Conversation

@rvermeulen
The diagnostic queries can be used to debug possible missing sources and sinks.

The suite sap-ui5-diagnostics.qls can be used to execute them and collect their results in a SARIF file.

Because the query set now contains non-security queries, the default behavior is changed using suites that follow the standard library convention.

The default suite sap-ui5-codescanning.qls only executes security queries with precision high and very-high. This will exclude the log injection query.

The suite sap-ui5-security-extended.qls will execute all security queries with precision medium to very high.

These list:

- Remote flow source.
- UI5 specific sinks for XSS.
- UI5 specific sinks for log injection.

These help with determining if we are missing any for a given codebase.
Because the pack now contains diagnostic queries we want to by default
only execute the security queries.

The suites follow the standard library convention where the default
suite is suited for running in code scanning. This means only security
queries with precision high or very high. Currently this excludes the
log injection query because its precision is medium.

The security extended suite includes the log injection query.
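The suite convention described above (default suite restricted to high/very-high precision security queries, an extended suite that also admits medium precision, and a separate diagnostics suite) can be expressed as three CodeQL query suite files. The following is an added illustration, not the project's own suite files: the file names come from the PR, but the `description` strings and the `diagnostics` tag used to select the diagnostic queries are assumptions, and the three files are shown in one block separated by comment headers.

```yaml
# --- file: sap-ui5-codescanning.qls (added example, not the project's file)
# Default suite, following the standard-library convention for code scanning:
# only alert-producing security queries with precision high or very-high.
# A query tagged "security" but marked "@precision medium" (the log injection
# query in this pack) is filtered out here.
- description: SAP UI5 security queries for code scanning   # description assumed
- queries: .                                                # all queries in this pack
- include:
    kind:
      - problem
      - path-problem
    tags contain: security
    precision:
      - high
      - very-high
- exclude:
    deprecated: //                                          # drop anything marked @deprecated

# --- file: sap-ui5-security-extended.qls (added example, not the project's file)
# Extended suite: same selection, but medium precision is admitted, so the
# log injection query is included.
- description: SAP UI5 security queries, extended           # description assumed
- queries: .
- include:
    kind:
      - problem
      - path-problem
    tags contain: security
    precision:
      - medium
      - high
      - very-high
- exclude:
    deprecated: //

# --- file: sap-ui5-diagnostics.qls (added example, not the project's file)
# Diagnostics suite: selects only the source/sink listing queries, which are
# not security alerts and must never be picked up by the default suite.
# The "diagnostics" tag is an assumption; use whatever @tags value the
# diagnostic queries actually carry.
- description: SAP UI5 diagnostic queries (sources and sinks)  # description assumed
- queries: .
- include:
    tags contain: diagnostics                               # tag name assumed
- exclude:
    deprecated: //
```

Two checks are worth running before relying on such suites. `codeql resolve queries sap-ui5-codescanning.qls` prints the concrete list of `.ql` files a suite selects, which is the quickest way to confirm that the default suite excludes the log injection query and every diagnostic query, and that the extended suite picks the log injection query up. To collect the diagnostic results as described in the PR, run `codeql database analyze <database> sap-ui5-diagnostics.qls --format=sarif-latest --output=diagnostics.sarif` and inspect the SARIF for the sources and sinks the queries found in the codebase.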
@rvermeulen rvermeulen force-pushed the rvermeulen/diagnostics branch from 893fbe7 to 53855a0 on October 6, 2023 23:25
@jeongsoolee09 jeongsoolee09 left a comment

LGTM

@jeongsoolee09 jeongsoolee09 merged commit 9d0492f into main Oct 6, 2023
@jeongsoolee09 jeongsoolee09 deleted the rvermeulen/diagnostics branch January 26, 2024 23:09