Merge pull request #13 from GitHubSecurityLab/cpp_packs

Add cpp packs

Author: Alvaro Muñoz

.github/workflows/build.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'csharp', 'go', 'java', 'python', 'ruby' ]
+        language: [ 'cpp', 'csharp', 'go', 'java', 'python', 'ruby' ]
 
     steps:
       - uses: actions/checkout@v3

.github/workflows/publish.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["csharp", "go", "java", "python", "ruby"] 
+        language: ["cpp", "csharp", "go", "java", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3
@@ -54,7 +54,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["csharp", "go", "java", "python", "ruby"] 
+        language: ["cpp", "csharp", "go", "java", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3

codeql-workspace.yml

@@ -1,4 +1,5 @@
 provide:
+- cpp/**/qlpack.yml
 - csharp/**/qlpack.yml
 - go/**/qlpack.yml
 - java/**/qlpack.yml

cpp/lib/applications/.gitkeep

@@ -0,0 +1,14 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/cpp-all:
+    version: 0.9.2
+  codeql/dataflow:
+    version: 0.0.3
+  codeql/ssa:
+    version: 0.1.4
+  codeql/tutorial:
+    version: 0.1.4
+  codeql/util:
+    version: 0.1.4
+compiled: false

cpp/lib/codeql-pack.lock.yml

@@ -0,0 +1,5 @@
+library: true 
+name: githubsecuritylab/codeql-cpp-libs
+version: 0.0.1
+dependencies:
+  codeql/cpp-all: '*'

cpp/lib/frameworks/.gitkeep

@@ -0,0 +1,14 @@
+/**
+ * @name External dependencies
+ * @description Count the number of dependencies that a Java project has on external packages.
+ * @kind treemap
+ * @id githubsecuritylab/external-dependencies
+ * @metricType externalDependency
+ * @tags audit
+ */
+
+import Metrics.Dependencies.ExternalDependencies
+
+from File file, int num, string encodedDependency
+where encodedDependencies(file, encodedDependency, num)
+select encodedDependency, num order by num desc

cpp/lib/github/.gitkeep

@@ -0,0 +1,13 @@
+/**
+ * @name Files
+ * @description List of all files in the repository
+ * @kind table
+ * @id githubsecuritylab/files
+ * @tags audit
+ */
+
+import cpp
+
+from File f
+where f.getExtension() = ["c", "cpp"] and not f.getRelativePath().matches("%/test/%")
+select f.getRelativePath()

cpp/lib/qlpack.yml

@@ -0,0 +1,16 @@
+/**
+ * @name Attack Surface
+ * @description Application attack surface
+ * @kind table
+ * @id githubsecuritylab/attack-surface
+ * @tags audit
+ */
+
+import cpp
+import semmle.code.cpp.models.interfaces.FlowSource
+
+from RemoteFlowSourceFunction source
+where not source.getLocation().getFile().getRelativePath().matches("%/test/%")
+select source, "remote", source.getLocation().getFile().getRelativePath(),
+  source.getLocation().getStartLine(), source.getLocation().getEndLine(),
+  source.getLocation().getStartColumn(), source.getLocation().getEndColumn()

cpp/src/CVEs/.gitkeep

@@ -0,0 +1,34 @@
+/**
+ * @name Backwards Partial Dataflow
+ * @description Backwards Partial Dataflow
+ * @kind table
+ * @id githubsecuritylab/backwards-partial-dataflow
+ * @tags template
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import PartialFlow::PartialPathGraph
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { none() }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Define the sink to run the backwards partial dataflow from. Eg:
+    // exists(Call c |
+    //   c.getTarget().hasName("sink") and
+    //   c.getAnArgument() = sink.asExpr()
+    // )
+    none()
+  }
+}
+
+private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+int explorationLimit() { result = 10 }
+
+private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+
+from PartialFlow::PartialPathNode n, int dist
+where PartialFlow::partialFlowRev(n, _, dist)
+select dist, n

cpp/src/audit/explore/Dependencies.ql

@@ -0,0 +1,39 @@
+/**
+ * @name DataFlow configuration
+ * @description DataFlow TaintTracking configuration
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
+ * @id githubsecuritylab/dataflow-query
+ * @tags template
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import MyFlow::PathGraph
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // Define your source nodes here
+    // exists(Call c |
+    //   c.getTarget().hasName("source") and
+    //   c = source.asExpr()
+    // )
+    none()
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Define your sink nodes here
+    // exists(Call c |
+    //   c.getTarget().hasName("sink") and
+    //   c.getAnArgument() = sink.asExpr()
+    // )
+    none()
+  }
+}
+
+module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "Sample TaintTracking query"

cpp/src/audit/explore/Files.ql

@@ -0,0 +1,34 @@
+/**
+ * @name Forward Partial Dataflow
+ * @description Forward Partial Dataflow
+ * @kind table
+ * @id githubsecuritylab/forward-partial-dataflow
+ * @tags template
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import PartialFlow::PartialPathGraph
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // Define the source to run the forward partial dataflow from. Eg:
+    // exists(Call c |
+    //   c.getTarget().hasName("source") and
+    //   c = source.asExpr()
+    // )
+    none()
+  }
+
+  predicate isSink(DataFlow::Node sink) { none() }
+}
+
+private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+int explorationLimit() { result = 10 }
+
+private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+
+from PartialFlow::PartialPathNode n, int dist
+where PartialFlow::partialFlow(_, n, dist)
+select dist, n

cpp/src/audit/explore/RemoteFlowSources.ql

@@ -0,0 +1,36 @@
+/**
+ * @name Sink Hoisting to method parameter
+ * @description Hoist a sink using partial dataflow
+ * @kind table
+ * @id githubsecuritylab/sink-hoister
+ * @tags template
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import PartialFlow::PartialPathGraph
+
+private module MyConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { none() }
+
+  predicate isSink(DataFlow::Node sink) {
+    // Define the sink to be hoisted here. eg:
+    // exists(Call c |
+    //   c.getTarget().hasName("sink") and
+    //   c.getAnArgument() = sink.asExpr()
+    // )
+    none()
+  }
+}
+
+private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+int explorationLimit() { result = 10 }
+
+private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+
+from PartialFlow::PartialPathNode n, int dist
+where
+  PartialFlow::partialFlowRev(n, _, dist) and
+  n.getNode() instanceof DataFlow::ParameterNode
+select dist, n

cpp/src/audit/templates/BackwardsPartialDataFlow.ql

@@ -0,0 +1,18 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/cpp-all:
+    version: 0.9.2
+  codeql/cpp-queries:
+    version: 0.7.4
+  codeql/dataflow:
+    version: 0.0.3
+  codeql/ssa:
+    version: 0.1.4
+  codeql/suite-helpers:
+    version: 0.6.4
+  codeql/tutorial:
+    version: 0.1.4
+  codeql/util:
+    version: 0.1.4
+compiled: false

cpp/src/audit/templates/DataFlowConfiguration.ql

@@ -0,0 +1,8 @@
+library: false
+name: githubsecuritylab/codeql-cpp-queries
+version: 0.0.1
+defaultSuiteFile: suites/cpp.qls
+dependencies:
+  codeql/cpp-all: '*'
+  codeql/cpp-queries: '*'
+  githubsecuritylab/codeql-cpp-libs: 0.0.1

cpp/src/audit/templates/ForwardPartialDataflow.ql

@@ -0,0 +1,9 @@
+- description: "GitHub's Community Packs Ruby Extended Suite"
+
+- qlpack: github-queries-ruby
+
+- import: codeql-suites/ruby-security-extended.qls
+  from: codeql/ruby-queries
+- exclude:
+    id:
+      - rb/hardcoded-credentials

cpp/src/audit/templates/HoistSink.ql

@@ -0,0 +1,18 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/cpp-all:
+    version: 0.9.2
+  codeql/cpp-queries:
+    version: 0.7.4
+  codeql/dataflow:
+    version: 0.0.3
+  codeql/ssa:
+    version: 0.1.4
+  codeql/suite-helpers:
+    version: 0.6.4
+  codeql/tutorial:
+    version: 0.1.4
+  codeql/util:
+    version: 0.1.4
+compiled: false

cpp/src/codeql-pack.lock.yml

@@ -0,0 +1,9 @@
+name: githubsecurtylab/codeql-cpp-tests
+groups: [cpp, test]
+dependencies:
+    codeql/cpp-all: '*'
+    codeql/cpp-queries: '*'
+    githubsecuritylab/codeql-cpp-queries: '*'
+    githubsecuritylab/codeql-cpp-libs: '*'
+extractor: cpp
+tests: .