Merge branch 'main' into knewbury01/e2-pii-cap

Author: knewbury01

.github/actions/install-codeql/action.yml

@@ -2,9 +2,9 @@ name: "My CodeQL config"
 
 queries:
   - uses: security-extended
-  # for ui5/cap queries
   - uses: ./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls
   - uses: ./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls
+  - uses: ./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls
 
 paths-ignore:
   - "**/frameworks/*/test/models"

.github/actions/install-qlt/action.yml

@@ -22,7 +22,7 @@ jobs:
 
       - name: Install QLT
         id: install-qlt
-        uses: ./.github/actions/install-qlt
+        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
         with:
           qlt-version: 'latest'
           add-to-path: true
@@ -47,7 +47,7 @@ jobs:
 
       - name: Install QLT
         id: install-qlt
-        uses: ./.github/actions/install-qlt
+        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
         with:
           qlt-version: 'latest'
           add-to-path: true
@@ -134,7 +134,7 @@ jobs:
 
       - name: Install QLT
         id: install-qlt
-        uses: ./.github/actions/install-qlt
+        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
         with:
           qlt-version: 'latest'
           add-to-path: true

.github/codeql/codeql-config.yaml

@@ -1,38 +1,5 @@
-# SAP UI5 with CodeQL
-
-CodeQL queries and supporting models for the SAP UI5 JavaScript framework
-
-### Queries
-- [XSS](javascript/frameworks/UI5/src/UI5Xss/UI5Xss.ql)
-- [Log Injection](javascript/frameworks/UI5/src/UI5LogInjection/UI5LogInjection.ql)
-- [Clickjacking](javascript/frameworks/UI5/src/UI5Clickjacking/UI5Clickjacking.ql)
- 
-### Modeled UI5 framework elements
- - UI5 AMD-style components (also via jQuery)
- - MVC elements: 
-    - UI5 Controllers and Data Models (literal/external JSON models)
-    - UI5 [declarative Views](DeclarativeApp.png) (XML/JSON/HTML/JS)
-    - Library/custom UI5 Controls
-    - Project naming conventions (e.g. Control-Renderer)
-  - Source/Sink definition via [ModelAsData extensions](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L61-L97)
-  - Controls inheritance via [ModelAsData extensions](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L42-L59)
-
-### Supported Features with tests
-The following tables list the main supported features with corresponding test cases
-#### Detecting XSS and Log injection vulnerabilities
-|test | library controls | [MaD sources sinks](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L61-L97) | custom controls | UI5View | JS dataflow | HTML APIs | sanitizer | acc.path via handler |
-| - | :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |
-| [xss-html-control](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1033) | ✅︎ | ✅︎ | | XMLView |
-| [xss-custom-control-api1](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1051)| ✅︎ | ✅︎ | ✅︎ | XMLView | | classic |
-| [xss-custom-control-api2](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/250)| ✅︎ | ✅︎ | ✅︎ | XMLView | | DOM |
-| [xss-json-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/247)<br/>[xss-html-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/245)<br/>[xss-js-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/246) | ✅︎ | ✅︎ | | JsonView<br/>HTMLView<br/>JSView |
-| [log-html-control-df](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/275) | ✅︎ | ✅︎ | |XMLView| ✅︎ |
-| [sanitized](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/277)| ✅︎ | ✅︎ | ✅︎ | XMLView | ✅︎ | DOM | ✅︎ |
-| [xss-event-handlers](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/335)| ✅︎ | ✅︎ | ✅︎ | XMLView | | | | ✅︎ |
-
-#### Detecting Clickjacking vulnerabilities
-| test | secure | insecure frameOptions | missing frameOptions |
-| - | :-: | :-: | :-: |
-| [clickjacking-deny-all](javascript/frameworks/UI5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html#L10) | ✅︎ | |
-| [clickjacking-allow-all:l9](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/240)<br/>[clickjacking-allow-all:l28](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/241) | | ✅︎ |
-| [clickjacking-default-all](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/330) | | | ✅︎ |
+# Overview
+[CodeQL](https://codeql.github.com/) models and queries for the SAP frameworks:
+- [CAP](javascript/frameworks/cap) (https://cap.cloud.sap/)
+- [UI5](javascript/frameworks/ui5) (https://sapui5.hana.ondemand.com/)
+- [XSJS](javascript/frameworks/xsjs) (https://www.npmjs.com/package/@sap/async-xsjs)

.github/workflows/javascript.sarif.expected

@@ -3,7 +3,7 @@ library: true
 name: advanced-security/javascript-sap-cap-models
 version: 0.2.0
 extensionTargets:
-  codeql/javascript-all: "^0.9.1"
-  codeql/javascript-queries: "^0.8.16"
+  codeql/javascript-all: "^1.1.0"
+  codeql/javascript-queries: "^1.0.3"
 dataExtensions:
   - "*.model.yml"

.github/workflows/run-codeql-unit-tests-javascript.yml

@@ -22,6 +22,12 @@ class CdsLogger extends MethodCallNode {
   string getName() { result = name }
 }
 
+class ConstantOnlyTemplateLiteral extends TemplateLiteral {
+  ConstantOnlyTemplateLiteral() {
+    forall(Expr e | e = this.getAnElement() | e instanceof TemplateElement)
+  }
+}
+
 /**
  * Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`
  */
@@ -31,7 +37,7 @@ class CdsLogSink extends DataFlow::Node {
       this = loggingMethod.getAnArgument() and
       loggingMethod.getMethodName() = ["trace", "debug", "info", "log", "warn", "error"] and
       not this.asExpr() instanceof Literal and
-      not this.asExpr() instanceof TemplateLiteral and
+      not this.asExpr() instanceof ConstantOnlyTemplateLiteral and
       loggingMethod.getReceiver().getALocalSource() = log
     )
   }

README.md

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.2.7
+    version: 1.0.3
   codeql/javascript-all:
-    version: 0.9.1
+    version: 1.1.0
   codeql/mad:
-    version: 0.2.16
+    version: 1.0.3
   codeql/regex:
-    version: 0.2.16
+    version: 1.0.3
   codeql/ssa:
-    version: 0.2.16
+    version: 1.0.3
   codeql/tutorial:
-    version: 0.2.16
+    version: 1.0.3
   codeql/typetracking:
-    version: 0.2.16
+    version: 1.0.3
   codeql/util:
-    version: 0.2.16
+    version: 1.0.3
   codeql/xml:
-    version: 0.0.3
+    version: 1.0.3
   codeql/yaml:
-    version: 0.2.16
+    version: 1.0.3
 compiled: false

javascript/frameworks/cap/ext/qlpack.yml

@@ -5,5 +5,5 @@ version: 0.2.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-all: "^1.1.0"
   advanced-security/javascript-sap-cap-models: "^0.2.0"