Deals with external .cds files (#150)

- Update CodeQL version to v2.19.0
- Standardize query ids
- Include `.cds` files in the DB
- Implement `CdlObject` location in the `.cds` file
- Modified `EntityExposedWithoutAuthn` error message to include the name of the exposed element
- Modified `SensitiveExposure` error message to include the name of the exposed element

Author: mbaluda

.github/workflows/code_scanning.yml

@@ -12,7 +12,7 @@ on:
 
 env:
   LGTM_INDEX_XML_MODE: all
-  LGTM_INDEX_FILETYPES: ".json:JSON"
+  LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
 
 jobs:
   analyze-javascript:
@@ -52,7 +52,8 @@ jobs:
           echo "I am compiling $cds_file"
           cds compile $cds_file \
             -2 json \
-            -o "$cds_file.json"
+            -o "$cds_file.json" \
+            --locations
         done
 
     - name: Extract CodeQL bundle version from qlt.conf.json
@@ -66,7 +67,7 @@ jobs:
         config-file: ./.github/codeql/codeql-config.yaml
         tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
         debug: true
-
+    
     - name: Perform CodeQL Analysis
       id: analyze
       uses: github/codeql-action/analyze@v3

.github/workflows/javascript.sarif.expected

@@ -92,7 +92,8 @@ jobs:
             echo "I am compiling $cds_file"
             cds compile $cds_file \
               -2 json \
-              -o "$cds_file.json"
+              -o "$cds_file.json" \
+              --locations
           done
 
       - name: Run test suites

.github/workflows/run-codeql-unit-tests-javascript.yml

@@ -3,5 +3,4 @@ library: true
 name: advanced-security/javascript-sap-cap-models
 version: 0.3.0
 extensionTargets:
-  codeql/javascript-all: "^1.1.1"
-  codeql/javascript-queries: "^1.1.0"
+  codeql/javascript-all: "^2.0.0"

javascript/frameworks/cap/ext/qlpack.yml

@@ -5,6 +5,24 @@
 import javascript
 import advanced_security.javascript.frameworks.cap.CDS
 
+abstract class CdlObject extends JsonObject {
+  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    exists(Location loc, JsonValue locValue |
+      loc = this.getLocation() and
+      locValue = this.getPropValue("$location") and
+      path =
+        any(File f |
+          f.getAbsolutePath()
+              .matches("%" + locValue.getPropValue("file").getStringValue() + ".json")
+        ).getAbsolutePath().regexpReplaceAll("\\.json$", "") and
+      sl = locValue.getPropValue("line").getIntValue() and
+      sc = locValue.getPropValue("col").getIntValue() and
+      el = sl + 1 and
+      ec = 1
+    )
+  }
+}
+
 private newtype CdlKind =
   CdlServiceKind(string value) { value = "service" } or
   CdlEntityKind(string value) { value = "entity" } or
@@ -15,15 +33,15 @@ private newtype CdlKind =
 /**
  * Any CDL element, including entities, event, actions, and more.
  */
-class CdlDefinition extends JsonObject {
+class CdlDefinition extends CdlObject {
   CdlDefinition() { exists(JsonObject root | this = root.getPropValue("definitions")) }
 
   JsonObject getElement(string elementName) { result = this.getPropValue(elementName) }
 
   JsonObject getAnElement() { result = this.getElement(_) }
 }
 
-abstract class CdlElement extends JsonObject {
+abstract class CdlElement extends CdlObject {
   CdlKind kind;
   string name;
 
@@ -190,7 +208,7 @@ class CdlFunction extends CdlElement {
   }
 }
 
-class CdlAttribute extends JsonObject {
+class CdlAttribute extends CdlObject {
   string name;
 
   CdlAttribute() {
@@ -207,7 +225,7 @@ class CdlAttribute extends JsonObject {
 /**
  * a `CdlEntity` that is declared in a namespace
  */
-class NamespacedEntity extends JsonObject instanceof CdlEntity {
+class NamespacedEntity extends CdlObject instanceof CdlEntity {
   string namespace;
 
   NamespacedEntity() { this.getParent+().getPropValue("namespace").getStringValue() = namespace }
@@ -218,7 +236,7 @@ class NamespacedEntity extends JsonObject instanceof CdlEntity {
 /**
  * any `JsonValue` that has a `PersonalData` like annotation above it
  */
-abstract class SensitiveAnnotatedElement extends JsonValue {
+abstract class SensitiveAnnotatedElement extends CdlObject {
   abstract string getName();
 }
 
@@ -295,7 +313,7 @@ class RestrictAnnotation extends CdlAnnotation, JsonArray {
   RestrictCondition getARestrictCondition() { result = this.getElementValue(_) }
 }
 
-class RestrictCondition extends JsonObject {
+class RestrictCondition extends CdlObject {
   RestrictCondition() { exists(RestrictAnnotation restrict | this = restrict.getElementValue(_)) }
 
   predicate grants(string eventName) {

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDL.qll

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.0.4
+    version: 1.1.2
   codeql/javascript-all:
-    version: 1.1.1
+    version: 2.0.0
   codeql/mad:
-    version: 1.0.4
+    version: 1.0.8
   codeql/regex:
-    version: 1.0.4
+    version: 1.0.8
   codeql/ssa:
-    version: 1.0.4
+    version: 1.0.8
   codeql/tutorial:
-    version: 1.0.4
+    version: 1.0.8
   codeql/typetracking:
-    version: 1.0.4
+    version: 1.0.8
   codeql/util:
-    version: 1.0.4
+    version: 1.0.8
   codeql/xml:
-    version: 1.0.4
+    version: 1.0.8
   codeql/yaml:
-    version: 1.0.4
+    version: 1.0.8
 compiled: false

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -5,5 +5,5 @@ version: 0.3.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^1.1.1"
+  codeql/javascript-all: "^2.0.0"
   advanced-security/javascript-sap-cap-models: "^0.3.0"

javascript/frameworks/cap/lib/qlpack.yml

@@ -5,7 +5,7 @@
  * @problem.severity error
  * @security-severity 6
  * @precision high
- * @id js/default-user-is-privileged
+ * @id js/cap-default-user-is-privileged
  * @tags security
  */
 

javascript/frameworks/cap/src/bad-authn-authz/DefaultUserIsPrivileged/DefaultUserIsPrivileged.ql

@@ -6,27 +6,26 @@
  * @problem.severity warning
  * @security-severity 6
  * @precision high
- * @id js/entity-exposed-without-authentication
+ * @id js/cap-entity-exposed-without-authentication
  * @tags security
  */
 
 import advanced_security.javascript.frameworks.cap.CAPNoAuthzQuery
 
-/*
- * TODO: Revamp this predicate after we start to natively support CDS.
- * string getClickableText(CdlElement cdlElement) {
- *  cdlElement instanceof CdlService and result = "CDS service"
- *  or
- *  cdlElement instanceof CdlEntity and result = "CDS entity"
- *  or
- *  cdlElement instanceof CdlAction and result = "CDS action"
- *  or
- *  cdlElement instanceof CdlFunction and result = "CDS function"
- * }
- */
+string getClickableText(CdlElement cdlElement) {
+  cdlElement instanceof CdlService and result = "CDS service"
+  or
+  cdlElement instanceof CdlEntity and result = "CDS entity"
+  or
+  cdlElement instanceof CdlAction and result = "CDS action"
+  or
+  cdlElement instanceof CdlFunction and result = "CDS function"
+}
 
 from CdlElement cdlElement
 where
   cdlElement instanceof CdlElementWithoutJsAuthn and
   cdlElement instanceof CdlElementWithoutCdsAuthn
-select cdlElement, "This CDS definition is exposed without any authentication."
+select cdlElement,
+  "The " + getClickableText(cdlElement) + " `" + cdlElement.getName() +
+    "` is exposed without any authentication."

javascript/frameworks/cap/src/bad-authn-authz/EntityExposedWithoutAuthn/EntityExposedWithoutAuthn.ql

@@ -5,7 +5,7 @@
  * @problem.severity error
  * @security-severity 6
  * @precision high
- * @id js/unnecessarily-granted-privileged-access-rights
+ * @id js/cap-unnecessarily-granted-privileged-access-rights
  * @tags security
  */