#!/bin/bash -e #* Following are the steps needed to build a codeql db using different versions of # the codeql cli. # # Some files from prior runs are found in ./data/codeql-dataflow-sql-injection/ # usage=" This script's purpose is to run the sarif-cli against SARIF files produced by different versions of the codeql cli. This script is intended for interactive use only. Take one block at a time, run it, and check results as you go. A (subset) of this script may be automated in the future. " echo "$0: Interactive use only" echo "$usage" exit 1 #* Use virtual environment. See README for setup. source ~/local/sarif-cli/.venv/bin/activate #* What can we use? gh codeql list-versions #* History open https://github.com/github/codeql-cli-binaries/blob/HEAD/CHANGELOG.md #* Get repo cd ~/local/sarif-cli git clone git@github.com:hohn/codeql-dataflow-sql-injection.git cd codeql-dataflow-sql-injection/ #* Choose v2.14.0 v2.13.5 v2.13.4 v2.13.3 v2.13.1 v2.13.0 v2.12.7 v2.12.6 v2.11.6 v2.10.5 v2.9.4 CLI_VERSION=v2.9.4 CLI_VERSION=v2.12.7 CLI_VERSION=v2.13.5 CLI_VERSION=v2.14.0 gh codeql set-version $CLI_VERSION #* Build vanilla DB cd ~/local/sarif-cli/codeql-dataflow-sql-injection rm -fR sqlidb codeql database create --language=cpp -s . -j 8 -v sqlidb --command='./build.sh' cp -r sqlidb sqlidb-$CLI_VERSION #* Pack compatibility with CLI function codeql-complib() { if [ -z "$1" ]; then echo "Usage: codeql-complib " return 1 fi curl --silent https://raw.githubusercontent.com/github/codeql/codeql-cli/v$(codeql version --format=json | jq -r .version)/$1/ql/lib/qlpack.yml | grep version | cut -d':' -f2 | sed 's/^[ ]*//' } # Create the qlpack file using commands: cd ~/local/sarif-cli # Bug: drops the codeql- prefix rm -fR dataflow-sql-injection codeql pack init codeql-dataflow-sql-injection cp -f dataflow-sql-injection/qlpack.yml codeql-dataflow-sql-injection/ # Add correct library dependency codeql pack add --dir=codeql-dataflow-sql-injection codeql/cpp-all@"$(codeql-complib cpp)" cat codeql-dataflow-sql-injection/qlpack.yml #* Install packs cd ~/local/sarif-cli/codeql-dataflow-sql-injection rm -f *lock* codeql pack install #* Run the analyze command with options # cd ~/local/sarif-cli/codeql-dataflow-sql-injection codeql database analyze \ -v \ --sarif-category santa-chap \ --ram=16000 \ -j8 \ --format=sarif-latest \ --output sqlidb-$CLI_VERSION.sarif \ -- \ sqlidb-$CLI_VERSION \ SqlInjection.ql # Verify cli version in SARIF output SAVER=`jq -r '.runs |.[] |.tool.driver.semanticVersion ' sqlidb-$CLI_VERSION.sarif` printf "db %s\ncli %s\n" $SAVER $CLI_VERSION if [ v$SAVER != $CLI_VERSION ] ; then echo "---: codeql version inconsistency" fi # Check sarif-category flag grep -A2 automationDetails sqlidb-$CLI_VERSION.sarif #* Insert versionControlProvenance cd ~/local/sarif-cli/codeql-dataflow-sql-injection sarif-insert-vcp sqlidb-$CLI_VERSION.sarif > sqlidb-$CLI_VERSION-1.sarif #* Get CSV. cd ~/local/sarif-cli/codeql-dataflow-sql-injection sarif-extract-scans-runner --input-signature CLI - > /dev/null <