Skip to content

Update the dependencies to CodeQL CLI 2.22.2. #210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Update the dependencies to CodeQL CLI 2.22.2. #210

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4229a97
Update the dependencies to CodeQL CLI 2.22.2.
lcartey Jul 30, 2025
6f1567c
Update UI5 test dependencies
lcartey Jul 30, 2025
6ca2c51
Update qlt.conf.json to 2.22.2
lcartey Jul 30, 2025
2f48d3c
Address incompatibility introduced in CodeQL PR #19445.
lcartey Aug 1, 2025
cf3ade2
Merge branch 'main' into lcartey/update-dependencies
jeongsoolee09 Aug 4, 2025
6740358
Merge branch 'main' into lcartey/update-dependencies
data-douser Aug 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 13 additions & 11 deletions javascript/frameworks/cap/lib/codeql-pack.lock.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,28 @@
---
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.1
codeql/dataflow:
version: 2.0.0
version: 2.0.11
codeql/javascript-all:
version: 2.4.0
version: 2.6.7
codeql/mad:
version: 1.0.16
version: 1.0.27
codeql/regex:
version: 1.0.16
version: 1.0.27
codeql/ssa:
version: 1.0.16
version: 2.0.3
codeql/threat-models:
version: 1.0.16
version: 1.0.27
codeql/tutorial:
version: 1.0.16
version: 1.0.27
codeql/typetracking:
version: 2.0.0
version: 2.0.11
codeql/util:
version: 2.0.3
version: 2.0.14
codeql/xml:
version: 1.0.16
version: 1.0.27
codeql/yaml:
version: 1.0.16
version: 1.0.27
compiled: false
24 changes: 13 additions & 11 deletions javascript/frameworks/cap/src/codeql-pack.lock.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,28 @@
---
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.1
codeql/dataflow:
version: 2.0.0
version: 2.0.11
codeql/javascript-all:
version: 2.4.0
version: 2.6.7
codeql/mad:
version: 1.0.16
version: 1.0.27
codeql/regex:
version: 1.0.16
version: 1.0.27
codeql/ssa:
version: 1.0.16
version: 2.0.3
codeql/threat-models:
version: 1.0.16
version: 1.0.27
codeql/tutorial:
version: 1.0.16
version: 1.0.27
codeql/typetracking:
version: 2.0.0
version: 2.0.11
codeql/util:
version: 2.0.3
version: 2.0.14
codeql/xml:
version: 1.0.16
version: 1.0.27
codeql/yaml:
version: 1.0.16
version: 1.0.27
compiled: false
24 changes: 13 additions & 11 deletions javascript/frameworks/cap/test/codeql-pack.lock.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,28 @@
---
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.1
codeql/dataflow:
version: 2.0.0
version: 2.0.11
codeql/javascript-all:
version: 2.4.0
version: 2.6.7
codeql/mad:
version: 1.0.16
version: 1.0.27
codeql/regex:
version: 1.0.16
version: 1.0.27
codeql/ssa:
version: 1.0.16
version: 2.0.3
codeql/threat-models:
version: 1.0.16
version: 1.0.27
codeql/tutorial:
version: 1.0.16
version: 1.0.27
codeql/typetracking:
version: 2.0.0
version: 2.0.11
codeql/util:
version: 2.0.3
version: 2.0.14
codeql/xml:
version: 1.0.16
version: 1.0.27
codeql/yaml:
version: 1.0.16
version: 1.0.27
compiled: false
1 change: 1 addition & 0 deletions ...ript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import advanced_security.javascript.frameworks.ui5.UI5View
import advanced_security.javascript.frameworks.ui5.RemoteFlowSources
import advanced_security.javascript.frameworks.ui5.dataflow.FlowSteps
private import StdLibDataFlow::DataFlow::PathGraph as DataFlowPathGraph
private import PatchDataFlow

/**
* A statically visible part of a local model's content that has a binding path referring to it in a control declaration acting as an HTML injection sink.
Expand Down
77 changes: 77 additions & 0 deletions ...frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/PatchDataFlow.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
/**
* This file patches an incompatibility introduced into the standard data flow library between
* class DataFlow::Configurations and `summmaryModels` added in models-as-data files, and likely
* introduced in this PR: https://github.com/github/codeql/pull/19445/files.
*/

import javascript
import semmle.javascript.dataflow.internal.FlowSummaryPrivate
private import semmle.javascript.frameworks.data.internal.ApiGraphModels as Shared

/**
* Holds if `path` is an input or output spec for a summary with the given `base` node.
*/
pragma[nomagic]
private predicate relevantInputOutputPath(API::InvokeNode base, AccessPath inputOrOutput) {
exists(string type, string input, string output, string path |
ModelOutput::resolvedSummaryBase(type, path, base) and
ModelOutput::relevantSummaryModel(type, path, input, output, _, _) and
inputOrOutput = [input, output]
)
}

/**
* Gets the API node for the first `n` tokens of the given input/output path, evaluated relative to `baseNode`.
*/
private API::Node getNodeFromInputOutputPath(API::InvokeNode baseNode, AccessPath path, int n) {
relevantInputOutputPath(baseNode, path) and
(
n = 1 and
result = Shared::getSuccessorFromInvoke(baseNode, path.getToken(0))
or
result =
Shared::getSuccessorFromNode(getNodeFromInputOutputPath(baseNode, path, n - 1),
path.getToken(n - 1))
)
}

/**
* Gets the API node for the given input/output path, evaluated relative to `baseNode`.
*/
private API::Node getNodeFromInputOutputPath(API::InvokeNode baseNode, AccessPath path) {
result = getNodeFromInputOutputPath(baseNode, path, path.getNumToken())
}

private predicate summaryStep(API::Node pred, API::Node succ, string kind) {
exists(string type, string path, API::InvokeNode base, AccessPath input, AccessPath output |
ModelOutput::relevantSummaryModel(type, path, input, output, kind, _) and
ModelOutput::resolvedSummaryBase(type, path, base) and
pred = getNodeFromInputOutputPath(base, input) and
succ = getNodeFromInputOutputPath(base, output)
)
}

/**
* Like `ModelOutput::summaryStep` but with API nodes mapped to data-flow nodes.
*/
private predicate summaryStepNodes(DataFlow::Node pred, DataFlow::Node succ, string kind) {
exists(API::Node predNode, API::Node succNode |
summaryStep(predNode, succNode, kind) and
pred = predNode.asSink() and
succ = succNode.asSource()
)
}

/** Data flow steps induced by summary models of kind `value`. */
private class DataFlowStepFromSummary extends DataFlow::SharedFlowStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
summaryStepNodes(pred, succ, "value")
}
}

/** Taint steps induced by summary models of kind `taint`. */
private class TaintStepFromSummary extends TaintTracking::SharedTaintStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
summaryStepNodes(pred, succ, "taint")
}
}
24 changes: 13 additions & 11 deletions javascript/frameworks/ui5/lib/codeql-pack.lock.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,28 @@
---
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.1
codeql/dataflow:
version: 2.0.0
version: 2.0.11
codeql/javascript-all:
version: 2.4.0
version: 2.6.7
codeql/mad:
version: 1.0.16
version: 1.0.27
codeql/regex:
version: 1.0.16
version: 1.0.27
codeql/ssa:
version: 1.0.16
version: 2.0.3
codeql/threat-models:
version: 1.0.16
version: 1.0.27
codeql/tutorial:
version: 1.0.16
version: 1.0.27
codeql/typetracking:
version: 2.0.0
version: 2.0.11
codeql/util:
version: 2.0.3
version: 2.0.14
codeql/xml:
version: 1.0.16
version: 1.0.27
codeql/yaml:
version: 1.0.16
version: 1.0.27
compiled: false
24 changes: 13 additions & 11 deletions javascript/frameworks/ui5/src/codeql-pack.lock.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,28 @@
---
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.1
codeql/dataflow:
version: 2.0.0
version: 2.0.11
codeql/javascript-all:
version: 2.4.0
version: 2.6.7
codeql/mad:
version: 1.0.16
version: 1.0.27
codeql/regex:
version: 1.0.16
version: 1.0.27
codeql/ssa:
version: 1.0.16
version: 2.0.3
codeql/threat-models:
version: 1.0.16
version: 1.0.27
codeql/tutorial:
version: 1.0.16
version: 1.0.27
codeql/typetracking:
version: 2.0.0
version: 2.0.11
codeql/util:
version: 2.0.3
version: 2.0.14
codeql/xml:
version: 1.0.16
version: 1.0.27
codeql/yaml:
version: 1.0.16
version: 1.0.27
compiled: false
30 changes: 16 additions & 14 deletions javascript/frameworks/ui5/test/codeql-pack.lock.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,32 +1,34 @@
---
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.1
codeql/dataflow:
version: 2.0.0
version: 2.0.11
codeql/javascript-all:
version: 2.4.0
version: 2.6.7
codeql/javascript-queries:
version: 1.4.0
version: 2.0.0
codeql/mad:
version: 1.0.16
version: 1.0.27
codeql/regex:
version: 1.0.16
version: 1.0.27
codeql/ssa:
version: 1.0.16
version: 2.0.3
codeql/suite-helpers:
version: 1.0.16
version: 1.0.27
codeql/threat-models:
version: 1.0.16
version: 1.0.27
codeql/tutorial:
version: 1.0.16
version: 1.0.27
codeql/typetracking:
version: 2.0.0
version: 2.0.11
codeql/typos:
version: 1.0.16
version: 1.0.27
codeql/util:
version: 2.0.3
version: 2.0.14
codeql/xml:
version: 1.0.16
version: 1.0.27
codeql/yaml:
version: 1.0.16
version: 1.0.27
compiled: false
5 changes: 4 additions & 1 deletion javascript/frameworks/ui5/test/qlpack.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,10 @@ version: 0.7.0
extractor: javascript
dependencies:
codeql/javascript-all: "^2.4.0"
codeql/javascript-queries: "^1.2.0"
# We use this dependency to run the standard Log Injection query to ensure that
# no overlap occurs with the SAP UI5 queries. We therefore allow any version
# greater than or equal to 1.2.0, as major breaking changes are not a concern.
codeql/javascript-queries: ">1.2.0"
advanced-security/javascript-sap-ui5-queries: "^0.7.0"
advanced-security/javascript-sap-ui5-models: "^0.7.0"
advanced-security/javascript-sap-ui5-all: "^0.7.0"
24 changes: 13 additions & 11 deletions javascript/frameworks/xsjs/lib/codeql-pack.lock.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,26 +1,28 @@
---
lockVersion: 1.0.0
dependencies:
codeql/concepts:
version: 0.0.1
codeql/dataflow:
version: 2.0.0
version: 2.0.11
codeql/javascript-all:
version: 2.4.0
version: 2.6.7
codeql/mad:
version: 1.0.16
version: 1.0.27
codeql/regex:
version: 1.0.16
version: 1.0.27
codeql/ssa:
version: 1.0.16
version: 2.0.3
codeql/threat-models:
version: 1.0.16
version: 1.0.27
codeql/tutorial:
version: 1.0.16
version: 1.0.27
codeql/typetracking:
version: 2.0.0
version: 2.0.11
codeql/util:
version: 2.0.3
version: 2.0.14
codeql/xml:
version: 1.0.16
version: 1.0.27
codeql/yaml:
version: 1.0.16
version: 1.0.27
compiled: false
Loading
Loading