Skip to content

Commit

Permalink
[8.x] [CodeQL] Local run script (#194272) (#197989)
Browse files Browse the repository at this point in the history 
# Backport

This will backport the following commits from `main` to `8.x`:
- [[CodeQL] Local run script
(#194272)](#194272)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Elena
Shostak","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-28T12:40:27Z","message":"[CodeQL]
Local run script (#194272)\n\n## Summary\r\n\r\nThis PR introduces a
script that allows developers to run CodeQL\r\nanalysis locally. It uses
a Docker container with prebuilt CodeQL\r\nqueries to facilitate easy
setup and execution.\r\nThe script has the following key steps:\r\n-
Creating a CodeQL database from the source code. The database
is\r\nessentially a representation of the codebase that CodeQL uses to
analyze\r\nfor potential issues.\r\n- Running the analysis on the
created database,\r\n`javascript-security-and-quality` suit is
used.\r\n\r\n### Usage\r\n```\r\nbash scripts/codeql/quick_check.sh -s
path/to/your-source-dir\r\n```\r\nFor example\r\n```\r\nbash
scripts/codeql/quick_check.sh -s
./x-pack/plugins/security_solution/public/common/components/ml/conditional_links\r\n```\r\n\r\nThe
`-s` option allows you to specify the path to the source
code\r\ndirectory that you wish to analyze.\r\n\r\n### Why custom Docker
file?\r\nChecked the ability to use MSFT image for local
run\r\nhttps://github.com/microsoft/codeql-container. Turned out it has
several\r\nproblems:\r\n1. The published one has an error with
[execute\r\npermissions](https://github.com/microsoft/codeql-container/issues/53).\r\n2.
Container has outdated nodejs version, so it didn't parse our
syntax\r\n(like `??`) and failed.\r\n3. The technique used in the
repository to download the CodeQL binaries\r\nand precompile the queries
is outdated in the sense that GitHub now\r\noffers pre-compiled queries
you can just download. Follow
this\r\n[comment](https://github.com/microsoft/codeql-container/issues/53#issuecomment-1875879512).\r\n\r\nTaking
this into consideration I have created a lightweight docker
image\r\nwithout extraneous dependencies for go/.net/java.\r\n\r\n##
Context and interdependencies issues\r\nThere are issues sometimes when
analyze run returns no results,\r\nparticularly when analyzing a single
folder.\r\nIt might be due to the missing context for the data flow
graph CodeQL\r\ngenerates or context for interdependencies. This is
actually a trade off\r\nof running it locally for a subset of source
directories. We need to\r\nexplicitly state that in the documentation
and advise to expand the\r\nscope of source code directories involved
for local scan.\r\n\r\nDocumentation for triaging issues will be updated
separately.\r\n\r\n__Closes:
https://github.com/elastic/kibana/issues/195740__","sha":"9dd4205639ed16f9086a7c5d70e077b6db21d73b","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","enhancement","release_note:skip","v9.0.0","backport:prev-minor"],"title":"[CodeQL]
Local run
script","number":194272,"url":"https://github.com/elastic/kibana/pull/194272","mergeCommit":{"message":"[CodeQL]
Local run script (#194272)\n\n## Summary\r\n\r\nThis PR introduces a
script that allows developers to run CodeQL\r\nanalysis locally. It uses
a Docker container with prebuilt CodeQL\r\nqueries to facilitate easy
setup and execution.\r\nThe script has the following key steps:\r\n-
Creating a CodeQL database from the source code. The database
is\r\nessentially a representation of the codebase that CodeQL uses to
analyze\r\nfor potential issues.\r\n- Running the analysis on the
created database,\r\n`javascript-security-and-quality` suit is
used.\r\n\r\n### Usage\r\n```\r\nbash scripts/codeql/quick_check.sh -s
path/to/your-source-dir\r\n```\r\nFor example\r\n```\r\nbash
scripts/codeql/quick_check.sh -s
./x-pack/plugins/security_solution/public/common/components/ml/conditional_links\r\n```\r\n\r\nThe
`-s` option allows you to specify the path to the source
code\r\ndirectory that you wish to analyze.\r\n\r\n### Why custom Docker
file?\r\nChecked the ability to use MSFT image for local
run\r\nhttps://github.com/microsoft/codeql-container. Turned out it has
several\r\nproblems:\r\n1. The published one has an error with
[execute\r\npermissions](https://github.com/microsoft/codeql-container/issues/53).\r\n2.
Container has outdated nodejs version, so it didn't parse our
syntax\r\n(like `??`) and failed.\r\n3. The technique used in the
repository to download the CodeQL binaries\r\nand precompile the queries
is outdated in the sense that GitHub now\r\noffers pre-compiled queries
you can just download. Follow
this\r\n[comment](https://github.com/microsoft/codeql-container/issues/53#issuecomment-1875879512).\r\n\r\nTaking
this into consideration I have created a lightweight docker
image\r\nwithout extraneous dependencies for go/.net/java.\r\n\r\n##
Context and interdependencies issues\r\nThere are issues sometimes when
analyze run returns no results,\r\nparticularly when analyzing a single
folder.\r\nIt might be due to the missing context for the data flow
graph CodeQL\r\ngenerates or context for interdependencies. This is
actually a trade off\r\nof running it locally for a subset of source
directories. We need to\r\nexplicitly state that in the documentation
and advise to expand the\r\nscope of source code directories involved
for local scan.\r\n\r\nDocumentation for triaging issues will be updated
separately.\r\n\r\n__Closes:
https://github.com/elastic/kibana/issues/195740__","sha":"9dd4205639ed16f9086a7c5d70e077b6db21d73b"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194272","number":194272,"mergeCommit":{"message":"[CodeQL]
Local run script (#194272)\n\n## Summary\r\n\r\nThis PR introduces a
script that allows developers to run CodeQL\r\nanalysis locally. It uses
a Docker container with prebuilt CodeQL\r\nqueries to facilitate easy
setup and execution.\r\nThe script has the following key steps:\r\n-
Creating a CodeQL database from the source code. The database
is\r\nessentially a representation of the codebase that CodeQL uses to
analyze\r\nfor potential issues.\r\n- Running the analysis on the
created database,\r\n`javascript-security-and-quality` suit is
used.\r\n\r\n### Usage\r\n```\r\nbash scripts/codeql/quick_check.sh -s
path/to/your-source-dir\r\n```\r\nFor example\r\n```\r\nbash
scripts/codeql/quick_check.sh -s
./x-pack/plugins/security_solution/public/common/components/ml/conditional_links\r\n```\r\n\r\nThe
`-s` option allows you to specify the path to the source
code\r\ndirectory that you wish to analyze.\r\n\r\n### Why custom Docker
file?\r\nChecked the ability to use MSFT image for local
run\r\nhttps://github.com/microsoft/codeql-container. Turned out it has
several\r\nproblems:\r\n1. The published one has an error with
[execute\r\npermissions](https://github.com/microsoft/codeql-container/issues/53).\r\n2.
Container has outdated nodejs version, so it didn't parse our
syntax\r\n(like `??`) and failed.\r\n3. The technique used in the
repository to download the CodeQL binaries\r\nand precompile the queries
is outdated in the sense that GitHub now\r\noffers pre-compiled queries
you can just download. Follow
this\r\n[comment](https://github.com/microsoft/codeql-container/issues/53#issuecomment-1875879512).\r\n\r\nTaking
this into consideration I have created a lightweight docker
image\r\nwithout extraneous dependencies for go/.net/java.\r\n\r\n##
Context and interdependencies issues\r\nThere are issues sometimes when
analyze run returns no results,\r\nparticularly when analyzing a single
folder.\r\nIt might be due to the missing context for the data flow
graph CodeQL\r\ngenerates or context for interdependencies. This is
actually a trade off\r\nof running it locally for a subset of source
directories. We need to\r\nexplicitly state that in the documentation
and advise to expand the\r\nscope of source code directories involved
for local scan.\r\n\r\nDocumentation for triaging issues will be updated
separately.\r\n\r\n__Closes:
https://github.com/elastic/kibana/issues/195740__","sha":"9dd4205639ed16f9086a7c5d70e077b6db21d73b"}}]}]
BACKPORT-->

Co-authored-by: Elena Shostak <[email protected]>
  • Loading branch information
@kibanamachine @elena-shostak
kibanamachine and elena-shostak authored Oct 28, 2024
1 parent d05a2e9 commit 9a7dafc
Show file tree
Hide file tree
Showing 3 changed files with 167 additions and 1 deletion.
3 changes: 2 additions & 1 deletion .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,4 +157,5 @@ x-pack/test/security_solution_playwright/playwright-report/
x-pack/test/security_solution_playwright/blob-report/
x-pack/test/security_solution_playwright/playwright/.cache/
x-pack/test/security_solution_playwright/.auth/
x-pack/test/security_solution_playwright/.env
x-pack/test/security_solution_playwright/.env
.codeql
39 changes: 39 additions & 0 deletions scripts/codeql/codeql.dockerfile
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
FROM ubuntu:latest

ENV DEBIAN_FRONTEND=noninteractive

ARG USERNAME=codeql
ARG CODEQL_VERSION="v2.19.0"
ENV CODEQL_HOME /usr/local/codeql-home

RUN apt-get update && \
apt-get install -y --no-install-recommends \
passwd \
adduser \
bash \
curl \
git \
unzip \
nodejs \
jq

RUN adduser --home ${CODEQL_HOME} ${USERNAME}

RUN curl -Lk "https://github.com/github/codeql-action/releases/download/codeql-bundle-${CODEQL_VERSION}/codeql-bundle-linux64.tar.gz" -o codeql.tar.gz \
&& mkdir -p ${CODEQL_HOME} \
&& tar -xvzf codeql.tar.gz -C ${CODEQL_HOME} \
&& rm codeql.tar.gz

RUN chmod +x ${CODEQL_HOME}/codeql/codeql

RUN chown -R ${USERNAME}:${USERNAME} ${CODEQL_HOME}

USER ${USERNAME}

ENV PATH="${CODEQL_HOME}/codeql:${PATH}"

RUN echo $PATH && codeql --version

WORKDIR /workspace

ENTRYPOINT ["/bin/bash", "-c"]
126 changes: 126 additions & 0 deletions scripts/codeql/quick_check.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
#!/bin/bash

LANGUAGE="javascript"
CODEQL_DIR=".codeql"
DATABASE_PATH="$CODEQL_DIR/database"
QUERY_OUTPUT="$DATABASE_PATH/results.sarif"
OUTPUT_FORMAT="sarif-latest"
DOCKER_IMAGE="codeql-env"
BASE_DIR="$(cd "$(dirname "$0")"; pwd)"

# Colors
bold=$(tput bold)
reset=$(tput sgr0)
red=$(tput setaf 1)
green=$(tput setaf 2)
blue=$(tput setaf 4)
yellow=$(tput setaf 3)

while getopts ":s:r:" opt; do
case $opt in
s) SRC_DIR="$OPTARG" ;;
r) CODEQL_DIR="$OPTARG"; DATABASE_PATH="$CODEQL_DIR/database"; QUERY_OUTPUT="$DATABASE_PATH/results.sarif" ;;
\?) echo "Invalid option -$OPTARG" >&2; exit 1 ;;
:) echo "Option -$OPTARG requires an argument." >&2; exit 1 ;;
esac
done

if [ -z "$SRC_DIR" ]; then
echo "Usage: $0 -s <source_dir> [-r <results_dir>]"
exit 1
fi

mkdir -p "$CODEQL_DIR"

# Check the architecture
ARCH=$(uname -m)
PLATFORM_FLAG=""

# CodeQL CLI binary does not support arm64 architecture, setting the platform to linux/amd64
if [[ "$ARCH" == "arm64" ]]; then
PLATFORM_FLAG="--platform linux/amd64"
fi

if [[ "$(docker images -q $DOCKER_IMAGE 2> /dev/null)" == "" ]]; then
echo "Docker image $DOCKER_IMAGE not found. Building locally..."
docker build $PLATFORM_FLAG -t "$DOCKER_IMAGE" -f "$BASE_DIR/codeql.dockerfile" "$BASE_DIR"
if [ $? -ne 0 ]; then
echo "${red}Docker image build failed.${reset}"
exit 1
fi
fi

cleanup_database() {
echo "Deleting contents of $CODEQL_DIR."
rm -rf "$CODEQL_DIR"/*
}

SRC_DIR="$(cd "$(dirname "$SRC_DIR")"; pwd)/$(basename "$SRC_DIR")"
CODEQL_DIR="$(cd "$(dirname "$CODEQL_DIR")"; pwd)/$(basename "$CODEQL_DIR")"
DATABASE_PATH="$(cd "$(dirname "$DATABASE_PATH")"; pwd)/$(basename "$DATABASE_PATH")"

# Step 1: Run the Docker container to create a CodeQL database from the source code.
echo "Creating a CodeQL database from the source code: $SRC_DIR"
docker run $PLATFORM_FLAG --rm -v "$SRC_DIR":/workspace/source-code \
-v "${DATABASE_PATH}":/workspace/shared $DOCKER_IMAGE \
"codeql database create /workspace/shared/codeql-db --language=javascript --source-root=/workspace/source-code --overwrite"

if [ $? -ne 0 ]; then
echo "CodeQL database creation failed."
cleanup_database
exit 1
fi

echo "Analyzing a CodeQL database: $DATABASE_PATH"
# Step 2: Run the Docker container to analyze the CodeQL database.
docker run $PLATFORM_FLAG --rm -v "${DATABASE_PATH}":/workspace/shared $DOCKER_IMAGE \
"codeql database analyze --format=${OUTPUT_FORMAT} --output=/workspace/shared/results.sarif /workspace/shared/codeql-db javascript-security-and-quality.qls"

if [ $? -ne 0 ]; then
echo "CodeQL database analysis failed."
cleanup_database
exit 1
fi

# Step 3: Print summary of SARIF results
echo "Analysis complete. Results saved to $QUERY_OUTPUT"
if command -v jq &> /dev/null; then
vulnerabilities=$(jq -r '.runs[] | select(.results | length > 0)' "$QUERY_OUTPUT")

if [[ -z "$vulnerabilities" ]]; then
echo "${blue}${bold}No vulnerabilities found in the SARIF results.${reset}"
else
echo "${yellow}${bold}Summary of SARIF results:${reset}"
jq -r '
.runs[] |
.results[] as $result |
.tool.driver.rules[] as $rule |
select($rule.id == $result.ruleId) |
"Rule: \($result.ruleId)\nMessage: \($result.message.text)\nFile: \($result.locations[].physicalLocation.artifactLocation.uri)\nLine: \($result.locations[].physicalLocation.region.startLine)\nSecurity Severity: \($rule.properties."security-severity" // "N/A")\n"' "$QUERY_OUTPUT" |
while IFS= read -r line; do
case "$line" in
Rule:*)
echo "${red}${bold}$line${reset}"
;;
Message:*)
echo "${green}$line${reset}"
;;
File:*)
echo "${blue}$line${reset}"
;;
Line:*)
echo "${yellow}$line${reset}"
;;
Security\ Severity:*)
echo "${yellow}$line${reset}"
;;
*)
echo "$line"
;;
esac
done
fi
else
echo "${red}${bold}Please install jq to display a summary of the SARIF results.${reset}"
echo "${bold}You can view the full results in the SARIF file using a SARIF viewer.${reset}"
fi

0 comments on commit 9a7dafc

Please sign in to comment.