Integrate QLT

.github/actions/install-codeql/action.yml

@@ -0,0 +1,109 @@
+name: Fetch CodeQL CLI and queries
+description: |
+  Fetches a CodeQL CLI and a copy of the CodeQL standard libraries at the specified versions.
+inputs:
+  codeql-cli-version:
+    description: |
+      The version of the CodeQL CLI to be downloaded.
+    required: false
+    default: 'latest'
+
+  codeql-stdlib-version:
+    description: |
+      The tag or commit to use from the CodeQL Standard Library
+    required: false
+    default: 'latest'
+
+  add-to-path:
+    description: |
+      Add the CodeQL CLI to the system path
+    required: false
+    default: 'true'
+
+  codeql-home:
+    description: |
+      The directory to store the CodeQL CLI and Standard Library.
+      A fixed location can be used for caching the tooling.
+    required: false
+outputs:
+  codeql-home:
+    description: 'The directory containing the CodeQL CLI and CodeQL Standard Library'
+    value: ${{ steps.install-codeql.outputs.codeql-home }}
+
+runs:
+  using: composite
+  steps:
+    - name: Install CodeQL
+      id: install-codeql
+      env:
+        RUNNER_OS: ${{ runner.os }}
+        RUNNER_TEMP: ${{ runner.temp }}
+        CODEQL_CLI_VERSION: ${{ inputs.codeql-cli-version }}
+        CODEQL_STDLIB_VERSION: ${{ inputs.codeql-stdlib-version }}
+        GITHUB_TOKEN: ${{ github.token }}
+        ADD_TO_PATH: ${{ inputs.add-to-path }}
+        CODEQL_HOME: ${{ inputs.codeql-home }}
+      shell: bash
+      run: |
+        echo "::debug::Determining CodeQL release for $RUNNER_OS"
+        case $RUNNER_OS in
+          "Linux")
+            RELEASE_PATTERN="codeql-linux64.zip"
+            ;;
+          "macOS")
+            RELEASE_PATTERN="codeql-osx64.zip"
+            ;;
+          "Windows")
+            RELEASE_PATTERN="codeql-win64.zip"
+            ;;
+          *)
+            echo "::error::Unsupported runner operating system $RUNNER_OS"
+            exit 1
+            ;;
+        esac
+        echo "::debug::Selected $RELEASE_PATTERN"
+
+        if [ "$CODEQL_HOME" == "" ]
+        then
+          echo "::debug::Creating temporary CodeQL home"
+          CODEQL_HOME=$(mktemp -d -p $RUNNER_TEMP codeql-home-XXXXXXXXXX)
+        else
+          echo "::debug::Creating CodeQL home at $CODEQL_HOME"
+          mkdir -p $CODEQL_HOME
+        fi
+
+        echo "::debug::Changing directory to $CODEQL_HOME"
+        pushd $CODEQL_HOME
+
+        echo "::debug::Downloading CodeQL CLI version $CODEQL_CLI_VERSION"
+        if [ "$CODEQL_CLI_VERSION" == "latest" ]
+        then
+          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern $RELEASE_PATTERN
+        else
+          gh release download "v${CODEQL_CLI_VERSION}" --repo https://github.com/github/codeql-cli-binaries --pattern $RELEASE_PATTERN
+        fi
+        echo "::debug::Unpacking CodeQL CLI"
+        unzip -q $RELEASE_PATTERN
+
+        echo "::debug::Cloning CodeQL standard library"
+        git clone https://github.com/github/codeql.git codeql-stdlib
+
+        if [ "$CODEQL_STDLIB_VERSION" != "latest" ]
+        then
+          pushd codeql-stdlib
+          echo "::debug::Switching to revision $CODEQL_STDLIB_VERSION"
+          git checkout $CODEQL_STDLIB_VERSION
+          popd
+        fi
+
+        if [ "$ADD_TO_PATH" == "true" ]
+        then
+          echo "::debug::Adding CodeQL CLI path '$(pwd)/codeql' to system path"
+          echo "$(pwd)/codeql" >> $GITHUB_PATH
+        fi
+
+        echo "::debug::Setting output parameter codeql-home to $(pwd)"
+        echo "codeql-home=$(pwd)" >> $GITHUB_OUTPUT
+
+        popd
+        echo "::debug::Done."

.github/actions/install-qlt/action.yml

@@ -0,0 +1,86 @@
+name: Fetch and Install QLT
+description: |
+  Fetches and installs QLT. 
+inputs:
+  qlt-version:
+    description: |
+      The version of QLT to be downloaded.
+    required: false
+    default: 'latest'
+
+  add-to-path:
+    description: |
+      Add QLT to the system path
+    required: false
+    default: 'true'
+
+  token:
+    description: |
+      Token to use for auth
+    required: true
+
+outputs:
+  qlt-home:
+    description: 'The directory containing the QLT installation'
+    value: ${{ steps.install-qlt.outputs.qlt-home }}
+
+runs:
+  using: composite
+  steps:
+    - name: Install QLT
+      id: install-qlt
+      env:
+        RUNNER_OS: ${{ runner.os }}
+        RUNNER_TEMP: ${{ runner.temp }}
+        GITHUB_TOKEN: ${{ inputs.token }}
+        ADD_TO_PATH: ${{ inputs.add-to-path }}
+        QLT_VERSION: ${{ inputs.qlt-version }}
+        QLT_HOME: ${{ inputs.qlt-home }}
+      shell: bash
+      run: |
+        echo -e "\e[0;32m[QLT]\e[0m Determining QLT release for $RUNNER_OS"
+        case $RUNNER_OS in
+          "Linux")
+            RELEASE_PATTERN="qlt-linux-x86_64.zip"
+            ;;
+          *)
+            echo "::error::Unsupported runner operating system $RUNNER_OS"
+            exit 1
+            ;;
+        esac
+        echo -e "\e[0;32m[QLT]\e[0m Selected $RELEASE_PATTERN"
+
+        if [ "$QLT_HOME" == "" ]
+        then
+          echo -e "\e[0;32m[QLT]\e[0m Creating temporary QLT home"
+          QLT_HOME=$(mktemp -d -p $RUNNER_TEMP qlt-home-XXXXXXXXXX)
+        else
+          echo -e "\e[0;32m[QLT]\e[0m Creating CodeQL home at $QLT_HOME"
+          mkdir -p $QLT_HOME
+        fi
+
+        echo -e "\e[0;32m[QLT]\e[0m Changing directory to $QLT_HOME"
+        pushd $QLT_HOME
+
+        echo -e "\e[0;32m[QLT]\e[0m Downloading QLT version $QLT_VERSION"
+        if [ "$QLT_VERSION" == "latest" ]
+        then
+          # download the actual bundle 
+          gh release download -R advanced-security/codeql-development-toolkit --pattern "$RELEASE_PATTERN"
+        else
+          gh release download "$QLT_VERSION" -R advanced-security/codeql-development-toolkit --pattern "$RELEASE_PATTERN"
+        fi
+        echo -e "\e[0;32m[QLT]\e[0m Unpacking QLT"
+        unzip $RELEASE_PATTERN
+
+        if [ "$ADD_TO_PATH" == "true" ]
+        then
+          echo -e "\e[0;32m[QLT]\e[0m Adding QLT '$(pwd)/qlt' to system path"
+          echo "$(pwd)" >> $GITHUB_PATH
+        fi
+
+        echo -e "\e[0;32m[QLT]\e[0m Setting output parameter qlt-home to $(pwd)"
+        echo "qlt-home=$(pwd)" >> $GITHUB_OUTPUT
+
+        popd
+        echo -e "\e[0;32m[QLT]\e[0m Done."

.github/codeql/codeql-config.yaml

@@ -4,7 +4,7 @@ queries:
   # for log-injection
   - uses: security-and-quality
   # for ui5 queries
-  - uses: ./src
+  - uses: ./javascript/
 
 paths:
   - "**/*.xml"

.github/workflows/run-codeql-unit-tests-javascript.yml

@@ -0,0 +1,132 @@
+name: ⚙️ CodeQL - Run Unit Tests (javascript)
+
+
+on:
+  push:
+    branches:
+      - '**'
+  pull_request:
+    branches:
+      - '**'
+  workflow_dispatch:
+
+jobs:
+  create-unit-test-matrix:
+    name: Create CodeQL Unit Test Matrix
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install QLT
+        id: install-qlt
+        uses: ./.github/actions/install-qlt
+        with:
+          qlt-version: 'latest'
+          add-to-path: true
+          token: ${{ secrets.ACCESS_TOKEN }}
+
+      - name: Export unit test matrix
+        id: export-unit-test-matrix
+        run: |
+          qlt test run get-matrix --os-version ubuntu-latest
+
+  run-test-suites:
+    name: Run Unit Tests
+    needs: create-unit-test-matrix
+
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.create-unit-test-matrix.outputs.matrix) }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install QLT
+        id: install-qlt
+        uses: ./.github/actions/install-qlt
+        with:
+          qlt-version: 'latest'
+          add-to-path: true
+          token: ${{ secrets.ACCESS_TOKEN }}
+
+      - name: Install CodeQL
+        id: install-codeql
+        uses: ./.github/actions/install-codeql
+        with:
+          codeql-cli-version: ${{ matrix.codeql_cli }}
+          codeql-stdlib-version: ${{ matrix.codeql_standard_library }}
+          add-to-path: true
+
+      - name: Verify Versions of Tooling
+        shell: bash
+        run: |
+          echo "CodeQL Home: ${{ steps.install-codeql.outputs.codeql-home }}"
+          echo -e "Checking CodeQL Version:"
+          codeql --version 
+
+          echo -e "Checking QLT Version:"
+          echo "QLT Home: ${{ steps.install-qlt.outputs.qlt-home }}"
+          qlt version
+
+      - name: Install QL Packs
+        shell: bash
+        run: |
+          qlt query run install-packs
+
+      - name: Run test suites
+        id: run-test-suites
+        env:
+          RUNNER_OS: ${{ runner.os }}
+          CODEQL_CLI: ${{ matrix.codeql_cli }}
+          CODEQL_STDLIB: ${{ matrix.codeql_standard_library }}
+          CODEQL_STDLIB_IDENT: ${{matrix.codeql_standard_library_ident}}
+          RUNNER_TMP: ${{ runner.temp }}
+          LGTM_INDEX_XML_MODE: all
+
+        shell: bash
+        run: >
+          qlt test run execute-unit-tests  
+          --codeql-args "--threads=0 --strict-test-discovery"
+          --num-threads 2 
+          --language javascript 
+          --runner-os $RUNNER_OS 
+          --work-dir $RUNNER_TMP
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v2
+        with:
+          name: test-results-${{ runner.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library_ident }}
+          path: |
+            ${{ runner.temp }}/test_report_${{ runner.os }}_${{ matrix.codeql_cli }}_${{ matrix.codeql_standard_library_ident }}_slice_*.json
+          if-no-files-found: error
+
+  validate-test-results:
+    name: Validate test results
+    needs: [run-test-suites]
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install QLT
+        id: install-qlt
+        uses: ./.github/actions/install-qlt
+        with:
+          qlt-version: 'latest'
+          add-to-path: true
+          token: ${{ secrets.ACCESS_TOKEN }}
+
+
+      - name: Collect test results
+        uses: actions/download-artifact@v2
+
+      - name: Validate test results
+        run: |          
+          qlt test run validate-unit-tests --pretty-print --results-directory . >> $GITHUB_STEP_SUMMARY
+          qlt test run validate-unit-tests --results-directory . 

.gitignore

@@ -1,3 +1,6 @@
+# CodeQL Result Files
+*.actual 
+
 # Logs
 logs
 *.log

codeql-workspace.yml

@@ -1,2 +1,3 @@
 provide:
-  - "**/qlpack.yml"
+  - '**/qlpack.yml'
+  - '**/codeql-workspace.yml'

src/queries/UI5Xss.ql → javascript/javascript-sap-ui5-queries/src/UI5Xss/UI5Xss.ql

@@ -13,7 +13,7 @@
  */
 
 import javascript
-import models.UI5DataFlow
+import models.UI5DataFlow 
 import models.UI5DataFlow::UI5PathGraph
 import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
 

javascript/javascript-sap-ui5-queries/src/codeql-pack.lock.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

src/models/UI5.qll → javascript/javascript-sap-ui5-queries/src/models/UI5.qll

@@ -1,4 +1,4 @@
-private import javascript
+private import javascript 
 private import DataFlow
 private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 private import UI5View

src/qlpack.yml → javascript/javascript-sap-ui5-queries/src/qlpack.yml

@@ -1,8 +1,6 @@
 ---
-library: false
 name: advanced-security/javascript-sap-ui5-queries
 version: 0.1.2
-suites: codeql-suites
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^0.6.3"