You can view, write, and edit all types of CodeQL packs in Visual Studio Code using the CodeQL extension.
11
11
12
-
TODO
12
+
TODO - EDIT THIS CONTENT!
13
+
14
+
About the CodeQL model editor
15
+
-----------------------------
16
+
17
+
The CodeQL model editor is a new feature in CodeQL for VS Code to support GitHub staff creating CodeQL models for libraries and frameworks written in Java and C#.
18
+
19
+
The editor takes a CodeQL database and runs some telemetry queries to identify uses of APIs that can be used to reason about the dataflow through the codebase. There are two modes of operation:
20
+
21
+
- Application mode: the editor identifies the external APIs used by the codebase. An external (or third party) API is any API that is not part of the CodeQL database you are analyzing. This mode is most useful for improving CodeQL results for the specific codebase.
22
+
- Framework mode: the editor identifies the publicly accessible APIs in the codebase. This mode is most useful for improving the CodeQL results for any codebases that use those APIs.
23
+
24
+
Setting up the CodeQL model editor
25
+
----------------------------------
26
+
27
+
To set up the CodeQL model editor, you need to be using CodeQL for VS Code 1.8.7 or later with the following settings:
28
+
29
+
.. code-block:: json
30
+
31
+
"codeQL.canary": true, CHECK THIS
32
+
"codeQL.model.editor": true,
33
+
34
+
Open the user settings editor (JSON) using the command palette (Ctrl/Cmd+Shift+P) and using the command “Preferences: Open User Settings (JSON)”, add these two settings to the file.
35
+
36
+
If you want to test the CodeQL model packs you generate in VS Code then this setting is also required:
37
+
``"codeQL.runningQueries.useExtensionPacks": true`` CHECK THIS
38
+
39
+
WHAT DOES ``"codeQL.model.llmGeneration": true,`` do?
40
+
41
+
Using the CodeQL model editor
42
+
-----------------------------
43
+
44
+
The easiest way to explain this is by using an example, so we'll run through an example. This is the same example as used in the demo.
45
+
46
+
#. Open your CodeQL workspace in VS Code, e.g., the vscode-codeql-starter workspace
47
+
#. Open the CodeQL extension and add the CodeQL database for dsp-testing/sql2o-example from GitHub
48
+
#. Use the command palette to run the “CodeQL: Open Model Editor (Beta)” command
49
+
#. The CodeQL model editor will open and run some telemetry queries to identify APIs in the code
50
+
#. When the queries are complete, the APIs that have been identified are shown in the editor:
51
+
- By default the editor runs in application mode, so displays the external APIs used by the codebase.
52
+
- If you switch to framework mode, the editor will display the publicly accessible APIs in the codebase.
53
+
#. You can now start modeling the external API calls manually by selecting a model type and entering the correct values in each field, as defined in the Java models-as-data documentation
54
+
#. You can generate the CodeQL automatically:
55
+
- If you are working in application mode click on “Model from source” and enter the name of the repo that contains the source code for the package you want to model. For example, in this case you can enter dsp-testing/sql2o-import to download the relevant CodeQL database and model any APIs from that repo
56
+
- If you are working in framework mode click on “Generate” to generate any models directly from the source code of the framework you are modeling.
57
+
#. Once any modeling is complete, click “Save” or “Save all”. You can now see that the calls are shown as supported. The generated models files are saved in your workspace at .github/codeql/extensions/<pack-name>, where the pack name is the same as the repo.
58
+
- If you are in application mode, the editor will create a separate model file for each package that you model.
59
+
- If you are in framework mode, the edit will generate a single model file for the entire framework.
60
+
#. If you have set up VS Code to use data extensions (using the “codeQL.runningQueries.useExtensionPacks” setting), then you can also run a query and see that the unsafe calls are now detected.
61
+
62
+
Known limitations
63
+
-----------------
64
+
65
+
Only Java is supported
66
+
It's not possible to place the extension pack in a different directory than the root of a workspace folder
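Review bot: draft placeholders are still in the added text and need resolving before this merges: the "TODO - EDIT THIS CONTENT!" line at the top of the hunk, the two "CHECK THIS" markers next to `"codeQL.canary": true,` and `"codeQL.runningQueries.useExtensionPacks": true`, and the open question `WHAT DOES "codeQL.model.llmGeneration": true, do?`; either confirm those settings and document `codeQL.model.llmGeneration`, or drop it. Two consistency problems in the same hunk: the intro says the editor supports libraries "written in Java and C#" while "Known limitations" says "Only Java is supported", and the `.. code-block:: json` fragment is two bare key/value lines with a trailing comma, which is not a JSON document, so wrap it in braces or present it as a settings excerpt. Smaller points: the "Known limitations" entries have no bullet markers, "the edit will generate" should read "the editor will generate", "to support GitHub staff creating CodeQL models" reads as internal-only wording for a public page, and "telemetry queries" is misleading for queries that run locally to find API uses; "discovery queries" or similar would be clearer.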
docs/codeql/codeql-for-visual-studio-code/working-with-codeql-packs-in-visual-studio-code.rst (+12 -10: 12 additions & 10 deletions)
@@ -17,29 +17,29 @@ There are three types of CodeQL pack, each with a specific purpose.
17
17
18
18
- Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and pre-compiled representations of each query, in addition to the query sources. This ensures consistent and efficient execution of the queries in the pack.
19
19
- Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately.
20
-
- Model packs are used to model dependencies that are not supported by the standard CodeQL libraries. When you add a model pack to your analysis, all extensible queries also explore the sources and sinks of the dependencies defined in the pack.
20
+
- Model packs are used to model dependencies that are not supported by the standard CodeQL libraries. When you add a model pack to your analysis, all extensible queries also analyze the sources and sinks of the dependencies defined in the pack.
To install dependencies for a CodeQL pack in your Visual Studio Code workspace, run the **CodeQL: Install Pack Dependencies** command from the Command Palette and select the packs you want to install dependencies for.
25
25
26
26
You can write and run query packs that depend on the CodeQL standard libraries, without needing to check out the standard libraries in your workspace. Instead, you can install only the dependencies required by the query packs you want to use.
27
27
28
-
Working with CodeQL query packs in Visual Studio Code
One of the main benefits of working with a CodeQL query pack is that all dependecies are resolved, not just those defined within the query and standard libraries.
32
32
33
33
Creating and editing CodeQL query packs
34
-
---------------------------------------
34
+
'''''''''''''''''''''''''''''''''''''''
35
35
To create a new query pack, you will need to use the CodeQL CLI from a terminal, which you can do within Visual Studio Code or outside of it with the ``codeql pack init`` command. Once you create an empty pack, you can edit the ``qlpack.yml`` file or run the ``codeql pack add`` command to add dependencies or change the name or version. For detailed information, see "`Creating and working with CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-and-working-with-codeql-packs>`__."
36
36
37
37
You can create or edit queries in a CodeQL pack in Visual Studio Code as you would with any CodeQL query, using the standard code editing features such as autocomplete suggestions to find elements to use from the pack's dependencies.
38
38
39
39
You can then use the CodeQL CLI to publish your pack to share with others. For detailed information, see "`Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs>`__."
40
40
41
-
Viewing CodeQL query packs and their dependencies in Visual Studio Code
To download a query pack that someone else has created, run the **CodeQL: Download Packs** command from the Command Palette.
44
44
You can download all the core query packs, or enter the full name of a specific pack to download. For example, to download the core queries for analyzing Java and Kotlin, enter ``codeql/java-queries``.
45
45
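Review bot: the context line "One of the main benefits of working with a CodeQL query pack is that all dependecies are resolved" carries a typo (dependecies should be dependencies); worth fixing while this hunk is open. The "explore" to "analyze" change in the model packs bullet is an improvement. On the heading change for "Creating and editing CodeQL query packs": the underline moves from "-" to "'", which demotes it under the new "Working with CodeQL query packs in Visual Studio Code" heading, so make sure the sibling "Viewing CodeQL query packs and their dependencies in Visual Studio Code" heading gets the same underline character and that every underline is at least as long as its title text, otherwise Sphinx will emit heading-level warnings.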
@@ -49,9 +49,11 @@ If you want to understand a query in a CodeQL pack better, you can open the quer
49
49
50
50
To view the full definition of an element of a query, you can right-click and choose **Go to Definition**. If the library pack is present within the same Visual Studio Code workspace, this will take you to the definition within the workspace. Otherwise it will take you to the definition within your package cache, the shared location where downloaded dependencies are stored, which is in your home directory by default.
51
51
52
-
Working with CodeQL model packs in Visual Studio Code
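Review bot: the new "Working with CodeQL model packs in Visual Studio Code" heading arrives with no body text in this hunk (the header shows only 2 net added lines, enough for the title and its underline); add at least the beta caveat that model packs are supported only for Java/Kotlin analysis and a pointer to the model editor page, otherwise the section is an empty heading. Also confirm the underline for this heading uses the same character as the other second-level headings changed in the previous hunk.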
docs/codeql/codeql-overview/codeql-glossary.rst (+13: 13 additions & 0 deletions)
@@ -34,6 +34,19 @@ A database (or CodeQL database) is a directory containing:
34
34
- log files generated during database creation, query
35
35
execution, and other operations.
36
36
37
+
.. _codeql-packs:
38
+
39
+
CodeQL packs
40
+
------------
41
+
42
+
CodeQL packs are used to create, share, depend on, and run CodeQL queries, libraries, and models. You can publish your own CodeQL packs and download packs created by others. CodeQL query packs may contain queries, library files, query suites, and metadata. CodeQL library packs include one or more CodeQL libraries. CodeQL model packs include one or more data extension files that extend the core libraries by modeling additional libraries and frameworks (dependencies of your code base).
43
+
44
+
.. _data-extensions::
45
+
46
+
Data extensions
47
+
---------------
48
+
When you want to model the sources and sinks of a custom dependency, you can create a CodeQL library (``.qll`` file) and write queries that use it, but it's usually much simpler to create a data extension file. If you model the sources and sinks in data extension, you can use this information to expand the standard queries to cover your custom dependencies. You don't need to write any new queries.
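Review bot: the label `.. _data-extensions::` has a double colon; the matching label above is `.. _codeql-packs:` with a single colon, and rst explicit targets take exactly one, so `:ref:` links to `data-extensions` will not resolve as written. Change it to `.. _data-extensions:`. Minor: "in data extension" at the end of the hunk should read "in a data extension", and "code base" here is spelled "codebase" elsewhere in this PR.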
The CodeQL model editor and CodeQL model packs are currently in beta and subject to change. During the beta, model packs are supported only by Java/Kotlin analysis. To use this beta functionality, install the latest version of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases.
CodeQL model packs are currently in beta and subject to change. During the beta, model packs are supported only by Java/Kotlin analysis. To use this beta functionality, install the latest version of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases.
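Review bot: these two beta notices differ only in whether the model editor is mentioned alongside model packs; if both variants are intentional, note where each is included, otherwise keep a single copy so the two do not drift apart as the beta wording changes.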