Merge branch 'main' into mbaluda/type_sanitizer

Author: mbaluda

.github/actions/install-codeql/action.yml

@@ -2,12 +2,9 @@ name: "My CodeQL config"
 
 queries:
   - uses: security-extended
-  # for ui5/cap queries
   - uses: ./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls
   - uses: ./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls
+  - uses: ./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls
 
-paths:
-  - "**/*.xml"
-  - "**/*.json"
 paths-ignore:
   - "**/frameworks/*/test/models"

.github/actions/install-qlt/action.yml

@@ -12,10 +12,10 @@ on:
 
 env:
   LGTM_INDEX_XML_MODE: all
-  LGTM_INDEX_FILTERS: "include:**/*.json"
+  LGTM_INDEX_FILETYPES: ".json:JSON"
 
 jobs:
-  analyze:
+  analyze-javascript:
     name: Analyze
     runs-on: 'ubuntu-latest'
     permissions:
@@ -55,12 +55,16 @@ jobs:
             -o "$cds_file.json"
         done
 
-    # Initializes the CodeQL tools for scanning.
+    - name: Extract CodeQL bundle version from qlt.conf.json
+      run: |
+        echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
+            
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:
         languages: javascript
         config-file: ./.github/codeql/codeql-config.yaml
+        tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
         debug: true
 
     - name: Perform CodeQL Analysis

.github/codeql/codeql-config.yaml

@@ -18,11 +18,11 @@ jobs:
       matrix: ${{ steps.export-unit-test-matrix.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install QLT
         id: install-qlt
-        uses: ./.github/actions/install-qlt
+        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
         with:
           qlt-version: 'latest'
           add-to-path: true
@@ -43,11 +43,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install QLT
         id: install-qlt
-        uses: ./.github/actions/install-qlt
+        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
         with:
           qlt-version: 'latest'
           add-to-path: true
@@ -104,7 +104,7 @@ jobs:
           CODEQL_STDLIB_IDENT: ${{matrix.codeql_standard_library_ident}}
           RUNNER_TMP: ${{ runner.temp }}
           LGTM_INDEX_XML_MODE: all
-          LGTM_INDEX_FILTERS: "include:**/*.json"
+          LGTM_INDEX_FILETYPES: ".json:JSON"
 
         shell: bash
         run: >
@@ -116,7 +116,7 @@ jobs:
           --work-dir $RUNNER_TMP
 
       - name: Upload test results
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v4
         with:
           name: test-results-${{ runner.os }}-${{ matrix.codeql_cli }}-${{ matrix.codeql_standard_library_ident }}
           path: |
@@ -130,20 +130,21 @@ jobs:
     steps:
 
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install QLT
         id: install-qlt
-        uses: ./.github/actions/install-qlt
+        uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
         with:
           qlt-version: 'latest'
           add-to-path: true
 
 
       - name: Collect test results
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
 
       - name: Validate test results
         run: |
           qlt test run validate-unit-tests --pretty-print --results-directory . >> $GITHUB_STEP_SUMMARY
           qlt test run validate-unit-tests --results-directory .
+          

.github/workflows/code_scanning.yml

@@ -69,3 +69,4 @@ tmp/
 .cache/
 **.testproj
 dbs
+*.cds.json

.github/workflows/javascript.sarif.expected

@@ -1,38 +1,5 @@
-# SAP UI5 with CodeQL
-
-CodeQL queries and supporting models for the SAP UI5 JavaScript framework
-
-### Queries
-- [XSS](javascript/frameworks/UI5/src/UI5Xss/UI5Xss.ql)
-- [Log Injection](javascript/frameworks/UI5/src/UI5LogInjection/UI5LogInjection.ql)
-- [Clickjacking](javascript/frameworks/UI5/src/UI5Clickjacking/UI5Clickjacking.ql)
- 
-### Modeled UI5 framework elements
- - UI5 AMD-style components (also via jQuery)
- - MVC elements: 
-    - UI5 Controllers and Data Models (literal/external JSON models)
-    - UI5 [declarative Views](DeclarativeApp.png) (XML/JSON/HTML/JS)
-    - Library/custom UI5 Controls
-    - Project naming conventions (e.g. Control-Renderer)
-  - Source/Sink definition via [ModelAsData extensions](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L61-L97)
-  - Controls inheritance via [ModelAsData extensions](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L42-L59)
-
-### Supported Features with tests
-The following tables list the main supported features with corresponding test cases
-#### Detecting XSS and Log injection vulnerabilities
-|test | library controls | [MaD sources sinks](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L61-L97) | custom controls | UI5View | JS dataflow | HTML APIs | sanitizer | acc.path via handler |
-| - | :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |
-| [xss-html-control](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1033) | ✅︎ | ✅︎ | | XMLView |
-| [xss-custom-control-api1](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1051)| ✅︎ | ✅︎ | ✅︎ | XMLView | | classic |
-| [xss-custom-control-api2](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/250)| ✅︎ | ✅︎ | ✅︎ | XMLView | | DOM |
-| [xss-json-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/247)<br/>[xss-html-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/245)<br/>[xss-js-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/246) | ✅︎ | ✅︎ | | JsonView<br/>HTMLView<br/>JSView |
-| [log-html-control-df](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/275) | ✅︎ | ✅︎ | |XMLView| ✅︎ |
-| [sanitized](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/277)| ✅︎ | ✅︎ | ✅︎ | XMLView | ✅︎ | DOM | ✅︎ |
-| [xss-event-handlers](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/335)| ✅︎ | ✅︎ | ✅︎ | XMLView | | | | ✅︎ |
-
-#### Detecting Clickjacking vulnerabilities
-| test | secure | insecure frameOptions | missing frameOptions |
-| - | :-: | :-: | :-: |
-| [clickjacking-deny-all](javascript/frameworks/UI5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html#L10) | ✅︎ | |
-| [clickjacking-allow-all:l9](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/240)<br/>[clickjacking-allow-all:l28](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/241) | | ✅︎ |
-| [clickjacking-default-all](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/330) | | | ✅︎ |
+# Overview
+[CodeQL](https://codeql.github.com/) models and queries for the SAP frameworks:
+- [CAP](javascript/frameworks/cap) (https://cap.cloud.sap/)
+- [UI5](javascript/frameworks/ui5) (https://sapui5.hana.ondemand.com/)
+- [XSJS](javascript/frameworks/xsjs) (https://www.npmjs.com/package/@sap/async-xsjs)

.github/workflows/run-codeql-unit-tests-javascript.yml

@@ -0,0 +1,15 @@
+# SAP CAP with CodeQL
+
+CodeQL queries and supporting models for the SAP CAP JavaScript framework
+
+### Queries
+- [CQL Injection](src/cqlinjection)
+- [Log Injection](src/loginjection)
+- [Sensitive Data Exposure](src/sensitive-exposure)
+- [Authentication Issues](src/bad-authn-authz)
+
+### Modeled CAP framework elements
+ - CQL (CAP Query Language) fluent API
+ - CDS (Core Data Services) declarative service specification
+ - Service composition API
+ - Event handlers

.gitignore

@@ -1,9 +1,7 @@
 ---
 library: true
 name: advanced-security/javascript-sap-cap-models
-version: 0.2.0
+version: 0.3.0
 extensionTargets:
-  codeql/javascript-all: "^0.8.7"
-  codeql/javascript-queries: "^0.8.7"
-dataExtensions:
-  - "*.model.yml"
+  codeql/javascript-all: "^1.1.1"
+  codeql/javascript-queries: "^1.1.0"