{"id":29668029,"url":"https://github.com/advanced-security/codeql-sap-js","last_synced_at":"2026-02-16T22:11:36.532Z","repository":{"id":265045336,"uuid":"655754626","full_name":"advanced-security/codeql-sap-js","owner":"advanced-security","description":"CodeQL models for SAP JavaScript frameworks CAP, UI5 and XSJS","archived":false,"fork":false,"pushed_at":"2025-07-17T17:51:01.000Z","size":26286,"stargazers_count":6,"open_issues_count":8,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-07-17T17:58:14.202Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/advanced-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-06-19T14:27:17.000Z","updated_at":"2025-07-15T20:10:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"01b3c8bd-93ac-43e2-adc9-bf6f56e2738d","html_url":"https://github.com/advanced-security/codeql-sap-js","commit_stats":null,"previous_names":["advanced-security/codeql-sap-js"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/advanced-security/codeql-sap-js","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-sap-js","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-sap-js/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-sap-js/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-sap-js/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/advanced-security","download_url":"https://codeload.github.com/advanced-security/codeql-sap-js/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/advanced-security%2Fcodeql-sap-js/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266535695,"owners_count":23944275,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-07-22T17:05:48.704Z","updated_at":"2026-02-16T22:11:36.492Z","avatar_url":"https://github.com/advanced-security.png","language":"TypeScript","readme":"# CodeQL: SAP JavaScript frameworks\n\n[cloud-cap-samples]: https://github.com/SAP-samples/cloud-cap-samples\n\nThis repository contains [CodeQL](https://codeql.github.com/) models and queries for SAP JavaScript frameworks:\n\n- [CAP](javascript/frameworks/cap) [https://cap.cloud.sap](https://cap.cloud.sap/)\n- [UI5](javascript/frameworks/ui5) [https://sapui5.hana.ondemand.com](https://sapui5.hana.ondemand.com/)\n- [XSJS](./javascript/frameworks/xsjs/README.md) [https://www.npmjs.com/package/@sap/async-xsjs](https://www.npmjs.com/package/@sap/async-xsjs)\n\n## Published CodeQL 
packs\n\n- [advanced-security/javascript-sap-cap-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-cap-queries)\n- [advanced-security/javascript-sap-ui5-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-ui5-queries)\n- [advanced-security/javascript-sap-async-xsjs-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-async-xsjs-queries)\n\n## Usage\n\n### Analyzing a repository with [Code Scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-query-packs)\n\nExample workflow file:\n\n```yaml\njobs:\n  analyze-javascript:\n    name: Analyze\n    runs-on: 'ubuntu-latest'\n    permissions:\n      security-events: write\n\n    steps:\n    - name: Compile CDS files\n      run: |\n        npm install -g @sap/cds-dk\n        for cds_file in $(find . -type f \\( -iname '*.cds' \\) -print)\n          do\n            cds compile $cds_file \\\n              -2 json \\\n              -o \"$cds_file.json\" \\\n              --locations\n          done\n      \n    - name: Initialize CodeQL\n      uses: github/codeql-action/init@v3\n      with:\n        languages: javascript\n        config-file: .github/codeql/codeql-config.yaml\n\n    - name: Perform CodeQL Analysis\n      id: analyze\n      uses: github/codeql-action/analyze@v3\n      env:\n        LGTM_INDEX_XML_MODE: all\n        LGTM_INDEX_FILETYPES: \".json:JSON\\n.cds:JSON\"\n```\n\nExample configuration file:\n\n```yaml\nname: \"My CodeQL config\"\n\npacks:\n  # Use these packs for JavaScript and TypeScript analysis\n  javascript:\n    - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls\n    - advanced-security/javascript-sap-xsjs-queries:codeql-suites/javascript-security-extended.qls\n    - advanced-security/javascript-sap-cap-queries:codeql-suites/javascript-security-extended.qls\n    
- advanced-security/javascript-sap-ui5-queries:codeql-suites/javascript-security-extended.qls\n\npaths-ignore:\n  - \"**/node_modules\"\n```\n\n### Building and analyzing the CodeQL database with the CodeQL CLI\n\n1. Include and index XML, JSON and CDS files by setting the necessary environment variables:\n\n```shell\nexport LGTM_INDEX_XML_MODE='ALL'\nexport LGTM_INDEX_FILETYPES=$'.json:JSON\\n.cds:JSON'\n```\n\n2. Compile all the CDS files using the SAP cds toolkit\n\n```shell\nnpm install -g @sap/cds-dk\nfor cds_file in $(find . -type f \\( -iname '*.cds' \\) -print)\n  do\n    cds compile $cds_file \\\n      -2 json \\\n      -o \"$cds_file.json\" \\\n      --locations\n  done\n```\n\n3. Build the database [as usual](https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/database-create)\n\n```shell\ncodeql database create \u003cDB_NAME\u003e --language=javascript\n```\n\n4. Analyze the database using one or more packs\n\n```shell\ncodeql database analyze \u003cDB_NAME\u003e --format=sarif-latest --output=\u003cOUTPUT_FILE\u003e \\\n  --download advanced-security/javascript-sap-cap-queries \\\n             advanced-security/javascript-sap-ui5-queries \\\n             advanced-security/javascript-sap-xsjs-queries\n```\n\n### Example `codeql database create` with CDS Extractor Invocation\n\nThe following example invocation of `codeql database create` includes the `--command` option to invoke the CDS extractor as an extension of the `javascript` extractor, which is used by `codeql` to create the database. 
The `pre-finalize.sh` script is a minimal wrapper around the `codeql database index-files` command, which we expect to run the `extractors/cds/tools/index-files.js` script to index the JSON files pre-generated by the CDS extractor.\n\nThe below example assumes that:\n\n- The [`SAP-samples/cloud-cap-samples`][cloud-cap-samples] repository has been cloned to a sibling directory of the one containing this repository.\n- The [`SAP-samples/cloud-cap-samples`][cloud-cap-samples] repository is intended as the source code root (i.e. target project) for the database.\n- The database directory (e.g., `~/codeql-home/databases/cloud-cap-samples-real`) is either absent or empty.\n\n```shell\n_d=\"$(pwd)\" \u0026\u0026 codeql database create \\\n  --command=\"${_d}/extractors/javascript/tools/pre-finalize.sh\" \\\n  --language=\"javascript\" \\\n  --search-path=\"${_d}/extractors/\" \\\n  --source-root=\"${_d}/../cloud-cap-samples/\" \\\n  -- ~/codeql-home/databases/cloud-cap-samples-real\n```\n\nNOTES:\n\n- The `--source-root` option must be adjusted to match the actual location of the target project (e.g., GitHub repository).\n- The database directory path (last argument) must be adjusted to match the desired location of the created database.\n- Running the above command multiple times with the same database directory will result in an error. The `--overwrite` command-line option can be used to avoid this error.\n- See `codeql database create -h -v` for verbose command help.\n\n## License\n\nThis project is licensed under the terms of the MIT open source license. 
Please refer to [MIT](LICENSE.txt) for the full terms.\n\n## Maintainers\n\nSee [CODEOWNERS](CODEOWNERS).\n\n## Support\n\nSee [SUPPORT](SUPPORT.md).\n","funding_links":[],"categories":["Customization \u0026 Query Development"],"sub_categories":["CodeQL Extractors"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fcodeql-sap-js","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadvanced-security%2Fcodeql-sap-js","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadvanced-security%2Fcodeql-sap-js/lists"}