This repository contains CodeQL models and queries for SAP JavaScript frameworks:
- CAP: https://cap.cloud.sap
- UI5: https://sapui5.hana.ondemand.com
- XSJS: https://www.npmjs.com/package/@sap/async-xsjs

The queries are published as the following CodeQL packs:
- advanced-security/javascript-sap-cap-queries
- advanced-security/javascript-sap-ui5-queries
- advanced-security/javascript-sap-async-xsjs-queries
Analyzing a repository with Code Scanning

Example workflow file. The CDS models must be compiled to JSON before extraction, and the environment variables on the analysis step tell the JavaScript extractor to index .json and .cds files as JSON; without both, the CAP queries have no model to reason about:

jobs:
  analyze-javascript:
    name: Analyze
    runs-on: 'ubuntu-latest'
    permissions:
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Compile CDS files
        run: |
          npm install -g @sap/cds-dk
          # -print0 / read -d '' keeps paths that contain spaces intact
          find . -type f -iname '*.cds' -print0 |
            while IFS= read -r -d '' cds_file; do
              cds compile "$cds_file" \
                -2 json \
                -o "$cds_file.json" \
                --locations
            done
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript
          config-file: .github/codeql/codeql-config.yaml
      - name: Perform CodeQL Analysis
        id: analyze
        uses: github/codeql-action/analyze@v3
        env:
          LGTM_INDEX_XML_MODE: all
          LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
Example configuration file (.github/codeql/codeql-config.yaml), referenced by the init step above:

name: "My CodeQL config"
packs:
  # Use these packs for JavaScript and TypeScript analysis
  javascript:
    - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-async-xsjs-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-cap-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-ui5-queries:codeql-suites/javascript-security-extended.qls
paths-ignore:
  - "**/node_modules"
Analyzing a repository with the CodeQL CLI

The same preparation is needed on the command line. Run all of the steps in the same shell, because the indexing environment variables must be visible to the extractor at the time the database is created.

- Include and index XML, JSON and CDS files by setting the necessary environment variables (the value is a newline-separated list of .extension:LANGUAGE pairs; the $'...' form below is bash syntax):

  export LGTM_INDEX_XML_MODE='ALL'
  export LGTM_INDEX_FILETYPES=$'.json:JSON\n.cds:JSON'

- Compile all the CDS files using the SAP cds toolkit. Each model.cds gets a model.cds.json next to it; --locations keeps source positions in the generated CSN so that results can be traced back to the .cds file:

  npm install -g @sap/cds-dk
  find . -type f -iname '*.cds' -print0 |
    while IFS= read -r -d '' cds_file; do
      cds compile "$cds_file" \
        -2 json \
        -o "$cds_file.json" \
        --locations
    done

- Build the database as usual:

  codeql database create <DB_NAME> --language=javascript

- Analyze the database using one or more packs (--download fetches any pack that is not already in the local package cache):

  codeql database analyze <DB_NAME> --format=sarif-latest --output=<OUTPUT_FILE> \
    --download advanced-security/javascript-sap-cap-queries \
               advanced-security/javascript-sap-ui5-queries \
               advanced-security/javascript-sap-async-xsjs-queries
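The four CLI steps above as one script, added here as an example and not code from the codeql-sap-js repository. It assumes `cds` (from @sap/cds-dk) and `codeql` are on PATH when the full pipeline runs, skips .cds files under node_modules (matching the paths-ignore entry in the configuration file), passes --overwrite so re-runs do not fail on an existing database directory, and adds the check a practitioner wants before building the database: that every .cds model actually produced a non-empty .cds.json, because CodeQL itself does not report a missing model file and the CAP queries would simply see nothing. The function names and the node_modules pruning are this example's choices, not the project's.

```shell
#!/usr/bin/env bash
# Added example, not part of the codeql-sap-js repository: the CLI procedure
# as one script with a pre-flight check on the compiled CDS output.
# Assumed: `cds` (from @sap/cds-dk) and `codeql` are on PATH for a real run.
set -eu

# Map .cds and .json files to the JSON extractor and index XML files.
export_index_env() {
  export LGTM_INDEX_XML_MODE='ALL'
  # Newline-separated ".ext:LANG" pairs; printf keeps the embedded newline
  # and is portable to shells without the bash-only $'...' form.
  LGTM_INDEX_FILETYPES="$(printf '.json:JSON\n.cds:JSON')"
  export LGTM_INDEX_FILETYPES
}

# List every .cds model under $1, one path per line, skipping node_modules
# (an assumption of this example, consistent with paths-ignore above).
list_cds_models() {
  find "$1" -path '*/node_modules' -prune -o -type f -iname '*.cds' -print
}

# Compile each model to "<model>.cds.json" with source locations.
# IFS= / read -r keeps paths containing spaces intact.
compile_cds_models() {
  list_cds_models "$1" | while IFS= read -r cds_file; do
    cds compile "$cds_file" -2 json -o "$cds_file.json" --locations
  done
}

# Return 0 if every model has a non-empty compiled JSON beside it, 1 otherwise.
# CodeQL does not complain when the JSON is missing; the CAP queries just see
# no model, so this is the check to run before creating the database.
verify_cds_outputs() {
  list_cds_models "$1" | (
    rc=0
    while IFS= read -r cds_file; do
      if [ ! -s "$cds_file.json" ]; then
        echo "no compiled output for: $cds_file" >&2
        rc=1
      fi
    done
    exit "$rc"
  )
}

# Full pipeline: <source-root> <database-dir> <output.sarif>
run_sap_codeql_analysis() {
  src=$1 db=$2 sarif=$3
  export_index_env
  compile_cds_models "$src"
  verify_cds_outputs "$src"
  codeql database create "$db" --language=javascript --source-root="$src" --overwrite
  codeql database analyze "$db" --format=sarif-latest --output="$sarif" \
    --download advanced-security/javascript-sap-cap-queries \
               advanced-security/javascript-sap-ui5-queries \
               advanced-security/javascript-sap-async-xsjs-queries
}

# Run the pipeline only when invoked with its three arguments, so the file
# can also be sourced to use the individual functions.
if [ "$#" -eq 3 ]; then
  run_sap_codeql_analysis "$1" "$2" "$3"
fi
```

Usage: `./sap-codeql.sh ./my-cap-project ~/codeql-home/databases/my-cap-project results.sarif`. The verification step is deliberately separate from compilation: `cds compile` can succeed for some models and fail for others in a long loop, and a database built from partial output gives a clean but misleading result.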
Building the database with the CDS extractor

The following example invocation of codeql database create includes the --command option to invoke the CDS extractor as an extension of the javascript extractor that codeql uses to create the database. The pre-finalize.sh script is a minimal wrapper around the codeql database index-files command, which we expect to run the extractors/cds/tools/index-files.js script to index the JSON files pre-generated by the CDS extractor.
The example below assumes that:
- The SAP-samples/cloud-cap-samples repository has been cloned to a sibling directory of the one containing this repository.
- The SAP-samples/cloud-cap-samples repository is intended as the source code root (i.e. the target project) for the database.
- The database directory (e.g., ~/codeql-home/databases/cloud-cap-samples-real) is either absent or empty.
_d="$(pwd)" && codeql database create \
--command="${_d}/extractors/javascript/tools/pre-finalize.sh" \
--language="javascript" \
--search-path="${_d}/extractors/" \
--source-root="${_d}/../cloud-cap-samples/" \
-- ~/codeql-home/databases/cloud-cap-samples-real
NOTES:
- The --source-root option must be adjusted to match the actual location of the target project (e.g., a GitHub repository checkout).
- The database directory path (last argument) must be adjusted to match the desired location of the created database.
- Running the above command multiple times with the same database directory will result in an error. The --overwrite command-line option can be used to avoid this error.
- See codeql database create -h -v for verbose command help.
This project is licensed under the terms of the MIT open source license. Please refer to the MIT license file for the full terms.
See CODEOWNERS.
See SUPPORT.