Skip to content

CodeQL models for SAP JavaScript frameworks CAP, UI5 and XSJS

License

Notifications You must be signed in to change notification settings

advanced-security/codeql-sap-js

Repository files navigation

CodeQL: SAP JavaScript frameworks

This repository contains CodeQL models and queries for SAP JavaScript frameworks:

Published CodeQl packs

Usage

Analyzing a repository with Code Scanning

Example workflow file:

jobs:
  analyze-javascript:
    name: Analyze
    runs-on: 'ubuntu-latest'
    permissions:
      security-events: write

    - name: Compile CDS files
      run: |
        npm install -g @sap/cds-dk
        for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
          do
            cds compile $cds_file \
              -2 json \
              -o "$cds_file.json" \
              --locations
          done
      
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: javascript
        config-file: .github/codeql/codeql-config.yaml

    - name: Perform CodeQL Analysis
      id: analyze
      uses: github/codeql-action/analyze@v3
      env:
        LGTM_INDEX_XML_MODE: all
        LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"

Example configuration file:

name: "My CodeQL config"

packs:
  # Use these packs for JavaScript and TypeScript analysis
  javascript:
    - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-xsjs-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-cap-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-ui5-queries:codeql-suites/javascript-security-extended.qls

paths-ignore:
  - "**/node_modules"

Building and analyzing the CodeQL database with the CodeQL CLI

  1. Include and index XML, JSON and CDS files by setting the necessary environment variables:
export LGTM_INDEX_XML_MODE='ALL'
export LGTM_INDEX_FILETYPES=$'.json:JSON\n.cds:JSON'
  1. Compile all the CDS files using the SAP cds toolkit
npm install -g @sap/cds-dk
for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
  do
    cds compile $cds_file \
      -2 json \
      -o "$cds_file.json" \
      --locations
  done
  1. Build the database as usual
codeql database create <DB_NAME> --language=javascript
  1. Analyze the database using one or more packs
codeql database analyze <DB_NAME> --format=sarif-latest --output=<OUTPUT_FILE> \
  --download advanced-security/javascript-sap-cap-queries \
             advanced-security/javascript-sap-ui5-queries \
             advanced-security/javascript-sap-xsjs-queries

License

This project is licensed under the terms of the MIT open source license. Please refer to MIT for the full terms.

Maintainers

See CODEOWNERS

Support

See SUPPORT