
#!/bin/bash -e
#* Following are the steps needed to build a codeql db using different versions of
# the codeql cli.
#
# Some files from prior runs are found in ./data/codeql-dataflow-sql-injection/
#
# Human-readable explanation printed before the guard below stops the script.
usage="
This script's purpose is to run the sarif-cli against SARIF files
produced by different versions of the codeql cli.
This script is intended for interactive use only. Take one block at a time,
run it, and check results as you go.
A (subset) of this script may be automated in the future.
"
# Guard: this file is a notebook of blocks to paste one at a time, not a
# program.  Running it as a whole prints the usage text and stops here, so
# nothing below this line ever executes non-interactively.
printf '%s\n' "$0: Interactive use only"
printf '%s\n' "$usage"
exit 1
#* Use virtual environment. See README for setup.
# Activate the project's Python virtual environment (see README for setup).
source ~/local/sarif-cli/.venv/bin/activate
#* What can we use?
# List the codeql cli versions the gh-codeql extension can switch between.
gh codeql list-versions
#* History
# Open the cli changelog in a browser (presumably macOS `open`; use the
# platform equivalent elsewhere).
open https://github.com/github/codeql-cli-binaries/blob/HEAD/CHANGELOG.md
#* Get repo
# Clone the sample project (over ssh) next to sarif-cli; the remaining blocks
# assume this directory layout and cd into it explicitly each time.
cd ~/local/sarif-cli
git clone git@github.com:hohn/codeql-dataflow-sql-injection.git
cd codeql-dataflow-sql-injection/
#* Choose
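# Versions seen when this was written (presumably the output of
# `gh codeql list-versions`).  These are notes, not commands -- as bare lines
# they would fail with "command not found" when a block is pasted in whole.
#   v2.14.0
#   v2.13.5
#   v2.13.4
#   v2.13.3
#   v2.13.1
#   v2.13.0
#   v2.12.7
#   v2.12.6
#   v2.11.6
#   v2.10.5
#   v2.9.4
# Pick ONE version for this run.  Running the block top to bottom leaves the
# last assignment (v2.14.0) in effect; everything below keys on CLI_VERSION.
CLI_VERSION=v2.9.4
CLI_VERSION=v2.12.7
CLI_VERSION=v2.13.5
CLI_VERSION=v2.14.0
gh codeql set-version "$CLI_VERSION"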
#* Build vanilla DB
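cd ~/local/sarif-cli/codeql-dataflow-sql-injection
# Start from a clean database directory; `--` stops option parsing.
rm -fR -- sqlidb
# Build the C/C++ database by running the project's own build script.
codeql database create --language=cpp -s . -j 8 -v sqlidb --command='./build.sh'
# Keep a per-cli-version copy for the comparison at the end.  Remove a copy
# from an earlier run first: `cp -r` into an existing directory would nest
# sqlidb inside it instead of replacing it.  `:?` refuses an empty version.
rm -fR -- "sqlidb-${CLI_VERSION:?CLI_VERSION must be set}"
cp -r -- sqlidb "sqlidb-$CLI_VERSION"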
#* Pack compatibility with CLI
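#######################################
# Print the version of the CodeQL standard library pack that matches the
# currently selected codeql cli: read the cli version from
# `codeql version --format=json`, then fetch <lang>/ql/lib/qlpack.yml from
# the github/codeql tag for that cli and extract its top-level version key.
# Arguments: $1 - language directory name in github/codeql (e.g. cpp)
# Outputs:   the pack version on stdout; diagnostics go to stderr so a caller
#            using $(codeql-complib cpp) never captures an error message
# Returns:   0 on success; 1 on a missing/invalid argument or when the cli
#            version or the qlpack file cannot be obtained
#######################################
function codeql-complib() {
  local lang=${1-} cli_version qlpack_url
  if [ -z "$lang" ]; then
    echo "Usage: codeql-complib <language>" >&2
    return 1
  fi
  # The argument becomes a URL path segment: allow only a plain directory
  # name so that "../" or query characters cannot change which file is read.
  case "$lang" in
    *[!A-Za-z0-9_-]*)
      echo "codeql-complib: invalid language name: $lang" >&2
      return 1
      ;;
  esac
  cli_version=$(codeql version --format=json | jq -r .version) || return 1
  if [ -z "$cli_version" ] || [ "$cli_version" = null ]; then
    echo "codeql-complib: could not read the codeql cli version" >&2
    return 1
  fi
  qlpack_url="https://raw.githubusercontent.com/github/codeql/codeql-cli/v${cli_version}/${lang}/ql/lib/qlpack.yml"
  # --fail: an HTTP error page must not be parsed as if it were qlpack.yml
  # (the previous `--silent` alone would pass a 404 body to grep).
  # Match only the top-level 'version:' key; a bare `grep version` also hits
  # any other line containing that word.
  curl --fail --silent --show-error "$qlpack_url" \
    | grep '^version:' | cut -d':' -f2 | sed 's/^[ ]*//'
}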
# Create the qlpack file using commands:
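cd ~/local/sarif-cli
# Bug: `codeql pack init` appears to drop the codeql- prefix, so the scaffold
# lands in dataflow-sql-injection/; clear any stale scaffold first, then copy
# the generated qlpack.yml into the real pack directory.
rm -fR -- dataflow-sql-injection
codeql pack init codeql-dataflow-sql-injection
cp -f dataflow-sql-injection/qlpack.yml codeql-dataflow-sql-injection/
# Add the library dependency matching the selected cli.  Resolve the version
# into a variable first: with an inline $(...) an empty result (cli or curl
# failure) silently requests `codeql/cpp-all@` with no version.
cpp_lib_version=$(codeql-complib cpp)
if [ -z "$cpp_lib_version" ]; then
  echo "---: could not determine the codeql/cpp-all version for this cli"
else
  codeql pack add --dir=codeql-dataflow-sql-injection codeql/cpp-all@"$cpp_lib_version"
fi
cat codeql-dataflow-sql-injection/qlpack.yml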
#* Install packs
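cd ~/local/sarif-cli/codeql-dataflow-sql-injection
# Drop stale lock files so `pack install` re-resolves against the dependency
# added above.  `--` keeps a name starting with '-' from being read as an
# option; with no match the literal pattern is passed and -f keeps rm quiet.
rm -f -- *lock*
codeql pack install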
#* Run the analyze command with options
#
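cd ~/local/sarif-cli/codeql-dataflow-sql-injection
# Analyze the per-version database copy made earlier and write one SARIF file
# per cli version.  --sarif-category is checked further down via
# automationDetails.  Expansions are quoted so an unusual CLI_VERSION value
# cannot split into extra arguments.
codeql database analyze \
  -v \
  --sarif-category santa-chap \
  --ram=16000 \
  -j8 \
  --format=sarif-latest \
  --output "sqlidb-$CLI_VERSION.sarif" \
  -- \
  "sqlidb-$CLI_VERSION" \
  SqlInjection.ql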
# Verify cli version in SARIF output
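# Verify the cli version recorded in the SARIF output.  `sort -u` collapses
# the per-run values so a file with several runs of the same cli still
# yields one line; differing runs then show up as an inconsistency below.
SAVER=$(jq -r '.runs |.[] |.tool.driver.semanticVersion ' "sqlidb-$CLI_VERSION.sarif" | sort -u)
# Quoted: an empty or multi-line SAVER must not break the format/test below.
printf "db %s\ncli %s\n" "$SAVER" "$CLI_VERSION"
if [ "v$SAVER" != "$CLI_VERSION" ]; then
  echo "---: codeql version inconsistency"
fi
# Check sarif-category flag
grep -A2 automationDetails -- "sqlidb-$CLI_VERSION.sarif"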
#* Insert versionControlProvenance
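cd ~/local/sarif-cli/codeql-dataflow-sql-injection
# Add versionControlProvenance into a new file so the SARIF as produced by
# the cli is kept unchanged.  A failure is reported in the notebook's
# "---:" style rather than aborting; note the -1.sarif file may then be
# empty or partial.
sarif-insert-vcp "sqlidb-$CLI_VERSION.sarif" > "sqlidb-$CLI_VERSION-1.sarif" ||
  echo "---: sarif-insert-vcp failed for sqlidb-$CLI_VERSION.sarif"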
#* Get CSV.
cd ~/local/sarif-cli/codeql-dataflow-sql-injection
# Convert the SARIF to CSV.  The trailing '-' presumably makes the runner read
# its list of input files from stdin (here the single here-doc line; the
# $CLI_VERSION inside it is expanded).  stdout is discarded, so only
# diagnostics on stderr remain visible.
sarif-extract-scans-runner --input-signature CLI - > /dev/null <<EOF
sqlidb-$CLI_VERSION-1.sarif
EOF
#* Check CSV messages for success
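cd ~/local/sarif-cli/codeql-dataflow-sql-injection
# Show the first rows of the conversion output, then look for a success
# marker (case-insensitive).  The failure branch only reports, following the
# notebook's "---:" convention, so the remaining blocks can still be run.
head -4 "sqlidb-$CLI_VERSION-1.sarif.csv"
grep -qi -- success "sqlidb-$CLI_VERSION-1.sarif.csv" || {
  echo "---: sarif-cli failure: sqlidb-$CLI_VERSION-1.sarif*"
}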
#* CSV output
# ls -la sqlidb-$CLI_VERSION-1*
# find sqlidb-$CLI_VERSION-1*.scantables -print
#* Summary
cd ~/local/sarif-cli/codeql-dataflow-sql-injection
#** SARIF files
# One file per cli version run so far (written by the analyze block).
ls sqlidb-v*.sarif
#** CSV conversion info
# Per-version conversion outputs; the last two lines of each show whether the
# sarif-cli run ended in success.
ls sqlidb-v2.*.sarif.csv*
tail -2 sqlidb-v2.*.sarif.csv*