From 90092cc7587b9a07ac70cb8ae14c69e39fb68b97 Mon Sep 17 00:00:00 2001
From: Dave Wichers
Date: Tue, 26 Mar 2024 11:11:46 -0400
Subject: [PATCH] Update runCodeQL scripts and Dockerfile.

---
 VMs/Dockerfile | 2 +-
 scripts/mvnFortifyTranslate.bat | 2 +-
 scripts/runCodeQL.sh | 17 ++++++++++++++---
 scripts/runCodeQLFull.sh | 10 ++++------
 4 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/VMs/Dockerfile b/VMs/Dockerfile
index 8e3eea4afc..990a34d11e 100644
--- a/VMs/Dockerfile
+++ b/VMs/Dockerfile
@@ -1,4 +1,4 @@
-# This dockerfile builds a container that pulls down and runs the latest version of Benchmark
+# This dockerfile builds a container that pulls down and runs the latest version of BenchmarkJava
 FROM ubuntu:latest
 MAINTAINER "Dave Wichers dave.wichers@owasp.org"
diff --git a/scripts/mvnFortifyTranslate.bat b/scripts/mvnFortifyTranslate.bat
index dc3d2c6a47..ad5f769057 100755
--- a/scripts/mvnFortifyTranslate.bat
+++ b/scripts/mvnFortifyTranslate.bat
@@ -1,3 +1,3 @@
 sourceanalyzer -b benchmark -clean
-sourceanalyzer -b benchmark mvn com.fortify.sca.plugins.maven:sca-maven-plugin:translate -Dfortify.sca.source.version=1.7
+sourceanalyzer -b benchmark mvn com.fortify.sca.plugins.maven:sca-maven-plugin:translate -Dfortify.sca.source.version=1.8
diff --git a/scripts/runCodeQL.sh b/scripts/runCodeQL.sh
index b7624d51e0..3b0debcf07 100755
--- a/scripts/runCodeQL.sh
+++ b/scripts/runCodeQL.sh
@@ -1,4 +1,15 @@
-# This script assumes the owasp-benchmark database has already been initialized by running this first:
-# ../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java
-../../Tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-code-scanning.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-code-scanning_qls.sarif
+# The following is based on the instructions at: https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli. Follow the instructions at: Setting up the CodeQL CLI
+
+# Prerequisites:
+# 1) Install codeql in a tools/ directory that is a peer to the folder containing BenchmarkJava. For example, if you have a git/ folder, which contains BenchmarkJava, BenchmarkUtils, etc., then the tools/ folder would be at the same level as the git/ folder. i.e., relative to BenchmarkJava, it is at ../../tools/code-ql-home.
+# 2) Then the owasp-benchmark database has to be initialized by running this:
+# ../../tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java
+
+# Mac Users: "If you are using macOS on Apple Silicon (for example, Apple M1), ensure that the Xcode command-line developer tools and Rosetta 2 are installed."
+## For Xcode command line, run: xcode-select -p 1>/dev/null;echo $? - If this returns 0, its installed, if 2, its not installed.
+## For Rosetta 2, run: lsbom -f /Library/Apple/System/Library/Receipts/com.apple.pkg.RosettaUpdateAuto.bom - And if it returns a list of files, it's installed.
+
+
+# This then runs the codeql scan:
+../../tools/codeql-home/codeql/codeql database analyze owasp-benchmark java-code-scanning.qls --format=sarifv2.1.0 --output=results/Benchmark_1.2-codeql_java-code-scanning_qls.sarif
diff --git a/scripts/runCodeQLFull.sh b/scripts/runCodeQLFull.sh
index effa7579d3..f77957b190 100755
--- a/scripts/runCodeQLFull.sh
+++ b/scripts/runCodeQLFull.sh
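Review bot: The prerequisite comment added as step 1) tells the reader the CodeQL install lives at `../../tools/code-ql-home`, while both commands in this hunk (the `database create` in step 2) and the `database analyze` on the last added line) resolve `../../tools/codeql-home`, so anyone following the comment literally ends up with a path the script never looks at; change the end of that line to `it is at ../../tools/codeql-home.`. This hunk also lowercases the directory from `Tools/` to `tools/`, but the context lines of the runCodeQLFull.sh hunk in the same patch still read `../../Tools/codeql-home`, which only matches on a case-insensitive filesystem; that hunk continues past this excerpt, so the analyze line there may or may not be updated. Since the path is relative, the header should also state the working directory the script expects, e.g. `# Run this from the BenchmarkJava root; the path below is relative to it.`, and a `#!/usr/bin/env bash` first line would pin the shell that interprets it.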
@@ -1,11 +1,9 @@
 # The full list of java CodeQL query sets is:
 # tested: java-code-scanning.qls - Standard Code Scanning queries for Java - This does NOT include Weak Random rule.
-# tested: java-security-extended.qls - Security-extended queries for Java - Same score.
-## this one builds on the previous one a litte
-# tested: java-security-and-quality.qls - Security-and-quality queries for Java - This ONE adds Weak Random rule.
-## this one builds on the previous one. But detects nothing additional - Also does NOT include Weak Random rule.
-# tested: java-lgtm.qls - Standard LGTM queries for Java - scores lower than lgtm-full by 1 category (Random)
-# tested: java-lgtm-full.qls - Standard LGTM queries for Java, including ones not displayed by default - This ONE adds Weak Random rule.
+# tested: java-security-extended.qls - Adds a bunch of rules to previous ruleset.
+# tested: java-security-and-quality.qls - Adds a bunch of other rules, but scores identical to security-extended ruleset.
+# tested: java-lgtm.qls - Standard LGTM queries for Java - scores the same as standard java-code-scanning.qls
+# tested: java-lgtm-full.qls - Standard LGTM queries for Java, including ones not displayed by default. Scores the same as security-extended ruleset.
 # This script assumes the owasp-benchmark database has already been initialized by running this first:
 # ../../Tools/codeql-home/codeql/codeql database create owasp-benchmark --language=java