advanced-security · jeongsoolee09 · Feb 19, 2025 · Feb 12, 2025 · Feb 12, 2025 · Feb 12, 2025
diff --git a/.github/workflows/run-codeql-unit-tests-javascript.yml b/.github/workflows/run-codeql-unit-tests-javascript.yml
@@ -81,7 +81,8 @@ jobs:
         run: |
           if ! command -v cds &> /dev/null
           then
-            npm install -g @sap/cds-dk
+            ## Workaround for https://github.tools.sap/cap/issues/issues/17840
+            npm install -g @sap/[email protected]
           fi
 
       # Compile .cds files to .cds.json files.
@@ -97,8 +98,8 @@ jobs:
               echo "I am compiling $cds_file"
               cds compile $cds_file \
                 -2 json \
-                -o "$cds_file.json" \
-                --locations
+                --locations \
+                > "$cds_file.json" 2> "$cds_file.err"
             done
             popd
           done

diff --git a/extractors/cds/tools/index-files.sh b/extractors/cds/tools/index-files.sh
@@ -36,7 +36,7 @@ then
     # directory.
     #
     # We also ensure we skip node_modules, as we can end up in a recursive loop
-    find . -type d -name node_modules -prune -false -o -type f \( -iname 'package.json' \) -exec grep -ql '@sap/cds' {} \; -execdir bash -c "grep -q \"^\$(pwd)\(/\|$\)\" \"$response_file\"" \; -execdir bash -c "echo \"Installing @sap/cds-dk into \$(pwd) to enable CDS compilation.\"" \; -execdir npm install --silent @sap/cds-dk \; -execdir npm install --silent \;
+    find . -type d -name node_modules -prune -false -o -type f \( -iname 'package.json' \) -exec grep -ql '@sap/cds' {} \; -execdir bash -c "grep -q \"^\$(pwd)\(/\|$\)\" \"$response_file\"" \; -execdir bash -c "echo \"Installing @sap/cds-dk into \$(pwd) to enable CDS compilation.\"" \; -execdir npm install --silent @sap/cds-dk@8.6.1 \; -execdir npm install --silent \;
 
     # Use the npx command to dynamically install the cds development kit (@sap/cds-dk) package if necessary,
     # which then provides the cds command line tool in directories which are not covered by the package.json
@@ -52,7 +52,7 @@ echo "Processing CDS files to JSON"
 # the same name
 while IFS= read -r cds_file; do
     echo "Processing CDS file $cds_file to:"
-    if ! $cds_command compile "$cds_file" -2 json -o "$cds_file.json" --locations 2> "$cds_file.err"; then
+    if ! $cds_command compile "$cds_file" -2 json --locations > "$cds_file.json" 2> "$cds_file.err"; then
         stderr_truncated=`grep "^\[ERROR\]" "$cds_file.err" | tail -n 4`
         error_message=$'Could not compile the file '"$cds_file"$'.\nReported error(s):\n```\n'"$stderr_truncated"$'\n```'
         echo "$error_message"

diff --git a/javascript/frameworks/cap/ext/qlpack.yml b/javascript/frameworks/cap/ext/qlpack.yml
@@ -1,6 +1,6 @@
 ---
 library: true
 name: advanced-security/javascript-sap-cap-models
-version: 0.3.0
+version: 0.4.0
 extensionTargets:
-  codeql/javascript-all: "^2.0.0"
+  codeql/javascript-all: "^2.4.0"
diff --git a/javascript/frameworks/cap/lib/codeql-pack.lock.yml b/javascript/frameworks/cap/lib/codeql-pack.lock.yml
@@ -2,23 +2,25 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.1.2
-  codeql/javascript-all:
     version: 2.0.0
+  codeql/javascript-all:
+    version: 2.4.0
   codeql/mad:
-    version: 1.0.8
+    version: 1.0.16
   codeql/regex:
-    version: 1.0.8
+    version: 1.0.16
   codeql/ssa:
-    version: 1.0.8
+    version: 1.0.16
+  codeql/threat-models:
+    version: 1.0.16
   codeql/tutorial:
-    version: 1.0.8
+    version: 1.0.16
   codeql/typetracking:
-    version: 1.0.8
+    version: 2.0.0
   codeql/util:
-    version: 1.0.8
+    version: 2.0.3
   codeql/xml:
-    version: 1.0.8
+    version: 1.0.16
   codeql/yaml:
-    version: 1.0.8
+    version: 1.0.16
 compiled: false
diff --git a/javascript/frameworks/cap/lib/qlpack.yml b/javascript/frameworks/cap/lib/qlpack.yml
@@ -1,9 +1,9 @@
 ---
 library: true
 name: advanced-security/javascript-sap-cap-all
-version: 0.3.0
+version: 0.4.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.0.0"
-  advanced-security/javascript-sap-cap-models: "^0.3.0"
+  codeql/javascript-all: "^2.4.0"
+  advanced-security/javascript-sap-cap-models: "^0.4.0"
diff --git a/javascript/frameworks/cap/src/codeql-pack.lock.yml b/javascript/frameworks/cap/src/codeql-pack.lock.yml
@@ -2,23 +2,25 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.1.2
-  codeql/javascript-all:
     version: 2.0.0
+  codeql/javascript-all:
+    version: 2.4.0
   codeql/mad:
-    version: 1.0.8
+    version: 1.0.16
   codeql/regex:
-    version: 1.0.8
+    version: 1.0.16
   codeql/ssa:
-    version: 1.0.8
+    version: 1.0.16
+  codeql/threat-models:
+    version: 1.0.16
   codeql/tutorial:
-    version: 1.0.8
+    version: 1.0.16
   codeql/typetracking:
-    version: 1.0.8
+    version: 2.0.0
   codeql/util:
-    version: 1.0.8
+    version: 2.0.3
   codeql/xml:
-    version: 1.0.8
+    version: 1.0.16
   codeql/yaml:
-    version: 1.0.8
+    version: 1.0.16
 compiled: false
diff --git a/javascript/frameworks/cap/src/qlpack.yml b/javascript/frameworks/cap/src/qlpack.yml
@@ -1,11 +1,11 @@
 ---
 library: false
 name: advanced-security/javascript-sap-cap-queries
-version: 0.3.0
+version: 0.4.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.0.0"
-  advanced-security/javascript-sap-cap-models: "^0.3.0"
-  advanced-security/javascript-sap-cap-all: "^0.3.0"
+  codeql/javascript-all: "^2.4.0"
+  advanced-security/javascript-sap-cap-models: "^0.4.0"
+  advanced-security/javascript-sap-cap-all: "^0.4.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls
diff --git a/javascript/frameworks/cap/test/codeql-pack.lock.yml b/javascript/frameworks/cap/test/codeql-pack.lock.yml
@@ -2,23 +2,25 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 1.1.2
-  codeql/javascript-all:
     version: 2.0.0
+  codeql/javascript-all:
+    version: 2.4.0
   codeql/mad:
-    version: 1.0.8
+    version: 1.0.16
   codeql/regex:
-    version: 1.0.8
+    version: 1.0.16
   codeql/ssa:
-    version: 1.0.8
+    version: 1.0.16
+  codeql/threat-models:
+    version: 1.0.16
   codeql/tutorial:
-    version: 1.0.8
+    version: 1.0.16
   codeql/typetracking:
-    version: 1.0.8
+    version: 2.0.0
   codeql/util:
-    version: 1.0.8
+    version: 2.0.3
   codeql/xml:
-    version: 1.0.8
+    version: 1.0.16
   codeql/yaml:
-    version: 1.0.8
+    version: 1.0.16
 compiled: false
diff --git a/javascript/frameworks/cap/test/qlpack.yml b/javascript/frameworks/cap/test/qlpack.yml
@@ -1,9 +1,9 @@
 ---
 name: advanced-security/javascript-sap-cap-queries-tests
-version: 0.3.0
+version: 0.4.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.0.0"
-  advanced-security/javascript-sap-cap-queries: "^0.3.0"
-  advanced-security/javascript-sap-cap-models: "^0.3.0"
-  advanced-security/javascript-sap-cap-all: "^0.3.0"
+  codeql/javascript-all: "^2.4.0"
+  advanced-security/javascript-sap-cap-queries: "^0.4.0"
+  advanced-security/javascript-sap-cap-models: "^0.4.0"
+  advanced-security/javascript-sap-cap-all: "^0.4.0"
diff --git a/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected
@@ -1,3 +1,7 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (CqlInjection.ql:14,8-27)
+WARNING: type 'Configuration' has been deprecated and may be removed in future (CqlInjection.ql:19,33-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,29-47)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,56-74)
 nodes
 | cqlinjection.js:7:34:7:36 | req |
 | cqlinjection.js:7:34:7:36 | req |

diff --git a/...on/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected b/...on/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 edges
 #select
diff --git a/...t/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected b/...t/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 edges
 #select
diff --git a/...-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected b/...-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 edges
 #select
diff --git a/...-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected b/...-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 | srv/service2.js:6:29:6:31 | msg |
 | srv/service2.js:6:29:6:31 | msg |

diff --git a/...-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected b/...-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 | srv/service1.js:6:33:6:35 | req |
 | srv/service1.js:6:33:6:35 | req |

diff --git a/...njection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected b/...njection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 | srv/service1.js:6:33:6:35 | req |
 | srv/service1.js:6:33:6:35 | req |

diff --git a/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected b/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected
@@ -1,8 +1,12 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (SensitiveExposure.ql:17,8-27)
+WARNING: type 'Configuration' has been deprecated and may be removed in future (SensitiveExposure.ql:50,42-70)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:60,41-59)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:60,68-86)
 nodes
 | sensitive-exposure.js:9:32:9:42 | Sample.name |
 | sensitive-exposure.js:9:32:9:42 | Sample.name |
 | sensitive-exposure.js:9:32:9:42 | Sample.name |
 edges
 | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name |
 #select
-| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds:4:5:4:8 | {\\n      ...       } | name |
+| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds:4:5:4:8 | {\\n      ...       } | name |
diff --git a/javascript/frameworks/ui5/ext/qlpack.yml b/javascript/frameworks/ui5/ext/qlpack.yml
@@ -1,8 +1,8 @@
 ---
 library: true
 name: advanced-security/javascript-sap-ui5-models
-version: 0.6.0
+version: 0.7.0
 extensionTargets:
-  codeql/javascript-all: "^2.0.0"
+  codeql/javascript-all: "^2.4.0"
 dataExtensions:
   - "*.model.yml"
diff --git a/...ript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll b/...ript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
@@ -83,8 +83,8 @@ class ODataServiceModel extends UI5ExternalModel {
     this instanceof NewNode and
     (
       exists(RequiredObject oDataModel |
-        oDataModel.flowsTo(this.getCalleeNode()) and
-        oDataModel.getDependencyType() = "sap/ui/model/odata/v2/ODataModel"
+        oDataModel.asSourceNode().flowsTo(this.getCalleeNode()) and
+        oDataModel.getDependency() = "sap/ui/model/odata/v2/ODataModel"
       )
       or
       this.getCalleeName() = "ODataModel"