[Track] Enhancement KCL IaC Security through a CodeQL approach.

[flyinox]

Specifically, it is necessary to describe the AST node information of KCL in the form of a dbschema and to add a query library. In addition, an extractor should be written to extract AST information into a database defined by the dbschema. This would enable the analysis and querying of KCL code using the QL infrastructure.

• KCL DB scheme Description: https://github.com/kcl-lang/codeql-kcl/blob/main/dbscheme/kcl.dbscheme
• Extractor impled in KCL Java SDK: feat: kcl java parser API and AST definitions lib#28
  • KCL Parser API [Enhancement] KCL Parser API for Multiple SDKs kcl#970
  • KCL Semantic API feat: scope api for multiple lang sdks kcl#996 feat: semantic API for multiple language SDKs kcl#989
  • Light KCL Java SDK https://github.com/kcl-lang/kcl-java
  • Extractor: https://github.com/kcl-lang/codeql-kcl
• CI Integration
• CodeQL Query Run in KCL IDE Extension
• Common query libraries

Impl

• https://github.com/kcl-lang/codeql-kcl

Ref

IaC & CodeQL

• https://github.com/github/codeql
• https://github.com/advanced-security/codeql-extractor-iac
• https://github.com/colindembovsky/iac-codeql
• https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-infrastructure-as-code

KCL

• Token & AST: https://github.com/kcl-lang/kcl/tree/main/kclvm/ast
• Error: https://github.com/kcl-lang/kcl/tree/main/kclvm/error
• Semantic Model: https://github.com/kcl-lang/kcl/tree/main/kclvm/sema/src/core