CODEQL_REPOSITORY_PATH="${CODEQL_REPOSITORY_PATH:-$HOME/.codeql/codeql-ql}" + echo "CodeQL repository path: $CODEQL_REPOSITORY_PATH" + + if [ ! -d "$CODEQL_REPOSITORY_PATH" ]; then + echo "CodeQL repository not found. Cloning..." + mkdir -p "$HOME/.codeql" + + git clone \ + --depth 1 \ + https://github.com/github/codeql.git\ + "$CODEQL_REPOSITORY_PATH" + fi + + pushd "$CODEQL_REPOSITORY_PATH/ql" > /dev/null + + echo "Building QL Extractor..." 
+ ./scripts/create-extractor-pack.sh + + popd > /dev/null + + - name: "Run QL-for-QL" + id: run_ql + env: + GH_TOKEN: ${{ github.token }} + CODEQL_REPOSITORY_PATH: ${{ runner.temp }}/codeql + run: | + set -e + + SARIF_FILE="${SARIF_FILE:-ql-for-ql.sarif}" + CODEQL_REPOSITORY_PATH="${CODEQL_REPOSITORY_PATH:-$HOME/.codeql/codeql-ql}" + CODEQL_SUITE="${CODEQL_SUITE:-$CODEQL_REPOSITORY_PATH/ql/ql/src/codeql-suites/ql-code-scanning.qls}" + + if which codeql >/dev/null; then + CODEQL_BINARY="codeql" + elif gh codeql >/dev/null; then + CODEQL_BINARY="gh codeql" + else + gh extension install github/gh-codeql + CODEQL_BINARY="gh codeql" + fi + + $CODEQL_BINARY database create \ + --language ql --overwrite \ + --search-path "$CODEQL_REPOSITORY_PATH/ql/extractor-pack" \ + ../ql-for-ql-db + + $CODEQL_BINARY database analyze \ + --format=sarif-latest \ + --additional-packs "$CODEQL_REPOSITORY_PATH/ql" \ + --output=$SARIF_FILE \ + ../ql-for-ql-db \ + $CODEQL_SUITE + + echo "sarif=[$matrix]" >> "$GITHUB_OUTPUT" + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.run_ql.outputs.SARIF_FILE }} \ No newline at end of file From d20d00b817bf5018e24c43f5d141019dde211c98 Mon Sep 17 00:00:00 2001 From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com> Date: Thu, 5 Dec 2024 13:24:55 +0000 Subject: [PATCH 2/4] fix: Update output --- .github/workflows/codeql-ql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-ql.yml b/.github/workflows/codeql-ql.yml index 49373bb..924865e 100644 --- a/.github/workflows/codeql-ql.yml +++ b/.github/workflows/codeql-ql.yml @@ -88,4 +88,4 @@ jobs: - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: ${{ steps.run_ql.outputs.SARIF_FILE }} \ No newline at end of file + sarif_file: ${{ steps.run_ql.outputs.sarif }} \ No newline at end of file From 556b4388ead2241a58f8d4850a748ed17b18ca32 Mon Sep 17 00:00:00 2001 
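Review bot: The build step pulls unpinned third-party code into a job that holds `security-events: write`: `dtolnay/rust-toolchain@nightly` and `actions/checkout@v4` resolve a mutable tag, and `git clone --depth 1 https://github.com/github/codeql.git` builds and runs the extractor from whatever the upstream default branch contains at run time. Pinning is the usual supply-chain control here: reference the actions by full commit SHA (e.g. `uses: dtolnay/rust-toolchain@<commit-sha>  # nightly`) and clone a fixed release with `git clone --depth 1 --branch <codeql-release-tag> https://github.com/github/codeql.git "$CODEQL_REPOSITORY_PATH"`, so the SARIF uploaded to code scanning comes from reviewed, reproducible tooling. Separately, `--output=$SARIF_FILE` and the trailing `$CODEQL_SUITE` argument of the analyze command are the only unquoted paths in the script; `--output="$SARIF_FILE"` and `"$CODEQL_SUITE"` would match the rest of the step. The `mkdir -p "$HOME/.codeql"` line appears to be dead when the step's `CODEQL_REPOSITORY_PATH` env value is set, since the default `$HOME/.codeql/codeql-ql` is then never used.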
From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com> Date: Thu, 5 Dec 2024 13:27:09 +0000 Subject: [PATCH 3/4] fix: Update slash typo and sarif output --- .github/workflows/codeql-ql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-ql.yml b/.github/workflows/codeql-ql.yml index 924865e..03efe70 100644 --- a/.github/workflows/codeql-ql.yml +++ b/.github/workflows/codeql-ql.yml @@ -39,7 +39,7 @@ jobs: git clone \ --depth 1 \ - https://github.com/github/codeql.git\ + https://github.com/github/codeql.git \ "$CODEQL_REPOSITORY_PATH" fi @@ -83,7 +83,7 @@ jobs: ../ql-for-ql-db \ $CODEQL_SUITE - echo "sarif=[$matrix]" >> "$GITHUB_OUTPUT" + echo "sarif=$SARIF_FILE" >> "$GITHUB_OUTPUT" - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v3 From d1c7f2fdf9d85b3a1158eed54696c02bcfc5c50f Mon Sep 17 00:00:00 2001 From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com> Date: Thu, 5 Dec 2024 13:33:41 +0000 Subject: [PATCH 4/4] feat: Update CodeQL binary detection logic in workflow --- .github/workflows/codeql-ql.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-ql.yml b/.github/workflows/codeql-ql.yml index 03efe70..22697ce 100644 --- a/.github/workflows/codeql-ql.yml +++ b/.github/workflows/codeql-ql.yml @@ -62,7 +62,12 @@ jobs: CODEQL_REPOSITORY_PATH="${CODEQL_REPOSITORY_PATH:-$HOME/.codeql/codeql-ql}" CODEQL_SUITE="${CODEQL_SUITE:-$CODEQL_REPOSITORY_PATH/ql/ql/src/codeql-suites/ql-code-scanning.qls}" - if which codeql >/dev/null; then + # Glob for Actions toolcache + CODEQL_GLOB='$RUNNER_TOOL_CACHE/CodeQL/*/x64/codeql/codeql' + + if [ -f "$CODEQL_GLOB" ]; then + CODEQL_BINARY=$(echo $CODEQL_GLOB) + elif which codeql >/dev/null; then CODEQL_BINARY="codeql" elif gh codeql >/dev/null; then CODEQL_BINARY="gh codeql" 
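Review bot: The new toolcache branch can never match: `CODEQL_GLOB='$RUNNER_TOOL_CACHE/CodeQL/*/x64/codeql/codeql'` is single-quoted, so neither `$RUNNER_TOOL_CACHE` nor the `*` is expanded and `[ -f "$CODEQL_GLOB" ]` tests a literal path, falling through to the `which codeql` branch every time. The follow-up `CODEQL_BINARY=$(echo $CODEQL_GLOB)` would also produce several words if the cache held more than one CodeQL version. Expanding the pattern into a bash array at runtime fixes both; the `[-1]` pick below takes the lexically last match, which only approximates "newest" for version strings, so confirm it against how the runner image lays out the cache. The surrounding `run: |` script starts and ends outside this hunk.
```yaml
        run: |
          # … unchanged: set -e, SARIF_FILE / CODEQL_REPOSITORY_PATH / CODEQL_SUITE defaults …
          # Expand the toolcache glob at runtime: single quotes leave $RUNNER_TOOL_CACHE and * literal
          shopt -s nullglob
          CODEQL_CANDIDATES=("$RUNNER_TOOL_CACHE"/CodeQL/*/x64/codeql/codeql)
          shopt -u nullglob

          if [ "${#CODEQL_CANDIDATES[@]}" -gt 0 ]; then
            CODEQL_BINARY="${CODEQL_CANDIDATES[-1]}"
          elif which codeql >/dev/null; then
            CODEQL_BINARY="codeql"
          # … unchanged: gh codeql branches and fi …
```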
@@ -70,6 +75,7 @@ jobs: gh extension install github/gh-codeql CODEQL_BINARY="gh codeql" fi + echo "[+] Using codeql binary: $CODEQL_BINARY" $CODEQL_BINARY database create \ --language ql --overwrite \