Enhance the CodeQLReader SARIF parser to include the codeql/java-queries

Dave Wichers · Dave Wichers · commit e81bc429f5c7 · 2025-01-16T14:16:39.000-06:00
ruleset version along with the CodeQL toolsuite version so you know both
the version of CodeQL and the ruleset version used when scoring it.
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReader.java
@@ -19,7 +19,12 @@
  */
 package org.owasp.benchmarkutils.score.parsers.sarif;
 
+import org.json.JSONArray;
+import org.json.JSONException;
+import org.json.JSONObject;
 import org.owasp.benchmarkutils.score.CweNumber;
+import org.owasp.benchmarkutils.score.ResultFile;
+import org.owasp.benchmarkutils.score.TestSuiteResults;
 
 public class CodeQLReader extends SarifReader {
 
@@ -37,4 +42,43 @@ public int mapCwe(int cwe) {
         }
         return cwe;
     }
+
+    /**
+     * Override setVersion to include the version number of the 'codeql/java-queries' ruleset with
+     * the version of the tool. Since both the tool version and the ruleset version can seperately
+     * affect the codeQL score.
+     */
+    @Override
+    public void setVersion(ResultFile resultFile, TestSuiteResults testSuiteResults) {
+        JSONObject driver = toolDriver(firstRun(resultFile));
+
+        String version = "unknown";
+        if (driver.has("semanticVersion")) {
+            version = driver.getString("semanticVersion");
+        } else if (driver.has("version")) {
+            version = driver.getString("version");
+        }
+
+        // Search for codeql/java-queries ruleset version and add that to the tool version
+        try {
+            JSONArray extensions =
+                    firstRun(resultFile).getJSONObject("tool").getJSONArray("extensions");
+
+            for (int i = 0; i < extensions.length(); i++) {
+                JSONObject extension = extensions.getJSONObject(i);
+                String name = extension.getString("name");
+                if ("codeql/java-queries".equals(name)) {
+                    // looking for:
+                    // "semanticVersion": "1.1.9+de325133c7a95d84489acdf5a6ced07886ff5c6d",
+                    String rulesetVersion = extension.getString("semanticVersion");
+                    rulesetVersion = rulesetVersion.substring(0, rulesetVersion.indexOf('+'));
+                    version += "_w" + rulesetVersion + "rules";
+                }
+            }
+        } catch (JSONException e) {
+            // Do nothing it if can't be found.
+        }
+
+        testSuiteResults.setToolVersion(version);
+    }
 }
diff --git a/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java b/plugin/src/main/java/org/owasp/benchmarkutils/score/parsers/sarif/SarifReader.java
@@ -63,11 +63,11 @@ private String sarifToolName(ResultFile resultFile) {
         return toolDriver(firstRun(resultFile)).getString("name");
     }
 
-    private static JSONObject firstRun(ResultFile resultFile) {
+    static JSONObject firstRun(ResultFile resultFile) {
         return resultFile.json().getJSONArray("runs").getJSONObject(0);
     }
 
-    private static JSONObject toolDriver(JSONObject run) {
+    static JSONObject toolDriver(JSONObject run) {
         return run.getJSONObject("tool").getJSONObject("driver");
     }
 
diff --git a/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReaderTest.java b/plugin/src/test/java/org/owasp/benchmarkutils/score/parsers/sarif/CodeQLReaderTest.java
@@ -51,7 +51,7 @@ void readerHandlesGivenResultFile() throws Exception {
         assertEquals(TestSuiteResults.ToolType.SAST, result.getToolType());
 
         assertEquals("CodeQL", result.getToolName());
-        assertEquals("2.13.1", result.getToolVersion());
+        assertEquals("2.13.1_w0.6.1rules", result.getToolVersion());
 
         assertEquals(2, result.getTotalResults());
 

Original file line number	Diff line number	Diff line change
`@@ -63,11 +63,11 @@ private String sarifToolName(ResultFile resultFile) {`
`63`	`63`	`return toolDriver(firstRun(resultFile)).getString("name");`
`64`	`64`	`}`
`65`	`65`
`66`		`- private static JSONObject firstRun(ResultFile resultFile) {`
	`66`	`+ static JSONObject firstRun(ResultFile resultFile) {`
`67`	`67`	`return resultFile.json().getJSONArray("runs").getJSONObject(0);`
`68`	`68`	`}`
`69`	`69`
`70`		`- private static JSONObject toolDriver(JSONObject run) {`
	`70`	`+ static JSONObject toolDriver(JSONObject run) {`
`71`	`71`	`return run.getJSONObject("tool").getJSONObject("driver");`
`72`	`72`	`}`
`73`	`73`