Merge pull request github#5832 from tamasvajk/feature/csv-coverage-report

Java: github action for CSV coverage report

Author: tamasvajk

.github/workflows/csv-coverage.yml

@@ -0,0 +1,77 @@
+name: Build/check CSV flow coverage report
+
+on:
+  workflow_dispatch:
+    inputs:
+      qlModelShaOverride:
+        description: 'github/codeql repo SHA used for looking up the CSV models'
+        required: false
+  push:
+    branches:
+     - main
+     - 'rc/**'
+  pull_request:
+    paths:
+      - '.github/workflows/csv-coverage.yml'
+      - '*/ql/src/**/*.ql'
+      - '*/ql/src/**/*.qll'
+      - 'misc/scripts/library-coverage/*.py'
+      # input data files
+      - '*/documentation/library-coverage/cwe-sink.csv'
+      - '*/documentation/library-coverage/frameworks.csv'
+      # coverage report files
+      - '*/documentation/library-coverage/flow-model-coverage.csv'
+      - '*/documentation/library-coverage/flow-model-coverage.rst'
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: script
+    - name: Clone self (github/codeql) at a given SHA for analysis
+      if: github.event.inputs.qlModelShaOverride != ''
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+        ref: github.event.inputs.qlModelShaOverride
+    - name: Clone self (github/codeql) for analysis
+      if: github.event.inputs.qlModelShaOverride == ''
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
+      with:
+        repo: "github/codeql-cli-binaries"
+        version: "latest"
+        file: "codeql-linux64.zip"
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Build modeled package list
+      run: |
+        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-flow-model-coverage
+        path: flow-model-coverage-*.csv
+    - name: Upload RST package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: rst-flow-model-coverage
+        path: flow-model-coverage-*.rst
+    - name: Check coverage files
+      if: github.event.pull_request
+      run: |
+        python script/misc/scripts/library-coverage/compare-files.py codeqlModels
+

java/documentation/library-coverage/cwe-sink.csv

@@ -0,0 +1,8 @@
+CWE,Sink identifier,Label
+CWE‑089,sql,SQL injection
+CWE‑022,create-file,Path injection
+CWE‑036,url-open-stream,Path traversal
+CWE‑094,bean-validation,Code injection
+CWE‑319,open-url,Cleartext transmission
+CWE‑079,xss,Cross-site scripting
+CWE‑090,ldap,LDAP injection

java/documentation/library-coverage/flow-model-coverage.csv

@@ -0,0 +1,42 @@
+package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xpath,sink:xss,source:remote,summary:taint,summary:value
+android.util,,16,,,,,,,,,,,16,,
+android.webkit,3,2,,,,,,,,,,3,2,,
+com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,1,
+com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,1,
+com.fasterxml.jackson.databind,,,2,,,,,,,,,,,2,
+com.google.common.base,,,28,,,,,,,,,,,22,6
+com.google.common.io,6,,69,,,,,,,6,,,,68,1
+com.unboundid.ldap.sdk,17,,,,,,17,,,,,,,,
+java.beans,,,1,,,,,,,,,,,1,
+java.io,3,,20,,3,,,,,,,,,20,
+java.lang,,,1,,,,,,,,,,,1,
+java.net,2,3,4,,,,,2,,,,,3,4,
+java.nio,10,,2,,10,,,,,,,,,2,
+java.util,,,13,,,,,,,,,,,13,
+javax.naming.directory,1,,,,,,1,,,,,,,,
+javax.net.ssl,2,,,,,,,,2,,,,,,
+javax.servlet,4,21,2,,,3,,,,,,1,21,2,
+javax.validation,1,1,,1,,,,,,,,,1,,
+javax.ws.rs.core,1,,,,,1,,,,,,,,,
+javax.xml.transform.sax,,,4,,,,,,,,,,,4,
+javax.xml.transform.stream,,,2,,,,,,,,,,,2,
+javax.xml.xpath,3,,,,,,,,,,3,,,,
+org.apache.commons.codec,,,2,,,,,,,,,,,2,
+org.apache.commons.io,,,22,,,,,,,,,,,22,
+org.apache.commons.lang3,,,313,,,,,,,,,,,299,14
+org.apache.commons.text,,,203,,,,,,,,,,,203,
+org.apache.directory.ldap.client.api,1,,,,,,1,,,,,,,,
+org.apache.hc.core5.function,,,1,,,,,,,,,,,1,
+org.apache.hc.core5.http,1,2,39,,,,,,,,,1,2,39,
+org.apache.hc.core5.net,,,2,,,,,,,,,,,2,
+org.apache.hc.core5.util,,,22,,,,,,,,,,,18,4
+org.apache.http,2,3,66,,,,,,,,,2,3,59,7
+org.dom4j,20,,,,,,,,,,20,,,,
+org.springframework.ldap.core,14,,,,,,14,,,,,,,,
+org.springframework.security.web.savedrequest,,6,,,,,,,,,,,6,,
+org.springframework.web.client,,3,,,,,,,,,,,3,,
+org.springframework.web.context.request,,8,,,,,,,,,,,8,,
+org.springframework.web.multipart,,12,,,,,,,,,,,12,,
+org.xml.sax,,,1,,,,,,,,,,,1,
+org.xmlpull.v1,,3,,,,,,,,,,,3,,
+play.mvc,,4,,,,,,,,,,,4,,

java/documentation/library-coverage/flow-model-coverage.rst

@@ -0,0 +1,19 @@
+Java framework & library support
+================================
+
+.. csv-table::
+   :header-rows: 1
+   :class: fullWidthTable
+   :widths: auto
+
+   Framework / library,Package,Remote flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑036` :sub:`Path traversal`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
+   Android,``android.*``,18,,3,,,3,,,,
+   Apache,``org.apache.*``,5,648,4,,,3,,1,,
+   `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
+   Google,``com.google.common.*``,,97,6,,6,,,,,
+   Java Standard Library,``java.*``,3,41,15,13,,,,,,2
+   Java extensions,``javax.*``,22,8,12,,,1,,1,1,
+   `Spring <https://spring.io/>`_,``org.springframework.*``,29,,14,,,,,14,,
+   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
+   Totals,,84,821,91,13,6,7,,33,1,2
+

java/documentation/library-coverage/frameworks.csv

@@ -0,0 +1,8 @@
+Framework name,URL,Package prefix
+Java Standard Library,,java.*
+Google,,com.google.common.*
+Apache,,org.apache.*
+Apache Commons IO,https://commons.apache.org/proper/commons-io/,org.apache.commons.io
+Android,,android.*
+Spring,https://spring.io/,org.springframework.*
+Java extensions,,javax.*

misc/scripts/library-coverage/compare-files.py

@@ -0,0 +1,54 @@
+import sys
+import os
+import settings
+import difflib
+
+"""
+This script compares the generated CSV coverage files with the ones in the codebase.
+"""
+
+
+def check_file_exists(file):
+    if not os.path.exists(file):
+        print("Expected file '" + file + "' doesn't exist.", file=sys.stderr)
+        sys.exit(1)
+
+
+def ignore_line_ending(ch):
+    return difflib.IS_CHARACTER_JUNK(ch, ws=" \r\n")
+
+
+def compare_files(file1, file2):
+    has_differences = False
+    diff = difflib.ndiff(open(file1).readlines(),
+                         open(file2).readlines(), None, ignore_line_ending)
+    for line in diff:
+        if line.startswith("+") or line.startswith("-"):
+            print(line, end="", file=sys.stderr)
+            has_differences = True
+
+    if has_differences:
+        print("Error: The generated file doesn't match the one in the codebase. Please check and fix file '" +
+              file1 + "'.", file=sys.stderr)
+        sys.exit(1)
+
+
+languages = ['java']
+
+for lang in languages:
+    repo_output_rst = settings.repo_output_rst.format(language=lang)
+    repo_output_csv = settings.repo_output_csv.format(language=lang)
+
+    generated_output_rst = settings.generated_output_rst.format(language=lang)
+    generated_output_csv = settings.generated_output_csv.format(language=lang)
+
+    check_file_exists(repo_output_rst)
+    check_file_exists(repo_output_csv)
+    check_file_exists(generated_output_rst)
+    check_file_exists(generated_output_csv)
+
+    compare_files(repo_output_rst, generated_output_rst)
+    compare_files(repo_output_csv, generated_output_csv)
+
+    print("The generated files for '" + lang +
+          "' match the ones in the codebase.")