Merge pull request #2 from nicolaswill/knewbury01/JCA-sample

Implement first stage cryptography modelling and queries
2026-04-29 02:35:15 +02:00 · 2025-04-30 16:39:56 +02:00
parent 27c7bf3047 2b1b90ccc4
commit 83617e099f
47 changed files with 8862 additions and 276 deletions
--- a/misc/scripts/cryptography/cbom.sh
+++ b/misc/scripts/cryptography/cbom.sh
@@ -1,8 +1,8 @@
 #!/bin/bash

-CODEQL_PATH="/Users/nicolaswill/Library/Application Support/Code/User/globalStorage/github.vscode-codeql/distribution5/codeql/codeql"
-DATABASE_PATH="/Users/nicolaswill/openssl_codeql/openssl/openssl_db"
-QUERY_FILE="/Users/nicolaswill/pqc/codeql/cpp/ql/src/experimental/Quantum/CBOMGraph.ql"
+CODEQL_PATH="/Users/nicolaswill/.local/share/gh/extensions/gh-codeql/dist/release/v2.20.4/codeql"
+DATABASE_PATH="/Users/nicolaswill/pqc/gpt-crypto-test-cases/gpt_ai_gen_jca_test_cases_db"
+QUERY_FILE="/Users/nicolaswill/pqc/codeql/java/ql/src/experimental/Quantum/PrintCBOMGraph.ql"
 OUTPUT_DIR="graph_output"

 python3 generate_cbom.py -c "$CODEQL_PATH" -d "$DATABASE_PATH" -q "$QUERY_FILE" -o "$OUTPUT_DIR"
--- a/misc/scripts/cryptography/generate_cbom.py
+++ b/misc/scripts/cryptography/generate_cbom.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3

 import os
+import re
 import sys
 import argparse
 import subprocess
@@ -39,8 +40,7 @@ def convert_dgml_to_dot(dgml_file, dot_file):

    # Form dot element sequence
    body_l = ["digraph cbom {",
-              "node [shape=box];",
-              "rankdir=LR;"
+              "node [shape=box];"
    ]

    # Process nodes
@@ -56,6 +56,9 @@ def convert_dgml_to_dot(dgml_file, dot_file):
            else:
                label_parts.append(f"{key}={value}")
        label = "\\n".join(label_parts)
+        # Escape forward slashes and double quotes
+        label = label.replace("/", "\\/")
+        label = label.replace("\"", "\\\"")
        prop_l = [f'label="{label}"']
        node_s = f'nd_{node_id} [{", ".join(prop_l)}];'
        body_l.append(node_s)
@@ -63,8 +66,11 @@ def convert_dgml_to_dot(dgml_file, dot_file):
    # Process edges
    for edge in root.find("{http://schemas.microsoft.com/vs/2009/dgml}Links"):
        att = edge.attrib
+        edge_label = att.get("Label", "")
+        edge_label = edge_label.replace("/", "\\/")
+        edge_label = edge_label.replace("\"", "\\\"")
        edge_s = 'nd_{} -> nd_{} [label="{}"];'.format(
-            att["Source"], att["Target"], att.get("Label", ""))
+            att["Source"], att["Target"], edge_label)
        body_l.append(edge_s)

    body_l.append("}")
@@ -81,6 +87,7 @@ def main():
    parser.add_argument("-c", "--codeql", required=True, help="Path to CodeQL CLI executable.")
    parser.add_argument("-d", "--database", required=True, help="Path to the CodeQL database.")
    parser.add_argument("-q", "--query", required=True, help="Path to the .ql query file.")
+    parser.add_argument("--queryid", required=True, help="Query ID for the analysis.")
    parser.add_argument("-o", "--output", required=True, help="Output directory for analysis results.")
    
    args = parser.parse_args()
@@ -89,7 +96,13 @@ def main():
    run_codeql_analysis(args.codeql, args.database, args.query, args.output)

    # Locate DGML file
-    dgml_file = os.path.join(args.output, "cbomgraph.dgml")
+    ALLOWED_QUERY_ID = re.compile(r'^[a-zA-Z0-9_\-]+$')
+
+    if not ALLOWED_QUERY_ID.match(args.queryid):
+        print("Invalid query_id provided: '%s'. Allowed characters: letters, digits, '_', and '-'.", args.queryid)
+        sys.exit(1)
+
+    dgml_file = os.path.join(args.output, "java", '{}.dgml'.format(args.queryid))
    dot_file = dgml_file.replace(".dgml", ".dot")

    if os.path.exists(dgml_file):