diff --git a/.github/workflows/release-codeql.yml b/.github/workflows/release-codeql.yml
index e78f21df5..2d3aa87ca 100644
--- a/.github/workflows/release-codeql.yml
+++ b/.github/workflows/release-codeql.yml
@@ -43,19 +43,6 @@ jobs:
 release_name: ${{ steps.version.outputs.release_name }}
 version: ${{ steps.version.outputs.version }}
- env:
- PUBLISHABLE_PACKS_LIST: |
- javascript/frameworks/cap/src
- javascript/frameworks/cap/ext
- javascript/frameworks/cap/lib
- javascript/frameworks/ui5/src
- javascript/frameworks/ui5/ext
- javascript/frameworks/ui5/lib
- javascript/frameworks/xsjs/src
- javascript/frameworks/xsjs/ext
- javascript/frameworks/xsjs/lib
- javascript/heuristic-models/ext
-
 steps:
 - name: CodeQL - Validate and parse version
 id: version
@@ -91,9 +78,7 @@ jobs:
 - name: CodeQL - Install pack dependencies
 shell: bash
- run: |
- chmod +x ./scripts/install-packs.sh
- ./scripts/install-packs.sh
+ run: ./scripts/install-packs.sh
 - name: CodeQL - Validate version consistency
 run: |
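Review bot: The second hunk drops `chmod +x ./scripts/install-packs.sh` from the install step, but nothing in this diff changes the tracked mode of `scripts/install-packs.sh` (only the two new scripts are added as `100755`). If that file is not already committed with the executable bit, the step now fails with "permission denied" on a fresh checkout. Either confirm the tracked mode (`git ls-files -s scripts/install-packs.sh` should report `100755`) or make the step independent of the bit with `run: bash ./scripts/install-packs.sh`. The removed job-level `PUBLISHABLE_PACKS_LIST` in the first hunk is fine, since both new scripts carry their own list; the job's step list continues outside this hunk.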
@@ -106,50 +91,14 @@ jobs:
 if: inputs.publish_codeql_packs
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- # Read the shared pack list from the job-level environment variable.
- mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
- echo "Publishing CodeQL packs..."
- for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
- if [ -d "${pack_dir}" ]; then
- pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
- echo "📦 Publishing ${pack_name} from ${pack_dir}..."
- echo "${GITHUB_TOKEN}" | codeql pack publish --github-auth-stdin --threads=-1 -- "${pack_dir}"
- echo "✅ Published ${pack_name}"
- else
- echo "⚠️ Skipping: ${pack_dir} not found"
- fi
- done
+ run: ./scripts/publish-packs.sh "${{ steps.version.outputs.release_name }}"
 - name: CodeQL - Skip pack publishing
 if: '!inputs.publish_codeql_packs'
 run: echo "⏭️ CodeQL pack publishing disabled via workflow input"
 - name: CodeQL - Bundle CodeQL packs
- run: |
- mkdir -p dist-packs
-
- # Bundle all publishable packs
- # Read the pack list from the environment into a Bash array.
- # Each line in PUBLISHABLE_PACKS_LIST becomes one element.
- mapfile -t PUBLISHABLE_PACKS <<< "${PUBLISHABLE_PACKS_LIST}"
-
- echo "Bundling CodeQL packs..."
- for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
- if [ -d "${pack_dir}" ]; then
- pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
- # Convert pack name to filename: advanced-security/foo -> foo
- bundle_name="${pack_name#advanced-security/}"
- output="dist-packs/${bundle_name}.tar.gz"
- echo "📦 Bundling ${pack_name} -> ${output}..."
- codeql pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"
- echo "✅ Bundled ${bundle_name}"
- fi
- done
- echo ""
- echo "Bundled packs:"
- ls -lh dist-packs/
+ run: ./scripts/bundle-packs.sh --output-dir dist-packs
 - name: CodeQL - Upload pack artifacts
 uses: actions/upload-artifact@v6
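Review bot: The new publish step interpolates `${{ steps.version.outputs.release_name }}` straight into the `run:` command line, so the value is substituted into the script text before bash parses it and the surrounding double quotes give no protection. The step already has an `env:` block for `GITHUB_TOKEN`; passing the release name the same way keeps it an ordinary shell variable: add `RELEASE_NAME: ${{ steps.version.outputs.release_name }}` under `env:` and change the command to `run: ./scripts/publish-packs.sh "$RELEASE_NAME"`. The output comes from the job's own "Validate and parse version" step, so how much that step constrains the value is what bounds the risk, and that step is outside this hunk; the `env:` route is the pattern GitHub documents for expressions in `run:` and costs nothing either way.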
diff --git a/javascript/frameworks/cap/ext/qlpack.yml b/javascript/frameworks/cap/ext/qlpack.yml index 9aa930dfd..d7839e4b5 100644 --- a/javascript/frameworks/cap/ext/qlpack.yml +++ b/javascript/frameworks/cap/ext/qlpack.yml @@ -1,6 +1,6 @@ --- library: true name: advanced-security/javascript-sap-cap-models -version: 2.3.0 +version: 2.24.2 extensionTargets: - codeql/javascript-all: "^2.4.0" + codeql/javascript-all: "^2.6.22" diff --git a/javascript/frameworks/cap/lib/codeql-pack.lock.yml b/javascript/frameworks/cap/lib/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 --- a/javascript/frameworks/cap/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/lib/codeql-pack.lock.yml @@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/cap/lib/qlpack.yml b/javascript/frameworks/cap/lib/qlpack.yml index 06b56a070..83bec95d1 100644 --- a/javascript/frameworks/cap/lib/qlpack.yml +++ b/javascript/frameworks/cap/lib/qlpack.yml @@ -1,8 +1,8 @@ --- library: true name: advanced-security/javascript-sap-cap-all -version: 2.3.0 +version: 2.24.2 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" + codeql/javascript-all: "^2.6.22" 
diff --git a/javascript/frameworks/cap/src/codeql-pack.lock.yml b/javascript/frameworks/cap/src/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 --- a/javascript/frameworks/cap/src/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/src/codeql-pack.lock.yml @@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/cap/src/qlpack.yml b/javascript/frameworks/cap/src/qlpack.yml index 9d4439e11..5c3b2518b 100644 --- a/javascript/frameworks/cap/src/qlpack.yml +++ b/javascript/frameworks/cap/src/qlpack.yml @@ -1,10 +1,10 @@ --- library: false name: advanced-security/javascript-sap-cap-queries -version: 2.3.0 +version: 2.24.2 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-cap-all: "^2.3.0" + codeql/javascript-all: "^2.6.22" + advanced-security/javascript-sap-cap-all: "${workspace}" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/cap/test/codeql-pack.lock.yml b/javascript/frameworks/cap/test/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 --- a/javascript/frameworks/cap/test/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/test/codeql-pack.lock.yml 
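Review bot: Replacing the pinned `"^2.3.0"` on `advanced-security/javascript-sap-cap-all` with `"${workspace}"` means the dependency can only be resolved while the pack sits inside a CodeQL workspace whose `codeql-workspace.yml` `provide:` globs cover both packs; no such file is touched in this diff, so confirm it already exists at the repo root, otherwise `codeql pack install` (and the new `scripts/install-packs.sh` step) fails on the unresolved placeholder. The same switch is made in the cap test pack, the ui5-webcomponents test pack, the ui5 src/test packs, the xsjs src/test packs and the heuristic-models tests pack. A one-line comment above the dependency, e.g. `# resolved from the sibling pack via codeql-workspace.yml`, would save the next reader from copying the placeholder into a pack outside the workspace.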
@@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/cap/test/qlpack.yml b/javascript/frameworks/cap/test/qlpack.yml index 92d9a60fe..600112aaa 100644 --- a/javascript/frameworks/cap/test/qlpack.yml +++ b/javascript/frameworks/cap/test/qlpack.yml @@ -1,9 +1,9 @@ --- name: advanced-security/javascript-sap-cap-queries-tests -version: 2.3.0 +version: 2.24.2 extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-cap-queries: "^2.3.0" - advanced-security/javascript-sap-cap-models: "^2.3.0" - advanced-security/javascript-sap-cap-all: "^2.3.0" + codeql/javascript-all: "^2.6.22" + advanced-security/javascript-sap-cap-queries: "${workspace}" + advanced-security/javascript-sap-cap-models: "${workspace}" + advanced-security/javascript-sap-cap-all: "${workspace}" diff --git a/javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml b/javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 --- a/javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml 
@@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/ui5-webcomponents/test/qlpack.yml b/javascript/frameworks/ui5-webcomponents/test/qlpack.yml index 0288ba949..34d8bd955 100644 --- a/javascript/frameworks/ui5-webcomponents/test/qlpack.yml +++ b/javascript/frameworks/ui5-webcomponents/test/qlpack.yml @@ -1,6 +1,6 @@ name: advanced-security/javascript-sap-ui5-webcomponents-for-react-test -version: 2.3.0 +version: 2.24.2 extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-ui5-all: "^2.3.0" + codeql/javascript-all: "^2.6.22" + advanced-security/javascript-sap-ui5-all: "${workspace}" diff --git a/javascript/frameworks/ui5/ext/qlpack.yml b/javascript/frameworks/ui5/ext/qlpack.yml index 9e58e6605..d692148db 100644 --- a/javascript/frameworks/ui5/ext/qlpack.yml +++ b/javascript/frameworks/ui5/ext/qlpack.yml @@ -1,8 +1,8 @@ --- library: true name: advanced-security/javascript-sap-ui5-models -version: 2.3.0 +version: 2.24.2 extensionTargets: - codeql/javascript-all: "^2.4.0" + codeql/javascript-all: "^2.6.22" dataExtensions: - "*.model.yml" diff --git a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 
--- a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml @@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/ui5/lib/qlpack.yml b/javascript/frameworks/ui5/lib/qlpack.yml index e596840d2..e1f8977d2 100644 --- a/javascript/frameworks/ui5/lib/qlpack.yml +++ b/javascript/frameworks/ui5/lib/qlpack.yml @@ -1,8 +1,8 @@ --- library: true name: advanced-security/javascript-sap-ui5-all -version: 2.3.0 +version: 2.24.2 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" + codeql/javascript-all: "^2.6.22" diff --git a/javascript/frameworks/ui5/src/codeql-pack.lock.yml b/javascript/frameworks/ui5/src/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 --- a/javascript/frameworks/ui5/src/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/src/codeql-pack.lock.yml 
@@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/ui5/src/qlpack.yml b/javascript/frameworks/ui5/src/qlpack.yml index 89f008024..790258ab6 100644 --- a/javascript/frameworks/ui5/src/qlpack.yml +++ b/javascript/frameworks/ui5/src/qlpack.yml @@ -1,10 +1,10 @@ --- library: false name: advanced-security/javascript-sap-ui5-queries -version: 2.3.0 +version: 2.24.2 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-ui5-all: "^2.3.0" + codeql/javascript-all: "^2.6.22" + advanced-security/javascript-sap-ui5-all: "${workspace}" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/ui5/test/codeql-pack.lock.yml b/javascript/frameworks/ui5/test/codeql-pack.lock.yml index e539eecc2..9e87e4580 100644 --- a/javascript/frameworks/ui5/test/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/test/codeql-pack.lock.yml 
@@ -2,35 +2,35 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/javascript-queries: - version: 2.3.1 + version: 2.3.2 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/suite-helpers: - version: 1.0.41 + version: 1.0.42 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/typos: - version: 1.0.41 + version: 1.0.42 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/ui5/test/qlpack.yml b/javascript/frameworks/ui5/test/qlpack.yml index cdf7b5a4a..14e59b2ed 100644 --- a/javascript/frameworks/ui5/test/qlpack.yml +++ b/javascript/frameworks/ui5/test/qlpack.yml @@ -1,12 +1,12 @@ name: advanced-security/javascript-sap-ui5-queries-tests -version: 2.3.0 +version: 2.24.2 extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" + codeql/javascript-all: "^2.6.22" # We use this dependency to run the standard Log Injection query to ensure that # no overlap occurs with the SAP UI5 queries. We therefore allow any version # greater than or equal to 1.2.0, as major breaking changes are not a concern. codeql/javascript-queries: ">1.2.0" - advanced-security/javascript-sap-ui5-queries: "^2.3.0" - advanced-security/javascript-sap-ui5-models: "^2.3.0" - advanced-security/javascript-sap-ui5-all: "^2.3.0" + advanced-security/javascript-sap-ui5-queries: "${workspace}" + advanced-security/javascript-sap-ui5-models: "${workspace}" + advanced-security/javascript-sap-ui5-all: "${workspace}" 
diff --git a/javascript/frameworks/xsjs/ext/qlpack.yml b/javascript/frameworks/xsjs/ext/qlpack.yml index dc1690560..cb2b9d721 100644 --- a/javascript/frameworks/xsjs/ext/qlpack.yml +++ b/javascript/frameworks/xsjs/ext/qlpack.yml @@ -1,8 +1,8 @@ --- library: true name: advanced-security/javascript-sap-xsjs-models -version: 2.3.0 +version: 2.24.2 extensionTargets: - codeql/javascript-all: "^2.4.0" + codeql/javascript-all: "^2.6.22" dataExtensions: - "*.model.yml" diff --git a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 --- a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml @@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/xsjs/lib/qlpack.yml b/javascript/frameworks/xsjs/lib/qlpack.yml index 2e56a7f83..8853e70aa 100644 --- a/javascript/frameworks/xsjs/lib/qlpack.yml +++ b/javascript/frameworks/xsjs/lib/qlpack.yml @@ -1,8 +1,8 @@ --- library: true name: advanced-security/javascript-sap-xsjs-all -version: 2.3.0 +version: 2.24.2 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" + codeql/javascript-all: "^2.6.22" 
diff --git a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 --- a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml @@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/xsjs/src/qlpack.yml b/javascript/frameworks/xsjs/src/qlpack.yml index 81316e2a7..6aad949f7 100644 --- a/javascript/frameworks/xsjs/src/qlpack.yml +++ b/javascript/frameworks/xsjs/src/qlpack.yml @@ -1,10 +1,10 @@ --- library: false name: advanced-security/javascript-sap-xsjs-queries -version: 2.3.0 +version: 2.24.2 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-xsjs-all: "^2.3.0" + codeql/javascript-all: "^2.6.22" + advanced-security/javascript-sap-xsjs-all: "${workspace}" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 --- a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml 
@@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/frameworks/xsjs/test/qlpack.yml b/javascript/frameworks/xsjs/test/qlpack.yml index 2b7017e6f..7e638d7cd 100644 --- a/javascript/frameworks/xsjs/test/qlpack.yml +++ b/javascript/frameworks/xsjs/test/qlpack.yml @@ -1,9 +1,9 @@ --- name: advanced-security/javascript-sap-xsjs-tests -version: 2.3.0 +version: 2.24.2 extractor: javascript dependencies: - codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-xsjs-queries: "^2.3.0" - advanced-security/javascript-sap-xsjs-all: "^2.3.0" - advanced-security/javascript-sap-xsjs-models: "^2.3.0" + codeql/javascript-all: "^2.6.22" + advanced-security/javascript-sap-xsjs-queries: "${workspace}" + advanced-security/javascript-sap-xsjs-all: "${workspace}" + advanced-security/javascript-sap-xsjs-models: "${workspace}" diff --git a/javascript/heuristic-models/ext/qlpack.yml b/javascript/heuristic-models/ext/qlpack.yml index 97dc74859..2e7d5c3e2 100644 --- a/javascript/heuristic-models/ext/qlpack.yml +++ b/javascript/heuristic-models/ext/qlpack.yml 
@@ -2,8 +2,8 @@ library: true warnOnImplicitThis: false name: advanced-security/javascript-heuristic-models -version: 2.3.0 +version: 2.24.2 extensionTargets: - codeql/javascript-all: "*" + codeql/javascript-all: "^2.6.22" dataExtensions: - "*.model.yml" diff --git a/javascript/heuristic-models/tests/codeql-pack.lock.yml b/javascript/heuristic-models/tests/codeql-pack.lock.yml index 6869bc0cd..f3bb41d1c 100644 --- a/javascript/heuristic-models/tests/codeql-pack.lock.yml +++ b/javascript/heuristic-models/tests/codeql-pack.lock.yml @@ -2,29 +2,29 @@ lockVersion: 1.0.0 dependencies: codeql/concepts: - version: 0.0.15 + version: 0.0.16 codeql/controlflow: - version: 2.0.25 + version: 2.0.26 codeql/dataflow: - version: 2.0.25 + version: 2.0.26 codeql/javascript-all: - version: 2.6.21 + version: 2.6.22 codeql/mad: - version: 1.0.41 + version: 1.0.42 codeql/regex: - version: 1.0.41 + version: 1.0.42 codeql/ssa: - version: 2.0.17 + version: 2.0.18 codeql/threat-models: - version: 1.0.41 + version: 1.0.42 codeql/tutorial: - version: 1.0.41 + version: 1.0.42 codeql/typetracking: - version: 2.0.25 + version: 2.0.26 codeql/util: - version: 2.0.28 + version: 2.0.29 codeql/xml: - version: 1.0.41 + version: 1.0.42 codeql/yaml: - version: 1.0.41 + version: 1.0.42 compiled: false diff --git a/javascript/heuristic-models/tests/qlpack.yml b/javascript/heuristic-models/tests/qlpack.yml index 768b923ae..e192d1713 100644 --- a/javascript/heuristic-models/tests/qlpack.yml +++ b/javascript/heuristic-models/tests/qlpack.yml @@ -1,8 +1,8 @@ library: false warnOnImplicitThis: false name: advanced-security/javascript-heuristic-models-tests -version: 2.3.0 +version: 2.24.2 extractor: javascript dependencies: - "codeql/javascript-all": "*" - "advanced-security/javascript-heuristic-models": 2.3.0 + "codeql/javascript-all": "^2.6.22" + "advanced-security/javascript-heuristic-models": "${workspace}" diff --git a/qlt.conf.json b/qlt.conf.json index d595e2c4e..fb60b31cd 100644 --- a/qlt.conf.json 
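Review bot: The heuristic-models ext pack narrows its `extensionTargets` from `"*"` to `"^2.6.22"`, which is a stricter change than the other ext packs receive (they move from `"^2.4.0"` to `"^2.6.22"`, so they were already range-bound): after this commit the heuristic models stop applying to any `codeql/javascript-all` below 2.6.22, where they previously applied everywhere. If the intent is only to line up with CLI 2.24.2, it is worth stating in the commit message that the wider compatibility is being given up deliberately, or keeping a lower floor such as `"^2.4.0"` to match what the sibling packs accepted before.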
+++ b/qlt.conf.json
@@ -1,5 +1,5 @@
 {
- "CodeQLCLI": "2.24.1",
- "CodeQLStandardLibrary": "codeql-cli/v2.24.1",
- "CodeQLCLIBundle": "codeql-bundle-v2.24.1"
+ "CodeQLCLI": "2.24.2",
+ "CodeQLStandardLibrary": "codeql-cli/v2.24.2",
+ "CodeQLCLIBundle": "codeql-bundle-v2.24.2"
 }
diff --git a/scripts/bundle-packs.sh b/scripts/bundle-packs.sh
new file mode 100755
index 000000000..7369c0bee
--- /dev/null
+++ b/scripts/bundle-packs.sh
@@ -0,0 +1,194 @@ +#!/usr/bin/env bash +set -euo pipefail + +## bundle-packs.sh +## Bundle CodeQL packs into distributable .tar.gz archives. +## +## This script bundles all publishable CodeQL packs in the codeql-sap-js +## repository using `codeql pack bundle`, producing .tar.gz files suitable +## for upload as release artifacts or offline distribution. +## +## Requirements: +## - The `codeql` CLI must be available on PATH. +## +## Usage: +## ./scripts/bundle-packs.sh [OPTIONS] +## ./scripts/bundle-packs.sh --output-dir dist-packs +## ./scripts/bundle-packs.sh --dry-run +## +## Options: +## --output-dir Directory for bundled .tar.gz files (default: dist-packs). +## --dry-run Show what would be bundled without actually bundling. +## -h, --help Show this help message. + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)" + +DRY_RUN=false +OUTPUT_DIR="dist-packs" + +## All publishable pack directories relative to repo root. +## These must match the packs listed in publish-packs.sh. +PUBLISHABLE_PACKS=( + "javascript/frameworks/cap/src" + "javascript/frameworks/cap/ext" + "javascript/frameworks/cap/lib" + "javascript/frameworks/ui5/src" + "javascript/frameworks/ui5/ext" + "javascript/frameworks/ui5/lib" + "javascript/frameworks/xsjs/src" + "javascript/frameworks/xsjs/ext" + "javascript/frameworks/xsjs/lib" + "javascript/heuristic-models/ext" +) + +usage() { + cat < Directory for bundled .tar.gz files (default: dist-packs). + --dry-run Show what would be bundled without actually bundling. + -h, --help Show this help message. 
+ +EXAMPLES: + ./scripts/bundle-packs.sh + ./scripts/bundle-packs.sh --output-dir dist-packs + ./scripts/bundle-packs.sh --dry-run +EOF +} + +while [[ $# -gt 0 ]]; do + case $1 in + --output-dir) + if [[ $# -lt 2 || "${2-}" == -* ]]; then + echo "Error: --output-dir requires a value" >&2 + usage >&2 + exit 1 + fi + OUTPUT_DIR="$2" + shift 2 + ;; + --dry-run) + DRY_RUN=true + shift + ;; + -h|--help) + usage + exit 0 + ;; + *) + echo "Error: Unknown option $1" >&2 + usage >&2 + exit 1 + ;; + esac +done + +## ── Diagnostics ────────────────────────────────────────────────────────────── + +echo "╔══════════════════════════════════════════════════════════════╗" +echo "║ CodeQL Pack Bundler ║" +echo "╚══════════════════════════════════════════════════════════════╝" +echo "" +echo "Output dir: ${OUTPUT_DIR}" +echo "Dry run: ${DRY_RUN}" +echo "Repo root: ${REPO_ROOT}" +echo "" + +# Verify codeql is available +if ! command -v codeql &> /dev/null; then + echo "Error: 'codeql' CLI not found on PATH." >&2 + echo "Install CodeQL CLI and ensure it is on your PATH before running this script." >&2 + exit 1 +fi + +echo "CodeQL CLI: $(command -v codeql)" +echo "CodeQL version: $(codeql version --format=terse)" +echo "" + +## ── Bundle packs ───────────────────────────────────────────────────────────── + +cd "${REPO_ROOT}" + +if [[ "${DRY_RUN}" == false ]]; then + mkdir -p "${OUTPUT_DIR}" +fi + +BUNDLED=0 +SKIPPED=0 +FAILED=0 + +echo "Bundling ${#PUBLISHABLE_PACKS[@]} CodeQL packs..." +echo "" + +for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do + if [[ ! -d "${pack_dir}" ]]; then + echo "⚠️ Skipping: ${pack_dir} (directory not found)" + SKIPPED=$((SKIPPED + 1)) + continue + fi + + if [[ ! 
-f "${pack_dir}/qlpack.yml" ]]; then + echo "⚠️ Skipping: ${pack_dir} (no qlpack.yml found)" + SKIPPED=$((SKIPPED + 1)) + continue + fi + + pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}') + # Convert pack name to filename: advanced-security/foo -> foo + bundle_name="${pack_name#advanced-security/}" + output="${OUTPUT_DIR}/${bundle_name}.tar.gz" + + echo "────────────────────────────────────────────────────────────────" + echo "📦 Pack: ${pack_name}" + echo " Directory: ${pack_dir}" + echo " Output: ${output}" + + if [[ "${DRY_RUN}" == true ]]; then + echo " Action: [DRY RUN] Would bundle with: codeql pack bundle --threads=-1 --output=${output} -- ${pack_dir}" + BUNDLED=$((BUNDLED + 1)) + continue + fi + + if codeql pack bundle --threads=-1 --output="${output}" -- "${pack_dir}"; then + echo " ✅ Bundled ${bundle_name}" + BUNDLED=$((BUNDLED + 1)) + else + EXIT_CODE=$? + echo " ❌ Failed to bundle ${bundle_name} (exit code: ${EXIT_CODE})" >&2 + FAILED=$((FAILED + 1)) + fi + echo "" +done + +## ── Summary ────────────────────────────────────────────────────────────────── + +echo "" +echo "════════════════════════════════════════════════════════════════" +echo "Summary" +echo "════════════════════════════════════════════════════════════════" +echo " Total: ${#PUBLISHABLE_PACKS[@]}" +echo " Bundled: ${BUNDLED}" +echo " Skipped: ${SKIPPED}" +echo " Failed: ${FAILED}" +echo "" + +if [[ "${DRY_RUN}" == false && -d "${OUTPUT_DIR}" ]]; then + echo "Bundled packs:" + ls -lh "${OUTPUT_DIR}/" + echo "" +fi + +if [[ "${FAILED}" -gt 0 ]]; then + echo "❌ ${FAILED} pack(s) failed to bundle." >&2 + exit 1 +fi + +if [[ "${DRY_RUN}" == true ]]; then + echo "✅ Dry run complete. No packs were actually bundled." +else + echo "✅ All CodeQL packs bundled successfully." +fi diff --git a/scripts/publish-packs.sh b/scripts/publish-packs.sh new file mode 100755 index 000000000..f9307cd2d --- /dev/null +++ b/scripts/publish-packs.sh 
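Review bot: `pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')` runs under `set -euo pipefail`, so a qlpack.yml without a `name:` line makes grep fail the pipeline, the assignment's non-zero status aborts the whole script, and neither a diagnostic nor the summary block is printed. Append `|| true` to that pipeline and follow it with `if [[ -z "${pack_name}" ]]; then echo " ❌ ${pack_dir}/qlpack.yml has no name: field" >&2; FAILED=$((FAILED + 1)); continue; fi` so the case is counted like any other failure and the loop keeps going. Separately, `PUBLISHABLE_PACKS` is duplicated verbatim in `scripts/publish-packs.sh` with only the comment "These must match" guarding against drift; sourcing one shared list (e.g. a small `scripts/packs.sh` both scripts `source`) would make the two paths unable to disagree.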
@@ -0,0 +1,275 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+## publish-packs.sh
+## Publish CodeQL packs to the GitHub Container Registry (GHCR).
+##
+## This script publishes all publishable CodeQL packs in the codeql-sap-js
+## repository to GHCR using `codeql pack publish`. Pre-release versions
+## (those containing a hyphen, e.g., 2.24.2-rc1) are automatically detected
+## and published with the --allow-prerelease flag.
+##
+## Requirements:
+## - GITHUB_TOKEN environment variable must be set to a non-empty value
+## with packages:write permission for the target GHCR registry.
+## - The `codeql` CLI must be available on PATH.
+##
+## Usage:
+## GITHUB_TOKEN= ./scripts/publish-packs.sh
+## GITHUB_TOKEN= ./scripts/publish-packs.sh 2.24.2
+## GITHUB_TOKEN= ./scripts/publish-packs.sh 2.24.2-rc1
+## GITHUB_TOKEN= ./scripts/publish-packs.sh --dry-run 2.24.2
+##
+## Options:
+## --dry-run Show what would be published without actually publishing.
+## -h, --help Show this help message.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+DRY_RUN=false
+
+## All publishable pack directories relative to repo root.
+## These are the packs that have qlpack.yml files and are intended
+## for publishing to GHCR.
+PUBLISHABLE_PACKS=(
+ "javascript/frameworks/cap/src"
+ "javascript/frameworks/cap/ext"
+ "javascript/frameworks/cap/lib"
+ "javascript/frameworks/ui5/src"
+ "javascript/frameworks/ui5/ext"
+ "javascript/frameworks/ui5/lib"
+ "javascript/frameworks/xsjs/src"
+ "javascript/frameworks/xsjs/ext"
+ "javascript/frameworks/xsjs/lib"
+ "javascript/heuristic-models/ext"
+)
+
+usage() {
+ cat <
+
+Publish CodeQL packs to the GitHub Container Registry (GHCR).
+
+ARGUMENTS:
+ Release version (e.g., 2.24.2 or 2.24.2-rc1).
+ Do NOT include a "v" prefix.
+
+OPTIONS:
+ --dry-run Show what would be published without actually publishing.
+ -h, --help Show this help message.
+
+ENVIRONMENT:
+ GITHUB_TOKEN Required. 
Token with packages:write permission for GHCR.
+
+EXAMPLES:
+ GITHUB_TOKEN=\$TOKEN ./scripts/publish-packs.sh 2.24.2
+ GITHUB_TOKEN=\$TOKEN ./scripts/publish-packs.sh 2.24.2-rc1
+ GITHUB_TOKEN=\$TOKEN ./scripts/publish-packs.sh --dry-run 2.24.2
+EOF
+}
+
+RELEASE_NAME=""
+
+while [[ $# -gt 0 ]]; do
+ case $1 in
+ --dry-run)
+ DRY_RUN=true
+ shift
+ ;;
+ -h|--help)
+ usage
+ exit 0
+ ;;
+ -*)
+ echo "Error: Unknown option $1" >&2
+ usage >&2
+ exit 1
+ ;;
+ *)
+ if [[ -n "${RELEASE_NAME}" ]]; then
+ echo "Error: Unexpected argument '$1'. Release name already set to '${RELEASE_NAME}'." >&2
+ usage >&2
+ exit 1
+ fi
+ RELEASE_NAME="$1"
+ shift
+ ;;
+ esac
+done
+
+## ── Validate inputs ──────────────────────────────────────────────────────────
+
+if [[ -z "${RELEASE_NAME}" ]]; then
+ echo "Error: Release name is required." >&2
+ usage >&2
+ exit 1
+fi
+
+if [[ "${RELEASE_NAME}" =~ ^v ]]; then
+ echo "Error: Release name '${RELEASE_NAME}' should not include a 'v' prefix." >&2
+ echo "Hint: Use '${RELEASE_NAME#v}' instead." >&2
+ exit 1
+fi
+
+if [[ -z "${GITHUB_TOKEN:-}" ]]; then
+ echo "Error: GITHUB_TOKEN environment variable is required but not set or empty." >&2
+ echo "Set it to a token with packages:write permission for GHCR." >&2
+ exit 1
+fi
+
+## ── Diagnostics ──────────────────────────────────────────────────────────────
+
+echo "╔══════════════════════════════════════════════════════════════╗"
+echo "║ CodeQL Pack Publisher ║"
+echo "╚══════════════════════════════════════════════════════════════╝"
+echo ""
+echo "Release name: ${RELEASE_NAME}"
+echo "Dry run: ${DRY_RUN}"
+echo "Repo root: ${REPO_ROOT}"
+echo ""
+
+# Verify codeql is available
+if ! command -v codeql &> /dev/null; then
+ echo "Error: 'codeql' CLI not found on PATH." >&2
+ echo "Install CodeQL CLI and ensure it is on your PATH before running this script." 
>&2
+ exit 1
+fi
+
+echo "CodeQL CLI: $(command -v codeql)"
+echo "CodeQL version: $(codeql version --format=terse)"
+echo ""
+
+# Diagnostic: show GITHUB_TOKEN metadata (without revealing the token value)
+TOKEN_LENGTH=${#GITHUB_TOKEN}
+TOKEN_PREFIX="${GITHUB_TOKEN:0:4}"
+echo "GITHUB_TOKEN: set (length=${TOKEN_LENGTH}, prefix=${TOKEN_PREFIX}...)"
+
+# Diagnostic: verify token validity and scopes via the GitHub API.
+# Note: GHCR's /v2/ endpoint uses OCI token exchange, so a raw Bearer check
+# against it always returns 401/403. The GitHub API /user endpoint is the
+# reliable way to validate a token and inspect its scopes.
+echo ""
+echo "Verifying GitHub token via API..."
+API_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
+ -H "Authorization: token ${GITHUB_TOKEN}" \
+ "https://api.github.com/user" 2>/dev/null || echo "000")
+
+if [[ "${API_STATUS}" == "200" ]]; then
+ # Single verbose request for login (body) and scopes (headers).
+ API_HEADER_FILE=$(mktemp)
+ trap 'rm -f "${API_HEADER_FILE}"' EXIT
+ API_LOGIN=$(curl -s -D "${API_HEADER_FILE}" \
+ -H "Authorization: token ${GITHUB_TOKEN}" \
+ "https://api.github.com/user" 2>/dev/null \
+ | grep -o '"login" *: *"[^"]*"' | cut -d'"' -f4 || true)
+ echo "✅ Token is valid (HTTP ${API_STATUS}, user: ${API_LOGIN:-unknown})"
+
+ # Check scopes for classic PATs (ghp_ prefix). Fine-grained tokens and
+ # GITHUB_TOKEN from Actions do not return X-OAuth-Scopes.
+ SCOPES_HEADER=$(grep -i "^x-oauth-scopes:" "${API_HEADER_FILE}" \
+ | sed 's/^[^:]*: //' | tr -d '\r' || true)
+
+ if [[ -n "${SCOPES_HEADER}" ]]; then
+ echo " Scopes: ${SCOPES_HEADER}"
+ if echo "${SCOPES_HEADER}" | grep -qi "write:packages"; then
+ echo " ✅ write:packages scope present"
+ else
+ echo " ❌ write:packages scope NOT found in token scopes" >&2
+ echo " The token needs the 'write:packages' scope to publish to GHCR." 
>&2
+ exit 1
+ fi
+ else
+ echo " Scopes: (not reported — fine-grained token or Actions GITHUB_TOKEN)"
+ fi
+elif [[ "${API_STATUS}" == "401" ]]; then
+ echo "❌ Token authentication failed (HTTP ${API_STATUS})" >&2
+ echo "The GITHUB_TOKEN is invalid or expired." >&2
+ exit 1
+else
+ echo "⚠️ GitHub API returned HTTP ${API_STATUS}"
+ echo "This may indicate a network issue. Proceeding anyway — codeql pack publish"
+ echo "will report the definitive error."
+fi
+echo ""
+
+## ── Pre-release detection ────────────────────────────────────────────────────
+
+PRERELEASE_FLAG=""
+if [[ "${RELEASE_NAME}" == *-* ]]; then
+ PRERELEASE_FLAG="--allow-prerelease"
+ echo "Detected pre-release version — will use: ${PRERELEASE_FLAG}"
+ echo ""
+fi
+
+## ── Publish packs ────────────────────────────────────────────────────────────
+
+cd "${REPO_ROOT}"
+
+PUBLISHED=0
+SKIPPED=0
+FAILED=0
+
+echo "Publishing ${#PUBLISHABLE_PACKS[@]} CodeQL packs..."
+echo ""
+
+for pack_dir in "${PUBLISHABLE_PACKS[@]}"; do
+ if [[ ! -d "${pack_dir}" ]]; then
+ echo "⚠️ Skipping: ${pack_dir} (directory not found)"
+ SKIPPED=$((SKIPPED + 1))
+ continue
+ fi
+
+ if [[ ! 
-f "${pack_dir}/qlpack.yml" ]]; then
+ echo "⚠️ Skipping: ${pack_dir} (no qlpack.yml found)"
+ SKIPPED=$((SKIPPED + 1))
+ continue
+ fi
+
+ pack_name=$(grep -m1 "^name:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
+ pack_version=$(grep -m1 "^version:" "${pack_dir}/qlpack.yml" | awk '{print $2}')
+
+ echo "────────────────────────────────────────────────────────────────"
+ echo "📦 Pack: ${pack_name}"
+ echo " Version: ${pack_version}"
+ echo " Directory: ${pack_dir}"
+
+ if [[ "${DRY_RUN}" == true ]]; then
+ echo " Action: [DRY RUN] Would publish with: codeql pack publish --threads=-1 ${PRERELEASE_FLAG} -- ${pack_dir}"
+ PUBLISHED=$((PUBLISHED + 1))
+ continue
+ fi
+
+ if codeql pack publish --threads=-1 ${PRERELEASE_FLAG} -- "${pack_dir}"; then
+ echo " ✅ Published ${pack_name}@${pack_version}"
+ PUBLISHED=$((PUBLISHED + 1))
+ else
+ EXIT_CODE=$?
+ echo " ❌ Failed to publish ${pack_name} (exit code: ${EXIT_CODE})" >&2
+ FAILED=$((FAILED + 1))
+ fi
+ echo ""
+done
+
+## ── Summary ──────────────────────────────────────────────────────────────────
+
+echo ""
+echo "════════════════════════════════════════════════════════════════"
+echo "Summary"
+echo "════════════════════════════════════════════════════════════════"
+echo " Total: ${#PUBLISHABLE_PACKS[@]}"
+echo " Published: ${PUBLISHED}"
+echo " Skipped: ${SKIPPED}"
+echo " Failed: ${FAILED}"
+echo ""
+
+if [[ "${FAILED}" -gt 0 ]]; then
+ echo "❌ ${FAILED} pack(s) failed to publish." >&2
+ exit 1
+fi
+
+if [[ "${DRY_RUN}" == true ]]; then
+ echo "✅ Dry run complete. No packs were actually published."
+else
+ echo "✅ All CodeQL packs published successfully."
+fi
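Review bot: The token-verification block hands GITHUB_TOKEN to curl on the command line (`-H "Authorization: token ${GITHUB_TOKEN}"`, in both the `API_STATUS` and the `API_LOGIN` requests), so the secret sits in the process argument list (`ps`, `/proc/*/cmdline`) for the duration of each call — negligible on an ephemeral hosted runner, but a genuine exposure on a shared self-hosted runner or a developer machine, which the header comment explicitly supports. Feeding the header through curl's config on stdin (`--config -`) keeps it out of argv, and the endpoint can come from the Actions-provided `${GITHUB_API_URL:-https://api.github.com}` so the credential is only ever sent to the host that issued it. Separately, `echo "GITHUB_TOKEN: set (length=${TOKEN_LENGTH}, prefix=${TOKEN_PREFIX}...)"` writes four characters of the secret to the job log, and Actions masking only covers the full value; since the prefix is just a type marker, logging a mapped name (`ghp_`→classic PAT, `ghs_`→Actions token, `github_pat_`→fine-grained) conveys the same diagnostic without echoing any slice of the token. The second curl that captures `${API_HEADER_FILE}` takes the same `--config -` shape as the excerpt below.

```shell
# Keep the token out of argv: curl reads the header from its config on stdin.
GITHUB_API="${GITHUB_API_URL:-https://api.github.com}"
API_STATUS=$(printf 'header = "Authorization: token %s"\n' "${GITHUB_TOKEN}" \
  | curl -s -o /dev/null -w "%{http_code}" --config - \
      "${GITHUB_API}/user" 2>/dev/null || echo "000")
# … unchanged: 200/401/other branches; the -D "${API_HEADER_FILE}" request uses the same printf | curl --config - form …
```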