From f558e858e70cffb3e6f0339ae0b5815f7b283f60 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Fri, 4 Nov 2022 10:44:14 +0000
Subject: [PATCH 1/7] ATM: Install `codeql` using new input to `fetch-codeql` Action
---
 .github/workflows/atm-check-queries-run.yml | 24 +++++++--------------
 1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/atm-check-queries-run.yml b/.github/workflows/atm-check-queries-run.yml
index bd0f6ffed83..8a2309b2cf7 100644
--- a/.github/workflows/atm-check-queries-run.yml
+++ b/.github/workflows/atm-check-queries-run.yml
@@ -19,38 +19,30 @@ jobs: steps: - uses: actions/checkout@v3 - - name: Install CodeQL CLI - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh extensions install github/gh-codeql - gh codeql download + - name: Setup CodeQL + uses: ./.github/actions/fetch-codeql + with: + channel: release - name: Install ATM model pack - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -exu # Install ATM model pack - gh codeql pack install ${ATM_MODEL_PACK} + codeql pack install ${ATM_MODEL_PACK} # Retrieve model checksum - model_checksum=$(gh codeql resolve extensions ${ATM_MODEL_PACK}/${QUERY_SUITE} | jq -r '.models[0].checksum') + model_checksum=$(codeql resolve extensions ${ATM_MODEL_PACK}/${QUERY_SUITE} | jq -r '.models[0].checksum') # Trust the model so that we can use it in the ATM boosted queries mkdir -p "$HOME/.config/codeql" echo "--insecurely-execute-ml-model-checksums ${model_checksum}" >> "$HOME/.config/codeql/config" - name: Create test DB - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - gh codeql database create ${RUNNER_TEMP}/${DB_PATH} --source-root config/atm/ --language javascript + codeql database create ${RUNNER_TEMP}/${DB_PATH} --source-root config/atm/ --language javascript - name: Run ATM query suite - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - gh codeql database run-queries -vv -- ${RUNNER_TEMP}/${DB_PATH} ${ATM_MODEL_PACK}/${QUERY_SUITE} + codeql database run-queries -vv -- ${RUNNER_TEMP}/${DB_PATH} ${ATM_MODEL_PACK}/${QUERY_SUITE} From 35a4d315198557755957ad43fae09c5e0e9961ac Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 4 Nov 2022 10:46:06 +0000 Subject: [PATCH 2/7] ATM: Fix naming of query pack --- .github/workflows/atm-check-queries-run.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/atm-check-queries-run.yml b/.github/workflows/atm-check-queries-run.yml index 8a2309b2cf7..9294db84bfb 100644 --- a/.github/workflows/atm-check-queries-run.yml 
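Review bot: `model_checksum=$(codeql resolve extensions ${ATM_MODEL_PACK}/${QUERY_SUITE} | jq -r '.models[0].checksum')` runs under `set -exu`, which does not include `pipefail`, so a failing `codeql resolve extensions` leaves the variable empty (or `null` when `.models[0]` is absent) and the following lines still append a bare `--insecurely-execute-ml-model-checksums ` entry to `$HOME/.config/codeql/config`. Change `set -exu` to `set -exuo pipefail` (or declare `shell: bash` on the step, whose default options already include `-o pipefail`) and reject an unusable value before writing it: `[[ -n "${model_checksum}" && "${model_checksum}" != "null" ]] || { echo "Could not resolve model checksum"; exit 1; }`. The same pipeline is touched again in patches 2/7 and 3/7 and inherits the gap there. Only this step sets `set -exu`; the `Create test DB` and `Run ATM query suite` steps rely on the runner's default `bash -e`, which works but a matching line would make the error-handling explicit.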
+++ b/.github/workflows/atm-check-queries-run.yml @@ -2,7 +2,7 @@ name: ATM Check Queries Run env: DB_PATH: test_db - ATM_MODEL_PACK: javascript/ql/experimental/adaptivethreatmodeling/src + QUERY_PACK: javascript/ql/experimental/adaptivethreatmodeling/src QUERY_SUITE: codeql-suites/javascript-atm-code-scanning.qls on: @@ -24,15 +24,15 @@ jobs: with: channel: release - - name: Install ATM model pack + - name: Install ATM model run: | set -exu - # Install ATM model pack - codeql pack install ${ATM_MODEL_PACK} + # Install dependencies of ATM query pack + codeql pack install ${QUERY_PACK} # Retrieve model checksum - model_checksum=$(codeql resolve extensions ${ATM_MODEL_PACK}/${QUERY_SUITE} | jq -r '.models[0].checksum') + model_checksum=$(codeql resolve extensions ${QUERY_PACK}/${QUERY_SUITE} | jq -r '.models[0].checksum') # Trust the model so that we can use it in the ATM boosted queries mkdir -p "$HOME/.config/codeql" @@ -44,5 +44,5 @@ jobs: - name: Run ATM query suite run: | - codeql database run-queries -vv -- ${RUNNER_TEMP}/${DB_PATH} ${ATM_MODEL_PACK}/${QUERY_SUITE} + codeql database run-queries -vv -- ${RUNNER_TEMP}/${DB_PATH} ${QUERY_PACK}/${QUERY_SUITE} From 7976d746b6c77c331d172cf525e0c227b66b9ddb Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 4 Nov 2022 10:49:05 +0000 Subject: [PATCH 3/7] ATM: Simplify DB path definition and improve quoting --- .github/workflows/atm-check-queries-run.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/atm-check-queries-run.yml b/.github/workflows/atm-check-queries-run.yml index 9294db84bfb..d0a1a6ac456 100644 --- a/.github/workflows/atm-check-queries-run.yml +++ b/.github/workflows/atm-check-queries-run.yml @@ -1,7 +1,6 @@ name: ATM Check Queries Run env: - DB_PATH: test_db QUERY_PACK: javascript/ql/experimental/adaptivethreatmodeling/src QUERY_SUITE: codeql-suites/javascript-atm-code-scanning.qls 
@@ -27,12 +26,12 @@ jobs: - name: Install ATM model run: | set -exu - - # Install dependencies of ATM query pack - codeql pack install ${QUERY_PACK} + + # Install dependencies of ATM query pack, i.e. the ATM model + codeql pack install "${QUERY_PACK}" # Retrieve model checksum - model_checksum=$(codeql resolve extensions ${QUERY_PACK}/${QUERY_SUITE} | jq -r '.models[0].checksum') + model_checksum=$(codeql resolve extensions "${QUERY_PACK}/${QUERY_SUITE}" | jq -r '.models[0].checksum') # Trust the model so that we can use it in the ATM boosted queries mkdir -p "$HOME/.config/codeql" @@ -40,9 +39,10 @@ jobs: - name: Create test DB run: | - codeql database create ${RUNNER_TEMP}/${DB_PATH} --source-root config/atm/ --language javascript + DB_PATH="${RUNNER_TEMP}/db" + codeql database create "${DB_PATH}" --source-root config/atm --language javascript + echo "DB_PATH=${DB_PATH}" >> "${GITHUB_ENV}" - name: Run ATM query suite run: | - codeql database run-queries -vv -- ${RUNNER_TEMP}/${DB_PATH} ${QUERY_PACK}/${QUERY_SUITE} - + codeql database run-queries -vv -- "${DB_PATH}" "${QUERY_PACK}/${QUERY_SUITE}" From 05dd161d761e0398ad4d9959d142fddd47d6ce18 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 4 Nov 2022 10:50:21 +0000 Subject: [PATCH 4/7] ATM: Use `database analyze` to check results interpretation too --- .github/workflows/atm-check-queries-run.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/atm-check-queries-run.yml b/.github/workflows/atm-check-queries-run.yml index d0a1a6ac456..972a1581c42 100644 --- a/.github/workflows/atm-check-queries-run.yml +++ b/.github/workflows/atm-check-queries-run.yml @@ -45,4 +45,10 @@ jobs: - name: Run ATM query suite run: | - codeql database run-queries -vv -- "${DB_PATH}" "${QUERY_PACK}/${QUERY_SUITE}" + codeql database analyze \ + --format sarif-latest \ + --output "${RUNNER_TEMP}/sarif.json" \ + -vv \ + -- \ + "${DB_PATH}" \ + "${QUERY_PACK}/${QUERY_SUITE}" 
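Review bot: The value produced by `model_checksum=$(codeql resolve extensions "${QUERY_PACK}/${QUERY_SUITE}" | jq -r '.models[0].checksum')` is whatever checksum the model fetched by `codeql pack install "${QUERY_PACK}"` just above reports, so the `--insecurely-execute-ml-model-checksums` entry written a few lines below (context lines of this hunk) only satisfies the CLI's check; it does not pin or verify which model runs, which is presumably decided by the query pack's own dependency declaration. The comment above the assignment should say so, e.g. `# Trust whichever model the pack resolved; this satisfies the CLI checksum check, it does not verify model provenance.` The `# Install dependencies of ATM query pack, i.e. the ATM model` comment could then point at the pack's dependency file as the place where the model version is chosen.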
From fe27e09a07f4e596334d4620548bd1ffc0561a6b Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 4 Nov 2022 10:57:00 +0000 Subject: [PATCH 5/7] ATM: Add codeowners entry for new workflow --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/CODEOWNERS b/CODEOWNERS index 6065852559b..a18b6a51305 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -40,6 +40,7 @@ WORKSPACE.bazel @github/codeql-ci-reviewers # Workflows /.github/workflows/ @github/codeql-ci-reviewers +/.github/workflows/atm-* @github/codeql-ml-powered-queries-reviewers /.github/workflows/go-* @github/codeql-go /.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers From 87f7b65052137cfc38bf41b9a92efa54c486f2e2 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Fri, 4 Nov 2022 11:14:28 +0000 Subject: [PATCH 6/7] ATM: Check the results of the queries too --- .github/workflows/atm-check-queries-run.yml | 47 +++++++++++++++++++-- 1 file changed, 43 insertions(+), 4 deletions(-) diff --git a/.github/workflows/atm-check-queries-run.yml b/.github/workflows/atm-check-queries-run.yml index 972a1581c42..ba6dd872f19 100644 --- a/.github/workflows/atm-check-queries-run.yml +++ b/.github/workflows/atm-check-queries-run.yml @@ -1,4 +1,4 @@ -name: ATM Check Queries Run +name: ATM Check Queries env: QUERY_PACK: javascript/ql/experimental/adaptivethreatmodeling/src @@ -12,7 +12,7 @@ on: workflow_dispatch: jobs: - run-atm-queries: + atm-check-queries: runs-on: ubuntu-latest steps: 
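Review bot: `/.github/workflows/atm-* @github/codeql-ml-powered-queries-reviewers` sits after the catch-all `/.github/workflows/ @github/codeql-ci-reviewers`, and CODEOWNERS gives the last matching pattern precedence, so for the ATM workflows this line replaces the CI-reviewers team rather than adding a second owner. That mirrors the neighbouring `go-*` and `js-ml-tests.yml` entries, so it is presumably intended; if both teams should review changes to these workflows, list both on the line: `/.github/workflows/atm-* @github/codeql-ci-reviewers @github/codeql-ml-powered-queries-reviewers`. The glob also still covers the file after its rename to `atm-check-query-suite.yml` in patch 7/7.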
@@ -40,15 +40,54 @@ jobs: - name: Create test DB run: | DB_PATH="${RUNNER_TEMP}/db" - codeql database create "${DB_PATH}" --source-root config/atm --language javascript echo "DB_PATH=${DB_PATH}" >> "${GITHUB_ENV}" + codeql database create "${DB_PATH}" --source-root config/atm --language javascript + - name: Run ATM query suite run: | + SARIF_PATH="${RUNNER_TEMP}/sarif.json" + echo "SARIF_PATH=${SARIF_PATH}" >> "${GITHUB_ENV}" + codeql database analyze \ --format sarif-latest \ - --output "${RUNNER_TEMP}/sarif.json" \ + --output "${SARIF_PATH}" \ + --sarif-group-rules-by-pack \ -vv \ -- \ "${DB_PATH}" \ "${QUERY_PACK}/${QUERY_SUITE}" + + - name: Upload SARIF + uses: actions/upload-artifact@v3 + with: + name: javascript-ml-powered-queries.sarif + path: "${{ env.SARIF_PATH }}" + retention-days: 5 + + - name: Check results + run: | + # We should run at least the ML-powered queries in `expected_rules`. + expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss" + + for rule in ${expected_rules}; do + found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) | + flatten | .[].id] | any(. == $rule)' "${SARIF_PATH}") + if [[ "${found_rule}" != "true" ]]; then + echo "Expected SARIF output to contain rule '${rule}', but found no such rule." + exit 1 + else + echo "Found rule '${rule}'." + fi + done + + # We should have at least one alert from an ML-powered query. + num_alerts=$(jq '[.runs[0].results[] | + select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \ + "${SARIF_PATH}") + if [[ "${num_alerts}" -eq 0 ]]; then + echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}." + exit 1 + else + echo "Found ${num_alerts} alerts from ML-powered queries."; + fi From cbbff0c4013df5d044720244776094528af3b3a0 Mon Sep 17 00:00:00 2001 
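Review bot: In the new `Check results` step the rule-presence filter `[.runs[0].tool.extensions[].rules | select(. != null) | flatten | .[].id]` is harder to read than it needs to be: `flatten` is a no-op on an array of rule objects and the `select` only guards extensions without a `rules` key, which jq's optional iterator does directly, so `[.runs[0].tool.extensions[].rules[]? | .id] | any(. == $rule)` is equivalent. Both lookups depend on rules being listed under `tool.extensions`, which is only true because `--sarif-group-rules-by-pack` is passed to `codeql database analyze` earlier in this hunk; a comment above the loop would save the next reader the search: `# Rules are listed per pack under tool.extensions because analyze runs with --sarif-group-rules-by-pack.` The stray `;` after `echo "Found ${num_alerts} alerts from ML-powered queries."` should go. Consider also moving `expected_rules` next to `QUERY_PACK`/`QUERY_SUITE` in the top-level `env:` so the workflow's checked inputs live in one place.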
From: Henry Mercer Date: Fri, 4 Nov 2022 11:19:50 +0000 Subject: [PATCH 7/7] ATM: Rename workflow Rename to take into account us now checking the results of the query suite too. --- ...{atm-check-queries-run.yml => atm-check-query-suite.yml} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename .github/workflows/{atm-check-queries-run.yml => atm-check-query-suite.yml} (96%) diff --git a/.github/workflows/atm-check-queries-run.yml b/.github/workflows/atm-check-query-suite.yml similarity index 96% rename from .github/workflows/atm-check-queries-run.yml rename to .github/workflows/atm-check-query-suite.yml index ba6dd872f19..7317746fe62 100644 --- a/.github/workflows/atm-check-queries-run.yml +++ b/.github/workflows/atm-check-query-suite.yml @@ -1,4 +1,4 @@ -name: ATM Check Queries +name: "ATM - Check query suite" env: QUERY_PACK: javascript/ql/experimental/adaptivethreatmodeling/src @@ -7,12 +7,12 @@ env: on: pull_request: paths: - - ".github/workflows/atm-check-queries-run.yml" + - ".github/workflows/atm-check-query-suite.yml" - "javascript/ql/experimental/adaptivethreatmodeling/**" workflow_dispatch: jobs: - atm-check-queries: + atm-check-query-suite: runs-on: ubuntu-latest steps: