WIP: debug missing field propagation for automationDetails.id

Create SARIF files with and without automationDetails.id for examination.

data/build-multiple-sarifs.sh

@@ -0,0 +1,120 @@
+#
+#* Following are the steps needed to build a codeql db and various SARIF analyses.
+# 
+echo '$0: Interactive use only'
+exit 1
+
+#* Where are we?
+codeql --version 
+
+#* Get repo 
+git clone git@github.com:hohn/codeql-dataflow-sql-injection.git
+cd codeql-dataflow-sql-injection/
+
+#* Build vanilla DB
+cd ~/local/sarif-cli/data/codeql-dataflow-sql-injection
+rm -fR sqlidb
+codeql database create --language=cpp -s . -j 8 -v sqlidb --command='./build.sh'
+ls sqlidb
+
+
+#* Pack compatibility with CLI
+#  Note workaround to avoid using --additional-packs
+function codeql-complib() {
+    if [ -z "$1" ]; then
+        echo "Usage: codeql-complib <language>"
+        return 1
+    fi
+    curl --silent https://raw.githubusercontent.com/github/codeql/codeql-cli/v$(codeql version --format=json | jq -r .version)/$1/ql/lib/qlpack.yml | grep version | cut -d':' -f2 | sed 's/^[ ]*//' 
+}
+
+: '
+0:$ codeql-complib cpp
+0.4.6
+
+Put the version into the qlpack:
+...
+dependencies:
+    codeql/cpp-all: ^0.4.6
+...
+
+Then
+    codeql pack install
+followed by
+    codeql database analyze 
+without 
+       --additional-packs $HOME/local/codeql-v2.11.6/   \
+
+
+Or create the qlpack file using commands:
+    codeql pack init foo
+    codeql pack add --dir=foo codeql/cpp-all@"$(codeql-complib cpp)"
+
+'
+
+#* Install packs
+cd ~/local/sarif-cli/data/codeql-dataflow-sql-injection
+rm -f *lock*
+codeql pack install
+
+#* Run the analyze command's plain version
+cd ~/local/sarif-cli/data/codeql-dataflow-sql-injection
+
+# Note workaround for using --additional-packs
+if false
+then
+   source ../scripts/grab.sh
+   grab v2.11.6 osx64 $HOME/local
+
+   codeql database analyze                                 \
+          -v                                               \
+          --ram=14000                                      \
+          -j12                                             \
+          --rerun                                          \
+          --format=sarif-latest                            \
+          --additional-packs $HOME/local/codeql-v2.11.6/   \
+          --output sqlidb-0.sarif                          \
+          --                                               \
+          sqlidb                                           \
+          SqlInjection.ql
+fi
+
+codeql database analyze                                 \
+       -v                                               \
+       --ram=14000                                      \
+       -j12                                             \
+       --rerun                                          \
+       --format=sarif-latest                            \
+       --output sqlidb-0.sarif                          \
+       --                                               \
+       sqlidb                                           \
+       SqlInjection.ql
+
+# This field should not be there:
+grep automationDetails sqlidb-0.sarif
+
+#* Run the analyze command with options
+#  but don't rerun the analysis.  We just want another SARIF file.
+#  
+cd ~/local/sarif-cli/data/codeql-dataflow-sql-injection
+
+codeql database analyze                         \
+       -v                                       \
+       --sarif-category mast-issue \
+       --ram=14000                              \
+       -j12                                     \
+       --format=sarif-latest                    \
+       --output sqlidb-1.sarif                  \
+       --                                       \
+       sqlidb                                   \
+       SqlInjection.ql
+
+# Now it's present:
+grep -A2 automationDetails sqlidb-1.sarif
+
+: '
+    "automationDetails" : {
+      "id" : "mast-issue/"
+    },
+'
+

notes/README.org

@@ -4,6 +4,9 @@
 
   Think of it as staging for [[../docs]].
 
+  Short notes start as sections in this README.  They will be moved if separate
+  file make more sense.
+
 ** The typegraphs
    The type graph files are derived from a sarif input file, with various options
    controlling output.
@@ -27,3 +30,64 @@
      ../../../bin/sarif-to-dot -td -nuf results.sarif | dot -Tpdf > typegraph-tdnuf.pdf
 
    #+END_SRC
+
+** The automationDetails.id
+   The =automationDetails.id= entry is produced by CodeQL when using the
+   =--sarif-category= flag.
+
+   Using
+   #+BEGIN_SRC text
+     0:$ codeql --version
+     CodeQL command-line toolchain release 2.12.6.
+   #+END_SRC
+
+   and running
+   #+BEGIN_SRC sh
+     cd ../data/codeql-dataflow-sql-injection/ &&
+           sarif-extract-scans-runner - > /dev/null <<EOF
+     sqlidb-0.sarif
+     EOF
+   #+END_SRC
+
+   results in
+   #+BEGIN_SRC text
+     hohn@gh-hohn ~/local/sarif-cli
+     0:$ cat data/codeql-dataflow-sql-injection/sqlidb-0.sarif.csv
+     sarif_file,level,levelcode,message,extra_info
+     sqlidb-0.sarif,WARNING,2,Input sarif is missing neccesary properties.,"Missing: {'versionControlProvenance', 'newlineSequences'}, "
+   #+END_SRC
+
+   An older version is needed.
+
+   #+BEGIN_SRC sh
+     export GITHUB_TOKEN=...
+
+     gh codeql list-versions
+     gh codeql download v2.12.7
+     gh codeql download v2.11.6
+     gh codeql download v2.10.5
+     gh codeql download v2.9.4
+
+     gh codeql install-stub 
+
+     gh codeql set-version v2.11.6
+   #+END_SRC
+
+   Some hacking around qlpacks is required; see
+   [[../data/build-multiple-sarifs.sh]], Pack compatibility with CLI.
+
+   Using that, I get sarif files to examine:
+   #+BEGIN_SRC text
+     hohn@gh-hohn ~/local/sarif-cli/data/codeql-dataflow-sql-injection
+     0:$ ls -la sqlidb*.sarif
+     -rw-r--r-- 1 hohn staff 6.2K Jul 11 10:39 sqlidb-0.sarif
+     -rw-r--r-- 1 hohn staff 6.3K Jul 11 10:40 sqlidb-1.sarif
+   #+END_SRC
+   and only the second has the additional field:
+   #+BEGIN_SRC sh
+     0:$ grep -A2 automationDetails sqlidb*.sarif
+     sqlidb-1.sarif:    "automationDetails" : {
+     sqlidb-1.sarif-      "id" : "mast-issue/"
+     sqlidb-1.sarif-    },
+   #+END_SRC
+

scripts/grab.sh

@@ -0,0 +1,40 @@
+# Reference urls:
+# https://github.com/github/codeql-cli-binaries/releases/download/v2.8.0/codeql-linux64.zip
+# https://github.com/github/codeql/archive/refs/tags/codeql-cli/v2.8.0.zip
+#
+# grab -- retrieve and extract codeql cli and library
+# Usage: grab version url prefix
+grab() {
+    version=$1; shift
+    platform=$1; shift
+    prefix=$1; shift
+    mkdir -p $prefix/codeql-$version &&
+        cd $prefix/codeql-$version || return
+
+    # Get cli
+    wget "https://github.com/github/codeql-cli-binaries/releases/download/$version/codeql-$platform.zip"
+    # Get lib
+    wget "https://github.com/github/codeql/archive/refs/tags/codeql-cli/$version.zip"
+    # Fix attributes
+    if [ `uname` = Darwin ] ; then
+        xattr -c *.zip
+    fi
+    # Extract
+    unzip -q codeql-$platform.zip
+    unzip -q $version.zip
+    # Rename library directory for VS Code
+    mv codeql-codeql-cli-$version/ ql
+    # remove archives?
+    # rm codeql-$platform.zip
+    # rm $version.zip
+}
+
+# grab v2.7.6 osx64 $HOME/local
+# grab v2.8.3 osx64 $HOME/local
+# grab v2.8.4 osx64 $HOME/local
+
+# grab v2.6.3 linux64 /opt
+
+# grab v2.6.3 osx64 $HOME/local
+# grab v2.4.6 osx64 $HOME/local
+ 

scripts/table-tests.sh

@@ -40,3 +40,12 @@ EOF
   sarif-aggregate-scans -i1 test-sas-files aggregated.scantables 
   sarif-pad-aggregate aggregated.scantables aggregated.scantables.padded
 )
+
+#* Tests for the automationDetails flag
+#** Simple run
+# This requires the tool setup, [[file:~/local/sarif-cli/README.md::Tool Setup]]
+( cd ../data/codeql-dataflow-sql-injection/ &&
+      sarif-extract-scans-runner - > /dev/null <<EOF
+sqlidb-0.sarif
+EOF
+)