https://github.com/advanced-security/codeql-sap-js

CodeQL models for SAP JavaScript frameworks CAP, UI5 and XSJS

# CodeQL: SAP JavaScript frameworks

[cloud-cap-samples]: https://github.com/SAP-samples/cloud-cap-samples

This repository contains [CodeQL](https://codeql.github.com/) models and queries for SAP JavaScript frameworks:

- [CAP](javascript/frameworks/cap) [https://cap.cloud.sap](https://cap.cloud.sap/)
- [UI5](javascript/frameworks/ui5) [https://sapui5.hana.ondemand.com](https://sapui5.hana.ondemand.com/)
- [XSJS](./javascript/frameworks/xsjs/README.md) [https://www.npmjs.com/package/@sap/async-xsjs](https://www.npmjs.com/package/@sap/async-xsjs)

## Published CodeQL packs

- [advanced-security/javascript-sap-cap-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-cap-queries)
- [advanced-security/javascript-sap-ui5-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-ui5-queries)
- [advanced-security/javascript-sap-async-xsjs-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-async-xsjs-queries)

## Usage

### Analyzing a repository with [Code Scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-query-packs)

Example workflow file:

```yaml
jobs:
  analyze-javascript:
    name: Analyze
    runs-on: 'ubuntu-latest'
    permissions:
      # A job-level permissions block drops every permission not listed, so
      # the checkout step needs contents: read alongside security-events: write.
      contents: read
      security-events: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Compile CDS files
        run: |
          npm install -g @sap/cds-dk
          for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
          do
            cds compile "$cds_file" \
              -2 json \
              -o "$cds_file.json" \
              --locations
          done

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript
          config-file: .github/codeql/codeql-config.yaml

      - name: Perform CodeQL Analysis
        id: analyze
        uses: github/codeql-action/analyze@v3
        env:
          LGTM_INDEX_XML_MODE: all
          LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
```

Example configuration file:

```yaml
name: "My CodeQL config"

packs:
  # Use these packs for JavaScript and TypeScript analysis
  javascript:
    - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-async-xsjs-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-cap-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-ui5-queries:codeql-suites/javascript-security-extended.qls

paths-ignore:
  - "**/node_modules"
```

### Building and analyzing the CodeQL database with the CodeQL CLI

1. Include and index XML, JSON and CDS files by setting the necessary environment variables:

```shell
export LGTM_INDEX_XML_MODE='ALL'
export LGTM_INDEX_FILETYPES=$'.json:JSON\n.cds:JSON'
```

2. Compile all the CDS files using the SAP cds toolkit:

```shell
npm install -g @sap/cds-dk
for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
do
  cds compile "$cds_file" \
    -2 json \
    -o "$cds_file.json" \
    --locations
done
```

3. Build the database [as usual](https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/database-create), replacing `<database>` with the directory the database should be created in:

```shell
codeql database create --language=javascript <database>
```

4. Analyze the database using one or more packs (`<database>` is the directory created in step 3; `<results.sarif>` is the SARIF file to write):

```shell
codeql database analyze <database> --format=sarif-latest --output=<results.sarif> \
  --download advanced-security/javascript-sap-cap-queries \
  advanced-security/javascript-sap-ui5-queries \
  advanced-security/javascript-sap-async-xsjs-queries
```
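The CDS compile loop appears twice above (in the workflow and in step 2), and in both places it splits file names on whitespace, walks into `node_modules`, and does not stop when `cds compile` fails, so a broken model can go unnoticed until the queries find nothing. The script below is an added example written for this page, not code from the codeql-sap-js repository: `compile_cds_tree` is a hardened version of that loop, and `build_sap_database` chains steps 1 to 4 into one function. It assumes `cds` (from `@sap/cds-dk`) and `codeql` are on `PATH`; the function names, the printed file count and the default SARIF file name are choices made here, while the `cds compile` flags, the `LGTM_INDEX_*` variables and the pack names are those listed on this page.

```bash
#!/usr/bin/env bash
# Added example (not part of the codeql-sap-js repository): hardened version of
# the "compile all the CDS files" step, plus a driver for the four CLI steps.
# Compared with the page's loop, compile_cds_tree:
#   - enumerates files NUL-delimited, so a path containing spaces or newlines
#     cannot be split into several arguments;
#   - prunes node_modules, mirroring the config file's paths-ignore;
#   - returns a non-zero status on the first failed compile instead of
#     silently continuing to database creation with a missing model.
# The cds compile invocation and the LGTM_INDEX_* variables are copied from the
# page; the function names and the printed file count are assumptions.
set -euo pipefail

# compile_cds_tree ROOT
# Compiles every *.cds below ROOT (outside node_modules) to <file>.json next to
# it and prints the number of files compiled.  Returns 1 if any compile fails.
compile_cds_tree() {
  local root="$1" count=0 cds_file
  while IFS= read -r -d '' cds_file; do
    if ! cds compile "$cds_file" -2 json -o "$cds_file.json" --locations; then
      echo "cds compile failed for '$cds_file'" >&2
      return 1
    fi
    count=$((count + 1))
  done < <(find "$root" -path '*/node_modules' -prune -o -type f -iname '*.cds' -print0)
  echo "$count"
}

# build_sap_database SRC_ROOT DB_DIR [SARIF_OUT]
# Steps 1-4 of the CLI instructions: index JSON/CDS files, compile the models,
# create the JavaScript database, then analyze it with the three published packs.
build_sap_database() {
  local src="$1" db="$2" sarif="${3:-results.sarif}" compiled
  export LGTM_INDEX_XML_MODE='ALL'
  export LGTM_INDEX_FILETYPES=$'.json:JSON\n.cds:JSON'
  compiled="$(compile_cds_tree "$src")" || return 1
  echo "compiled $compiled CDS file(s) under $src" >&2
  codeql database create --language=javascript --source-root="$src" --overwrite "$db"
  codeql database analyze "$db" --format=sarif-latest --output="$sarif" \
    --download advanced-security/javascript-sap-cap-queries \
    advanced-security/javascript-sap-ui5-queries \
    advanced-security/javascript-sap-async-xsjs-queries
}
```

Source the file and call `build_sap_database ./my-cap-app ~/codeql-home/databases/my-cap-app` from the checkout of the project to analyze. The count printed by `compile_cds_tree` is worth checking against what you expect: zero compiled files usually means the `.cds` sources are not where the script was pointed, and the database would be built without any model information.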

### Example `codeql database create` with CDS Extractor Invocation

The following example invocation of `codeql database create` includes the `--command` option to invoke the CDS extractor as an extension of the `javascript` extractor, which is used by `codeql` to create the database. The `pre-finalize.sh` script is a minimal wrapper around the `codeql database index-files` command, which we expect to run the `extractors/cds/tools/index-files.js` script to index the JSON files pre-generated by the CDS extractor.

The below example assumes that:

- The [`SAP-samples/cloud-cap-samples`][cloud-cap-samples] repository has been cloned to a sibling directory of the one containing this repository.
- The [`SAP-samples/cloud-cap-samples`][cloud-cap-samples] repository is intended as the source code root (i.e. target project) for the database.
- The database directory (e.g., `~/codeql-home/databases/cloud-cap-samples-real`) is either absent or empty.

```shell
_d="$(pwd)" && codeql database create \
--command="${_d}/extractors/javascript/tools/pre-finalize.sh" \
--language="javascript" \
--search-path="${_d}/extractors/" \
--source-root="${_d}/../cloud-cap-samples/" \
-- ~/codeql-home/databases/cloud-cap-samples-real
```

NOTES:

- The `--source-root` option must be adjusted to match the actual location of the target project (e.g., GitHub repository).
- The database directory path (last argument) must be adjusted to match the desired location of the created database.
- Running the above command multiple times with the same database directory will result in an error. The `--overwrite` command-line option can be used to avoid this error.
- See `codeql database create -h -v` for verbose command help.

## License

This project is licensed under the terms of the MIT open source license. Please refer to [MIT](LICENSE.txt) for the full terms.

## Maintainers

See [CODEOWNERS](CODEOWNERS).

## Support

See [SUPPORT](SUPPORT.md).