Merge pull request #41 from github/js_extractor

Move from yaml to js extractor

Author: Alvaro Muñoz

.github/action/dist/index.js

@@ -28604,7 +28604,7 @@ const toolcache = __importStar(__nccwpck_require__(7784));
 const toolrunner = __importStar(__nccwpck_require__(8159));
 async function newCodeQL() {
     return {
-        language: "yaml",
+        language: "javascript",
         path: await findCodeQL(),
         pack: "githubsecuritylab/actions-queries",
         suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`,
@@ -28771,16 +28771,16 @@ async function run() {
         var codeql = await cql.newCodeQL();
         core.debug(`CodeQL CLI found at '${codeql.path}'`);
         await cql.runCommand(codeql, ["version", "--format", "terse"]);
-        // check yaml support
+        // check javascript support
         var languages = await cql.runCommandJson(codeql, [
             "resolve",
             "languages",
             "--format",
             "json",
         ]);
-        if (!languages.hasOwnProperty("yaml")) {
-            core.setFailed("CodeQL Yaml extractor not installed");
-            throw new Error("CodeQL Yaml extractor not installed");
+        if (!languages.hasOwnProperty("javascript")) {
+            core.setFailed("CodeQL javascript extractor not installed");
+            throw new Error("CodeQL javascript extractor not installed");
         }
         // download pack
         core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`);

.github/action/src/codeql.ts

@@ -24,7 +24,7 @@ export interface CodeQLConfig {
 
 export async function newCodeQL(): Promise<CodeQLConfig> {
   return {
-    language: "yaml",
+    language: "javascript",
     path: await findCodeQL(),
     pack: "githubsecuritylab/actions-queries",
     suite: `codeql-suites/${core.getInput("suite") || "actions-code-scanning"}.qls`,

.github/action/src/index.ts

@@ -15,17 +15,17 @@ export async function run(): Promise<void> {
 
     await cql.runCommand(codeql, ["version", "--format", "terse"]);
 
-    // check yaml support
+    // check javascript support
     var languages = await cql.runCommandJson(codeql, [
       "resolve",
       "languages",
       "--format",
       "json",
     ]);
 
-    if (!languages.hasOwnProperty("yaml")) {
-      core.setFailed("CodeQL Yaml extractor not installed");
-      throw new Error("CodeQL Yaml extractor not installed");
+    if (!languages.hasOwnProperty("javascript")) {
+      core.setFailed("CodeQL javascript extractor not installed");
+      throw new Error("CodeQL javascript extractor not installed");
     }
 
     // download pack

ql/lib/codeql-pack.lock.yml

@@ -5,12 +5,22 @@ dependencies:
     version: 1.0.0
   codeql/dataflow:
     version: 1.0.0
+  codeql/javascript-all:
+    version: 1.0.0
+  codeql/mad:
+    version: 1.0.0
+  codeql/regex:
+    version: 1.0.0
   codeql/ssa:
     version: 1.0.0
+  codeql/tutorial:
+    version: 1.0.0
   codeql/typetracking:
     version: 1.0.0
   codeql/util:
     version: 1.0.0
+  codeql/xml:
+    version: 1.0.0
   codeql/yaml:
     version: 1.0.0
 compiled: false

ql/lib/codeql/actions/dataflow/ExternalFlow.qll

@@ -55,8 +55,8 @@ predicate externallyTriggerableEventsDataModel(string event) {
  *    - output arg: To node (prefixed with either `env.` or `output.`)
  *    - provenance: verification of the model
  */
-predicate sourceModel(string action, string version, string output, string kind, string provenance) {
-  Extensions::sourceModel(action, version, output, kind, provenance)
+predicate actionsSourceModel(string action, string version, string output, string kind, string provenance) {
+  Extensions::actionsSourceModel(action, version, output, kind, provenance)
 }
 
 /**
@@ -69,10 +69,10 @@ predicate sourceModel(string action, string version, string output, string kind,
  *    - kind: Either 'Taint' or 'Value'
  *    - provenance: verification of the model
  */
-predicate summaryModel(
+predicate actionsSummaryModel(
   string action, string version, string input, string output, string kind, string provenance
 ) {
-  Extensions::summaryModel(action, version, input, output, kind, provenance)
+  Extensions::actionsSummaryModel(action, version, input, output, kind, provenance)
 }
 
 /**
@@ -84,13 +84,13 @@ predicate summaryModel(
  *    - kind: sink kind
  *    - provenance: verification of the model
  */
-predicate sinkModel(string action, string version, string input, string kind, string provenance) {
-  Extensions::sinkModel(action, version, input, kind, provenance)
+predicate actionsSinkModel(string action, string version, string input, string kind, string provenance) {
+  Extensions::actionsSinkModel(action, version, input, kind, provenance)
 }
 
 predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) {
   exists(Uses uses, string action, string version, string kind |
-    sourceModel(action, version, fieldName, kind, _) and
+    actionsSourceModel(action, version, fieldName, kind, _) and
     uses.getCallee() = action.toLowerCase() and
     (
       if version.trim() = "*"
@@ -113,7 +113,7 @@ predicate externallyDefinedStoreStep(
   DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c
 ) {
   exists(Uses uses, string action, string version, string input, string output |
-    summaryModel(action, version, input, output, "taint", _) and
+    actionsSummaryModel(action, version, input, output, "taint", _) and
     c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output.", "")) and
     uses.getCallee() = action.toLowerCase() and
     (
@@ -135,7 +135,7 @@ predicate externallyDefinedStoreStep(
 
 predicate externallyDefinedSink(DataFlow::Node sink, string kind) {
   exists(Uses uses, string action, string version, string input |
-    sinkModel(action, version, input, kind, _) and
+    actionsSinkModel(action, version, input, kind, _) and
     uses.getCallee() = action.toLowerCase() and
     (
       if input.trim().matches("env.%")

ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll

@@ -5,21 +5,21 @@
 /**
  * Holds if a source model exists for the given parameters.
  */
-extensible predicate sourceModel(
+extensible predicate actionsSourceModel(
   string action, string version, string output, string kind, string provenance
 );
 
 /**
  * Holds if a summary model exists for the given parameters.
  */
-extensible predicate summaryModel(
+extensible predicate actionsSummaryModel(
   string action, string version, string input, string output, string kind, string provenance
 );
 
 /**
  * Holds if a sink model exists for the given parameters.
  */
-extensible predicate sinkModel(
+extensible predicate actionsSinkModel(
   string action, string version, string input, string kind, string provenance
 );
 

ql/lib/ext/8398a7_action-slack.model.yml

@@ -1,6 +1,6 @@
 extensions:
   - addsTo:
       pack: githubsecuritylab/actions-all
-      extensible: sinkModel
+      extensible: actionsSinkModel
     data:
       - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection", "manual"]

ql/lib/ext/SonarSource_sonarcloud-github-action.model.yml

@@ -1,7 +1,7 @@
 extensions:
   - addsTo:
       pack: githubsecuritylab/actions-all
-      extensible: sinkModel
+      extensible: actionsSinkModel
     data:
       - ["SonarSource/sonarcloud-github-action", "*", "input.args", "secret-exfiltration", "manual"]
 

ql/lib/ext/actions_github-script.model.yml

@@ -1,6 +1,6 @@
 extensions:
   - addsTo:
       pack: githubsecuritylab/actions-all
-      extensible: sinkModel
+      extensible: actionsSinkModel
     data:
       - ["actions/github-script", "*", "input.script", "code-injection", "manual"]

ql/lib/ext/ahmadnassri_action-changed-files.model.yml

@@ -1,7 +1,7 @@
 extensions:
   - addsTo:
       pack: githubsecuritylab/actions-all
-      extensible: sourceModel
+      extensible: actionsSourceModel
     data:
       - ["ahmadnassri/action-changed-files", "*", "output.files", "filename", "manual"]
       - ["ahmadnassri/action-changed-files", "*", "output.json", "json", "manual"]