feat(iac): Update Dependencies and add better Semver support

Author: GeekMasher

ql/lib/codeql/iac/Dependencies.qll

@@ -27,13 +27,89 @@ class Dependency extends Location {
   /**
    * Gets the version of the dependency.
    */
-  string getVersion() { result = version.replaceAll("=", "") }
+  string getVersion() { result = this.getSemanticVersion().getPretty() }
 
-  SemanticVersion getSemanticVersion() { result = this.getVersion() }
+  /**
+   * Gets the raw version of the dependency.
+   */
+  string getRawVersion() { result = version }
+
+  /**
+   * Gets the semantic version of the dependency.
+   */
+  SemanticVersion getSemanticVersion() { result = version  }
 }
 
 class SemanticVersion extends string {
-  private Dependency dep;
+  Dependency dep;
+  string normalized;
+  string pretty;
+
+  SemanticVersion() {
+    this = dep.getRawVersion() and
+    normalized = normalizeSemver(this) and 
+    pretty = prettySemver(this)
+  }
+
+  /**
+   * Holds if this version may be before `last`.
+   */
+  bindingset[last]
+  predicate maybeBefore(string last) { normalized < normalizeSemver(last) }
+
+  /**
+   * Holds if this version may be after `first`.
+   */
+  bindingset[first]
+  predicate maybeAfter(string first) { normalizeSemver(first) < normalized }
 
-  SemanticVersion() { this = dep.getVersion() }
+  /**
+   * Holds if this version may be between `first` (inclusive) and `last` (exclusive).
+   */
+  bindingset[first, last]
+  predicate maybeBetween(string first, string last) {
+    normalizeSemver(first) <= normalized and
+    normalized < normalizeSemver(last)
+  }
+
+  /**
+   * Holds if this version is equivalent to `other`.
+   */
+  bindingset[other]
+  predicate is(string other) { normalized = normalizeSemver(other) }
+
+  string getPretty() { result = pretty }
 }
+
+bindingset[str]
+private string leftPad(string str) { result = ("000" + str).suffix(str.length()) }
+
+/**
+ * Normalizes a SemVer string such that the lexicographical ordering
+ * of two normalized strings is consistent with the SemVer ordering.
+ *
+ * Pre-release information and build metadata is not yet supported.
+ */
+bindingset[orig]
+private string normalizeSemver(string orig) {
+  exists(string pattern, string major, string minor, string patch |
+    pattern = "(=|~>|^)(\\d+)\\.(\\d+)\\.(\\d+)" and
+    major = orig.regexpCapture(pattern, 2) and
+    minor = orig.regexpCapture(pattern, 3) and
+    patch = orig.regexpCapture(pattern, 4)
+  |
+    result = leftPad(major) + "." + leftPad(minor) + "." + leftPad(patch)
+  )
+}
+
+bindingset[orig]
+private string prettySemver(string orig) {
+  exists(string pattern, string major, string minor, string patch |
+    pattern = "(=|~>|^)(\\d+)\\.(\\d+)\\.(\\d+)" and
+    major = orig.regexpCapture(pattern, 2) and
+    minor = orig.regexpCapture(pattern, 3) and
+    patch = orig.regexpCapture(pattern, 4)
+  |
+    result = major + "." + minor + "." + patch
+  )
+}

ql/test/library-tests/hcl/terraform/Dependencies.expected

@@ -1,3 +1,6 @@
+dependencies
 | providers.tf:5:15:8:5 | hashicorp/azurerm@3.0.0 |
 | providers.tf:9:14:9:22 | hashicorp/time@~>0.7.2 |
 | providers.tf:10:14:10:22 | hashicorp/random@~>3.3.1 |
+semver
+| 3.0.0 |

ql/test/library-tests/hcl/terraform/Dependencies.ql

@@ -1,3 +1,5 @@
 import hcl
 
 query predicate dependencies(Dependency d) { any() }
+
+query predicate semver(Dependency d, SemanticVersion v) { d.getSemanticVersion() = v }