WIP fixes for CDS extractor rewrite

data-douser · data-douser · commit aed1fc6e22f0 · 2025-01-29T16:17:44.000-07:00
First attempt at fixing `Indirect uncontrolled command line` code
scanning alerts for the `index-fils.js` script.

Improves error handling and improves the reliability and security of
code that creates child (exec/spawn) processes.

Attempts to improve the passing of env vars to child processes,
especially for the `LGTM_INDEX_FILTERS` env var.

WIP because CDS extractor invocation is still failing to identify
.cds.json files. Possible problem in the way env vars are passed
within the javascript extractor autobuilder shell script (to the JVM
launched by the javascript extractor autobuilder).
diff --git a/extractors/cds/tools/autobuild.cmd b/extractors/cds/tools/autobuild.cmd
@@ -1,6 +1,6 @@
 @echo off
 
-type NUL && "%CODEQL_DIST%\codeql" database index-files ^
+type NUL && "%CODEQL_DIST%\codeql.exe" database index-files ^
     --include-extension=.cds ^
     --language cds ^
     --prune **\node_modules\**\* ^
@@ -9,4 +9,4 @@ type NUL && "%CODEQL_DIST%\codeql" database index-files ^
     -- ^
     "%CODEQL_EXTRACTOR_CDS_WIP_DATABASE%"
 
-exit /b %ERRORLEVEL%
+exit /b %ERRORLEVEL%
diff --git a/extractors/cds/tools/autobuild.sh b/extractors/cds/tools/autobuild.sh
@@ -15,4 +15,4 @@ exec "${CODEQL_DIST}/codeql" database index-files \
     --prune **/.eslint/**/* \
     --total-size-limit=10m \
     -- \
-    "$CODEQL_EXTRACTOR_CDS_WIP_DATABASE"
+    "$CODEQL_EXTRACTOR_CDS_WIP_DATABASE"
diff --git a/extractors/cds/tools/index-files.js b/extractors/cds/tools/index-files.js
@@ -1,7 +1,8 @@
-const { execSync, spawnSync } = require('child_process');
+const { execFileSync, execSync, spawnSync } = require('child_process');
 const { existsSync, readFileSync, statSync } = require('fs');
 const { arch, platform } = require('os');
 const { dirname, join, resolve } = require('path');
+const { quote } = require('shell-quote');
 
 console.log('Indexing CDS files');
 
@@ -11,32 +12,55 @@ const osPlatform = platform();
 const osPlatformArch = arch();
 console.log(`Detected OS platform=${osPlatform} : arch=${osPlatformArch}`);
 const autobuildScriptName = osPlatform === 'win32' ? 'autobuild.cmd' : 'autobuild.sh';
+const autobuildScriptPath = join(
+    process.env.CODEQL_EXTRACTOR_JAVASCRIPT_ROOT, 'tools', autobuildScriptName
+);
 const codeqlExe = osPlatform === 'win32' ? 'codeql.exe' : 'codeql';
-const codeqlExePath = join(process.env.CODEQL_DIST, codeqlExe);
-const npmInstallCmdWithArgs = 'npm install --quiet --no-audit --no-fund --no-package-lock';
+const codeqlExePath = join(quote([process.env.CODEQL_DIST]), codeqlExe);
 
-// If the response file does not exist, terminate.
+/**
+ * Terminate early if:
+ *   - the javascript extractor autobuild script does not exist; or
+ *   - the codeql executable does not exist; or
+ *   - the input responseFile does not exist; or
+ *   - the input responseFile is empty or could not be parsed as a list of file paths.
+ */
+if (!existsSync(autobuildScriptPath)) {
+    console.warn(`'${codeqlExe} database index-files --language cds' terminated early as autobuild script '${autobuildScriptPath}' does not exist.`);
+    process.exit(0);
+}
+if (!existsSync(codeqlExePath)) {
+    console.warn(`'${codeqlExe} database index-files --language cds' terminated early as codeql executable '${codeqlExePath}' does not exist.`);
+    process.exit(0);
+}
 if (!existsSync(responseFile)) {
-    console.log(`'codeql database index-files --language cds' terminated early as response file '${responseFile}' does not exist. This is because no CDS files were selected or found.`);
+    console.warn(`'${codeqlExe} database index-files --language cds' terminated early as response file '${responseFile}' does not exist. This is because no CDS files were selected or found.`);
     process.exit(0);
 }
 
-// Read the response file and split it into lines, removing (filter(Boolean)) empty lines.
-const responseFiles = readFileSync(responseFile, 'utf-8').split('\n').filter(Boolean);
-// If the response file is empty, terminate.
-if (statSync(responseFile).size === 0 || !responseFiles) {
-    console.log(`'codeql database index-files --language cds' terminated early as response file '${responseFile}' is empty. This is because no CDS files were selected or found.`);
+let responseFiles = [];
+try {
+    // Read the response file and split it into lines, removing (filter(Boolean)) empty lines.
+    responseFiles = readFileSync(responseFile, 'utf-8').split('\n').filter(Boolean);
+    if (statSync(responseFile).size === 0 || responseFiles.length === 0) {
+        console.warn(`'${codeqlExe} database index-files --language cds' terminated early as response file '${responseFile}' is empty. This is because no CDS files were selected or found.`);
+        process.exit(0);
+    }
+} catch (err) {
+    console.warn(`'${codeqlExe} database index-files --language cds' terminated early as response file '${responseFile}' could not be read due to an error: ${err}`);
     process.exit(0);
 }
 
 // Determine if we have the cds commands available. If not, install the cds develpment kit
 // (cds-dk) in the appropriate directories and use npx to run the cds command from there.
 let cdsCommand = 'cds';
 try {
-    execSync('cds --version', { stdio: 'ignore' });
+    execFileSync('cds', ['--version'], { stdio: 'ignore' });
 } catch {
     console.log('Pre-installing cds compiler');
 
+    // Use a JS `Set` to avoid duplicate processing of the same directory.
+    const packageJsonDirs = new Set();
     /**
      * Find all the directories containing a package.json with a dependency on `@sap/cds`,
      * where the directory contains at least one of the files listed in the response file
@@ -52,22 +76,51 @@ try {
      *
      * We also ensure we skip node_modules, as we can end up in a recursive loop.
      */
-    const packageJsonDirs = new Set();
     responseFiles.forEach(file => {
-        let dir = dirname(file);
+        let dir = dirname(quote([file]));
         while (dir !== resolve(dir, '..')) {
-            if (existsSync(join(dir, 'package.json')) && readFileSync(join(dir, 'package.json'), 'utf-8').includes('@sap/cds')) {
-                packageJsonDirs.add(dir);
-                break;
+            const packageJsonPath = join(dir, 'package.json');
+            if (existsSync(packageJsonPath)) {
+                const rawData = readFileSync(packageJsonPath, 'utf-8');
+                const packageJsonData = JSON.parse(rawData);
+                // Check if the 'name' and 'dependencies' properties are present in the
+                // package.json file at packageJsonPath.
+                if (
+                    packageJsonData.name &&
+                    packageJsonData.dependencies &&
+                    typeof packageJsonData.dependencies === 'object'
+                ) {
+                    const dependencyNames = Object.keys(packageJsonData.dependencies);
+                    if (
+                        dependencyNames.includes('@sap/cds')
+                        &&
+                        dependencyNames.includes('@sap/cds-dk')
+                    ) {
+                        packageJsonDirs.add(dir);
+                        break;
+                    }
+                }
             }
+            // Move up one directory level and try again to find a package.json file
+            // for the response file.
             dir = resolve(dir, '..');
         }
     });
 
-    packageJsonDirs.forEach(dir => {
-        console.log(`Installing @sap/cds-dk into ${dir} to enable CDS compilation.`);
-        execSync(`${npmInstallCmdWithArgs} @sap/cds-dk`, { cwd: dir });
-        execSync(npmInstallCmdWithArgs, { cwd: dir });
+    // TODO : revise this check as the equality is probably not guaranteed.
+    if (responseFiles.length !== packageJsonDirs.length) {
+        console.warn(
+            `WARN: mismatch between number of response files (${responseFiles.length}) and package.json directories (${packageJsonDirs.length})`
+        );
+    }
+
+    packageJsonDirs.forEach((dir) => {
+        console.log(`Installing node packages into ${dir} to enable CDS compilation.`);
+        execFileSync(
+            'npm',
+            ['install', '--quiet', '--no-audit', '--no-fund'],
+            { cwd: dir, stdio: 'inherit' }
+        );
     });
 
     /**
@@ -84,22 +137,46 @@ console.log('Processing CDS files to JSON');
  * Run the cds compile command on each file in the response files list, outputting the
  * compiled JSON to a file with the same name but with a .json extension appended.
  */
-responseFiles.forEach(cdsFile => {
-    const cdsJsonFile = `${cdsFile}.json`;
-    console.log(`Processing CDS file ${cdsFile} to: ${cdsJsonFile}`);
-    const result = spawnSync(cdsCommand, ['compile', cdsFile, '-2', 'json', '-o', cdsJsonFile, '--locations'], { shell: true });
+responseFiles.forEach(rawCdsFilePath => {
+    const cdsFilePath = quote([rawCdsFilePath]);
+    const cdsJsonFilePath = `${cdsFilePath}.json`;
+    console.log(`Processing CDS file ${cdsFilePath} to: ${cdsJsonFilePath}`);
+    const result = spawnSync(
+        cdsCommand,
+        ['compile', cdsFilePath, '-2', 'json', '-o', cdsJsonFilePath, '--locations'],
+        { shell: true }
+    );
     if (result.error || result.status !== 0) {
-        const stderrTruncated = result.stderr.toString().split('\n').filter(line => line.startsWith('[ERROR]')).slice(-4).join('\n');
-        const errorMessage = `Could not compile the file ${cdsFile}.\nReported error(s):\n\`\`\`\n${stderrTruncated}\n\`\`\``;
+        const stderrTruncated = quote(
+            result.stderr.toString().split('\n').filter(line => line.startsWith('[ERROR]')).slice(-4).join('\n'));
+        const errorMessage = `Could not compile the file ${cdsFilePath}.\nReported error(s):\n\`\`\`\n${stderrTruncated}\n\`\`\``;
         console.log(errorMessage);
-        execSync(`${codeqlExePath} database add-diagnostic --extractor-name cds --ready-for-status-page --source-id=cds/compilation-failure --source-name="Failure to compile one or more SAP CAP CDS files" --severity=error --markdown-message="${errorMessage}" --file-path="${cdsFile}" -- "${process.env.CODEQL_EXTRACTOR_CDS_WIP_DATABASE}"`);
+        execFileSync(
+            codeqlExePath,
+            [
+                'database',
+                'add-diagnostic',
+                '--extractor-name=cds',
+                '--ready-for-status-page',
+                '--source-id=cds/compilation-failure',
+                '--source-name="Failure to compile one or more SAP CAP CDS files"',
+                '--severity=error',
+                `--markdown-message="${errorMessage}"`,
+                `--file-path="${cdsFilePath}"`,
+                '--',
+                `${process.env.CODEQL_EXTRACTOR_CDS_WIP_DATABASE}`
+            ],
+        );
     }
 });
 
 // Check if the (JavaScript) JS extractor variables are set, and set them if not.
 if (!process.env.CODEQL_EXTRACTOR_JAVASCRIPT_ROOT) {
     // Find the JS extractor location.
-    process.env.CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = execSync(`${codeqlExePath} resolve extractor --language=javascript`).toString().trim();
+    process.env.CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = execFileSync(
+        codeqlExePath,
+        ['resolve', 'extractor', '--language=javascript']
+    ).toString().trim();
     // Set the JAVASCRIPT extractor environment variables to the same as the CDS
     // extractor environment variables so that the JS extractor will write to the
     // CDS database.
@@ -134,25 +211,39 @@ if (process.env.LGTM_INDEX_FILTERS) {
         .filter(line =>
             line.startsWith('exclude')
             &&
-            !allowedExcludePatterns.includes(line)
+            !allowedExcludePatterns.some(pattern => line.includes(pattern))
         ).join('\n');
 }
 
 // Enable extraction of the .cds.json files only.
-const lgtmIndexFiltersPatterns = join(
-    'exclude:**', '*.*\ninclude:**', '*.cds.json\ninclude:**', '*.cds\nexclude:**', 'node_modules', '**', '*.*'
-);
-process.env.LGTM_INDEX_FILTERS = `${lgtmIndexFiltersPatterns}${excludeFilters}`;
-console.log(`Setting $LGTM_INDEX_FILTERS to:\n${process.env.LGTM_INDEX_FILTERS}`);
+const lgtmIndexFiltersPatterns = [
+    join('exclude:**', '*.*'),
+    join('include:**', '*.cds.json'),
+    join('include:**', '*.cds'),
+    join('exclude:**', 'node_modules', '**', '*.*')
+].join('\n');;
+process.env.LGTM_INDEX_FILTERS = lgtmIndexFiltersPatterns + excludeFilters;
+console.log(`Set $LGTM_INDEX_FILTERS to:\n${process.env.LGTM_INDEX_FILTERS}`);
 process.env.LGTM_INDEX_TYPESCRIPT = 'NONE';
 // Configure to copy over the .cds files as well, by pretending they are JSON.
 process.env.LGTM_INDEX_FILETYPES = '.cds:JSON';
 // Ignore the LGTM_INDEX_INCLUDE variable for this purpose as it may explicitly
 // refer to .js or .ts files.
 delete process.env.LGTM_INDEX_INCLUDE;
 
-console.log('Extracting the cds.json files');
+console.log('Extracting the .cds.json files');
 
-// Invoke the JS autobuilder to index the .cds.json files only.
-const autobuildScriptPath = join(process.env.CODEQL_EXTRACTOR_JAVASCRIPT_ROOT, 'tools', autobuildScriptName);
-execSync(autobuildScriptPath, { stdio: 'inherit' });
+console.log(`Running 'javascript' extractor autobuild script: ${autobuildScriptPath}`);
+/**
+ * Invoke the javascript autobuilder to index the .cds.json files only.
+ *
+ * Environment variables must be passed from this script's process to the
+ * process that invokes the autobuild script, otherwise the CDS autobuild.sh
+ * script will not be invoked by the autobuild script built into the
+ * 'javascript' extractor.
+ */
+spawnSync(
+    autobuildScriptPath,
+    [],
+    { env: process.env, shell: true, stdio: 'inherit' }
+);
diff --git a/extractors/cds/tools/index-files.sh b/extractors/cds/tools/index-files.sh
@@ -41,6 +41,6 @@ fi
 # dependencies (i.e. node_modules) relative to this directory.
 cd "$_script_dir" && \
 echo "Installing node package dependencies" && \
-npm install --quiet --no-audit --no-fund --no-package-json && \
+npm install --quiet --no-audit --no-fund && \
 echo "Running the 'index-files.js' script" && \
-node "$(dirname "$0")/index-files.js" "$_response_file_path"
+node "$(dirname "$0")/index-files.js" "$_response_file_path"
diff --git a/extractors/cds/tools/package-lock.json b/extractors/cds/tools/package-lock.json
diff --git a/extractors/cds/tools/package.json b/extractors/cds/tools/package.json
@@ -8,6 +8,7 @@
     "child_process": "^1.0.2",
     "fs": "^0.0.1-security",
     "os": "^0.1.2",
-    "path": "^0.12.7"
+    "path": "^0.12.7",
+    "shell-quote": "^1.8.2"
   }
 }
diff --git a/extractors/javascript/tools/pre-finalize.cmd b/extractors/javascript/tools/pre-finalize.cmd
@@ -1,7 +1,7 @@
 @echo off
 
 if not defined CODEQL_EXTRACTOR_CDS_SKIP_EXTRACTION (
-    type NUL && "%CODEQL_DIST%\codeql" database index-files ^
+    type NUL && "%CODEQL_DIST%\codeql.exe" database index-files ^
         --include-extension=.cds ^
         --language cds ^
         --prune **\node_modules\**\* ^

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@`
`8`	`8`	`"child_process": "^1.0.2",`
`9`	`9`	`"fs": "^0.0.1-security",`
`10`	`10`	`"os": "^0.1.2",`
`11`		`- "path": "^0.12.7"`
	`11`	`+ "path": "^0.12.7",`
	`12`	`+ "shell-quote": "^1.8.2"`
`12`	`13`	`}`
`13`	`14`	`}`