JS: Add individual per-security-query counting queries #9193
Conversation
This introduces a lot of duplicate CodeQL code that can be avoided using imports and query predicates. I think each query could look something like this:

```ql
import semmle.javascript.security.dataflow.CodeInjectionQuery
import CountThings
```

where CountThings.qll looks something like:

```ql
import javascript
import evaluation.EndToEndEvaluation

// The query predicate is evaluated as part of whatever .ql file imports
// this library, so each per-query file only needs to import its
// Configuration and this module.
query predicate countThings(int numAlerts, int numSinks) {
  numAlerts =
    count(DataFlow::Node source, DataFlow::Node sink |
      // bind cfg explicitly: it ranges over the Configuration brought
      // into scope by the importing query
      exists(DataFlow::Configuration cfg | cfg.hasFlow(source, sink)) and
      not isFlowExcluded(source, sink)
    ) and
  numSinks =
    count(DataFlow::Node sink |
      exists(DataFlow::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
    )
}
```

Could you consider if such a refactoring is possible / worth it?
Yes, good point @esbena, and I definitely think it's worth it. Basic QL question: what would the individual queries look like? I.e. how would they actually use the
The trick is that
Ah, there was a critical typo: I have updated the example file name to end with `.qll` now!
I've just attempted the suggested refactor @esbena - would you mind giving it another look when you have time?
@github/codeql-ml-powered-queries-reviewers if anyone has a spare moment, could someone provide a quick review?
The `as CodeInjection`/`TaintedPath`/... namings can be dropped now.
Otherwise LGTM.
Thanks for the review @esbena - I've now removed the I accidentally dismissed your approval, would you mind approving again? Sorry!
(Your edit caused the approval dismissal)
The ATM project uses an AML pipeline to select which CodeQL databases to use as the evaluation databases for each security query being boosted.

Previously, evaluation sets for all security queries would be produced at once, using the `CountAlertsAndEndpoints.ql` query. However, this query does not scale as more security queries are added, and it is not efficient to create evaluation sets for all queries during every pipeline run (when adding a new query, you simply want to create an evaluation set for that one query, and not the others).

Therefore, after a discussion, it was deemed better to specify one security query that you would like to create an evaluation set for. For this, we would need a way to count alerts and endpoints for a single query. The simplest solution is to add per-query counting queries, `Count{QUERY_NAME}.ql`, which can be used by the selection pipeline.

The selection pipeline has been tested with the `CountCodeInjection.ql` query.