Michael Hohn 62ec56948e WIP: debug missing field propagation for automationDetails.id
Create SARIF files with and without automationDetails.id for examination.
2023-07-11 10:45:15 -07:00

The notes directory

This directory is for notes that may be useful, but aren't complete enough to serve as documentation in their current state.

Think of it as staging for ../docs.

Short notes start as sections in this README. They will be moved out if a separate file makes more sense.

The typegraphs

The type graph files are derived from a sarif input file, with various options controlling output.

To produce dot maps of a sarif file type graph, from raw (largest) to fully filled (most compact):

  cd ../data/treeio/2022-02-25

  # Everything:
  ../../../bin/sarif-to-dot -t -d  results.sarif | dot -Tpdf > typegraph-td.pdf

  # Suppress edges to int/bool/string types in dot graph
  ../../../bin/sarif-to-dot -td -n results.sarif | dot -Tpdf > typegraph-tdn.pdf

  # Additionally, only report unique array entry signatures
  ../../../bin/sarif-to-dot -td -nu results.sarif | dot -Tpdf > typegraph-tdnu.pdf

  # Additionally, fill in missing (optional) entries in sarif input before other steps.
  ../../../bin/sarif-to-dot -td -nuf results.sarif | dot -Tpdf > typegraph-tdnuf.pdf
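To make the four steps above concrete, the following is an added example (mine, not the repository's sarif-to-dot) of how a structural type graph of a JSON document can be derived and emitted as dot. It reproduces the ideas behind the options in the commands above in a simplified form: `suppress_scalars` stands in for `-n`, `unique_array_entries` for `-u`, and `fill` for `-f`; the `-f` step here only unions the keys of sibling structs inside each array, whereas the real tool fills optional entries from its own knowledge of SARIF. `SAMPLE_SARIF` is a constructed miniature document, not results.sarif from the data directory.

```python
import json
import sys
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed miniature SARIF document; it stands in for results.sarif and is not from the repository.
SAMPLE_SARIF: Dict[str, Any] = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "codeql",
                            "rules": [{"id": "r1", "name": "Rule 1"}, {"id": "r2", "name": "Rule 2"}]}},
        "results": [
            {"ruleId": "r1", "level": "warning", "message": {"text": "first"}},
            {"ruleId": "r2", "message": {"text": "second"}},   # "level" is optional and absent here
        ],
    }],
}

# A signature is "string" | "int" | ... | ("struct", ((key, sig), ...)) | ("array", (sig, ...)).
Signature = Any

def scalar_type(value: Any) -> Optional[str]:
    """Name of a scalar JSON type, or None for dict/list."""
    if isinstance(value, bool):
        return "bool"          # bool must be tested before int
    if isinstance(value, int):
        return "int"
    if isinstance(value, float):
        return "float"
    if isinstance(value, str):
        return "string"
    if value is None:
        return "null"
    return None

def fill_optional(value: Any) -> Any:
    """Simplified -f: within each array, give every struct the union of its
    siblings' keys, copying a sibling's value for any key it lacks."""
    if isinstance(value, dict):
        return {k: fill_optional(v) for k, v in value.items()}
    if isinstance(value, list):
        items = [fill_optional(v) for v in value]
        union: Dict[str, Any] = {}
        for item in items:
            if isinstance(item, dict):
                for k, v in item.items():
                    union.setdefault(k, v)
        return [{**union, **item} if isinstance(item, dict) else item for item in items]
    return value

class TypeGraph:
    """Structural type graph of a JSON document; nodes are distinct signatures."""

    def __init__(self, suppress_scalars: bool = False, unique_array_entries: bool = False) -> None:
        self.suppress_scalars = suppress_scalars
        self.unique_array_entries = unique_array_entries
        self.nodes: Dict[Signature, str] = {}           # signature -> dot node id
        self.edges: Set[Tuple[str, str, str]] = set()   # (source id, field/index label, target id)

    def node_id(self, sig: Signature) -> str:
        if sig not in self.nodes:
            kind = sig if isinstance(sig, str) else sig[0]
            self.nodes[sig] = f"{kind}{len(self.nodes)}"
        return self.nodes[sig]

    def add_edge(self, src: str, label: str, dst: Signature) -> None:
        if self.suppress_scalars and isinstance(dst, str):
            return                                      # -n: no edges to int/bool/string/...
        self.edges.add((src, label, self.node_id(dst)))

    def visit(self, value: Any) -> Signature:
        """Compute value's signature, registering nodes and edges on the way back up."""
        scalar = scalar_type(value)
        if scalar is not None:
            return scalar
        if isinstance(value, dict):
            fields = tuple((k, self.visit(v)) for k, v in sorted(value.items()))
            sig = ("struct", fields)
            src = self.node_id(sig)
            for key, child in fields:
                self.add_edge(src, key, child)
            return sig
        entries: List[Tuple[int, Signature]] = list(enumerate(self.visit(v) for v in value))
        if self.unique_array_entries:                    # -u: one entry per distinct signature
            first_index: Dict[Signature, int] = {}
            for index, child in entries:
                first_index.setdefault(child, index)
            entries = [(index, child) for child, index in first_index.items()]
        sig = ("array", tuple(child for _, child in entries))
        src = self.node_id(sig)
        for index, child in entries:
            self.add_edge(src, str(index), child)
        return sig

    def to_dot(self) -> str:
        lines = ["digraph typegraph {", "  node [shape=box];"]
        lines += [f'  "{nid}";' for nid in self.nodes.values()]
        lines += [f'  "{s}" -> "{d}" [label="{l}"];' for s, l, d in sorted(self.edges)]
        lines.append("}")
        return "\n".join(lines)

def build(doc: Any, suppress_scalars: bool = False, unique_array_entries: bool = False,
          fill: bool = False) -> TypeGraph:
    graph = TypeGraph(suppress_scalars, unique_array_entries)
    graph.visit(fill_optional(doc) if fill else doc)
    return graph

if __name__ == "__main__":
    # Usage: python typegraph.py [file.sarif] [-n] [-u] [-f]; without a file the constructed sample is used.
    paths = [a for a in sys.argv[1:] if not a.startswith("-")]
    flags = "".join(a[1:] for a in sys.argv[1:] if a.startswith("-"))
    doc = json.load(open(paths[0])) if paths else SAMPLE_SARIF
    print(build(doc, "n" in flags, "u" in flags, "f" in flags).to_dot())
```

Piping the output through `dot -Tpdf` gives the same kind of picture as the commands above. On the sample, the raw graph has 12 nodes and 20 edges; each option removes nodes or edges (the two `results` entries collapse into one signature only after `-f` makes their key sets equal), which is why the page calls the fully filled graph the most compact.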

The automationDetails.id

The automationDetails.id entry is produced by CodeQL when using the --sarif-category flag.

Using

  0:$ codeql --version
  CodeQL command-line toolchain release 2.12.6.

and running

  cd ../data/codeql-dataflow-sql-injection/ &&
        sarif-extract-scans-runner - > /dev/null <<EOF
  sqlidb-0.sarif
  EOF

results in

  hohn@gh-hohn ~/local/sarif-cli
  0:$ cat data/codeql-dataflow-sql-injection/sqlidb-0.sarif.csv
  sarif_file,level,levelcode,message,extra_info
  sqlidb-0.sarif,WARNING,2,Input sarif is missing neccesary properties.,"Missing: {'versionControlProvenance', 'newlineSequences'}, "

An older version is needed.

  export GITHUB_TOKEN=...

  gh codeql list-versions
  gh codeql download v2.12.7
  gh codeql download v2.11.6
  gh codeql download v2.10.5
  gh codeql download v2.9.4

  gh codeql install-stub

  gh codeql set-version v2.11.6

Some hacking around qlpacks is required; see ../data/build-multiple-sarifs.sh, Pack compatibility with CLI.

Using that, I get sarif files to examine:

  hohn@gh-hohn ~/local/sarif-cli/data/codeql-dataflow-sql-injection
  0:$ ls -la sqlidb*.sarif
  -rw-r--r-- 1 hohn staff 6.2K Jul 11 10:39 sqlidb-0.sarif
  -rw-r--r-- 1 hohn staff 6.3K Jul 11 10:40 sqlidb-1.sarif

and only the second has the additional field:

  0:$ grep -A2 automationDetails sqlidb*.sarif
  sqlidb-1.sarif:    "automationDetails" : {
  sqlidb-1.sarif-      "id" : "mast-issue/"
  sqlidb-1.sarif-    },
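The grep above is a quick way to see which files carry the field; the following added example (mine, not sarif-extract-scans-runner) does the same check programmatically and reports it in the shape of the CSV row shown earlier. It treats the two properties that row listed as missing, plus `automationDetails.id`, as required per run; that third entry is this example's own choice, since the field is what is being debugged here, and the runner's actual required set is not known from this page. `SQLIDB_0` and `SQLIDB_1` are constructed stand-ins for sqlidb-0.sarif and sqlidb-1.sarif containing only the relevant fields, and the INFO/0 row for a complete file is this example's convention, not the runner's.

```python
import csv
import io
from typing import Any, Dict, List, Optional

# Run-level properties to require. The first two are the ones reported as missing in the CSV above;
# automationDetails.id is added here because it is the field under investigation (my choice).
REQUIRED_RUN_PROPERTIES = ("versionControlProvenance", "newlineSequences", "automationDetails.id")

# Constructed stand-ins for sqlidb-0.sarif (no --sarif-category) and sqlidb-1.sarif (with it).
SQLIDB_0: Dict[str, Any] = {
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "CodeQL"}}, "results": []}],
}
SQLIDB_1: Dict[str, Any] = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "automationDetails": {"id": "mast-issue/"},
        "versionControlProvenance": [{"repositoryUri": "https://example.invalid/repo"}],
        "newlineSequences": ["\r\n", "\n"],
        "results": [],
    }],
}

def lookup(obj: Any, dotted: str) -> Optional[Any]:
    """Follow a dotted path through nested dicts; None if any step is missing."""
    current = obj
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current

def missing_properties(sarif: Dict[str, Any]) -> List[str]:
    """Required run properties absent from at least one run, in REQUIRED_RUN_PROPERTIES order."""
    missing: List[str] = []
    for run in sarif.get("runs", []):
        for prop in REQUIRED_RUN_PROPERTIES:
            if lookup(run, prop) is None and prop not in missing:
                missing.append(prop)
    return missing

def automation_ids(sarif: Dict[str, Any]) -> List[Optional[str]]:
    """automationDetails.id of each run (None where absent); CodeQL fills it from --sarif-category."""
    return [lookup(run, "automationDetails.id") for run in sarif.get("runs", [])]

def report_row(name: str, sarif: Dict[str, Any]) -> Dict[str, Any]:
    """One row in the shape of the runner's CSV above; the INFO/0 case is this example's own."""
    missing = missing_properties(sarif)
    if missing:
        return {"sarif_file": name, "level": "WARNING", "levelcode": 2,
                "message": "Input sarif is missing necessary properties.",
                "extra_info": f"Missing: {missing}"}
    return {"sarif_file": name, "level": "INFO", "levelcode": 0,
            "message": "Input sarif has all required properties.", "extra_info": ""}

def report_csv(files: Dict[str, Dict[str, Any]]) -> str:
    """CSV text with the header used by the runner's output above, one row per file."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["sarif_file", "level", "levelcode", "message", "extra_info"],
                            lineterminator="\n")
    writer.writeheader()
    for name, sarif in files.items():
        writer.writerow(report_row(name, sarif))
    return out.getvalue()

if __name__ == "__main__":
    print(report_csv({"sqlidb-0.sarif": SQLIDB_0, "sqlidb-1.sarif": SQLIDB_1}), end="")
```

Running it on real files (json.load each one and pass the dicts to `report_csv`) gives a per-file view of which runs would need a category before upload; `automation_ids` isolates just the field this commit is tracing through the runner.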