Config updates

felickz · felickz · commit 41e1279a942b · 2024-01-18T13:24:37.000-05:00
- add queries that explicitly target local sources from OSS pack (pulls in built in queries) - publish a config that explicitly targets local sources where possible (without pulling in lower precision queries) - audit pack is working better now due to fix GitHubSecurityLab/CodeQL-Community-Packs#35
diff --git a/config/codeql-audit.yml b/config/codeql-audit.yml
@@ -1,4 +1,3 @@
-# TODO: WORK IN PROGRESS: https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/pull/35
 # Use this configuration file when looking to audit the codebase for security risks.
 # WARNING: A notable amount of false positives may be found in this configuration.  If you wish to reduce the number of false positives, use the default codeql suites :)
 
@@ -11,7 +10,7 @@ threat-models: local
 disable-default-queries: true
 
 packs:
-    # OSS audit queries from the default suites for the GitHub Security Lab's Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs    
+    # OSS audit queries from the default suites for the GitHub Security Lab's Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
     - githubsecuritylab/codeql-cpp-queries:suites/cpp-audit.qls
     - githubsecuritylab/codeql-csharp-queries:suites/csharp-audit.qls
     - githubsecuritylab/codeql-go-queries:suites/go-audit.qls
@@ -26,4 +25,4 @@ packs:
 
     # Data extensions from the GitHub Security Lab https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
     - githubsecuritylab/codeql-csharp-extensions
-    - githubsecuritylab/codeql-java-extensions
+    - githubsecuritylab/codeql-java-extensions
diff --git a/config/codeql-local.yml b/config/codeql-local.yml
@@ -0,0 +1,43 @@
+# Use this configuration file when looking to expand the sources of vulnerability data using CodeQL Built in queries,custom queries, and data extensions.
+# A notable amount of false positives may be found in this configuration.  If you wish to reduce the number of false positives, use the default codeql suites :)
+name: "Synthetic Apps All Queries Config"
+
+# expand thread model - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models
+threat-models: local
+
+packs:
+    ### CodeQL Security Extended ###
+    - codeql/cpp-queries:codeql-suites/cpp-security-extended.qls
+    - codeql/csharp-queries:codeql-suites/csharp-security-extended.qls
+    - codeql/go-queries:codeql-suites/go-security-extended.qls
+    - codeql/java-queries:codeql-suites/java-security-extended.qls
+    - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls
+    - codeql/python-queries:codeql-suites/python-security-extended.qls
+    - codeql/ruby-queries:codeql-suites/ruby-security-extended.qls
+
+    # Queries via Community Packs that use local sources https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-java-queries:suites/java-local.qls
+    - githubsecuritylab/codeql-python-queries:suites/python-local.qls
+
+    # Data extensions via Community Packs for libraries (library ext models are those generated by the corresponding queries in src) https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-csharp-library-sources
+    - githubsecuritylab/codeql-java-library-sources
+
+    # Data extensions via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-csharp-extensions
+    - githubsecuritylab/codeql-java-extensions
+
+#Additional extractor excludes:  https://github.com/github/codeql/blob/768e5190a1c9d40a4acc7143c461c3b114e7fd59/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L421-L427C42
+paths-ignore:
+    # Python
+    - "vendor/**"
+    - "examples/**"
+    - "tests/**"
+
+    # JavaScript
+    - "node_modules"
+    - "**/*.test.js"
+    - "**/*.test.tsx"
+    - "**/*.spec.ts"
+    - "**/*.spec.tsx"
+    - "dist"
diff --git a/config/codeql-synthetics.yml b/config/codeql-synthetics.yml
@@ -10,34 +10,38 @@ threat-models: local
 # start from scratch - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#disabling-the-default-queries
 disable-default-queries: true
 
-packs:         
-    # All queries from the CodeQL Built in packs
-    - codeql/cpp-queries:.    
-    - codeql/csharp-queries:.    
-    - codeql/go-queries:.    
+packs:
+    # All queries from the CodeQL Built in packs (including low/no precision queries)
+    - codeql/cpp-queries:.
+    - codeql/csharp-queries:.
+    - codeql/go-queries:.
     - codeql/java-queries:.
     - codeql/javascript-queries:.
     - codeql/python-queries:.
     - codeql/ruby-queries:.
     - codeql/swift-queries:.
 
     # OSS queries from the default suites
-    
+
     ### GitHub Security Lab###
     # Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries)
     - githubsecuritylab/codeql-cpp-queries
     - githubsecuritylab/codeql-csharp-queries
     - githubsecuritylab/codeql-go-queries
     - githubsecuritylab/codeql-java-queries
-    - githubsecuritylab/codeql-javascript-queries    
+    - githubsecuritylab/codeql-javascript-queries
     - githubsecuritylab/codeql-python-queries
-    - githubsecuritylab/codeql-ruby-queries        
+    - githubsecuritylab/codeql-ruby-queries
+
+    # Queries via Community Packs that use local sources https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-java-queries:suites/java-local.qls
+    - githubsecuritylab/codeql-python-queries:suites/python-local.qls
 
-    # Data extensions for libraries (library ext models are those generated by the corresponding queries in src) from the GitHub Security Lab https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    # Data extensions via Community Packs for libraries (library ext models are those generated by the corresponding queries in src) https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
     - githubsecuritylab/codeql-csharp-library-sources
     - githubsecuritylab/codeql-java-library-sources
 
-    # Data extensions from the GitHub Security Lab https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    # Data extensions via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
     - githubsecuritylab/codeql-csharp-extensions
     - githubsecuritylab/codeql-java-extensions
 
@@ -52,60 +56,59 @@ packs:
 # - restriction of no experimental folder
 # - restriction of audit/debugging queries from community packs
 query-filters:
-- include:
-    kind:
-    - problem
-    - path-problem
-    tags contain:
-    - security
-- include:
-    kind:
-    - diagnostic
-- include:
-    kind:
-    - metric
-    tags contain:
-    - summary
-- exclude:
-    deprecated: //
-- exclude:
-    query path:
-      # REMOVE exclude - OK even if they exist in experimental folder
-      #- /^experimental\/.*/
-      - Metrics/Summaries/FrameworkCoverage.ql
-      - /Diagnostics/Internal/.*/
-- exclude:
-    tags contain:
-      - modeleditor
-      - modelgenerator
-# Exclude audit queries from the CodeQL Built in packs
-- exclude:
-    id:
-    - cpp/untrusted-data-to-external-api
-    - cs/untrusted-data-to-external-api
-    - go/untrusted-data-to-external-api
-    - java/untrusted-data-to-external-api
-    - js/untrusted-data-to-external-api
-    - py/untrusted-data-to-external-api
-
+    - include:
+          kind:
+              - problem
+              - path-problem
+          tags contain:
+              - security
+    - include:
+          kind:
+              - diagnostic
+    - include:
+          kind:
+              - metric
+          tags contain:
+              - summary
+    - exclude:
+          deprecated: //
+    - exclude:
+          query path:
+              # REMOVE exclude - OK even if they exist in experimental folder
+              #- /^experimental\/.*/
+              - Metrics/Summaries/FrameworkCoverage.ql
+              - /Diagnostics/Internal/.*/
+    - exclude:
+          tags contain:
+              - modeleditor
+              - modelgenerator
+    # Exclude audit queries from the CodeQL Built in packs
+    - exclude:
+          id:
+              - cpp/untrusted-data-to-external-api
+              - cs/untrusted-data-to-external-api
+              - go/untrusted-data-to-external-api
+              - java/untrusted-data-to-external-api
+              - js/untrusted-data-to-external-api
+              - py/untrusted-data-to-external-api
 
-# Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs)
-- exclude:
-    tags contain:
-      - debugging
-      - audit
+    # Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs)
+    - exclude:
+          tags contain:
+              - debugging
+              - audit
 
 #Additional extractor excludes:  https://github.com/github/codeql/blob/768e5190a1c9d40a4acc7143c461c3b114e7fd59/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L421-L427C42
 paths-ignore:
-  # Python
-  - "vendor/**"
-  - "examples/**"
-  - "tests/**"
+    # Python
+    - "vendor/**"
+    - "examples/**"
+    - "tests/**"
 
-  # JavaScript
-  - "node_modules"
-  - "**/*.test.js"  
-  - "**/*.test.tsx"
-  - "**/*.spec.ts"
-  - "**/*.spec.tsx"
-  - "dist"
+    # JavaScript
+    - "node_modules"
+    - "**/*.test.js"
+    - "**/*.test.tsx"
+    - "**/*.spec.ts"
+    - "**/*.spec.tsx"
+    - "dist"
