GitHubSecurityLab · pwntester · Sep 15, 2023 · Sep 14, 2023 · Sep 14, 2023 · Sep 14, 2023
diff --git a/.github/scripts/pr-compile.sh b/.github/scripts/pr-compile.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+set -euo pipefail
+
+PR_NUMBER=${1}
+LANGUAGE=${2}
+# to stop recompiling all queries if multiple files are modified
+LIBRARY_SCANNED=false
+
+echo "[+] Compiling all queries in $LANGUAGE"
+gh codeql query compile --threads=0 --check-only "./$LANGUAGE/"
+
+for file in $(gh pr view "$PR_NUMBER" --json files --jq '.files.[].path'); do
+    if [[ ! -f "$file" ]]; then
+        continue
+    fi
+
+    # if the file is a query file .ql or .qll
+    if [[ "$file" == $LANGUAGE/**.ql ]]; then
+        echo "[+] Compiling $file (in $LANGUAGE)"
+
+        # compile the query
+        gh codeql query compile --threads=0 --check-only --warnings=error "./$file"
+
+    # if lib folder is modified
+    elif [[ "$file" == $LANGUAGE/lib/* ]] && [[ $LIBRARY_SCANNED == false ]]; then
+        echo "[+] Libray changed, compiling all queries in $LANGUAGE"
+        gh codeql query compile --threads=0 --check-only --warnings=error "./$LANGUAGE/"
+        # set LIBRARY_SCANNED to true to prevent recompiling
+        LIBRARY_SCANNED=true
+
+    fi
+done
+
+echo "[+] Complete"
diff --git a/.github/scripts/pr-suites-packs.sh b/.github/scripts/pr-suites-packs.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+set -euo pipefail
+
+PR_NUMBER=${1}
+LANGUAGE=${2}
+PACK_COMPILED=false
+
+for file in $(gh pr view "$PR_NUMBER" --json files --jq '.files.[].path'); do
+    if [[ ! -f "$file" ]]; then
+        continue
+    fi
+
+    # suite folder 
+    if [[ "$file" == $LANGUAGE/suites/**.qls ]]; then
+        echo "[+] Compiling Suite: $file"
+        gh codeql resolve queries "$file"
+
+    # qlpack file and lock file
+    elif [[ "$file" == $LANGUAGE/qlpack.yml ]] || [[ "$file" == $LANGUAGE/codeql-pack.lock.yml ]]; then
+        if [[ "$PACK_COMPILED" == true ]]; then
+            continue
+        fi 
+        echo "[+] Compiling Pack: $LANGUAGE"
+        # install deps
+        gh codeql pack install "$LANGUAGE"
+        # compile / create pack
+        gh codeql pack create "$LANGUAGE"
+
+        # if the version of the pack is changed, comment in the PR
+        PUBLISHED_VERSION=$(gh api /orgs/advanced-security/packages/container/codeql-"$LANGUAGE"/versions --jq '.[0].metadata.container.tags[0]')
+        CURRENT_VERSION=$(grep version "$LANGUAGE"/qlpack.yml | awk '{print $2}')
+
+        if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
+            echo "[+] New version of pack detected: $PUBLISHED_VERSION (pub) != $CURRENT_VERSION (cur)"
+
+            comment="New version of pack \`advanced-security/codeql-$LANGUAGE\` will be created on merge: \`$PUBLISHED_VERSION\`->\`$CURRENT_VERSION\`"
+
+            if [[ ! $(gh pr view "$PR_NUMBER" --json comments --jq '.comments.[].body' | grep "$comment") ]]; then
+                echo "[+] Commenting on PR"
+                gh pr comment "$PR_NUMBER" \
+                    --body "$comment"
+
+            fi
+
+        fi
+
+        PACK_COMPILED=true
+
+    fi
+done
+
+echo "[+] Complete"
diff --git a/.github/scripts/pr-tests.sh b/.github/scripts/pr-tests.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+set -euo pipefail
+
+PR_NUMBER=${1}
+LANGUAGE=${2}
+
+if [[ ! -d ./${LANGUAGE}/test/ ]]; then
+    echo "[!] No tests found for $LANGUAGE, skipping"
+    exit 0
+fi
+
+echo "[+] Compiling all queries in $LANGUAGE"
+gh codeql query compile --threads=0 --check-only "./$LANGUAGE/"
+
+for file in $(gh pr view "$PR_NUMBER" --json files --jq '.files.[].path'); do
+    if [[ ! -f "$file" ]]; then
+        continue
+    fi
+
+    # if a change in the test folder is detected (only for the current language)
+    if [[ "$file" == $LANGUAGE/test/** ]]; then
+        echo "[+] Test $file changed"
+        TEST_DIR=$(dirname "$file")
+        # run tests in the folder the change occured in
+        gh codeql test run "$TEST_DIR"
+
+    # if the files is a query file .ql or .qll
+    elif [[ "$file" == $LANGUAGE/**.ql ]] || [[ "$file" == $LANGUAGE/**.qll ]] ; then
+        echo "[+] Query $file changed (in $LANGUAGE)"
+
+        SRC_DIR=$(realpath --relative-to="./${LANGUAGE}/src" "$file")
+        TEST_DIR=./${LANGUAGE}/test/${SRC_DIR}
+
+        if [[ -d "$TEST_DIR" ]]; then
+            echo "[+] Running tests for $file -> $TEST_DIR"
+            gh codeql test run "$TEST_DIR"
+
+        else
+            echo "[!] No tests found at $TEST_DIR"
+        fi
+    # if language lib folder is modified
+    elif [[ "$file" == $LANGUAGE/lib/** ]]; then
+        echo "[+] Library changed, running all tests in $LANGUAGE"
+        TEST_DIR=./${LANGUAGE}/test/
+
+        if [[ -d "$TEST_DIR" ]]; then
+            echo "[+] Running tests for $file -> $TEST_DIR"
+            gh codeql test run "$TEST_DIR"
+        else
+            echo "[!] No tests found for $file (in $LANGUAGE)"
+        fi
+
+    fi
+
+done
+
+echo "[+] Complete"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,94 @@
+name: Build CodeQL Packs 
+
+on:
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+jobs:
+  compile:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # language: [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        language: [ 'java' ]
+
+    steps:
+      - uses: actions/checkout@v3
+        # with:
+        #   submodules: true
+
+      # Conditionally run actions based on files modified by PR, feature branch or pushed commits
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+        id: changes
+        with:
+          filters: |
+            src:
+              - '${{ matrix.language }}/**'
+
+      - name: Install CodeQL
+        if: steps.changes.outputs.src == 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          gh extension install github/gh-codeql
+          gh codeql pack download "codeql/${{ matrix.language }}-queries"
+          gh codeql pack install "${{ matrix.language }}/lib"
+          gh codeql pack install "${{ matrix.language }}/src"
+          gh codeql pack install "${{ matrix.language }}/test"
+
+      - name: Compile Queries
+        if: steps.changes.outputs.src == 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          ./.github/scripts/pr-compile.sh ${{ github.event.number }} ${{ matrix.language }}
+
+      - name: Test Queries
+        if: steps.changes.outputs.src == 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          ./.github/scripts/pr-tests.sh ${{ github.event.number }} ${{ matrix.language }}
+
+      - name: Compile / Check Suites & Packs
+        if: steps.changes.outputs.src == 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          ./.github/scripts/pr-suites-packs.sh ${{ github.event.number }} ${{ matrix.language }}
+
+  extensions:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # language: [ 'csharp', 'java', 'javascript' ]
+        language: [ 'java' ]
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+        id: changes
+        with:
+          filters: |
+            src:
+              - '${{ matrix.language }}/ext/**'
+
+      - name: Install CodeQL
+        if: steps.changes.outputs.src == 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          gh extension install github/gh-codeql
+          gh codeql pack install "${{ matrix.language }}/ext/"
+          gh codeql pack install "${{ matrix.language }}/ext-library-sources/"
+          gh codeql pack create "${{ matrix.language }}/ext/"
+          gh codeql pack create "${{ matrix.language }}/ext-library-sources/"
+
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,112 @@
+name: Publish CodeQL Packs
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+
+  queries:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java"] 
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: "Check and publish codeql-LANG-queries (src) pack"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-queries/versions --jq '.[0].metadata.container.tags[0]')
+          CURRENT_VERSION=$(grep version ${{ matrix.language }}/src/qlpack.yml | awk '{print $2}')
+
+          if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
+            gh extension install github/gh-codeql
+            gh codeql pack install "${{ matrix.language }}/src"
+            gh codeql pack publish "${{ matrix.language }}/src"
+          fi
+
+  library:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java"] 
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: "Check and publish codeql-LANG-libs (lib) pack"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-libs/versions --jq '.[0].metadata.container.tags[0]')
+          CURRENT_VERSION=$(grep version ${{ matrix.language }}/lib/qlpack.yml | awk '{print $2}')
+
+          if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
+            gh extension install github/gh-codeql
+            gh codeql pack install "${{ matrix.language }}/lib"
+            gh codeql pack publish "${{ matrix.language }}/lib"
+          fi
+
+  extensions:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java"]
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Check and publish codeql-LANG-extensions (ext) pack
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-extensions/versions --jq '.[0].metadata.container.tags[0]')
+          CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext/qlpack.yml | awk '{print $2}')
+
+          if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
+            gh extension install github/gh-codeql
+            gh codeql pack install "${{ matrix.language }}/ext"
+            gh codeql pack publish "${{ matrix.language }}/ext"
+          fi
+
+  library_sources_extensions:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java"]
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Check and publish codeql-LANG-library-sources (ext-library-sources) pack
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PUBLISHED_VERSION=$(gh api /orgs/githubsecuritylab/packages/container/codeql-${{ matrix.language }}-library-sources/versions --jq '.[0].metadata.container.tags[0]')
+          CURRENT_VERSION=$(grep version ${{ matrix.language }}/ext-library-sources/qlpack.yml | awk '{print $2}')
+
+          if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
+            gh extension install github/gh-codeql
+            gh codeql pack install "${{ matrix.language }}/ext-library-sources"
+            gh codeql pack publish "${{ matrix.language }}/ext-library-sources"
+          fi
diff --git a/codeql-workspace.yml b/codeql-workspace.yml
@@ -0,0 +1,2 @@
+provide:
+- java/**/qlpack.yml
diff --git a/java/ext-library-sources/codeql-pack.lock.yml b/java/ext-library-sources/codeql-pack.lock.yml
@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false
diff --git a/java/ext/library_sources/generated/.gitkeep → ...library-sources/models/generated/.gitkeep b/java/ext/library_sources/generated/.gitkeep → ...library-sources/models/generated/.gitkeep
diff --git a/java/ext-library-sources/models/generated/alfio.controller.form.model.yml b/java/ext-library-sources/models/generated/alfio.controller.form.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["alfio.controller.form", "ReservationForm", True, "setPromoCode", "(String)", "", "Parameter[0]", "remote", "manual"]
diff --git a/java/ext-library-sources/models/generated/alfio.manager.system.model.yml b/java/ext-library-sources/models/generated/alfio.manager.system.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["alfio.manager.system", "ExternalConfiguration", True, "getSingle", "(String)", "", "Parameter[0]", "remote", "manual"]
diff --git a/java/ext-library-sources/models/generated/alluxio.collections.model.yml b/java/ext-library-sources/models/generated/alluxio.collections.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["alluxio.collections", "LockPool<String>", True, "get", "(String,LockMode)", "", "Parameter[0]", "remote", "manual"]
+      - ["alluxio.collections", "TwoKeyConcurrentMap<Long,String,Long,SortedMap<String,Long>>", True, "addInnerValue", "(Long,String,Long)", "", "Parameter[1]", "remote", "manual"]
+      - ["alluxio.collections", "TwoKeyConcurrentMap<Long,String,Long,SortedMap<String,Long>>", True, "removeInnerValue", "(Long,String)", "", "Parameter[1]", "remote", "manual"]
diff --git a/java/ext-library-sources/models/generated/alluxio.job.wire.model.yml b/java/ext-library-sources/models/generated/alluxio.job.wire.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["alluxio.job.wire", "Status", False, "valueOf", "(String)", "", "Parameter[0]", "remote", "manual"]