From 92cdcb325748df48cc7a773b68e01e1fda7a7379 Mon Sep 17 00:00:00 2001
From: Michael Hohn
Date: Wed, 29 Sep 2021 13:03:36 -0700
Subject: [PATCH] initial example
---
LICENSE | 21 ++++++++++++++++
QueryInfo.ql | 18 ++++++++++++++
README.org | 58 +++++++++++++++++++++++++++++++++++++++++++++
build.sh | 2 ++
clean.sh | 3 +++
info-supplement.csv | 3 +++
qlpack.yml | 3 +++
simple.c | 5 ++++
8 files changed, 113 insertions(+)
create mode 100644 LICENSE
create mode 100644 QueryInfo.ql
create mode 100644 README.org
create mode 100755 build.sh
create mode 100755 clean.sh
create mode 100644 info-supplement.csv
create mode 100644 qlpack.yml
create mode 100644 simple.c
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..a1b4609
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Michael Hohn
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/QueryInfo.ql b/QueryInfo.ql
new file mode 100644
index 0000000..16bd8a4
--- /dev/null
+++ b/QueryInfo.ql
@@ -0,0 +1,18 @@
+/**
+ * @kind problem
+ * @id sample/read-external-data
+*/
+
+import cpp
+import external.ExternalArtifact
+
+class InfoSupplement extends ExternalData {
+ InfoSupplement() { this.getDataPath().matches("%/info-%.csv") }
+
+ int getId() { result = this.getFieldAsInt(0) }
+
+ string getName() { result = this.getField(1) }
+}
+
+from InfoSupplement d
+select d.getDataPath(), "Found id:" + d.getId() + " name:" + d.getName()
diff --git a/README.org b/README.org
new file mode 100644
index 0000000..951c774
--- /dev/null
+++ b/README.org
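Review bot: In QueryInfo.ql, `getId()` goes through `getFieldAsInt(0)`, so a row whose first field is not an integer is dropped without any diagnostic. That covers the `id,name` header of info-supplement.csv as well as any malformed row, and the README's expected output (only ids 0 and 1) appears to rely on it. This deserves a comment on the class, for example `// Rows whose first field is not an integer (e.g. the CSV header) have no getId() and are silently omitted.` The characteristic predicate's `matches("%/info-%.csv")` also accepts every indexed file of that name shape, so any CSV picked up by `index-files --include "*.csv"` ends up verbatim in the result message. Documenting the expected path, or narrowing the pattern, would make that trust assumption explicit.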
@@ -0,0 +1,58 @@
+* External data additions to CodeQL database
+ This minimal example builds a codeql database containing both C code and CSV
+ data read from a file, then runs a simple query to list the CSV entries.
+
+** Common setup
+ In this snippet, adjust the codeql path for your own setup, then paste it in
+ bash/zsh/ksh:
+ #+BEGIN_SRC sh
+ # Add codeql cli tools to path
+ export PATH=$HOME/local/vmsync/codeql250:"$PATH"
+
+ SRCDIR=$(pwd)
+ DB=$SRCDIR/cpp-simple-$(echo $$).db
+
+ test -d "$DB" && rm -fR "$DB"
+ mkdir -p "$DB"
+ #+END_SRC
+
+** Create the CodeQL database
+ Create the CodeQL database via
+ #+BEGIN_SRC sh
+ # The usual command is just
+ # cd $SRCDIR && codeql database create -l cpp -s $SRCDIR -j 8 -v $DB --command='./build.sh'
+ # but here we need the expanded version to include csv data
+ #
+ #
+ codeql database init -l cpp -s $SRCDIR $DB
+ # Optional: include non-CSV code
+ codeql database trace-command -v $DB './build.sh'
+ codeql database index-files -l csv --include "*.csv" $DB
+ codeql database finalize $DB
+
+ # Bundle it if desired
+ codeql database bundle -o $DB.zip $DB
+ #+END_SRC
+
+ Run
+ : codeql database index-files -vvvv -h
+ for more descriptions of the available options, including the syntax for
+ include/exclude globs and working directory to find CSV files in.
+
+** Run a query using ExternalData
+ #+BEGIN_SRC sh
+ # Run the query and keep report results in cpp-simple.sarif
+ codeql database analyze \
+ -v \
+ --rerun \
+ --format=sarif-latest \
+ --output cpp-simple.sarif \
+ -- \
+ $DB \
+ $SRCDIR/QueryInfo.ql
+
+ # Check for the data
+ grep Foo cpp-simple.sarif
+ : should be "text" : "Found id:0 name:Foo\nFound id:1 name:Bar"
+ #+END_SRC
+
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..3bac551
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+clang -Wall simple.c -o simple
diff --git a/clean.sh b/clean.sh
new file mode 100755
index 0000000..cbfc865
--- /dev/null
+++ b/clean.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+rm -fr simple cpp-simple-*.db/
+
diff --git a/info-supplement.csv b/info-supplement.csv
new file mode 100644
index 0000000..c0cd28d
--- /dev/null
+++ b/info-supplement.csv
@@ -0,0 +1,3 @@
+id,name
+0,Foo
+1,Bar
\ No newline at end of file
diff --git a/qlpack.yml b/qlpack.yml
new file mode 100644
index 0000000..8e6c9cf
--- /dev/null
+++ b/qlpack.yml
@@ -0,0 +1,3 @@
+name: cpp-sql-injection
+version: 0.0.1
+libraryPathDependencies: codeql-cpp
diff --git a/simple.c b/simple.c
new file mode 100644
index 0000000..9f8e576
--- /dev/null
+++ b/simple.c
@@ -0,0 +1,5 @@
+#include
+
+int main(int argc, char* argv[]) {
+ printf("hello from simple\n");
+}
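Review bot: In clean.sh, `rm -fr simple cpp-simple-*.db/` resolves both the file name and the glob against whatever directory the script is started from. Run from elsewhere, it recursively deletes a same-named `simple` or `cpp-simple-*.db/` there instead of this example's artefacts. Pinning the script to its own location first, with `cd "$(dirname "$0")" || exit 1` before the `rm`, keeps the forced delete inside the example directory. build.sh depends on the working directory in the same way for `simple.c`, though there the worst case is a failed compile.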
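Review bot: In qlpack.yml, `name: cpp-sql-injection` does not describe this pack; it looks carried over from another project. The pack's only query reads external CSV data and has the id `sample/read-external-data`. A name that matches the content, for instance `name: sample-read-external-data` (a constructed suggestion), avoids the pack being mistaken for, or colliding with, an unrelated SQL-injection pack on the same search path.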
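Review bot: In simple.c, the `#include` line as shown on this page names no header, so the file would not compile as displayed. `printf` needs `#include <stdio.h>`; the header name was most likely lost when the page was rendered rather than missing from the commit. Separately, `argc` and `argv` are never used, so `int main(void)` would state the interface more precisely.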