Create a CodeQL query pack
carlspring opened this issue · 3 comments
carlspring commented
Task Description
We need to set up a CodeQL query pack so that it can be used in Github Workflows.
Open Questions
Notes
- The CodeQL CLI does not provide an option to remove or overwrite versions of published query packs. They will appear under the user's Packages section of their profile. They can be removed manually from there.
- There is no concept of snapshot versions.
Task List
The following tasks will need to be carried out:
- Investigate what needs to be done.
- Add some CodeQL queries.
- Initialize a CodeQL rule pack.
- Set up a PAT token.
- Publish the CodeQL rule pack.
- Figure out what needs to be done to package qhelp files.
- Make the published package publicly available.
- Test the fix
- Make the CodeQL workflow in carlspring/vertx-vulns use this.
- Update the documentation.
Useful Commands
- To initialize a query pack, the following must be executed in the root of the Git repository:
codeql pack init [github-org|github-user]/query-pack-name
- To generate the Markdown for the qhelp files:
codeql generate query-help *.qhelp --format=markdown -o .
- To create a query pack:
codeql pack create
- To install the required dependencies run the following inside the query pack directory:
codeql pack install
- To publish the query pack:
codeql pack publish --github-auth-stdin --allow-prerelease
Enter value for --github-auth-stdin (Authenticate to the github.com Container registry by passing a github.com GitHub Apps token or personal access token via standard input.):
Running on packs: carlspring/vertx-codeql-queries.
Bundling and then publishing qlpack located at '/java/work/sap/ghas/vertx-codeql/vertx-codeql-queries/vertx-codeql-queries'.
WARNING: 'this' is not bound in the body of this characteristic predicate (/java/work/sap/ghas/vertx-codeql/vertx-codeql-queries/vertx-codeql-queries/.codeql/pack/carlspring/vertx-codeql-queries/1.0.0/insecure-http-server.ql:21,3-18)
WARNING: Unused variable expr (/java/work/sap/ghas/vertx-codeql/vertx-codeql-queries/vertx-codeql-queries/.codeql/pack/carlspring/vertx-codeql-queries/1.0.0/insecure-http-server.ql:28,51-55)
WARNING: Unused variable format (/java/work/sap/ghas/vertx-codeql/vertx-codeql-queries/vertx-codeql-queries/.codeql/pack/carlspring/vertx-codeql-queries/1.0.0/insecure-http-server.ql:28,76-82)
Bundled qlpack created at '/tmp/codeql-docker1039785471392063553/.Docker Package Manager/vertx-codeql-queries.1.0.0.tgz'.
Packaging> Package 'carlspring/vertx-codeql-queries@1.0.0' will be published to registry 'https://ghcr.io/v2/' as 'carlspring/vertx-codeql-queries'.
Packaging> Package 'carlspring/vertx-codeql-queries@1.0.0' will be published locally to /home/carlspring/.codeql/packages/carlspring/vertx-codeql-queries/1.0.0
Publish successful.
- To create a database for a git repository containing code that should be analyzed (for example after a clone of carlspring/vertx-vulns and inside the root of the cloned repository):
codeql database create vertx-vulns --language=java
- To analyze a CodeQL database using a query pack:
codeql database analyze vertx-vulns carlspring/vertx-codeql-queries
Incurred Costs
Task Relationships
This task:
- Is a sub-task of:
- Depends on:
- Is a follow-up of:
- Relates to:
Resources
Useful Links
- CodeQL CLI:
- Semver
- List of packages for the user
Points of Contact
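The wiring the task list asks for ("Make the CodeQL workflow in carlspring/vertx-vulns use this"), as an added example that is not part of the original issue or of either repository: a qlpack.yml in the shape `codeql pack init carlspring/vertx-codeql-queries` produces once a Java standard-library dependency is added, and a GitHub Actions workflow in the analyzed repository that consumes the published pack. The pack name and version 1.0.0 are taken from the publish output above; the branch name `main`, the file paths, the action versions and the single-job layout are assumptions.

```yaml
# qlpack.yml at the root of the query pack repository (assumed layout).
# `codeql pack init` writes name, version and library; the codeql/java-all
# dependency is what `codeql pack install` resolves into codeql-pack.lock.yml
# so the Java queries can import the standard library.
name: carlspring/vertx-codeql-queries
version: 1.0.0
library: false
dependencies:
  codeql/java-all: "*"
---
# .github/workflows/codeql.yml in the repository being analyzed (assumed path).
name: CodeQL
on:
  push:
    branches: [ main ]        # assumed branch name
  pull_request:
    branches: [ main ]
permissions:
  contents: read              # least privilege: checkout only
  security-events: write      # required to upload SARIF results
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: java
          # Pin the published version. Published pack versions cannot be
          # overwritten or removed through the CLI, so @1.0.0 is a stable
          # reference; leaving the version off would float to the newest
          # version in the registry.
          packs: carlspring/vertx-codeql-queries@1.0.0
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```

Because the pack is public, the consuming workflow needs no registry credentials; only the publishing side needs a token with package write access. `codeql pack publish --github-auth-stdin` reads that token from standard input on purpose, so it never appears in shell history or a process listing; in a non-interactive job pipe it in, for example `printf '%s' "$CODEQL_PUBLISH_TOKEN" | codeql pack publish --github-auth-stdin`, rather than typing it at the prompt shown above.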
intrigus-lgtm commented
Generate a token that has the following permissions:
Just curious, can you not use one of the PAT v2 tokens that should offer more fine granular permissions?
carlspring commented
There's no need for that anymore, as the package is and will be public, but that is now just for the record.
carlspring commented
Implemented.

