initial commit

Author: Alvaro Muñoz

.github/workflows/release.yml

@@ -0,0 +1,14 @@
+name: release
+on:
+  push:
+    tags:
+      - "v*"
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: cli/gh-extension-precompile@v1

.gitignore

@@ -0,0 +1,3 @@
+/gh-qldb
+/gh-qldb.exe
+gh-qldb

cmd/create.go

@@ -0,0 +1,48 @@
+package cmd
+
+import (
+  "log"
+	"fmt"
+  "path/filepath"
+  "os/exec"
+  "os"
+
+  "github.com/spf13/cobra"
+)
+
+var createCmd = &cobra.Command{
+    Use:   "create",
+    Short: "Extracts a CodeQL database from a source path",
+    Long:  `Extracts a CodeQL database from a source path. Pass the CodeQL arguments after a '--' separator.
+
+eg: gh-qldb create --nwo foo/bar -- -s /path/to/src -l javascript`,
+    Run: func(cmd *cobra.Command, args []string) {
+      // --nwo foo/bar -- -s /path/to/src -l javascript
+      create(nwoFlag, args)
+    },
+  }
+
+func init() {
+  rootCmd.AddCommand(createCmd)
+  createCmd.Flags().StringVarP(&nwoFlag, "nwo", "n", "", "The NWO of the repository to create the database for. If omitted, it will be inferred from git remotes.")
+}
+
+func create(nwo string, codeqlArgs []string) {
+	fmt.Printf("Creating DB for '%s'. CodeQL args: '%v'", nwo, codeqlArgs)
+  destPath := filepath.Join(os.TempDir(), "codeql-db")
+  if err := os.MkdirAll(destPath, 0755); err != nil {
+			log.Fatal(err)
+  }
+  args := []string{"database", "create"}
+  args = append(args, codeqlArgs...)
+  args = append(args, "--") 
+  args = append(args, destPath) 
+	cmd := exec.Command("codeql", args...)
+	cmd.Env = os.Environ()
+	_, err := cmd.CombinedOutput()
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+  install(nwo, destPath, true)
+}

cmd/download.go

@@ -0,0 +1,119 @@
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+
+	"github.com/cli/go-gh"
+	"github.com/cli/go-gh/pkg/api"
+  "github.com/spf13/cobra"
+  "github.com/GitHubSecurityLab/gh-qldb/utils"
+)
+
+var downloadCmd = &cobra.Command{
+    Use:   "download",
+    Short: "Downloads a CodeQL database from GitHub Code Scanning",
+    Long:  `Downloads a CodeQL database from GitHub Code Scanning`,
+    Run: func(cmd *cobra.Command, args []string) {
+      download()
+    },
+  }
+
+func init() {
+  rootCmd.AddCommand(downloadCmd)
+  downloadCmd.Flags().StringVarP(&nwoFlag, "nwo", "n", "", "The NWO of the repository to download the database for.")
+  downloadCmd.Flags().StringVarP(&languageFlag, "language", "l", "", "The primary language you want the database for.")
+  downloadCmd.MarkFlagRequired("nwo")
+  downloadCmd.MarkFlagRequired("language")
+
+}
+
+func download() {
+	// fetch the DB info from GitHub API
+	fmt.Printf("Fetching DB info for '%s'\n", nwoFlag)
+	restClient, err := gh.RESTClient(nil)
+	response := make([]interface{}, 0)
+	err = restClient.Get(fmt.Sprintf("repos/%s/code-scanning/codeql/databases", nwoFlag), &response)
+	if err != nil {
+		log.Fatal(err)
+	}
+	fmt.Print("Found DBs for the following languages: ")
+	for i, v := range response {
+		dbMap := v.(map[string]interface{})
+		language := dbMap["language"].(string)
+		fmt.Print(language)
+		if i < len(response)-1 {
+			fmt.Print(", ")
+		}
+	}
+	fmt.Print("\n")
+
+	// download the DBs
+	for _, v := range response {
+		dbMap := v.(map[string]interface{})
+		language := dbMap["language"].(string)
+		if languageFlag != "all" && language != languageFlag {
+			continue
+		}
+
+		// download DB
+		fmt.Printf("Downloading '%s' DB for '%s'\n", language, nwoFlag)
+		opts := api.ClientOptions{
+			Headers: map[string]string{"Accept": "application/zip"},
+		}
+		httpClient, err := gh.HTTPClient(&opts)
+		if err != nil {
+			log.Fatal(err)
+		}
+		url := fmt.Sprintf("https://api.github.com/repos/%s/code-scanning/codeql/databases/%s", nwoFlag, language)
+		resp, err := httpClient.Get(url)
+		if err != nil {
+			fmt.Printf("Failure downloading the DB from `%s`: %v", url, err)
+			continue
+		}
+		defer resp.Body.Close()
+
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		// get the commit this DB was created from
+		commitSha, primaryLanguage, err := utils.ExtractDBInfo(body)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		filename := fmt.Sprintf("%s.zip", commitSha)
+		dir := filepath.Join(utils.GetPath(nwoFlag), primaryLanguage)
+		path := filepath.Join(dir, filename)
+
+		// create directory if not exists
+		if _, err := os.Stat(dir); errors.Is(err, os.ErrNotExist) {
+			err := os.MkdirAll(dir, 0755)
+			if err != nil {
+				log.Fatal(err)
+			}
+		}
+
+		// create file if not exists
+		if _, err := os.Stat(path); errors.Is(err, os.ErrNotExist) {
+			// write the DB to disk
+			err = ioutil.WriteFile(path, body, 0755)
+			if err != nil {
+				log.Fatal(err)
+			}
+			fmt.Printf("Writing DB to %s\n", path)
+
+		} else {
+			fmt.Printf("Aborting, DB %s already exists\n", path)
+		}
+
+	}
+	fmt.Println("Done")
+}
+

cmd/install.go

@@ -0,0 +1,133 @@
+package cmd
+
+import (
+  "io"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+  "github.com/spf13/cobra"
+  "github.com/GitHubSecurityLab/gh-qldb/utils"
+)
+
+var installCmd = &cobra.Command{
+    Use:   "install",
+    Short: "Install a local CodeQL database in the QLDB directory",
+    Long:  `Install a local CodeQL database in the QLDB directory`,
+    Run: func(cmd *cobra.Command, args []string) {
+      install(nwoFlag, dbPathFlag, removeFlag)
+    },
+  }
+
+func init() {
+  rootCmd.AddCommand(installCmd)
+  installCmd.Flags().StringVarP(&nwoFlag, "nwo", "n", "", "The NWO to associate the database to.")
+  installCmd.Flags().StringVarP(&dbPathFlag, "database", "d", "", "The path to the database to install.")
+  installCmd.Flags().BoolVarP(&removeFlag, "remove", "r", false, "Remove the database after installing it.")
+  installCmd.MarkFlagRequired("nwo")
+  installCmd.MarkFlagRequired("database")
+}
+
+func install(nwo string, dbPath string, remove bool) {
+	fmt.Printf("Installing '%s' DB for '%s'\n", dbPath, nwo)
+
+	// Check if the path exists
+	fileinfo, err := os.Stat(dbPath)
+	var zipPath string
+	if os.IsNotExist(err) {
+		log.Fatal(errors.New("DB path does not exist"))
+	}
+	if fileinfo.IsDir() {
+		err := utils.ValidateDB(dbPath)
+		if err != nil {
+			fmt.Println("DB is not valid")
+		}
+		// Compress DB
+		zipfilename := filepath.Join(os.TempDir(), "qldb.zip")
+		fmt.Println("Zipping DB to", zipfilename)
+		if err := utils.ZipDirectory(zipfilename, dbPath); err != nil {
+			log.Fatal(err)
+		}
+		zipPath = zipfilename
+
+	} else {
+		// Check if the file is a zip
+		if !strings.HasSuffix(dbPath, ".zip") {
+			log.Fatal(errors.New("DB path is not a zip file"))
+		}
+
+		zipPath = dbPath
+		// Unzip to temporary directory
+		tmpdir, _ := ioutil.TempDir("", "qldb")
+		_, err := utils.Unzip(dbPath, tmpdir)
+		if err != nil {
+			log.Fatal(err)
+		}
+		files, err := ioutil.ReadDir(tmpdir)
+		if err != nil {
+			log.Fatal(err)
+		}
+		if len(files) == 1 {
+			tmpdir = filepath.Join(tmpdir, files[0].Name())
+		}
+		err = utils.ValidateDB(tmpdir)
+		if err != nil {
+			fmt.Println("DB is not valid")
+		}
+	}
+
+	// read bytes from dbPath
+	zipFile, err := os.Open(zipPath)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer zipFile.Close()
+	zipBytes, err := ioutil.ReadAll(zipFile)
+	if err != nil {
+		log.Fatal(err)
+	}
+	commitSha, primaryLanguage, err := utils.ExtractDBInfo(zipBytes)
+
+	// Destination path
+	dir := filepath.Join(utils.GetPath(nwo), primaryLanguage)
+	filename := fmt.Sprintf("%s.zip", commitSha)
+	path := filepath.Join(dir, filename)
+	fmt.Println("Installing DB to", path)
+
+	// Check if the DB is already installed
+	if _, err := os.Stat(path); errors.Is(err, os.ErrNotExist) {
+		// Copy DB to the right place
+		srcFile, err := os.Open(zipPath)
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer srcFile.Close()
+		err = os.MkdirAll(filepath.Dir(path), 0755)
+		if err != nil {
+			log.Fatal(err)
+		}
+		destFile, err := os.Create(path)
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer destFile.Close()
+		fmt.Println("Copying DB to", path)
+		_, err = io.Copy(srcFile, destFile) // check first var for number of bytes copied
+		if err != nil {
+			log.Fatal(err)
+		}
+		err = destFile.Sync()
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+	// Remove DB from the current location if -r flag is set
+	if remove {
+		fmt.Println("Removing DB from", dbPath)
+		os.Remove(dbPath)
+	}
+}

cmd/path.go

@@ -0,0 +1,62 @@
+package cmd
+
+import (
+  "github.com/GitHubSecurityLab/gh-qldb/utils"
+  "github.com/spf13/cobra"
+  "path/filepath"
+  "log"
+  "fmt"
+  "io/ioutil"
+  "encoding/json"
+)
+var pathCmd = &cobra.Command{
+    Use:   "path",
+    Short: "Returns the path to a database stored in the QLDB structure",
+    Long:  `Returns the path to a database stored in the QLDB structure`,
+    Run: func(cmd *cobra.Command, args []string) {
+      path(nwoFlag, languageFlag)
+    },
+  }
+
+func init() {
+  rootCmd.AddCommand(pathCmd)
+  pathCmd.Flags().StringVarP(&nwoFlag, "nwo", "n", "", "The NWO of the repository to get the database for.")
+  pathCmd.Flags().StringVarP(&languageFlag, "language", "l", "", "The primary language you want the database for.")
+  pathCmd.Flags().BoolVarP(&jsonFlag, "json", "j", false, "Use json as the output format.")
+  pathCmd.MarkFlagRequired("nwo")
+  pathCmd.MarkFlagRequired("language")
+}
+
+func path(nwo string, language string) {
+  dir := filepath.Join(utils.GetPath(nwo), language)
+  files, err := ioutil.ReadDir(dir)
+  if err != nil {
+    log.Fatal(err)
+  }
+  var pathList []map[string]string
+  for _, f := range files {
+    filename := f.Name()
+    sha := filename[:len(filename)-len(filepath.Ext(filename))]
+    commitSha, committedDate, err := utils.GetCommitInfo(nwo, sha)
+    if err != nil {
+      log.Fatal(err)
+    }
+    pathList = append(pathList, map[string]string{
+      "commitSha": commitSha,
+      "committedDate": committedDate,
+      "path": filepath.Join(dir, filename),
+    })
+  }
+    if jsonFlag {
+      jsonStr, err := json.MarshalIndent(pathList, "", "  ")
+      if err != nil {
+        log.Fatal(err)
+      }
+      fmt.Printf("%s", jsonStr)
+    } else {
+      for _, path := range pathList {
+        fmt.Printf("%s (%s)", path["path"], path["committedDate"])
+      }
+    }
+}
+