From 675c1a3e1d464474d1ecaa9adaae8eac7a399de7 Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Tue, 20 Feb 2024 10:31:12 -0500
Subject: [PATCH 1/5] Create codeql-synthetics.yml
---
 configs/codeql-synthetics.yml | 114 ++++++++++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 configs/codeql-synthetics.yml
diff --git a/configs/codeql-synthetics.yml b/configs/codeql-synthetics.yml
new file mode 100644
index 00000000..01342f3b
--- /dev/null
+++ b/configs/codeql-synthetics.yml
@@ -0,0 +1,114 @@
+# Use this configuration file when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs.
+# WARNING: A notable amount of false positives may be found in this configuration. If you wish to reduce the number of false positives, use the default codeql suites :)
+# NOTE: This configuration will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers.
+
+name: "Synthetic Apps All Queries Config"
+
+# expand thread model - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models
+threat-models: local
+
+# start from scratch - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#disabling-the-default-queries
+disable-default-queries: true
+
+packs:
+ # All queries from the CodeQL Built in packs (including low/no precision queries)
+ - codeql/cpp-queries:.
+ - codeql/csharp-queries:.
+ - codeql/go-queries:.
+ - codeql/java-queries:.
+ - codeql/javascript-queries:.
+ - codeql/python-queries:.
+ - codeql/ruby-queries:.
+ - codeql/swift-queries:.
+
+ # OSS queries from the default suites
+
+ ### GitHub Security Lab###
+ # Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries)
+ - githubsecuritylab/codeql-cpp-queries
+ - githubsecuritylab/codeql-csharp-queries
+ - githubsecuritylab/codeql-go-queries
+ - githubsecuritylab/codeql-java-queries
+ - githubsecuritylab/codeql-javascript-queries
+ - githubsecuritylab/codeql-python-queries
+ - githubsecuritylab/codeql-ruby-queries
+
+ # Queries via Community Packs that use local sources https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+ - githubsecuritylab/codeql-java-queries:suites/java-local.qls
+ - githubsecuritylab/codeql-python-queries:suites/python-local.qls
+
+ # Data extensions via Community Packs for libraries (library ext models are those generated by the corresponding queries in src) https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+ - githubsecuritylab/codeql-csharp-library-sources
+ - githubsecuritylab/codeql-java-library-sources
+
+ # Data extensions via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+ - githubsecuritylab/codeql-csharp-extensions
+ - githubsecuritylab/codeql-java-extensions
+
+ ### Trail of Bits ###
+ # Queris via packs: https://github.com/trailofbits/codeql-queries (default suites include security + crypto
+ - trailofbits/cpp-queries
+ - trailofbits/go-queries
+
+# Start with Security Experimental (lightly documented: https://github.com/github/codeql/pull/11702) : https://github.com/github/codeql/blob/main/misc/suite-helpers/security-experimental-selectors.yml
+# - precision ( low + Low or EXCLUDED precision)
+# + problem.severity: recommendation
+# - restriction of no experimental folder
+# - restriction of audit/debugging queries from community packs
+query-filters:
+ - include:
+ kind:
+ - problem
+ - path-problem
+ tags contain:
+ - security
+ - include:
+ kind:
+ - diagnostic
+ - include:
+ kind:
+ - metric
+ tags contain:
+ - summary
+ - exclude:
+ deprecated: //
+ - exclude:
+ query path:
+ # REMOVE exclude - OK even if they exist in experimental folder
+ #- /^experimental\/.*/
+ - Metrics/Summaries/FrameworkCoverage.ql
+ - /Diagnostics/Internal/.*/
+ - exclude:
+ tags contain:
+ - modeleditor
+ - modelgenerator
+ # Exclude audit queries from the CodeQL Built in packs
+ - exclude:
+ id:
+ - cpp/untrusted-data-to-external-api
+ - cs/untrusted-data-to-external-api
+ - go/untrusted-data-to-external-api
+ - java/untrusted-data-to-external-api
+ - js/untrusted-data-to-external-api
+ - py/untrusted-data-to-external-api
+
+ # Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs)
+ - exclude:
+ tags contain:
+ - debugging
+ - audit
+
+#Additional extractor excludes: https://github.com/github/codeql/blob/768e5190a1c9d40a4acc7143c461c3b114e7fd59/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L421-L427C42
+paths-ignore:
+ # Python
+ - "vendor/**"
+ - "examples/**"
+ - "tests/**"
+
+ # JavaScript
+ - "node_modules"
+ - "**/*.test.js"
+ - "**/*.test.tsx"
+ - "**/*.spec.ts"
+ - "**/*.spec.tsx"
+ - "dist"
From 2a7e7842bff358bad7d9d5c4f7bfee6da3d05c72 Mon Sep 17 00:00:00 2001
From: Chad Bentz <1760475+felickz@users.noreply.github.com>
Date: Tue, 20 Feb 2024 10:49:57 -0500
Subject: [PATCH 2/5] Update README.md
---
 configs/README.md | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/configs/README.md b/configs/README.md
index f5f60f96..24ff5069 100644
--- a/configs/README.md
+++ b/configs/README.md
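Review bot: The `paths-ignore` block at the end of the hunk excludes `"examples/**"` and `"tests/**"`, which for a config whose header says it targets synthetic (intentionally vulnerable) samples can silently drop the very code under assessment whenever a sample corpus keeps its applications under those directories; the `# Python` and `# JavaScript` labels are comments only, the patterns are not scoped per language, so these two entries should be narrowed or carry a comment such as `# NOTE: not language-scoped; drop "examples/**" and "tests/**" if the synthetic samples live there`. None of the `packs` entries pin a version (`- codeql/java-queries:.`, the `githubsecuritylab/...` and `trailofbits/...` lines), so two runs of this config may resolve different pack releases and report different findings, which undermines a config meant for comparing query-set coverage; the `scope/name@version:path` form (`- codeql/java-queries@<PINNED_VERSION>:.`, placeholder version) keeps runs reproducible. The Trail of Bits comment has a typo and an unclosed parenthesis, `# Queries via packs: https://github.com/trailofbits/codeql-queries (default suites include security + crypto)`, and `#Additional extractor excludes` is missing the space after `#` used everywhere else in the file.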
@@ -1,13 +1,20 @@ # Community Configurations -## Default / CodeQL +## [Default / CodeQL](default.yml) The `default.yml` configuration is the default config file used to make it easy to use the CodeQL Community Packs. -## Audit +## [Audit](audit.yml) The `audit.yml` configuration is used primary to audit code by running a number of audit queries with CodeQL. These are based on the suite in each language suites folder called `{LANG}-audit.qls` > [!NOTE] > Current Ruby and Swift are not supported + +## [Synthetics](synthetics.yml) + +This `synthetics.yml` configuration is intended for analyzing synthetic code samples. This configuration uses all possible queries from the CodeQL built in packs, the CodeQL Community Packs, and additional OSS queries and data extensions. It includes more queries than the built-in `security-experimental.qls` suite, providing a more thorough analysis at the cost of longer analysis times and potential false positives. It includes: +- queries marked as `@precision: low` or missing a precision +- queries marked as `@problem.severity: recommendation` +- queries in `\experimental\` folders From bbb28626529f7646bf34477f8910b3175195cf69 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:50:17 -0500 Subject: [PATCH 3/5] Rename codeql-synthetics.yml to synthetics.yml --- configs/{codeql-synthetics.yml => synthetics.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename configs/{codeql-synthetics.yml => synthetics.yml} (100%) diff --git a/configs/codeql-synthetics.yml b/configs/synthetics.yml similarity index 100% rename from configs/codeql-synthetics.yml rename to configs/synthetics.yml From 74d3ae5c352683bdc017adc8d2b79106eacfcb91 Mon Sep 17 00:00:00 2001 
From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 20 Feb 2024 11:23:33 -0500 Subject: [PATCH 4/5] Clarify audit vs synthetic configs --- configs/README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/configs/README.md b/configs/README.md index 24ff5069..3cb0ae1f 100644 --- a/configs/README.md +++ b/configs/README.md @@ -6,7 +6,8 @@ The `default.yml` configuration is the default config file used to make it easy ## [Audit](audit.yml) -The `audit.yml` configuration is used primary to audit code by running a number of audit queries with CodeQL. +The `audit.yml` configuration is used primary to audit code by running a number of audit queries with CodeQL. Many queries here will be executed using partial path queries - not looking for full source/sink flows. Use these very broad queries or even [partial flow paths](https://codeql.github.com/docs/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow/) to help deduce where the taint might be breaking and to discover areas for potential customization enhancement. + These are based on the suite in each language suites folder called `{LANG}-audit.qls` > [!NOTE] 
@@ -14,7 +15,9 @@ These are based on the suite in each language suites folder called `{LANG}-audit ## [Synthetics](synthetics.yml) -This `synthetics.yml` configuration is intended for analyzing synthetic code samples. This configuration uses all possible queries from the CodeQL built in packs, the CodeQL Community Packs, and additional OSS queries and data extensions. It includes more queries than the built-in `security-experimental.qls` suite, providing a more thorough analysis at the cost of longer analysis times and potential false positives. It includes: +This `synthetics.yml` configuration is intended for analyzing synthetic ([intentionally vulnerable](https://owasp.org/www-project-vulnerable-web-applications-directory/)) code samples. This configuration uses all possible security queries/extensions from the CodeQL built in packs, the CodeQL Community Packs, and additional OSS packs. It also includes the queries from the built-in `security-experimental.qls` suite with additional lower precision/experimental queries: - queries marked as `@precision: low` or missing a precision - queries marked as `@problem.severity: recommendation` - queries in `\experimental\` folders + +This configuration will provide a more thorough analysis at the cost of longer analysis times and potential false positives. Consider using the `audit.yml` configuration to look for additional false negative scenarios. From 312d8b8db8d555ea4801b20508abf84ab7e3490a Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Tue, 20 Feb 2024 11:35:25 -0500 Subject: [PATCH 5/5] Update README.md --- configs/README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/configs/README.md b/configs/README.md index 3cb0ae1f..35363851 100644 --- a/configs/README.md +++ b/configs/README.md 
@@ -2,11 +2,14 @@ ## [Default / CodeQL](default.yml) -The `default.yml` configuration is the default config file used to make it easy to use the CodeQL Community Packs. +The `default.yml` configuration is the default config file used to make it easy to use the CodeQL Community Packs. The queries included here are pulled in from the language `default suites` automatically when referencing the community packs. The default suites as specified in each language's `{LANG}/src/qlpack.yml`. The standard configuration is: +```yml +defaultSuiteFile: suites/{LANG}.qls +``` ## [Audit](audit.yml) -The `audit.yml` configuration is used primary to audit code by running a number of audit queries with CodeQL. Many queries here will be executed using partial path queries - not looking for full source/sink flows. Use these very broad queries or even [partial flow paths](https://codeql.github.com/docs/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow/) to help deduce where the taint might be breaking and to discover areas for potential customization enhancement. +The `audit.yml` configuration is used primarily to conduct a security assessment of potentially vulnerable code, by running a number of audit queries with CodeQL. Many of these queries operate on partial path queries, thus not seeking complete source/sink flows. Use these wide-ranging queries or [partial flow paths](https://codeql.github.com/docs/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow/) as tools to infer potential taint disruptions and identify opportunities for customization improvements. These are based on the suite in each language suites folder called `{LANG}-audit.qls` 
@@ -15,7 +18,7 @@ These are based on the suite in each language suites folder called `{LANG}-audit ## [Synthetics](synthetics.yml) -This `synthetics.yml` configuration is intended for analyzing synthetic ([intentionally vulnerable](https://owasp.org/www-project-vulnerable-web-applications-directory/)) code samples. This configuration uses all possible security queries/extensions from the CodeQL built in packs, the CodeQL Community Packs, and additional OSS packs. It also includes the queries from the built-in `security-experimental.qls` suite with additional lower precision/experimental queries: +This `synthetics.yml` configuration is intended for analyzing synthetic ([intentionally vulnerable](https://owasp.org/www-project-vulnerable-web-applications-directory/)) code samples for vulnerabilities. This configuration uses all possible security queries/extensions from the CodeQL built in packs, the CodeQL Community Packs, and additional OSS packs. It also includes the queries from the built-in `security-experimental.qls` suite with additional lower precision/experimental queries: - queries marked as `@precision: low` or missing a precision - queries marked as `@problem.severity: recommendation` - queries in `\experimental\` folders