From d386e5da450df514b6669b8254248ae01cd35bcb Mon Sep 17 00:00:00 2001 From: Michael Hohn Date: Wed, 26 Jul 2023 13:47:58 -0700 Subject: [PATCH] Add tests for 2.14.0; include versioned SARIF and CSV files in the repository --- build-multiple-codeql-versions.sh | 6 +- .../sqlidb-v2.12.7-1.sarif | 255 +++++++++++++++ .../sqlidb-v2.12.7-1.sarif.csv | 3 + .../sqlidb-v2.13.5-1.sarif | 309 ++++++++++++++++++ .../sqlidb-v2.13.5-1.sarif.csv | 3 + .../sqlidb-v2.14.0-1.sarif | 309 ++++++++++++++++++ .../sqlidb-v2.14.0-1.sarif.csv | 3 + .../sqlidb-v2.9.4-1.sarif | 255 +++++++++++++++ .../sqlidb-v2.9.4-1.sarif.csv | 3 + 9 files changed, 1145 insertions(+), 1 deletion(-) create mode 100644 data/codeql-dataflow-sql-injection/sqlidb-v2.12.7-1.sarif create mode 100644 data/codeql-dataflow-sql-injection/sqlidb-v2.12.7-1.sarif.csv create mode 100644 data/codeql-dataflow-sql-injection/sqlidb-v2.13.5-1.sarif create mode 100644 data/codeql-dataflow-sql-injection/sqlidb-v2.13.5-1.sarif.csv create mode 100644 data/codeql-dataflow-sql-injection/sqlidb-v2.14.0-1.sarif create mode 100644 data/codeql-dataflow-sql-injection/sqlidb-v2.14.0-1.sarif.csv create mode 100644 data/codeql-dataflow-sql-injection/sqlidb-v2.9.4-1.sarif create mode 100644 data/codeql-dataflow-sql-injection/sqlidb-v2.9.4-1.sarif.csv diff --git a/build-multiple-codeql-versions.sh b/build-multiple-codeql-versions.sh index aeec21e..96f974c 100644 --- a/build-multiple-codeql-versions.sh +++ b/build-multiple-codeql-versions.sh @@ -2,6 +2,8 @@ #* Following are the steps needed to build a codeql db using different versions of # the codeql cli # +# Some files from prior runs are found in ./data/codeql-dataflow-sql-injection/ +# echo '$0: Interactive use only' exit 1 @@ -35,6 +37,7 @@ v2.9.4 CLI_VERSION=v2.9.4 CLI_VERSION=v2.12.7 CLI_VERSION=v2.13.5 +CLI_VERSION=v2.14.0 gh codeql set-version $CLI_VERSION #* Build vanilla DB 
@@ -60,6 +63,7 @@ codeql pack init codeql-dataflow-sql-injection cp -f dataflow-sql-injection/qlpack.yml codeql-dataflow-sql-injection/ # Add correct library dependency codeql pack add --dir=codeql-dataflow-sql-injection codeql/cpp-all@"$(codeql-complib cpp)" +cat codeql-dataflow-sql-injection/qlpack.yml #* Install packs cd ~/local/sarif-cli/codeql-dataflow-sql-injection @@ -82,7 +86,7 @@ codeql database analyze \ # Verify cli version in SARIF output SAVER=`jq -r '.runs |.[] |.tool.driver.semanticVersion ' sqlidb-$CLI_VERSION.sarif` -echo $SAVER +printf "db %s\ncli %s\n" $SAVER $CLI_VERSION if [ v$SAVER != $CLI_VERSION ] ; then echo "---: codeql version inconsistency" diff --git a/data/codeql-dataflow-sql-injection/sqlidb-v2.12.7-1.sarif b/data/codeql-dataflow-sql-injection/sqlidb-v2.12.7-1.sarif new file mode 100644 index 0000000..bbb6a94 --- /dev/null +++ b/data/codeql-dataflow-sql-injection/sqlidb-v2.12.7-1.sarif 
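Review bot: The added `cat codeql-dataflow-sql-injection/qlpack.yml` carries no comment saying what the reader is meant to verify in the output, and in a script that is written as a step-by-step recipe that intent is the useful part. A one-line note above it such as `# Show qlpack.yml after 'codeql pack add' to confirm the cpp-all dependency line was written` would make the purpose explicit. The surrounding pack-setup steps continue outside the hunk.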
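Review bot: The new `printf "db %s\ncli %s\n" $SAVER $CLI_VERSION` leaves both expansions unquoted, so the output depends on the shape of what jq returns: an empty `$SAVER` shifts `$CLI_VERSION` into the `db` slot, and a SARIF with more than one entry in `.runs` (the filter is `.runs | .[]`) yields a multi-line value that word-splits into extra arguments and makes printf re-apply the format, printing misleading db/cli pairs instead of exposing the mismatch. Quote both operands: `printf 'db %s\ncli %s\n' "$SAVER" "$CLI_VERSION"`. The context line `if [ v$SAVER != $CLI_VERSION ] ; then` has the same exposure and would hit a `[` syntax error on a multi-word value, so `"v$SAVER" != "$CLI_VERSION"` would keep the version-consistency check meaningful in the same cases. The `if` block is cut off by the hunk end.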
@@ -0,0 +1,255 @@ +{ + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.12.7", + "rules": [ + { + "id": "cpp/SQLIVulnerable", + "name": "cpp/SQLIVulnerable", + "shortDescription": { + "text": "SQLI Vulnerability" + }, + "fullDescription": { + "text": "Using untrusted strings in a sql query allows sql injection attacks." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "properties": { + "description": "Using untrusted strings in a sql query allows sql injection attacks.", + "id": "cpp/SQLIVulnerable", + "kind": "path-problem", + "name": "SQLI Vulnerability", + "problem.severity": "warning" + } + } + ] + }, + "extensions": [ + { + "name": "legacy-upgrades", + "semanticVersion": "0.0.0", + "locations": [ + { + "uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.12.7/legacy-upgrades/", + "description": { + "text": "The QL pack root directory." + } + }, + { + "uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.12.7/legacy-upgrades/qlpack.yml", + "description": { + "text": "The QL pack definition file." + } + } + ] + }, + { + "name": "codeql-dataflow-sql-injection", + "semanticVersion": "0.0.1", + "locations": [ + { + "uri": "file:///Users/hohn/local/sarif-cli/codeql-dataflow-sql-injection/", + "description": { + "text": "The QL pack root directory." + } + }, + { + "uri": "file:///Users/hohn/local/sarif-cli/codeql-dataflow-sql-injection/qlpack.yml", + "description": { + "text": "The QL pack definition file." 
+ } + } + ] + } + ] + }, + "artifacts": [ + { + "location": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + ], + "results": [ + { + "ruleId": "cpp/SQLIVulnerable", + "ruleIndex": 0, + "rule": { + "id": "cpp/SQLIVulnerable", + "index": 0 + }, + "message": { + "text": "Possible SQL injection" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 84, + "startColumn": 27, + "endColumn": 32 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "9a8bc91bbc363391:1", + "primaryLocationStartColumnFingerprint": "22" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 52, + "startColumn": 32, + "endColumn": 35 + } + }, + "message": { + "text": "ref arg buf" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 60, + "startColumn": 12, + "endColumn": 15 + } + }, + "message": { + "text": "buf" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 93, + "startColumn": 12, + "endColumn": 25 + } + }, + "message": { + "text": "call to get_user_info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 95, + "startColumn": 20, + "endColumn": 24 + } + }, + "message": { + "text": "info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 68, + 
"startColumn": 31, + "endColumn": 35 + } + }, + "message": { + "text": "info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 84, + "startColumn": 27, + "endColumn": 32 + } + }, + "message": { + "text": "query" + } + } + } + ] + } + ] + } + ] + } + ], + "automationDetails": { + "id": "santa-chap/" + }, + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarif-latest" + }, + "versionControlProvenance": [ + { + "repositoryUri": "vcp-no-uri", + "revisionId": "vcp-no-revid" + } + ] + } + ] +} diff --git a/data/codeql-dataflow-sql-injection/sqlidb-v2.12.7-1.sarif.csv b/data/codeql-dataflow-sql-injection/sqlidb-v2.12.7-1.sarif.csv new file mode 100644 index 0000000..7f79aff --- /dev/null +++ b/data/codeql-dataflow-sql-injection/sqlidb-v2.12.7-1.sarif.csv @@ -0,0 +1,3 @@ +sarif_file,level,levelcode,message,extra_info +sqlidb-v2.12.7-1.sarif,WARNING,4,Input sarif contains extra unneccesary properties.,"Extra properties: type fields: ['description', 'kind', 'precision', 'problem.severity', 'security-severity', 'sub-severity', 'tags', 'uri']" +sqlidb-v2.12.7-1.sarif,SUCCESS,0,File successfully processed., diff --git a/data/codeql-dataflow-sql-injection/sqlidb-v2.13.5-1.sarif b/data/codeql-dataflow-sql-injection/sqlidb-v2.13.5-1.sarif new file mode 100644 index 0000000..9b3a99a --- /dev/null +++ b/data/codeql-dataflow-sql-injection/sqlidb-v2.13.5-1.sarif 
@@ -0,0 +1,309 @@ +{ + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.13.5", + "notifications": [ + { + "id": "cpp/baseline/expected-extracted-files", + "name": "cpp/baseline/expected-extracted-files", + "shortDescription": { + "text": "Expected extracted files" + }, + "fullDescription": { + "text": "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration": { + "enabled": true + }, + "properties": { + "tags": [ + "expected-extracted-files", + "telemetry" + ] + } + } + ], + "rules": [ + { + "id": "cpp/SQLIVulnerable", + "name": "cpp/SQLIVulnerable", + "shortDescription": { + "text": "SQLI Vulnerability" + }, + "fullDescription": { + "text": "Using untrusted strings in a sql query allows sql injection attacks." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "properties": { + "description": "Using untrusted strings in a sql query allows sql injection attacks.", + "id": "cpp/SQLIVulnerable", + "kind": "path-problem", + "name": "SQLI Vulnerability", + "problem.severity": "warning" + } + } + ] + }, + "extensions": [ + { + "name": "legacy-upgrades", + "semanticVersion": "0.0.0", + "locations": [ + { + "uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.13.5/legacy-upgrades/", + "description": { + "text": "The QL pack root directory." + } + }, + { + "uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.13.5/legacy-upgrades/qlpack.yml", + "description": { + "text": "The QL pack definition file." + } + } + ] + }, + { + "name": "codeql-dataflow-sql-injection", + "semanticVersion": "0.0.1", + "locations": [ + { + "uri": "file:///Users/hohn/local/sarif-cli/codeql-dataflow-sql-injection/", + "description": { + "text": "The QL pack root directory." 
+ } + }, + { + "uri": "file:///Users/hohn/local/sarif-cli/codeql-dataflow-sql-injection/qlpack.yml", + "description": { + "text": "The QL pack definition file." + } + } + ] + } + ] + }, + "invocations": [ + { + "toolExecutionNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + } + ], + "executionSuccessful": true + } + ], + "artifacts": [ + { + "location": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + ], + "results": [ + { + "ruleId": "cpp/SQLIVulnerable", + "ruleIndex": 0, + "rule": { + "id": "cpp/SQLIVulnerable", + "index": 0 + }, + "message": { + "text": "Possible SQL injection" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 84, + "startColumn": 27, + "endColumn": 32 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "9a8bc91bbc363391:1", + "primaryLocationStartColumnFingerprint": "22" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 52, + "startColumn": 32, + "endColumn": 35 + } + }, + "message": { + "text": "ref arg buf" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 60, + "startColumn": 12, + "endColumn": 15 + } + }, + "message": { + "text": "buf" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + 
"uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 93, + "startColumn": 12, + "endColumn": 25 + } + }, + "message": { + "text": "call to get_user_info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 95, + "startColumn": 20, + "endColumn": 24 + } + }, + "message": { + "text": "info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 68, + "startColumn": 31, + "endColumn": 35 + } + }, + "message": { + "text": "info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 84, + "startColumn": 27, + "endColumn": 32 + } + }, + "message": { + "text": "query" + } + } + } + ] + } + ] + } + ] + } + ], + "automationDetails": { + "id": "santa-chap/" + }, + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarif-latest" + }, + "versionControlProvenance": [ + { + "repositoryUri": "vcp-no-uri", + "revisionId": "vcp-no-revid" + } + ] + } + ] +} diff --git a/data/codeql-dataflow-sql-injection/sqlidb-v2.13.5-1.sarif.csv b/data/codeql-dataflow-sql-injection/sqlidb-v2.13.5-1.sarif.csv new file mode 100644 index 0000000..72e53f8 --- /dev/null +++ b/data/codeql-dataflow-sql-injection/sqlidb-v2.13.5-1.sarif.csv 
@@ -0,0 +1,3 @@ +sarif_file,level,levelcode,message,extra_info +sqlidb-v2.13.5-1.sarif,WARNING,4,Input sarif contains extra unneccesary properties.,"Extra properties: type fields: ['artifacts', 'automationDetails', 'columnKind', 'invocations', 'newlineSequences', 'properties', 'results', 'tool', 'versionControlProvenance']type fields: ['name', 'notifications', 'organization', 'rules', 'semanticVersion']type fields: ['description', 'kind', 'precision', 'problem.severity', 'security-severity', 'sub-severity', 'tags', 'uri']" +sqlidb-v2.13.5-1.sarif,SUCCESS,0,File successfully processed., diff --git a/data/codeql-dataflow-sql-injection/sqlidb-v2.14.0-1.sarif b/data/codeql-dataflow-sql-injection/sqlidb-v2.14.0-1.sarif new file mode 100644 index 0000000..bf3dafe --- /dev/null +++ b/data/codeql-dataflow-sql-injection/sqlidb-v2.14.0-1.sarif 
@@ -0,0 +1,309 @@ +{ + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.14.0", + "notifications": [ + { + "id": "cpp/baseline/expected-extracted-files", + "name": "cpp/baseline/expected-extracted-files", + "shortDescription": { + "text": "Expected extracted files" + }, + "fullDescription": { + "text": "Files appearing in the source archive that are expected to be extracted." + }, + "defaultConfiguration": { + "enabled": true + }, + "properties": { + "tags": [ + "expected-extracted-files", + "telemetry" + ] + } + } + ], + "rules": [ + { + "id": "cpp/SQLIVulnerable", + "name": "cpp/SQLIVulnerable", + "shortDescription": { + "text": "SQLI Vulnerability" + }, + "fullDescription": { + "text": "Using untrusted strings in a sql query allows sql injection attacks." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "properties": { + "description": "Using untrusted strings in a sql query allows sql injection attacks.", + "id": "cpp/SQLIVulnerable", + "kind": "path-problem", + "name": "SQLI Vulnerability", + "problem.severity": "warning" + } + } + ] + }, + "extensions": [ + { + "name": "legacy-upgrades", + "semanticVersion": "0.0.0", + "locations": [ + { + "uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.14.0/legacy-upgrades/", + "description": { + "text": "The QL pack root directory." + } + }, + { + "uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.14.0/legacy-upgrades/qlpack.yml", + "description": { + "text": "The QL pack definition file." + } + } + ] + }, + { + "name": "codeql-dataflow-sql-injection", + "semanticVersion": "0.0.1", + "locations": [ + { + "uri": "file:///Users/hohn/local/sarif-cli/codeql-dataflow-sql-injection/", + "description": { + "text": "The QL pack root directory." 
+ } + }, + { + "uri": "file:///Users/hohn/local/sarif-cli/codeql-dataflow-sql-injection/qlpack.yml", + "description": { + "text": "The QL pack definition file." + } + } + ] + } + ] + }, + "invocations": [ + { + "toolExecutionNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + } + ], + "message": { + "text": "" + }, + "level": "none", + "descriptor": { + "id": "cpp/baseline/expected-extracted-files", + "index": 0 + }, + "properties": { + "formattedMessage": { + "text": "" + } + } + } + ], + "executionSuccessful": true + } + ], + "artifacts": [ + { + "location": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + ], + "results": [ + { + "ruleId": "cpp/SQLIVulnerable", + "ruleIndex": 0, + "rule": { + "id": "cpp/SQLIVulnerable", + "index": 0 + }, + "message": { + "text": "Possible SQL injection" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 84, + "startColumn": 27, + "endColumn": 32 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "9a8bc91bbc363391:1", + "primaryLocationStartColumnFingerprint": "22" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 52, + "startColumn": 32, + "endColumn": 35 + } + }, + "message": { + "text": "ref arg buf" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 60, + "startColumn": 12, + "endColumn": 15 + } + }, + "message": { + "text": "buf" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + 
"uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 93, + "startColumn": 12, + "endColumn": 25 + } + }, + "message": { + "text": "call to get_user_info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 95, + "startColumn": 20, + "endColumn": 24 + } + }, + "message": { + "text": "info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 68, + "startColumn": 31, + "endColumn": 35 + } + }, + "message": { + "text": "info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 84, + "startColumn": 27, + "endColumn": 32 + } + }, + "message": { + "text": "query" + } + } + } + ] + } + ] + } + ] + } + ], + "automationDetails": { + "id": "santa-chap/" + }, + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarif-latest" + }, + "versionControlProvenance": [ + { + "repositoryUri": "vcp-no-uri", + "revisionId": "vcp-no-revid" + } + ] + } + ] +} diff --git a/data/codeql-dataflow-sql-injection/sqlidb-v2.14.0-1.sarif.csv b/data/codeql-dataflow-sql-injection/sqlidb-v2.14.0-1.sarif.csv new file mode 100644 index 0000000..44cb5f2 --- /dev/null +++ b/data/codeql-dataflow-sql-injection/sqlidb-v2.14.0-1.sarif.csv 
@@ -0,0 +1,3 @@ +sarif_file,level,levelcode,message,extra_info +sqlidb-v2.14.0-1.sarif,WARNING,4,Input sarif contains extra unneccesary properties.,"Extra properties: type fields: ['artifacts', 'automationDetails', 'columnKind', 'invocations', 'newlineSequences', 'properties', 'results', 'tool', 'versionControlProvenance']type fields: ['name', 'notifications', 'organization', 'rules', 'semanticVersion']type fields: ['description', 'kind', 'precision', 'problem.severity', 'security-severity', 'sub-severity', 'tags', 'uri']" +sqlidb-v2.14.0-1.sarif,SUCCESS,0,File successfully processed., diff --git a/data/codeql-dataflow-sql-injection/sqlidb-v2.9.4-1.sarif b/data/codeql-dataflow-sql-injection/sqlidb-v2.9.4-1.sarif new file mode 100644 index 0000000..3cdbc7b --- /dev/null +++ b/data/codeql-dataflow-sql-injection/sqlidb-v2.9.4-1.sarif 
@@ -0,0 +1,255 @@ +{ + "$schema": "https://json.schemastore.org/sarif-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL", + "organization": "GitHub", + "semanticVersion": "2.9.4", + "rules": [ + { + "id": "cpp/SQLIVulnerable", + "name": "cpp/SQLIVulnerable", + "shortDescription": { + "text": "SQLI Vulnerability" + }, + "fullDescription": { + "text": "Using untrusted strings in a sql query allows sql injection attacks." + }, + "defaultConfiguration": { + "enabled": true, + "level": "warning" + }, + "properties": { + "description": "Using untrusted strings in a sql query allows sql injection attacks.", + "id": "cpp/SQLIVulnerable", + "kind": "path-problem", + "name": "SQLI Vulnerability", + "problem.severity": "warning" + } + } + ] + }, + "extensions": [ + { + "name": "legacy-upgrades", + "semanticVersion": "0.0.0", + "locations": [ + { + "uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.9.4/legacy-upgrades/", + "description": { + "text": "The QL pack root directory." + } + }, + { + "uri": "file:///Users/hohn/.local/share/gh/extensions/gh-codeql/dist/release/v2.9.4/legacy-upgrades/qlpack.yml", + "description": { + "text": "The QL pack definition file." + } + } + ] + }, + { + "name": "sample/cpp-sql-injection", + "semanticVersion": "0.0.1", + "locations": [ + { + "uri": "file:///Users/hohn/local/sarif-cli/codeql-dataflow-sql-injection/", + "description": { + "text": "The QL pack root directory." + } + }, + { + "uri": "file:///Users/hohn/local/sarif-cli/codeql-dataflow-sql-injection/qlpack.yml", + "description": { + "text": "The QL pack definition file." 
+ } + } + ] + } + ] + }, + "artifacts": [ + { + "location": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + } + } + ], + "results": [ + { + "ruleId": "cpp/SQLIVulnerable", + "ruleIndex": 0, + "rule": { + "id": "cpp/SQLIVulnerable", + "index": 0 + }, + "message": { + "text": "Possible SQL injection" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 84, + "startColumn": 27, + "endColumn": 32 + } + } + } + ], + "partialFingerprints": { + "primaryLocationLineHash": "9a8bc91bbc363391:1", + "primaryLocationStartColumnFingerprint": "22" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 52, + "startColumn": 32, + "endColumn": 35 + } + }, + "message": { + "text": "ref arg buf" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 60, + "startColumn": 12, + "endColumn": 15 + } + }, + "message": { + "text": "buf" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 93, + "startColumn": 12, + "endColumn": 25 + } + }, + "message": { + "text": "call to get_user_info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 95, + "startColumn": 20, + "endColumn": 24 + } + }, + "message": { + "text": "info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 68, + 
"startColumn": 31, + "endColumn": 35 + } + }, + "message": { + "text": "info" + } + } + }, + { + "location": { + "physicalLocation": { + "artifactLocation": { + "uri": "add-user.c", + "uriBaseId": "%SRCROOT%", + "index": 0 + }, + "region": { + "startLine": 84, + "startColumn": 27, + "endColumn": 32 + } + }, + "message": { + "text": "query" + } + } + } + ] + } + ] + } + ] + } + ], + "automationDetails": { + "id": "santa-chap/" + }, + "columnKind": "utf16CodeUnits", + "properties": { + "semmle.formatSpecifier": "sarif-latest" + }, + "versionControlProvenance": [ + { + "repositoryUri": "vcp-no-uri", + "revisionId": "vcp-no-revid" + } + ] + } + ] +} diff --git a/data/codeql-dataflow-sql-injection/sqlidb-v2.9.4-1.sarif.csv b/data/codeql-dataflow-sql-injection/sqlidb-v2.9.4-1.sarif.csv new file mode 100644 index 0000000..a0e81ad --- /dev/null +++ b/data/codeql-dataflow-sql-injection/sqlidb-v2.9.4-1.sarif.csv @@ -0,0 +1,3 @@ +sarif_file,level,levelcode,message,extra_info +sqlidb-v2.9.4-1.sarif,WARNING,4,Input sarif contains extra unneccesary properties.,"Extra properties: type fields: ['description', 'kind', 'precision', 'problem.severity', 'security-severity', 'sub-severity', 'tags', 'uri']" +sqlidb-v2.9.4-1.sarif,SUCCESS,0,File successfully processed.,