
CodeQL models for SAP JavaScript frameworks CAP, UI5 and XSJS

advanced-security/codeql-sap-js

CodeQL: SAP JavaScript frameworks

This repository contains CodeQL models and queries for the SAP JavaScript frameworks CAP, UI5 and XSJS. The models teach CodeQL how data flows through these frameworks; the queries build on them and are published as the query packs listed below.

Published CodeQL packs

  - advanced-security/javascript-sap-cap-queries (SAP Cloud Application Programming Model, CAP)
  - advanced-security/javascript-sap-ui5-queries (SAPUI5 / OpenUI5)
  - advanced-security/javascript-sap-async-xsjs-queries (SAP HANA XS JavaScript, XSJS)

Usage

Analyzing a repository with Code Scanning

Example workflow file:

jobs:
  analyze-javascript:
    name: Analyze
    runs-on: 'ubuntu-latest'
    permissions:
      security-events: write
    env:
      # Same indexing settings as the CLI instructions below: index XML files and
      # treat .json and .cds files as JSON (double quotes so YAML emits a real newline).
      LGTM_INDEX_XML_MODE: 'ALL'
      LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Compile CDS files
      run: |
        npm install -g @sap/cds-dk
        # -print0 / read -d '' keeps paths containing spaces intact
        find . -type f -iname '*.cds' -print0 | while IFS= read -r -d '' cds_file
          do
            cds compile "$cds_file" \
              -2 json \
              -o "$cds_file.json" \
              --locations
          done

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: javascript
        config-file: .github/codeql/codeql-config.yaml

    - name: Perform CodeQL Analysis
      id: analyze
      uses: github/codeql-action/analyze@v3

Example configuration file:

name: "My CodeQL config"

packs:
  # Use these packs for JavaScript and TypeScript analysis
  javascript:
    - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-async-xsjs-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-cap-queries:codeql-suites/javascript-security-extended.qls
    - advanced-security/javascript-sap-ui5-queries:codeql-suites/javascript-security-extended.qls

paths-ignore:
  - "**/node_modules"

Building and analyzing the CodeQL database with the CodeQL CLI

  1. Include and index XML, JSON and CDS files by setting the necessary environment variables. The JavaScript extractor reads them at extraction time, so they must be set in the same shell that later runs codeql database create:

     export LGTM_INDEX_XML_MODE='ALL'
     export LGTM_INDEX_FILETYPES=$'.json:JSON\n.cds:JSON'

  2. Compile all the CDS files to JSON (with source locations, so alerts can point back into the .cds model) using the SAP cds toolkit:

     npm install -g @sap/cds-dk
     # -print0 / read -d '' keeps paths containing spaces intact
     find . -type f -iname '*.cds' -print0 | while IFS= read -r -d '' cds_file
       do
         cds compile "$cds_file" \
           -2 json \
           -o "$cds_file.json" \
           --locations
       done

  3. Build the database as usual:

     codeql database create <DB_NAME> --language=javascript

  4. Analyze the database using one or more of the packs. --download fetches the named packs from the package registry if they are not already in the local package cache:

     codeql database analyze <DB_NAME> --format=sarif-latest --output=<OUTPUT_FILE> \
       --download advanced-security/javascript-sap-cap-queries \
                  advanced-security/javascript-sap-ui5-queries \
                  advanced-security/javascript-sap-async-xsjs-queries
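The four CLI steps above as one script. This is an added example, not a script shipped by the codeql-sap-js project: the script name sap-codeql.sh, the function names, the DRY_RUN switch and the --source-root argument are assumptions made here. It goes slightly beyond the steps as written: the newline in LGTM_INDEX_FILETYPES is built with printf so the script runs under POSIX sh as well as bash, and the CDS files are read line by line from find so paths containing spaces are compiled rather than split into fragments.

```shell
#!/bin/sh
# Added example (not part of the codeql-sap-js repository): the README's CLI
# procedure as one script. Assumed here: the DRY_RUN switch, the function
# names and the use of --source-root.
set -eu

# Step 1: make the JavaScript extractor index XML files and treat .json and
# .cds files as JSON. printf builds the newline portably (the README uses
# bash's $'...' quoting, which plain sh does not have).
LGTM_INDEX_XML_MODE='ALL'
LGTM_INDEX_FILETYPES=$(printf '.json:JSON\n.cds:JSON')
export LGTM_INDEX_XML_MODE LGTM_INDEX_FILETYPES

# DRY_RUN=1 prints each command instead of executing it, so the script can be
# checked without @sap/cds-dk or the CodeQL CLI installed (assumption made for
# this example).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Output path for a compiled model: the .cds file's own path plus ".json", so
# the JSON sits next to the model it was generated from (as in the README).
cds_json_path() { printf '%s.json\n' "$1"; }

# Step 2: compile every .cds file under $1 to JSON with source locations.
# Reading find's output line by line, instead of word-splitting $(find ...),
# keeps paths that contain spaces intact.
compile_cds() {
  find "$1" -type f -iname '*.cds' -print | while IFS= read -r cds_file; do
    run cds compile "$cds_file" -2 json -o "$(cds_json_path "$cds_file")" --locations
  done
}

# Steps 3 and 4: create the database from the source root and run the three
# SAP query packs, writing SARIF that can be uploaded to code scanning.
analyze() {
  db=$1; out=$2; src=${3:-.}
  run codeql database create "$db" --language=javascript --source-root "$src"
  run codeql database analyze "$db" --format=sarif-latest --output="$out" \
    --download advanced-security/javascript-sap-cap-queries \
               advanced-security/javascript-sap-ui5-queries \
               advanced-security/javascript-sap-async-xsjs-queries
}

# Usage: ./sap-codeql.sh <DB_NAME> <OUTPUT_FILE> [SOURCE_ROOT]
# (nothing runs when the script is sourced or invoked without arguments)
if [ "$#" -ge 2 ]; then
  compile_cds "${3:-.}"
  analyze "$1" "$2" "${3:-.}"
fi
```

Run it from the repository root as ./sap-codeql.sh sap-db results.sarif; set DRY_RUN=1 first to see the exact cds and codeql commands it would execute, which is a quick way to confirm that every .cds file, including those in directories with spaces in their names, is picked up before spending the time on a real database build.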

License

This project is licensed under the terms of the MIT open source license. Please refer to the LICENSE file for the full terms.

Maintainers

See CODEOWNERS

Support

See SUPPORT