hohn/sarif-cli
1
0
Fork 0
mirror of https://github.com/hohn/sarif-cli.git synced 2025-12-16 09:13:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove repls; add scripts/test-vcp.sh

Browse Source
This commit is contained in:
Michael Hohn
2023-07-13 16:03:01 -07:00
committed by =Michael Hohn
parent f1a70dd023
commit c299321ab8
5 changed files with 294 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

246
data/codeql-dataflow-sql-injection/sqlidb-0.sarif Normal file
View File

@@ -0,0 +1,246 @@
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "CodeQL",
"organization": "GitHub",
"semanticVersion": "2.9.4",
"rules": [
{
"id": "cpp/SQLIVulnerable",
"name": "cpp/SQLIVulnerable",
"shortDescription": {
"text": "SQLI Vulnerability"
},
"fullDescription": {
"text": "Using untrusted strings in a sql query allows sql injection attacks."
},
"defaultConfiguration": {
"enabled": true,
"level": "warning"
},
"properties": {
"description": "Using untrusted strings in a sql query allows sql injection attacks.",
"id": "cpp/SQLIVulnerable",
"kind": "path-problem",
"name": "SQLI Vulnerability",
"problem.severity": "warning"
}
}
]
},
"extensions": [
{
"name": "legacy-upgrades",
"semanticVersion": "0.0.0",
"locations": [
{
"uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.9.4/legacy-upgrades/",
"description": {
"text": "The QL pack root directory."
}
},
{
"uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.9.4/legacy-upgrades/qlpack.yml",
"description": {
"text": "The QL pack definition file."
}
}
]
},
{
"name": "sample/cpp-sql-injection",
"semanticVersion": "0.0.1",
"locations": [
{
"uri": "file:///Users/hohn/local/sarif-cli/data/codeql-dataflow-sql-injection/",
"description": {
"text": "The QL pack root directory."
}
},
{
"uri": "file:///Users/hohn/local/sarif-cli/data/codeql-dataflow-sql-injection/qlpack.yml",
"description": {
"text": "The QL pack definition file."
}
}
]
}
]
},
"artifacts": [
{
"location": {
"uri": "add-user.c",
"uriBaseId": "%SRCROOT%",
"index": 0
}
}
],
"results": [
{
"ruleId": "cpp/SQLIVulnerable",
"ruleIndex": 0,
"rule": {
"id": "cpp/SQLIVulnerable",
"index": 0
},
"message": {
"text": "Possible SQL injection"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "add-user.c",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 84,
"startColumn": 27,
"endColumn": 32
}
}
}
],
"partialFingerprints": {
"primaryLocationLineHash": "9a8bc91bbc363391:1",
"primaryLocationStartColumnFingerprint": "22"
},
"codeFlows": [
{
"threadFlows": [
{
"locations": [
{
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "add-user.c",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 52,
"startColumn": 32,
"endColumn": 35
}
},
"message": {
"text": "ref arg buf"
}
}
},
{
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "add-user.c",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 60,
"startColumn": 12,
"endColumn": 15
}
},
"message": {
"text": "buf"
}
}
},
{
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "add-user.c",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 93,
"startColumn": 12,
"endColumn": 25
}
},
"message": {
"text": "call to get_user_info"
}
}
},
{
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "add-user.c",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 95,
"startColumn": 20,
"endColumn": 24
}
},
"message": {
"text": "info"
}
}
},
{
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "add-user.c",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 68,
"startColumn": 31,
"endColumn": 35
}
},
"message": {
"text": "info"
}
}
},
{
"location": {
"physicalLocation": {
"artifactLocation": {
"uri": "add-user.c",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 84,
"startColumn": 27,
"endColumn": 32
}
},
"message": {
"text": "query"
}
}
}
]
}
]
}
]
}
],
"columnKind": "utf16CodeUnits",
"properties": {
"semmle.formatSpecifier": "sarif-latest"
}
}
]
}

3
sarif_cli/scan_tables.py
View File

@@ -105,9 +105,6 @@ def joins_for_projects(basetables, external_info):
# Force all column types to ensure appropriate formatting
res1 = res.astype(ScanTablesTypes.projects).reset_index(drop=True)
# XX: automationDetails?
import IPython
IPython.embed(header="spot 11")
#
return res1

4
sarif_cli/signature.py
View File

@@ -257,10 +257,6 @@ def fillsig_dict(args, elem, context):
if 'results' in elem.keys() and not 'automationDetails' in elem.keys():
#want this to be blank if not present- ie no submodule info added/no sarif-category used
full_elem['automationDetails'] = {'id' : "no-value-for-ad"}
# XX: automationDetails?
import IPython
IPython.embed(header="spot 2")
#
if {'locations', 'message', 'partialFingerprints', 'ruleId',
'ruleIndex'}.issubset(elem.keys()):

4
sarif_cli/table_joins_CLI.py
View File

@@ -336,10 +336,6 @@ def joins_for_project_single(tgraph):
.drop(columns=['automationDetails', 'struct_id'])
.rename(columns={"id": "automationDetails"}))
#
# XX: automationDetails?
import IPython
IPython.embed(header="spot 3")
#
#newlines there or not - handle
if 'newlineSequences' in project_df_temp1:
project_df_temp2 = project_df_temp1.drop(columns=['newlineSequences'])

48
scripts/test-vcp.sh Normal file
View File

@@ -0,0 +1,48 @@
#
# The automationDetails.id entry is produced by CodeQL when using the
# =--sarif-category= flag.
#
# This is a simple end-to-end test to ensure it appears after CSV conversion.
#
#* Two databases, one with and one without
# --sarif-category mast-issue
cd ~/local/sarif-cli/data/codeql-dataflow-sql-injection
ls -la sqlidb-0.sarif sqlidb-1.sarif
grep -A2 automationDetails sqlidb-0.sarif sqlidb-1.sarif
source ~/local/sarif-cli/.venv/bin/activate
function get-csv() {
#* Insert versionControlProvenance
sarif-insert-vcp $1.sarif > $1.1.sarif
#* Get CSV.
cd ~/local/sarif-cli/data/codeql-dataflow-sql-injection
sarif-extract-scans-runner --input-signature CLI - > /dev/null <<EOF
$1.1.sarif
EOF
#* List CSV messages
cd ~/local/sarif-cli/data/codeql-dataflow-sql-injection
head -4 $1.1.sarif.csv
#* List CSV output
ls -la $1.1*
find $1.1.sarif.scantables -print
}
cd ~/local/sarif-cli/data/codeql-dataflow-sql-injection
get-csv sqlidb-0
get-csv sqlidb-1
function check-flag() {
#* Look for the flag value
ag -C1 mast-issue ${1}
#* Look for the flag label
ag -C1 automationDetails ${1}
}
#* Flag should be absent. csv has undefined value.
check-flag 'sqlidb-0*'
#* Flag should be present
check-flag 'sqlidb-1.1*'