From 90a4c1d71ee4d123b17d0f661210d815a92c1cd1 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Fri, 21 Feb 2025 22:37:18 +0000
Subject: [PATCH 01/15] create codeql file
---
.github/workflows/codeql-analysis.yml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 .github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000..04cfe4a1
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,27 @@
+name: "CodeQL"
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+ schedule:
+ - cron: '0 0 * * 0'
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'javascript', 'typescript', 'ruby' ]
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: ${{ matrix.language }}
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
\ No newline at end of file
From 4e5b595682fcffd51c579d5d09a3bc5f52311378 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Fri, 21 Feb 2025 22:48:29 +0000
Subject: [PATCH 02/15] update to codeql v2
---
.github/workflows/codeql-analysis.yml | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 04cfe4a1..708d2919 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
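Review bot: The new workflow declares no `permissions:` block, so the result upload performed by the analyze step relies on whatever the repository's default GITHUB_TOKEN grant happens to be — read-only defaults make the upload fail with a 403, and write-all defaults hand the job far more than it needs. Add, at workflow or job level, `permissions:` / `contents: read` / `security-events: write` (private repositories also need `actions: read`, as far as I know). No later patch in this series adds it, so the same gap is present in the final state after patch 15. Separately, the action treats `typescript` as an alias of `javascript` to my knowledge, so the `'typescript'` matrix entry re-runs the same JS/TS extraction in a second job and can be dropped. Consider pinning `actions/checkout` and the `github/codeql-action/*` steps to a full commit SHA rather than a floating major tag.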
@@ -18,10 +18,14 @@ jobs: - name: Checkout repository uses: actions/checkout@v2 - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 \ No newline at end of file + uses: github/codeql-action/analyze@v2 + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ github.workspace }}/codeql-results.sarif \ No newline at end of file
From eb898c689ab29672412de9f600c7c61f5c2b8115 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Fri, 21 Feb 2025 22:58:32 +0000
Subject: [PATCH 03/15] serif error fix
---
.github/codeql/codeql-config.yml | 5 +++++
.github/workflows/codeql-analysis.yml | 1 +
2 files changed, 6 insertions(+)
create mode 100644 .github/codeql/codeql-config.yml
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 00000000..06f4d7b6
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,5 @@
+name: "CodeQL configuration"
+queries:
+ - uses: github/codeql/javascript-queries
+ - uses: github/codeql/typescript-queries
+ - uses: github/codeql/ruby-queries
\ No newline at end of file
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 708d2919..9e710d0b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,6 +21,7 @@ jobs: uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} + config-file: .github/codeql/codeql-config.yml - name: Autobuild uses: github/codeql-action/autobuild@v2 - name: Perform CodeQL Analysis
From f6f1fad42b8380e9c9e44320f7fa2af1c73a0662 Mon Sep 17 00:00:00 2001
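Review bot: The added `Upload SARIF file` step points `sarif_file` at `${{ github.workspace }}/codeql-results.sarif`, but nothing in the job writes a file of that name — `analyze` writes its SARIF into its own `output` directory (default `../results`, one file per language to my knowledge) and uploads it itself unless `upload` is turned off — so the step fails on a missing file, which is presumably the error the next patch's subject refers to. The step can simply be dropped; if a separate upload is genuinely wanted, set `output:` and `upload: false` on the analyze step and point `sarif_file` at that directory. The `steps` list this hunk edits begins above the hunk.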
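Review bot: The `queries:` entries in the new config file, `github/codeql/javascript-queries` and its siblings, do not look like valid query references: as far as I know a `uses:` under `queries` names a query file, directory or `.qls` suite (local or `owner/repo/path@ref`) or a built-in suite such as `security-extended`, while `codeql/javascript-queries` is the name of a query pack and would belong under `packs:`; I am also not aware of a separate `typescript-queries` pack, since TypeScript is covered by the JavaScript pack. If the aim is only to run the default queries, `init` already does that with no config file, which is where patch 06 ends up. The same concern applies to the rewritten entries in patches 04 and 05 (`@v3` suffix, then bare `github/codeql/javascript`).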
From: Kathy Eng
Date: Fri, 21 Feb 2025 23:05:46 +0000
Subject: [PATCH 04/15] v3
---
.github/codeql/codeql-config.yml | 6 +++---
.github/workflows/codeql-analysis.yml | 10 +++++-----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index 06f4d7b6..0b5038cf 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,5 +1,5 @@
name: "CodeQL configuration"
queries:
- - uses: github/codeql/javascript-queries
- - uses: github/codeql/typescript-queries
- - uses: github/codeql/ruby-queries
\ No newline at end of file
+ - uses: github/codeql/javascript-queries@v3
+ - uses: github/codeql/typescript-queries@v3
+ - uses: github/codeql/ruby-queries@v3
\ No newline at end of file
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9e710d0b..80bbbec0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -16,17 +16,17 @@ jobs: language: [ 'javascript', 'typescript', 'ruby' ] steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} config-file: .github/codeql/codeql-config.yml - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ github.workspace }}/codeql-results.sarif \ No newline at end of file
From 087ae3e90a5d13456449f49481b2172e79d54e95 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Fri, 21 Feb 2025 23:18:27 +0000
Subject: [PATCH 05/15] fix path
---
.github/codeql/codeql-config.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
index 0b5038cf..0afe11e7 100644
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -1,5 +1,5 @@
name: "CodeQL configuration"
queries:
- - uses: github/codeql/javascript-queries@v3
- - uses: github/codeql/typescript-queries@v3
- - uses: github/codeql/ruby-queries@v3
\ No newline at end of file
+ - uses: github/codeql/javascript
+ - uses: github/codeql/typescript
+ - uses: github/codeql/ruby
\ No newline at end of file
From 4ec28017f2a48531359ef15a8d1cfb4bb13d9464 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Fri, 21 Feb 2025 23:30:04 +0000
Subject: [PATCH 06/15] use default setup provided by Codeql
---
.github/workflows/codeql-analysis.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 80bbbec0..e4ae3845 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,7 +21,6 @@ jobs: uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} - config-file: .github/codeql/codeql-config.yml - name: Autobuild uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis
From 700cf8bd900a20223405191ffa6d9a18e3727917 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Fri, 21 Feb 2025 23:36:58 +0000
Subject: [PATCH 07/15] rename custom config file
---
.github/codeql/{codeql-config.yml => codeql-config-temp.yml} | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename .github/codeql/{codeql-config.yml => codeql-config-temp.yml} (100%)
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config-temp.yml
similarity index 100%
rename from .github/codeql/codeql-config.yml
rename to .github/codeql/codeql-config-temp.yml
From e223939634d25c022f0ddd6744ad1dde2223e75c Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Sat, 22 Feb 2025 00:00:15 +0000
Subject: [PATCH 08/15] codeql files
---
.vscode/settings.json | 3 +++
.../codeql-pack.lock.yml | 26 +++++++++++++++++++
.../codeql-pack.yml | 7 +++++
codeql-custom-queries-javascript/example.ql | 12 +++++++++
4 files changed, 48 insertions(+)
create mode 100644 .vscode/settings.json
create mode 100644 codeql-custom-queries-javascript/codeql-pack.lock.yml
create mode 100644 codeql-custom-queries-javascript/codeql-pack.yml
create mode 100644 codeql-custom-queries-javascript/example.ql
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 00000000..b8b1f229
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "codeQL.createQuery.qlPackLocation": "/workspaces/ICTTestingBaseline"
+}
\ No newline at end of file
diff --git a/codeql-custom-queries-javascript/codeql-pack.lock.yml b/codeql-custom-queries-javascript/codeql-pack.lock.yml
new file mode 100644
index 00000000..ee3c4440
--- /dev/null
+++ b/codeql-custom-queries-javascript/codeql-pack.lock.yml
@@ -0,0 +1,26 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/dataflow: + version: 2.0.1 + codeql/javascript-all: + version: 2.4.1 + codeql/mad: + version: 1.0.17 + codeql/regex: + version: 1.0.17 + codeql/ssa: + version: 1.0.17 + codeql/threat-models: + version: 1.0.17 + codeql/tutorial: + version: 1.0.17 + codeql/typetracking: + version: 2.0.1 + codeql/util: + version: 2.0.4 + codeql/xml: + version: 1.0.17 + codeql/yaml: + version: 1.0.17 +compiled: false
diff --git a/codeql-custom-queries-javascript/codeql-pack.yml b/codeql-custom-queries-javascript/codeql-pack.yml
new file mode 100644
index 00000000..4a80ed1a
--- /dev/null
+++ b/codeql-custom-queries-javascript/codeql-pack.yml
@@ -0,0 +1,7 @@
+---
+library: false
+warnOnImplicitThis: false
+name: getting-started/codeql-extra-queries-javascript
+version: 1.0.0
+dependencies:
+ codeql/javascript-all: ^2.4.1
diff --git a/codeql-custom-queries-javascript/example.ql b/codeql-custom-queries-javascript/example.ql
new file mode 100644
index 00000000..c9770d9c
--- /dev/null
+++ b/codeql-custom-queries-javascript/example.ql
@@ -0,0 +1,12 @@
+/**
+ * This is an automatically generated file
+ * @name Hello world
+ * @kind problem
+ * @problem.severity warning
+ * @id javascript/example/hello-world
+ */
+
+import javascript
+
+from File f
+select f, "Hello, world!"
\ No newline at end of file
From a490e34efb918cc02f469faeb7303be3fda7183c Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Sat, 22 Feb 2025 00:03:20 +0000
Subject: [PATCH 09/15] remove file
---
.github/codeql/codeql-config-temp.yml | 5 -----
1 file changed, 5 deletions(-)
delete mode 100644 .github/codeql/codeql-config-temp.yml
diff --git a/.github/codeql/codeql-config-temp.yml b/.github/codeql/codeql-config-temp.yml
deleted file mode 100644
index 0afe11e7..00000000
--- a/.github/codeql/codeql-config-temp.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-name: "CodeQL configuration"
-queries:
- - uses: github/codeql/javascript
- - uses: github/codeql/typescript
- - uses: github/codeql/ruby
\ No newline at end of file
From c483328048d49cff794b2de841a0166b89ba1392 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Sat, 22 Feb 2025 00:12:05 +0000
Subject: [PATCH 10/15] remove custom query files
---
.../codeql-pack.lock.yml | 26 -------------------
.../codeql-pack.yml | 7 -----
codeql-custom-queries-javascript/example.ql | 12 ---------
3 files changed, 45 deletions(-)
delete mode 100644 codeql-custom-queries-javascript/codeql-pack.lock.yml
delete mode 100644 codeql-custom-queries-javascript/codeql-pack.yml
delete mode 100644 codeql-custom-queries-javascript/example.ql
diff --git a/codeql-custom-queries-javascript/codeql-pack.lock.yml b/codeql-custom-queries-javascript/codeql-pack.lock.yml
deleted file mode 100644
index ee3c4440..00000000
--- a/codeql-custom-queries-javascript/codeql-pack.lock.yml
+++ /dev/null
@@ -1,26 +0,0 @@ ---- -lockVersion: 1.0.0 -dependencies: - codeql/dataflow: - version: 2.0.1 - codeql/javascript-all: - version: 2.4.1 - codeql/mad: - version: 1.0.17 - codeql/regex: - version: 1.0.17 - codeql/ssa: - version: 1.0.17 - codeql/threat-models: - version: 1.0.17 - codeql/tutorial: - version: 1.0.17 - codeql/typetracking: - version: 2.0.1 - codeql/util: - version: 2.0.4 - codeql/xml: - version: 1.0.17 - codeql/yaml: - version: 1.0.17 -compiled: false
diff --git a/codeql-custom-queries-javascript/codeql-pack.yml b/codeql-custom-queries-javascript/codeql-pack.yml
deleted file mode 100644
index 4a80ed1a..00000000
--- a/codeql-custom-queries-javascript/codeql-pack.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-library: false
-warnOnImplicitThis: false
-name: getting-started/codeql-extra-queries-javascript
-version: 1.0.0
-dependencies:
- codeql/javascript-all: ^2.4.1
diff --git a/codeql-custom-queries-javascript/example.ql b/codeql-custom-queries-javascript/example.ql
deleted file mode 100644
index c9770d9c..00000000
--- a/codeql-custom-queries-javascript/example.ql
+++ /dev/null
@@ -1,12 +0,0 @@
-/**
- * This is an automatically generated file
- * @name Hello world
- * @kind problem
- * @problem.severity warning
- * @id javascript/example/hello-world
- */
-
-import javascript
-
-from File f
-select f, "Hello, world!"
\ No newline at end of file
From 8c9b2a185f855a92019a15755d7265a7a45fe9ce Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Sat, 22 Feb 2025 00:21:05 +0000
Subject: [PATCH 11/15] comment file
---
.vscode/settings.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.vscode/settings.json b/.vscode/settings.json
index b8b1f229..e955ca88 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,3 +1,3 @@
{
- "codeQL.createQuery.qlPackLocation": "/workspaces/ICTTestingBaseline"
+ // "codeQL.createQuery.qlPackLocation": "/workspaces/ICTTestingBaseline"
}
\ No newline at end of file
From ce2576d41df7d78d558a7e850cbe0a00787fa426 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Sat, 22 Feb 2025 00:29:07 +0000
Subject: [PATCH 12/15] remove SARIF
---
.github/workflows/codeql-analysis.yml | 6 +----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e4ae3845..82e483c0 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,8 +24,4 @@ jobs: - name: Autobuild uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ github.workspace }}/codeql-results.sarif \ No newline at end of file + uses: github/codeql-action/analyze@v3 \ No newline at end of file
From c44671da86801abd3dd4a1ef6c98a4afb21d00e3 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Sat, 22 Feb 2025 00:32:02 +0000
Subject: [PATCH 13/15] remove
---
.vscode/settings.json | 3 ---
1 file changed, 3 deletions(-)
delete mode 100644 .vscode/settings.json
diff --git a/.vscode/settings.json b/.vscode/settings.json
deleted file mode 100644
index e955ca88..00000000
--- a/.vscode/settings.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- // "codeQL.createQuery.qlPackLocation": "/workspaces/ICTTestingBaseline"
-}
\ No newline at end of file
From b6f62cc8a93d2217e0874aa05faff3543a59d3e7 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Sat, 22 Feb 2025 00:38:14 +0000
Subject: [PATCH 14/15] verbosity added
---
.github/workflows/codeql-analysis.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 82e483c0..b2d87954 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,4 +24,6 @@ jobs: - name: Autobuild uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 \ No newline at end of file + uses: github/codeql-action/analyze@v3 + with: + verbosity: '^(off|errors|warnings|(info|progress)|(debug|progress\+)|(trace|progress\+\+)|progress\+\+\+)$' \ No newline at end of file
From 7388d31fe897b0c9cefa3c9415c70892876b1d28 Mon Sep 17 00:00:00 2001
From: Kathy Eng
Date: Sat, 22 Feb 2025 00:44:13 +0000
Subject: [PATCH 15/15] another try
---
.github/workflows/codeql-analysis.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b2d87954..47ac60f9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,4 +26,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - verbosity: '^(off|errors|warnings|(info|progress)|(debug|progress\+)|(trace|progress\+\+)|progress\+\+\+)$' \ No newline at end of file + category: '/language:${{ matrix.language }}' + output: 'results.sarif'
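Review bot: `output: 'results.sarif'` on the analyze step gives a file-looking name to what is, as far as I know, a directory input — the action's `output` is the directory SARIF files are written into (default `../results`) — so the run would create a directory named `results.sarif` inside the checkout rather than a single file. Either drop the key, since `analyze` uploads its results itself, or name a directory, e.g. `output: 'results'`. The `category: '/language:${{ matrix.language }}'` value is fine and keeps the per-language uploads distinct. The `with:` block and the surrounding `steps` list begin above this hunk.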