hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Ql4Ql: Re-factor the ql/mising-security-metadata query.

Browse Source
This commit is contained in:
Michael Nebel
2025-06-30 14:12:36 +02:00
parent 552e156468
commit cce17743bb
3 changed files with 40 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
ql/ql/src/codeql_ql/ast/Ast.qll
View File

@@ -202,25 +202,43 @@ class QueryDoc extends QLDoc {
override string getAPrimaryQlClass() { result = "QueryDoc" } override string getAPrimaryQlClass() { result = "QueryDoc" }
/** Gets the @kind for the query */ /** Gets the @kind for the query. */
string getQueryKind() { string getQueryKind() {
result = this.getContents().regexpCapture("(?s).*@kind ([\\w-]+)\\s.*", 1) result = this.getContents().regexpCapture("(?s).*@kind ([\\w-]+)\\s.*", 1)
} }
/** Gets the @name for the query */ /** Gets the @name for the query. */
string getQueryName() { string getQueryName() {
result = this.getContents().regexpCapture("(?s).*@name (.+?)(?=\\n).*", 1) result = this.getContents().regexpCapture("(?s).*@name (.+?)(?=\\n).*", 1)
} }
/** Gets the id part (without language) of the @id */ /** Gets the id part (without language) of the @id. */
string getQueryId() { string getQueryId() {
result = this.getContents().regexpCapture("(?s).*@id (\\w+)/([\\w\\-/]+)\\s.*", 2) result = this.getContents().regexpCapture("(?s).*@id (\\w+)/([\\w\\-/]+)\\s.*", 2)
} }
/** Gets the language of the @id */ /** Gets the language of the @id. */
string getQueryLanguage() { string getQueryLanguage() {
result = this.getContents().regexpCapture("(?s).*@id (\\w+)/([\\w\\-/]+)\\s.*", 1) result = this.getContents().regexpCapture("(?s).*@id (\\w+)/([\\w\\-/]+)\\s.*", 1)
} }
/** Gets the @precision for the query. */
string getQueryPrecision() {
result = this.getContents().regexpCapture("(?s).*@precision ([\\w\\-]+)\\s.*", 1)
}
/** Gets the @security-severity for the query. */
string getQuerySecuritySeverity() {
result = this.getContents().regexpCapture("(?s).*@security\\-severity ([\\d\\.]+)\\s.*", 1)
}
/** Gets the individual @tags for the query. */
string getQueryTags() {
exists(string tags | tags = this.getContents().regexpCapture("(?s).*@tags ([^@]+)", 1) |
result = tags.splitAt("*").trim() and
result.regexpMatch("[\\w\\s\\-]+")
)
}
} }
class BlockComment extends TBlockComment, Comment { class BlockComment extends TBlockComment, Comment {

49
ql/ql/src/queries/style/MissingSecurityMetadata.ql
View File

@@ -10,45 +10,30 @@
import ql import ql
predicate missingSecuritySeverity(QLDoc doc) { private predicate unInterestingLocation(File f) {
exists(string s | s = doc.getContents() | f.getRelativePath().matches("%/" + ["experimental", "examples", "test"] + "/%")
exists(string securityTag | securityTag = s.splitAt("@") |
securityTag.matches("tags%security%")
) and
exists(string precisionTag | precisionTag = s.splitAt("@") |
precisionTag.matches("precision %")
) and
not exists(string securitySeverity | securitySeverity = s.splitAt("@") |
securitySeverity.matches("security-severity %")
)
)
} }
predicate missingSecurityTag(QLDoc doc) { predicate missingSecuritySeverity(QueryDoc doc) {
exists(string s | s = doc.getContents() | doc.getQueryTags() = "security" and
exists(string securitySeverity | securitySeverity = s.splitAt("@") | exists(doc.getQueryPrecision()) and
securitySeverity.matches("security-severity %") not exists(doc.getQuerySecuritySeverity())
) and
exists(string precisionTag | precisionTag = s.splitAt("@") |
precisionTag.matches("precision %")
) and
not exists(string securityTag | securityTag = s.splitAt("@") |
securityTag.matches("tags%security%")
)
)
} }
from TopLevel t, string msg predicate missingSecurityTag(QueryDoc doc) {
exists(doc.getQuerySecuritySeverity()) and
exists(doc.getQueryPrecision()) and
not doc.getQueryTags() = "security"
}
from TopLevel t, QueryDoc doc, string msg
where where
t.getLocation().getFile().getBaseName().matches("%.ql") and doc = t.getQLDoc() and
not t.getLocation() not unInterestingLocation(t.getLocation().getFile()) and
.getFile()
.getRelativePath()
.matches("%/" + ["experimental", "examples", "test"] + "/%") and
( (
missingSecuritySeverity(t.getQLDoc()) and missingSecuritySeverity(doc) and
msg = "This query file is missing a `@security-severity` tag." msg = "This query file is missing a `@security-severity` tag."
or or
missingSecurityTag(t.getQLDoc()) and msg = "This query file is missing a `@tag security`." missingSecurityTag(doc) and msg = "This query file is missing a `@tags security`."
) )
select t, msg select t, msg

2
ql/ql/test/queries/style/MissingSecurityMetadata/MissingSecurityMetadata.expected
View File

@@ -1,2 +1,2 @@
| testcases/BadNoSecurity.ql:1:1:16:9 | TopLevel | This query file is missing a `@tag security`. | | testcases/BadNoSecurity.ql:1:1:16:9 | TopLevel | This query file is missing a `@tags security`. |
| testcases/BadNoSeverity.ql:1:1:16:9 | TopLevel | This query file is missing a `@security-severity` tag. | | testcases/BadNoSeverity.ql:1:1:16:9 | TopLevel | This query file is missing a `@security-severity` tag. |