Merge branch 'main' into releases

Author: GeekMasher

.devcontainer/bootstrap.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+echo "Installing GH Extensions..."
+gh extensions install GitHubSecurityLab/gh-mrva
+gh extensions install advanced-security/gh-codeql-scan
+
+echo "Installing stubs..."
+chmod +x .devcontainer/scripts/* && cp -r .devcontainer/scripts/* /usr/local/bin/
+
+# Clone an instance of the CodeQL repository
+# https://github.com/github/codeql/tree/codeql-cli/latest
+echo "Cloning CodeQL repository..."
+if [ ! -d "./codeql" ]; then
+  git clone \
+    --branch codeql-cli/latest \
+    https://github.com/github/codeql ./codeql
+fi

.devcontainer/devcontainer.json

@@ -1,15 +1,45 @@
 {
     "name": "CodeQL-Community-Packs",
+    "postAttachCommand": ".devcontainer/bootstrap.sh",
+    "hostRequirements": {
+        "storage": "32gb",
+        "memory": "16gb",
+        "cpus": 4
+    },
     "extensions": [
         "github.vscode-codeql",
-        "github.copilot"
+        "github.copilot",
+        "MS-vsliveshare.vsliveshare",
+        "lostintangent.github-security-alerts",
+        "ms-vscode.test-adapter-converter",
+        "ms-vscode.cpptools",
+        "ms-dotnettools.vscode-dotnet-runtime",
+        "ms-python.vscode-pylance",
+        "redhat.java",
     ],
     "settings": {
+        "codeQL.canary": true,
         "codeQL.runningQueries.autoSave": true,
         "codeQL.runningQueries.numberOfThreads": 4,
         "codeQL.runningQueries.debug": true,
         "editor.formatOnSave": true
     },
     "postCreateCommand": "git submodule init && git submodule update --recursive",
-    "remoteUser": "root"
-}
+    "remoteUser": "root",
+    "customizations": {
+        "codespaces": {
+            "repositories": {
+                "github/gh-codeql": {
+                    "permissions": {
+                        "contents": "read"
+                    }
+                },
+                "github/codeql": {
+                    "permissions": {
+                        "contents": "read"
+                    }
+                }
+            }
+        }
+    }
+}

.devcontainer/scripts/codeql

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+CODEQL_PATH=/home/root/.vscode-remote/data/User/globalStorage/github.vscode-codeql/distribution1/codeql/codeql
+
+if [ ! -f $CODEQL_PATH ]; then
+    echo "CodeQL not found. Please install the CodeQL extension in VSCode and try again."
+    exit 1
+fi
+
+$CODEQL_PATH $@

.devcontainer/scripts/codeql-scan

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+gh codeql-scan $@

.github/scripts/pr-tests.sh

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 jobs:
-  compile:
+  compile-and-test:
     runs-on: ubuntu-latest
 
     strategy:
@@ -55,9 +55,61 @@ jobs:
       - name: Test Queries
         if: steps.changes.outputs.src == 'true'
         env:
-          GITHUB_TOKEN: ${{ github.token }}
+          RUNNER_TEMP: ${{ runner.temp }}
+        shell: python
         run: |
-          ./.github/scripts/pr-tests.sh ${{ github.event.number }} ${{ matrix.language }}
+          import os
+          import sys
+          import subprocess
+          from pathlib import Path
+
+          def print_error(fmt, *args):
+            print(f"::error::{fmt}", *args)
+
+          def print_error_and_fail(fmt, *args):
+            print_error(fmt, args)
+            sys.exit(1)
+
+          runner_temp = os.environ['RUNNER_TEMP']
+
+          test_root = Path('${{ github.workspace }}', '${{ matrix.language }}', 'test')
+          print(f"Executing tests found (recursively) in the directory '{test_root}'")
+          files_to_close = []
+          try:
+            # Runners have 4 cores, so split the tests into 4 "slices", and run one per thread
+            num_slices = 4
+            procs = []
+
+            for slice in range(1, num_slices+1):
+              test_report_path = os.path.join(runner_temp, "${{ matrix.language }}", f"test_report_slice_{slice}_of_{num_slices}.json")
+              os.makedirs(os.path.dirname(test_report_path), exist_ok=True)
+              test_report_file = open(test_report_path, 'w')
+              files_to_close.append(test_report_file)
+              procs.append(subprocess.Popen(["codeql", "test", "run", "--failing-exitcode=122", f"--slice={slice}/{num_slices}", "--ram=2048", "--format=json", test_root], stdout=test_report_file, stderr=subprocess.PIPE))
+
+            for p in procs:
+              _, err = p.communicate()
+              if p.returncode != 0:
+                if p.returncode == 122:
+                  # Failed because a test case failed, so just print the regular output.
+                  # This will allow us to proceed to validate-test-results, which will fail if
+                  # any test cases failed
+                  print(f"{err.decode()}")
+                else:
+                  # Some more serious problem occurred, so print and fail fast
+                  print_error_and_fail(f"Failed to run tests with return code {p.returncode}\n{err.decode()}")
+          finally:
+            for file in files_to_close:
+              file.close()
+
+      - name: Upload test results
+        if: steps.changes.outputs.src == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.language }}-test-results
+          path: |
+            ${{ runner.temp }}/${{ matrix.language }}/test_report_slice_*.json
+          if-no-files-found: error
 
       - name: Compile / Check Suites & Packs
         if: steps.changes.outputs.src == 'true'
@@ -66,6 +118,39 @@ jobs:
         run: |
           ./.github/scripts/pr-suites-packs.sh ${{ github.event.number }} ${{ matrix.language }}
 
+  validate-test-results:
+    name: Validate test results
+    needs: compile-and-test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if compile-and-test job failed to complete, if so fail
+        if: ${{ needs.compile-and-test.result == 'failure' }}
+        uses: actions/github-script@v3
+        with:
+          script: |
+            core.setFailed('Test run job failed')
+
+      - name: Collect test results
+        uses: actions/download-artifact@v4
+
+      - name: Validate test results
+        run: |
+          if [[ ! -n "$(find . -name 'test_report_*' -print -quit)" ]]; then
+            echo "No test results found"
+            exit 0
+          fi
+
+          for json_report in *-test-results/test_report_*
+          do
+            jq --raw-output '"PASS \(map(select(.pass == true)) | length)/\(length)'" $json_report\"" "$json_report"
+          done
+          FAILING_TESTS=$(jq --raw-output '.[] | select(.pass == false)' *-test-results/test_report_*.json)
+          if [[ ! -z "$FAILING_TESTS" ]]; then
+            echo "ERROR: The following tests failed:"
+            echo $FAILING_TESTS | jq .
+            exit 1
+          fi
+  
   extensions:
     runs-on: ubuntu-latest
 
@@ -143,7 +228,7 @@ jobs:
 
   configs:
     runs-on: ubuntu-latest
-    needs: compile
+    needs: compile-and-test
 
     steps:
       - uses: actions/checkout@v3

.github/workflows/build.yml renamed to .github/workflows/ci.yml

@@ -9,6 +9,8 @@
 *.actual
 *.class
 */*.class
+# Cloned repository of codeql
+/codeql
 
 # Test files / folders
 test.ql

.gitignore

@@ -104,6 +104,7 @@ paths-ignore:
     - "vendor/**"
     - "examples/**"
     - "tests/**"
+    - "site-packages/**"
 
     # JavaScript
     - "node_modules"
@@ -114,3 +115,12 @@ paths-ignore:
     - "dist"
     - "CoverageResults"    
     - "**/wwwroot/lib/**"
+    - "**/deps/**"
+    - "**/third_party/**"
+
+    # Ruby
+    - "**/gems/**"
+    - "**/spec/**/*_spec.rb"
+    - "**/test/**/*_test.rb"
+    
+    

configs/synthetics.yml

@@ -2,17 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 0.0.3
+    version: 1.0.10
   codeql/csharp-all:
-    version: 0.7.4
+    version: 3.0.1
   codeql/dataflow:
-    version: 0.0.3
+    version: 1.1.4
   codeql/mad:
-    version: 0.1.4
+    version: 1.0.10
   codeql/ssa:
-    version: 0.1.4
+    version: 1.0.10
+  codeql/threat-models:
+    version: 1.0.10
   codeql/tutorial:
-    version: 0.1.4
+    version: 1.0.10
+  codeql/typetracking:
+    version: 1.0.10
   codeql/util:
-    version: 0.1.4
+    version: 1.0.10
+  codeql/xml:
+    version: 1.0.10
 compiled: false

csharp/lib/codeql-pack.lock.yml

@@ -36,7 +36,7 @@ module Cryptography {
   class CryptoRfc2898DeriveBytes extends HashingAlgorithms {
     CryptoRfc2898DeriveBytes() {
       exists(ObjectCreation object |
-        object.getType().getQualifiedName() = "System.Security.Cryptography.Rfc2898DeriveBytes" and
+        object.getType().hasFullyQualifiedName("System.Security.Cryptography", "Rfc2898DeriveBytes") and
         this.asExpr() = object
       )
     }
@@ -67,7 +67,7 @@ module Cryptography {
       exists(ObjectCreation object |
         object
             .getType()
-            .hasQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
+            .hasFullyQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
         this.asExpr() = object
       )
     }
@@ -90,7 +90,7 @@ module Cryptography {
       exists(ObjectCreation object |
         object
             .getType()
-            .hasQualifiedName("System.Security.Cryptography", "RC2CryptoServiceProvider") and
+            .hasFullyQualifiedName("System.Security.Cryptography", "RC2CryptoServiceProvider") and
         this.asExpr() = object
       )
     }
@@ -113,12 +113,13 @@ module Cryptography {
       exists(ObjectCreation object |
         object
             .getType()
-            .hasQualifiedName("System.Security.Cryptography", ["RSACryptoServiceProvider", "RSACng"]) and
+            .hasFullyQualifiedName("System.Security.Cryptography",
+              ["RSACryptoServiceProvider", "RSACng"]) and
         this.asExpr() = object
       )
       or
       exists(MethodCall call |
-        call.getType().hasQualifiedName("System.Security.Cryptography", ["RSA"]) and
+        call.getType().hasFullyQualifiedName("System.Security.Cryptography", ["RSA"]) and
         call.getTarget().hasName("Create") and
         this.asExpr() = call
       )
@@ -152,7 +153,7 @@ module Cryptography {
       exists(ObjectCreation object |
         object
             .getType()
-            .hasQualifiedName("System.Security.Cryptography",
+            .hasFullyQualifiedName("System.Security.Cryptography",
               ["HMACMD5", "HMACSHA1", "HMACSHA256", "HMACSHA384", "HMACSHA512", "HMACRIPEMD160"]) and
         this.asExpr() = object
       )