Merge branch 'main' into dd/paths-ignore/1

Author: data-douser

.github/codeql/codeql-config.yaml

@@ -6,5 +6,11 @@ queries:
   - uses: ./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls
   - uses: ./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls
 
+packs:
+  javascript:
+    - advanced-security/javascript-sap-ui5-models
+    - advanced-security/javascript-sap-cap-models
+    - advanced-security/javascript-sap-xsjs-models
+
 paths-ignore:
   - "**/frameworks/*/test/models"

.github/workflows/code_scanning.yml

@@ -2,12 +2,12 @@ name: "Code Scanning"
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main" ]
+    branches: ["main"]
   schedule:
-    - cron: '39 12 * * 2'
+    - cron: "39 12 * * 2"
   workflow_dispatch:
 
 permissions:
@@ -19,88 +19,80 @@ env:
 jobs:
   analyze-javascript:
     name: Analyze
-    runs-on: 'ubuntu-latest'
+    runs-on: "ubuntu-latest"
     permissions:
       actions: read
       contents: read
       security-events: write
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v6
+      - name: Checkout repository
+        uses: actions/checkout@v6
 
-    - name: Prepare local CodeQL model packs
-      run: |
-        mkdir -p .github/codeql/extensions
-        for ext in $(find . -name 'qlpack.yml' -exec fgrep -l dataExtensions {} \;); do
-          dir=$(dirname $ext)
-          echo "Moving $ext to .github/codeql/extensions/$dir"
-          mkdir -p .github/codeql/extensions/$dir
-          mv $dir .github/codeql/extensions/$dir
-        done
+      - name: Extract CodeQL bundle version from qlt.conf.json
+        run: |
+          echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
 
-    - name: Extract CodeQL bundle version from qlt.conf.json
-      run: |
-        echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
+      - name: Initialize CodeQL
+        id: initialize-codeql
+        uses: github/codeql-action/init@v4
+        env:
+          # Add our custom extractor to the CodeQL search path
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"init":["--search-path","${{ github.workspace }}/extractors:${{ github.workspace }}"]}}'
+        with:
+          languages: javascript
+          config-file: ./.github/codeql/codeql-config.yaml
+          db-location: ${{ runner.temp }}/codeql-database
+          tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
+          debug: true
 
-    - name: Initialize CodeQL
-      id: initialize-codeql
-      uses: github/codeql-action/init@v4
-      env:
-        # Add our custom extractor to the CodeQL search path
-        CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"init":["--search-path","${{ github.workspace }}/extractors"]}}'
-      with:
-        languages: javascript
-        config-file: ./.github/codeql/codeql-config.yaml
-        db-location: ${{ runner.temp }}/codeql-database
-        tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
-        debug: true
+      - name: Run CDS extractor
+        shell: bash
+        run: |
+          export CODEQL_DIST="$(dirname "${{ steps.initialize-codeql.outputs.codeql-path }}")"
+          export CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${{ runner.temp }}/codeql-database/javascript"
+          ${{ github.workspace }}/scripts/compile-cds.sh
 
-    - name: Run CDS extractor
-      shell: bash
-      run: |
-        export CODEQL_DIST="$(dirname "${{ steps.initialize-codeql.outputs.codeql-path }}")"
-        export CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${{ runner.temp }}/codeql-database/javascript"
-        ${{ github.workspace }}/scripts/compile-cds.sh
+      - name: Perform CodeQL Analysis
+        id: analyze
+        uses: github/codeql-action/analyze@v4
+        env:
+          LGTM_INDEX_XML_MODE: all
+          LGTM_INDEX_FILETYPES: ".json:JSON"
+          # Add our CodeQL workspace to the path to search for packs to then resolve the MaD locally
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"run-queries":["--additional-packs","${{ github.workspace }}/javascript/frameworks/xsjs/ext:${{ github.workspace }}/javascript/frameworks/cap/ext:${{ github.workspace }}/javascript/frameworks/ui5/ext"],"interpret-results":["--additional-packs","${{ github.workspace }}/javascript/frameworks/xsjs/ext:${{ github.workspace }}/javascript/frameworks/cap/ext:${{ github.workspace }}/javascript/frameworks/ui5/ext"]}}'
 
-    - name: Perform CodeQL Analysis
-      id: analyze
-      uses: github/codeql-action/analyze@v4
-      env:
-        LGTM_INDEX_XML_MODE: all
-        LGTM_INDEX_FILETYPES: ".json:JSON"
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
 
-    - name: Setup Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: '3.10'
+      - uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip
 
-    - uses: actions/cache@v4
-      with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pip
+      - name: Validate results
+        continue-on-error: true
+        id: validate
+        run: |
+          pip install sarif-tools
+          sarif --version
+          sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
+          cat sarif-diff.json
+          ! grep -q "[1-9]" sarif-diff.json
 
-    - name: Validate results
-      continue-on-error: true
-      id: validate
-      run: |
-        pip install sarif-tools
-        sarif --version
-        sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
-        cat sarif-diff.json
-        ! grep -q "[1-9]" sarif-diff.json
+      - name: Upload sarif change
+        if: steps.validate.outcome != 'success'
+        uses: actions/upload-artifact@v6
+        with:
+          name: sarif
+          path: |
+            sarif-diff.json
+            ${{ steps.analyze.outputs.sarif-output }}
 
-    - name: Upload sarif change
-      if: steps.validate.outcome != 'success'
-      uses: actions/upload-artifact@v6
-      with:
-        name: sarif
-        path: |
-          sarif-diff.json
-          ${{ steps.analyze.outputs.sarif-output }}
-
-    - name: Unexpected Code Scanning results
-      if: steps.validate.outcome != 'success'
-      run: |
-        cat sarif-diff.json
-        echo "::error::Unexpected Code Scanning results!" && exit 1
+      - name: Unexpected Code Scanning results
+        if: steps.validate.outcome != 'success'
+        run: |
+          cat sarif-diff.json
+          echo "::error::Unexpected Code Scanning results!" && exit 1

.github/workflows/javascript.sarif.expected

@@ -6,5 +6,5 @@ suites: codeql-suites
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.6.22"
-  advanced-security/javascript-sap-cap-all: "${workspace}"
+  advanced-security/javascript-sap-cap-all: "2.24.3"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/cap/src/qlpack.yml

@@ -4,6 +4,6 @@ version: 2.24.3
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.6.22"
-  advanced-security/javascript-sap-cap-queries: "${workspace}"
-  advanced-security/javascript-sap-cap-models: "${workspace}"
-  advanced-security/javascript-sap-cap-all: "${workspace}"
+  advanced-security/javascript-sap-cap-queries: "2.24.3"
+  advanced-security/javascript-sap-cap-models: "2.24.3"
+  advanced-security/javascript-sap-cap-all: "2.24.3"

javascript/frameworks/cap/test/qlpack.yml

@@ -3,4 +3,4 @@ version: 2.24.3
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.6.22"
-  advanced-security/javascript-sap-ui5-all: "${workspace}"
+  advanced-security/javascript-sap-ui5-all: "2.24.3"

javascript/frameworks/ui5-webcomponents/test/qlpack.yml

@@ -26,12 +26,15 @@ module UI5LogEntryToHttp implements DataFlow::StateConfigSig {
   predicate isAdditionalFlowStep(
     DataFlow::Node start, FlowState preState, DataFlow::Node end, FlowState postState
   ) {
-    UI5LogInjection::isAdditionalFlowStep(start, end) and
-    preState = postState
-    or
-    logArgumentToListener(start, end) and
-    preState = "not-logged-not-accessed" and
-    postState = "logged-and-accessed"
+    inSameWebApp(start.getFile(), end.getFile()) and
+    (
+      UI5LogInjection::isAdditionalFlowStep(start, end) and
+      preState = postState
+      or
+      logArgumentToListener(start, end) and
+      preState = "not-logged-not-accessed" and
+      postState = "logged-and-accessed"
+    )
   }
 
   predicate isSink(DataFlow::Node node, FlowState state) {

javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/package-lock.json

@@ -49,33 +49,36 @@ module UI5Xss implements DataFlow::ConfigSig {
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node start, DataFlow::Node end) {
-    /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
-    DomBasedXss::DomBasedXssConfig::isAdditionalFlowStep(start, _, end, _)
-    or
-    /* TODO: Legacy code */
-    /* Handler argument node to handler parameter */
-    exists(UI5Handler h |
-      start = h.getBindingPath().getNode() and
-      /*
-       * Ideally we would like to show an intermediate node where
-       * the handler is bound to a control, but there is no sourceNode there
-       * `end = h.getBindingPath() or start = h.getBindingPath()`
-       */
+    inSameWebApp(start.getFile(), end.getFile()) and
+    (
+      /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
+      DomBasedXss::DomBasedXssConfig::isAdditionalFlowStep(start, _, end, _)
+      or
+      /* TODO: Legacy code */
+      /* Handler argument node to handler parameter */
+      exists(UI5Handler h |
+        start = h.getBindingPath().getNode() and
+        /*
+         * Ideally we would like to show an intermediate node where
+         * the handler is bound to a control, but there is no sourceNode there
+         * `end = h.getBindingPath() or start = h.getBindingPath()`
+         */
 
-      end = h.getParameter(0)
-    )
-    or
-    /* Flow from `setContent` to `getContent` of a control */
-    exists(
-      UI5Control control, DataFlow::MethodCallNode getContent, DataFlow::MethodCallNode setContent
-    |
-      control.asJsControl() = setContent.getReceiver().getALocalSource() and
-      control.asJsControl() = getContent.getReceiver().getALocalSource() and
-      setContent.getMethodName() = "setContent" and
-      getContent.getMethodName() = "getContent" and
-      start = setContent.getArgument(0) and
-      end = getContent and
-      not control.isHTMLSanitized()
+        end = h.getParameter(0)
+      )
+      or
+      /* Flow from `setContent` to `getContent` of a control */
+      exists(
+        UI5Control control, DataFlow::MethodCallNode getContent, DataFlow::MethodCallNode setContent
+      |
+        control.asJsControl() = setContent.getReceiver().getALocalSource() and
+        control.asJsControl() = getContent.getReceiver().getALocalSource() and
+        setContent.getMethodName() = "setContent" and
+        getContent.getMethodName() = "getContent" and
+        start = setContent.getArgument(0) and
+        end = getContent and
+        not control.isHTMLSanitized()
+      )
     )
   }
 }