Added MissingSecuritySeverity query

Author: atorralba

ql/ql/src/queries/style/MissingSecuritySeverity.ql

@@ -0,0 +1,29 @@
+/**
+ * @name Missing security-severity tag
+ * @description Queries tagged as `security` should also have a `@security-severity` tag.
+ * @kind problem
+ * @problem.severity warning
+ * @precision very-high
+ * @id ql/missing-security-severity
+ * @tags correctness
+ */
+
+import ql
+
+predicate missingSecuritySeverity(QLDoc doc) {
+  exists(string s | s = doc.getContents() |
+    exists(string securityTag | securityTag = s.splitAt("@") |
+      securityTag.matches("tags%security%")
+    ) and
+    not exists(string securitySeverity | securitySeverity = s.splitAt("@") |
+      securitySeverity.matches("security-severity %")
+    )
+  )
+}
+
+from TopLevel t
+where
+  t.getLocation().getFile().getBaseName().matches("%.ql") and
+  not t.getLocation().getFile().getRelativePath().matches("%/experimental/%") and
+  missingSecuritySeverity(t.getQLDoc())
+select t, "This query file is missing a `@security-severity` tag."

ql/ql/test/queries/style/MissingSecuritySeverity/MissingSecuritySeverity.expected

@@ -0,0 +1 @@
+| testcases/Bad.ql:1:1:15:9 | TopLevel | This query file is missing a `@security-severity` tag. |

ql/ql/test/queries/style/MissingSecuritySeverity/MissingSecuritySeverity.qlref

@@ -0,0 +1 @@
+queries/style/MissingSecuritySeverity.ql

ql/ql/test/queries/style/MissingSecuritySeverity/testcases/Bad.expected

@@ -0,0 +1,15 @@
+/**
+ * @name Some query
+ * @description Some description
+ * @kind problem
+ * @problem.severity warning
+ * @precision very-high
+ * @id ql/some-query
+ * @tags quality
+ *       security
+ */
+
+import ql
+
+from Class c
+select c

ql/ql/test/queries/style/MissingSecuritySeverity/testcases/Bad.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Some query
+ * @description Some description
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 10.0
+ * @precision very-high
+ * @id ql/some-query
+ * @tags quality
+ *       security
+ */
+
+import ql
+
+from Class c
+select c

ql/ql/test/queries/style/MissingSecuritySeverity/testcases/Good.expected

@@ -0,0 +1,14 @@
+/**
+ * @name Some query
+ * @description Some description
+ * @kind problem
+ * @problem.severity warning
+ * @precision very-high
+ * @id ql/some-query
+ * @tags quality
+ */
+
+import ql
+
+from Class c
+select c

ql/ql/test/queries/style/MissingSecuritySeverity/testcases/Good.ql

@@ -0,0 +1,3 @@
+import ql
+
+FieldDecl getAField(Class c) { result = c.getAField() }