From eaa9196bed65536f3532a50d22e8a8af0cc58b47 Mon Sep 17 00:00:00 2001 From: POOJA DONODE Date: Fri, 6 Jun 2025 11:35:05 +0530 Subject: [PATCH 01/15] Adding support for CodeQL evidence integration --- .github/workflows/codeql.yml | 111 ++++++++++++++++++ examples/codeql/codeql-config.yml | 16 +++ examples/codeql/go/go.mod | 3 + examples/codeql/go/main.go | 20 ++++ examples/codeql/js/index.js | 4 + examples/codeql/js/package.json | 12 ++ .../codeql/queries/go/codeql-pack.lock.yml | 24 ++++ .../codeql/queries/go/go-too-many-params.ql | 12 ++ examples/codeql/queries/go/qlpack.yml | 5 + .../codeql/queries/js/codeql-pack.lock.yml | 32 +++++ .../codeql/queries/js/js-too-many-params.ql | 14 +++ examples/codeql/queries/js/qlpack.yml | 5 + 12 files changed, 258 insertions(+) create mode 100644 .github/workflows/codeql.yml create mode 100644 examples/codeql/codeql-config.yml create mode 100644 examples/codeql/go/go.mod create mode 100644 examples/codeql/go/main.go create mode 100644 examples/codeql/js/index.js create mode 100644 examples/codeql/js/package.json create mode 100644 examples/codeql/queries/go/codeql-pack.lock.yml create mode 100644 examples/codeql/queries/go/go-too-many-params.ql create mode 100644 examples/codeql/queries/go/qlpack.yml create mode 100644 examples/codeql/queries/js/codeql-pack.lock.yml create mode 100644 examples/codeql/queries/js/js-too-many-params.ql create mode 100644 examples/codeql/queries/js/qlpack.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..1346f8d --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,111 @@ +name : "CodeQL Analysis Workflow" + +on: + push: + branches: + - main + workflow_dispatch: + +permissions: + id-token: write + contents: read + actions: read + + +jobs: + codeql: + name: Analyse + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + language_details: + - name: javascript + queries_path: ./examples/codeql/queries/js + - name: go + queries_path: ./examples/codeql/queries/go + + steps: + - uses: actions/checkout@v4 + with: + sparse-checkout: | + examples/codeql/**/** + sparse-checkout-cone-mode: false + + - name: Set up CodeQL for ${{ matrix.language_details.name }} + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language_details.name }} + config-file: examples/codeql/codeql-config.yml + queries: ${{ matrix.language_details.queries_path }} + + - name: Setup Jfrog CLI for go + uses: jfrog/setup-jfrog-cli@v4 + env: + JF_URL: ${{ vars.ARTIFACTORY_URL }} + JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} + + - name: Setup Go + if: matrix.language_details.name == 'go' + uses: actions/setup-go@v5 + with: + go-version: '1.24.3' + + + - name: Run CodeQL Analysis for ${{ matrix.language_details.name }} + uses: github/codeql-action/analyze@v3 + with: + category: "security-and-quality" + output: results-${{ matrix.language_details.name }} + upload: false + + - name: Setup Node + if: matrix.language_details.name == 'javascript' + uses: actions/setup-node@v4 + + - name: Build and Publish ${{ matrix.language_details.name }} package + env: + GO_CODE_PATH: examples/codeql/go + JS_CODE_PATH: examples/codeql/js + run: | + if [ ${{ matrix.language_details.name }} == 'go' ]; then + cd $GO_CODE_PATH + # Configure JFrog CLI for Go + jf go-config --repo-resolve=go-remote --repo-deploy=go-local \ + --server-id-deploy=setup-jfrog-cli-server \ + --server-id-resolve=setup-jfrog-cli-server + + jf gp --build-name=my-go-build --build-number=${{ github.run_number }} v0.0.${{ github.run_number }} + jf rt bp my-go-build ${{ 
github.run_number }} + elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then + cd $JS_CODE_PATH + jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local --server-id-deploy=setup-jfrog-cli-server --server-id-resolve=setup-jfrog-cli-server + jf npm publish --build-name=my-javascript-build --build-number=${{ github.run_number }} + jf rt bp my-javascript-build ${{ github.run_number }} + fi + cd - + continue-on-error: true + + - name: Attach Evidence Using JFrog CLI + run: | + if [ ${{ matrix.language_details.name }} == 'go' ]; then + PACKAGE_VERSION="v0.0.${{ github.run_number }}" + jf evd create \ + --package-name="jfrog.com/mygobuild" \ + --package-version="$PACKAGE_VERSION" \ + --package-repo-name="go-local" \ + --key="${{ secrets.CODEQL_SIGNING_KEY }}" \ + --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \ + --predicate="results-go/go.sarif" \ + --predicate-type="http://github.com/CodeQL/static-analysis" + elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then + PACKAGE_VERSION="0.0.1" + jf evd create \ + --package-name="my-javascript-build" \ + --package-version="$PACKAGE_VERSION" \ + --package-repo-name="javascript-local" \ + --key="${{ secrets.CODEQL_SIGNING_KEY }}" \ + --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \ + --predicate="results-javascript/javascript.sarif" \ + --predicate-type="http://github.com/CodeQL/static-analysis" + fi \ No newline at end of file diff --git a/examples/codeql/codeql-config.yml b/examples/codeql/codeql-config.yml new file mode 100644 index 0000000..4ed78c1 --- /dev/null +++ b/examples/codeql/codeql-config.yml @@ -0,0 +1,16 @@ +name: "Package-Specific CodeQL Config" + +paths-ignore: + - '**/node_modules/**' + - '**/vendor/**' + - '**/dist/**' + - '**/build/**' + - '**/coverage/**' + - '**/test/**' + - '**/tests/**' + - '**/*.spec.js' + - '**/*.test.js' + - '**/*.spec.ts' + +paths: + - examples/codeql/ 
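Review bot: In the "Attach Evidence Using JFrog CLI" step both `jf evd create` calls pass `--key-alias= ${{ vars.CODEQL_KEY_ALIAS }}`; the space after `=` leaves `--key-alias` empty and hands the alias to the CLI as a stray positional argument, so it should read `--key-alias="${{ vars.CODEQL_KEY_ALIAS }}"`. The same step interpolates `${{ secrets.CODEQL_SIGNING_KEY }}` directly into the `run:` script, which embeds the key material in the generated shell script and the process argument list; the usual pattern is to expose it via `env:` and reference `"$CODEQL_SIGNING_KEY"` from the script. The preceding publish step has `continue-on-error: true`, so evidence can be created for a version that was never published — give that step an `id:` and gate this one with `if: steps.<publish-step-id>.outcome == 'success'` (placeholder id).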
diff --git a/examples/codeql/go/go.mod b/examples/codeql/go/go.mod new file mode 100644 index 0000000..e54ac75 --- /dev/null +++ b/examples/codeql/go/go.mod @@ -0,0 +1,3 @@ +module jfrog.com/mygobuild + +go 1.24.3 diff --git a/examples/codeql/go/main.go b/examples/codeql/go/main.go new file mode 100644 index 0000000..28c9486 --- /dev/null +++ b/examples/codeql/go/main.go @@ -0,0 +1,20 @@ +package mygobuild + +import ( + "fmt" + "time" +) + +// Greetter method with 5 params : name, place, age, fromDate, tillDate +func Greetter(name string, place string, age int, fromDate time.Time, tillDate time.Time) { + fmt.Printf("Welcome %s , Please verify your details:\n", name) + fmt.Printf("Place: %s\n", place) + fmt.Printf("Age: %d\n", age) + fmt.Printf("From Date: %s\n", fromDate.Format("2006-01-02")) + fmt.Printf("Till Date: %s\n", tillDate.Format("2006-01-02")) + fmt.Println("Thank you for providing your details!") +} + +func main() { + Greetter("John Doe", "New York", 30, time.Now().AddDate(0, 0, -7), time.Now()) +} diff --git a/examples/codeql/js/index.js b/examples/codeql/js/index.js new file mode 100644 index 0000000..70dde6e --- /dev/null +++ b/examples/codeql/js/index.js @@ -0,0 +1,4 @@ +export function greet(name, place, age, from, till) { + console.log(`Hello ${name} from ${place}, you are ${age} years old!`); + console.log(`You are visiting from ${from} to ${till}.`); +} diff --git a/examples/codeql/js/package.json b/examples/codeql/js/package.json new file mode 100644 index 0000000..1818a13 --- /dev/null +++ b/examples/codeql/js/package.json @@ -0,0 +1,12 @@ +{ + "name": "my-javascript-build", + "version": "0.0.1", + "description": "Dummy package for testing CodeQL JavaScript queries", + "main": "index.js", + "scripts": { + "test": "echo \"Error: no test specified\" && exit 1" + }, + "keywords": [], + "author": "JFrog", + "license": "ISC" +} 
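Review bot: `examples/codeql/js/index.js` uses ESM syntax (`export function greet(...)`) but the new `package.json` has no `"type": "module"` entry, so Node loads `index.js` as CommonJS and consumers of the published package fail with a syntax error on `export`; add `"type": "module"` next to `"main": "index.js"` (or switch the file to `module.exports`). In `main.go`, `func main()` is declared inside `package mygobuild`, which is fine as analysis input but will never build into a binary — a one-line comment saying the package is a CodeQL fixture would save the next reader the question.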
diff --git a/examples/codeql/queries/go/codeql-pack.lock.yml b/examples/codeql/queries/go/codeql-pack.lock.yml new file mode 100644 index 0000000..91e885f --- /dev/null +++ b/examples/codeql/queries/go/codeql-pack.lock.yml @@ -0,0 +1,24 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/dataflow: + version: 2.0.8 + codeql/go-all: + version: 4.2.6 + codeql/go-queries: + version: 1.2.1 + codeql/mad: + version: 1.0.24 + codeql/ssa: + version: 2.0.0 + codeql/suite-helpers: + version: 1.0.24 + codeql/threat-models: + version: 1.0.24 + codeql/tutorial: + version: 1.0.24 + codeql/typetracking: + version: 2.0.8 + codeql/util: + version: 2.0.11 +compiled: false diff --git a/examples/codeql/queries/go/go-too-many-params.ql b/examples/codeql/queries/go/go-too-many-params.ql new file mode 100644 index 0000000..199fb68 --- /dev/null +++ b/examples/codeql/queries/go/go-too-many-params.ql @@ -0,0 +1,12 @@ +/** + * @name Functions with too many parameters + * @description Finds Go functions that have more than 3 parameters. + * @kind problem + * @problem.severity warning + * @id go/too-many-parameters + */ +import go + +from Function f +where f.getNumParameter() > 3 +select f, "Function " + f.getName() + " has " + f.getNumParameter().toString() + " parameters, which is more than the allowed 3." \ No newline at end of file diff --git a/examples/codeql/queries/go/qlpack.yml b/examples/codeql/queries/go/qlpack.yml new file mode 100644 index 0000000..a7e1e70 --- /dev/null +++ b/examples/codeql/queries/go/qlpack.yml @@ -0,0 +1,5 @@ +name: sample/go-queries +version: 0.0.1 +dependencies: + codeql/go-queries: "*" +extractor: go \ No newline at end of file diff --git a/examples/codeql/queries/js/codeql-pack.lock.yml b/examples/codeql/queries/js/codeql-pack.lock.yml new file mode 100644 index 0000000..d241f46 --- /dev/null +++ b/examples/codeql/queries/js/codeql-pack.lock.yml 
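Review bot: `go-too-many-params.ql` declares `@id go/too-many-parameters` while the JavaScript twin in this patch uses `js/too-many-params`, and it omits the `@precision` and `@tags` metadata the JS query carries; aligning the id (`@id go/too-many-params`) and adding `@precision high` and `@tags maintainability` keeps the two custom queries consistent in the SARIF and in the generated report. `qlpack.yml` depends on `codeql/go-queries: "*"`, which is only reproducible because `codeql-pack.lock.yml` pins the resolved versions — keep the lock file committed alongside it.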
@@ -0,0 +1,32 @@ +--- +lockVersion: 1.0.0 +dependencies: + codeql/dataflow: + version: 2.0.8 + codeql/javascript-all: + version: 2.6.4 + codeql/javascript-queries: + version: 1.6.1 + codeql/mad: + version: 1.0.24 + codeql/regex: + version: 1.0.24 + codeql/ssa: + version: 2.0.0 + codeql/suite-helpers: + version: 1.0.24 + codeql/threat-models: + version: 1.0.24 + codeql/tutorial: + version: 1.0.24 + codeql/typetracking: + version: 2.0.8 + codeql/typos: + version: 1.0.24 + codeql/util: + version: 2.0.11 + codeql/xml: + version: 1.0.24 + codeql/yaml: + version: 1.0.24 +compiled: false diff --git a/examples/codeql/queries/js/js-too-many-params.ql b/examples/codeql/queries/js/js-too-many-params.ql new file mode 100644 index 0000000..85fbbcd --- /dev/null +++ b/examples/codeql/queries/js/js-too-many-params.ql @@ -0,0 +1,14 @@ +/** + * @name Too many parameters + * @description Functions with too many parameters can be hard to read and maintain. + * @kind problem + * @problem.severity warning + * @precision high + * @id js/too-many-params + * @tags maintainability + */ +import javascript + +from Function f +where f.getNumParameter() > 3 +select f, "Function " + f.getName() + " has " + f.getNumParameter().toString() + " parameters, which is more than the allowed 3." \ No newline at end of file diff --git a/examples/codeql/queries/js/qlpack.yml b/examples/codeql/queries/js/qlpack.yml new file mode 100644 index 0000000..941d9f6 --- /dev/null +++ b/examples/codeql/queries/js/qlpack.yml @@ -0,0 +1,5 @@ +name: sample/js-queries +version: 0.0.1 +dependencies: + codeql/javascript-queries: "*" +extractor: javascript \ No newline at end of file From 242ccdfc8d1d96d0bffaf08482eb80640333a629 Mon Sep 17 00:00:00 2001 
From: POOJA DONODE Date: Mon, 9 Jun 2025 02:39:08 +0530 Subject: [PATCH 02/15] CodeQL-Implementation --- .github/workflows/codeql.yml | 61 ++++--- examples/codeql/README.md | 106 ++++++++++++ examples/codeql/sarif_to_markdown.py | 239 +++++++++++++++++++++++++++ 3 files changed, 384 insertions(+), 22 deletions(-) create mode 100644 examples/codeql/README.md create mode 100644 examples/codeql/sarif_to_markdown.py diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1346f8d..1280731 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,7 +7,6 @@ on: workflow_dispatch: permissions: - id-token: write contents: read actions: read @@ -29,7 +28,7 @@ jobs: - uses: actions/checkout@v4 with: sparse-checkout: | - examples/codeql/**/** + examples/codeql/** sparse-checkout-cone-mode: false - name: Set up CodeQL for ${{ matrix.language_details.name }} @@ -44,13 +43,15 @@ jobs: env: JF_URL: ${{ vars.ARTIFACTORY_URL }} JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} - + with: + version: 2.76.1 + - name: Setup Go if: matrix.language_details.name == 'go' uses: actions/setup-go@v5 with: go-version: '1.24.3' - + - name: Run CodeQL Analysis for ${{ matrix.language_details.name }} uses: github/codeql-action/analyze@v3 @@ -59,10 +60,23 @@ jobs: output: results-${{ matrix.language_details.name }} upload: false + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.8' + + - name: Convert SARIF to Markdown + run: | + python ./examples/codeql/sarif_to_markdown.py \ + results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \ + results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md + - name: Setup Node if: matrix.language_details.name == 'javascript' uses: actions/setup-node@v4 - + with: + node-version: '18' + - name: Build and Publish ${{ matrix.language_details.name }} package env: GO_CODE_PATH: examples/codeql/go 
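Review bot: The new "Set up Python" step pins `python-version: '3.8'`, a release that is already end-of-life, and the "Setup Node" step pins `node-version: '18'`, also past end-of-life at the date of this commit; `sarif_to_markdown.py` uses only the standard library, so `'3.12'` (or `'3.x'`) and a supported Node line such as `'20'` are the safer choices. `actions/setup-python@v4` is also one major behind `@v5`, while the other actions in this file are on their current majors. The "Convert SARIF to Markdown" step has neither `if:` nor `continue-on-error`, so a missing SARIF (for example when analysis fails) now fails the job before the publish step runs; that is a reasonable fail-closed default, but it changes what the later `continue-on-error: true` publish step can reach and is worth stating in the README.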
@@ -74,38 +88,41 @@ jobs: jf go-config --repo-resolve=go-remote --repo-deploy=go-local \ --server-id-deploy=setup-jfrog-cli-server \ --server-id-resolve=setup-jfrog-cli-server - - jf gp --build-name=my-go-build --build-number=${{ github.run_number }} v0.0.${{ github.run_number }} - jf rt bp my-go-build ${{ github.run_number }} + + jf gp --build-name=my-go-build --build-number=1 v0.0.1 + jf rt bp my-go-build 1 elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then cd $JS_CODE_PATH jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local --server-id-deploy=setup-jfrog-cli-server --server-id-resolve=setup-jfrog-cli-server - jf npm publish --build-name=my-javascript-build --build-number=${{ github.run_number }} - jf rt bp my-javascript-build ${{ github.run_number }} + jf npm publish --build-name=my-javascript-build --build-number=1 + jf rt bp my-javascript-build 1 fi cd - continue-on-error: true - name: Attach Evidence Using JFrog CLI + env: + JFROG_SIGNING_KEY: ${{ secrets.JFROG_SIGNING_KEY }} run: | + KEY=$(echo $JFROG_SIGNING_KEY | base64 -d) if [ ${{ matrix.language_details.name }} == 'go' ]; then - PACKAGE_VERSION="v0.0.${{ github.run_number }}" jf evd create \ - --package-name="jfrog.com/mygobuild" \ - --package-version="$PACKAGE_VERSION" \ + --package-name="mygobuild" \ + --package-version="v0.0.1" \ --package-repo-name="go-local" \ - --key="${{ secrets.CODEQL_SIGNING_KEY }}" \ - --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \ + --key="$KEY" \ + --key-alias="dev" \ --predicate="results-go/go.sarif" \ - --predicate-type="http://github.com/CodeQL/static-analysis" + --predicate-type="http://github.com/CodeQL/static-analysis" \ + --markdown="results-go/go-report.md" elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then - PACKAGE_VERSION="0.0.1" jf evd create \ --package-name="my-javascript-build" \ - --package-version="$PACKAGE_VERSION" \ + --package-version="0.0.1" \ --package-repo-name="javascript-local" \ - --key="${{ 
secrets.CODEQL_SIGNING_KEY }}" \ - --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \ + --key="$KEY" \ + --key-alias="dev" \ --predicate="results-javascript/javascript.sarif" \ - --predicate-type="http://github.com/CodeQL/static-analysis" - fi \ No newline at end of file + --predicate-type="http://github.com/CodeQL/static-analysis" \ + --markdown="results-javascript/javascript-report.md" + fi diff --git a/examples/codeql/README.md b/examples/codeql/README.md new file mode 100644 index 0000000..66720a8 --- /dev/null +++ b/examples/codeql/README.md 
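Review bot: `KEY=$(echo $JFROG_SIGNING_KEY | base64 -d)` expands the secret unquoted, so whitespace in the base64 text is word-split and an unset secret silently yields an empty key; quote it and fail early, `KEY=$(printf '%s' "$JFROG_SIGNING_KEY" | base64 -d)` followed by `[ -n "$KEY" ] || { echo "signing key is empty" >&2; exit 1; }`. The decoded private key is then placed on the `jf evd create` command line via `--key="$KEY"`, where it is visible to `ps` and to anything that logs arguments; if the CLI accepts a file path for `--key` (confirm against the CLI docs), writing the key to a `chmod 600` temp file and removing it afterwards keeps it off argv. The hunk also hard-codes `--build-number=1` and `v0.0.1`, so every run republishes the same Go module and npm version, which Artifactory may reject as immutable; the next commit in this series switches back to `github.run_number`.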
@@ -0,0 +1,106 @@ +# CodeQL Security Analysis Evidence Example + +This example demonstrates how to automate CodeQL security analysis for Go and JavaScript code, and attach the scan results as signed evidence to the packages in JFrog Artifactory using GitHub Actions and JFrog CLI. + +## Overview +The workflow performs CodeQL analysis on Go and JavaScript codebases, publishes the packages to Artifactory, and attaches the CodeQL analysis results as evidence. This enables traceability and security compliance in your CI/CD pipeline. + +## Prerequisites +- JFrog CLI 2.76.1 or above (installed automatically in the workflow) +- Go 1.24.3 (for Go analysis) +- Node.js 18.x (for JavaScript analysis) +- The following GitHub repository variables: + - `ARTIFACTORY_URL` (Artifactory base URL) +- The following GitHub repository secrets: + - `ARTIFACTORY_ACCESS_TOKEN` (Artifactory access token) + - `JFROG_SIGNING_KEY` (Base64 encoded key for signing evidence) + +## Supported Languages +- Go +- JavaScript + +## Workflow Steps +1. **Checkout Repository** + - Performs sparse checkout of required directories + - Only checks out the necessary CodeQL examples and queries + +2. **Setup CodeQL** + - Initializes CodeQL for the specified language + - Configures custom queries from `examples/codeql/queries/{language}` + +3. **Setup Build Environment** + - For Go: Installs Go 1.24.3 + - For JavaScript: Installs Node.js 18.x + - Configures JFrog CLI with Artifactory credentials + +4. **Run CodeQL Analysis** + - Performs CodeQL analysis for security and quality + - Generates SARIF format results + - Saves results without uploading to GitHub + +5. **Build and Publish Packages** + - For Go: + - Configures JFrog CLI for Go repository + - Publishes package to Artifactory Go repository + - For JavaScript: + - Configures JFrog CLI for npm repository + - Publishes package to Artifactory npm repository + +6. 
**Attach Evidence** + - Attaches CodeQL analysis results as signed evidence to the published packages + +## Environment Setup + +### Go Package Configuration +```yaml +jf go-config --repo-resolve=go-remote --repo-deploy=go-local \ + --server-id-deploy=setup-jfrog-cli-server \ + --server-id-resolve=setup-jfrog-cli-server +``` + +### JavaScript Package Configuration +```yaml +jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local \ + --server-id-deploy=setup-jfrog-cli-server \ + --server-id-resolve=setup-jfrog-cli-server +``` + +## Evidence Attachment +The workflow attaches CodeQL analysis results as evidence using the following format: + +### For Go Packages: +```yaml +jf evd create \ + --package-name="example.com/mygobuild" \ + --package-version="v0.0.1" \ + --package-repo-name="go-local" \ + --key="$KEY" \ + --key-alias="dev" \ + --predicate="results-go/go.sarif" \ + --predicate-type="http://github.com/CodeQL/static-analysis" +``` + +### For JavaScript Packages: +```yaml +jf evd create \ + --package-name="my-javascript-build" \ + --package-version="0.0.1" \ + --package-repo-name="javascript-local" \ + --key="$KEY" \ + --key-alias="dev" \ + --predicate="results-javascript/javascript.sarif" \ + --predicate-type="http://github.com/CodeQL/static-analysis" +``` + +## Workflow Trigger +The analysis is triggered on: +- Push to main branch +- Manual workflow dispatch + +## References +- [CodeQL Documentation](https://codeql.github.com/docs/) +- [JFrog CLI Documentation](https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory) +- [GitHub CodeQL Action](https://github.com/github/codeql-action) +- [JFrog Evidence Management](https://www.jfrog.com/confluence/display/JFROG/Evidence+Management) + + diff --git a/examples/codeql/sarif_to_markdown.py b/examples/codeql/sarif_to_markdown.py new file mode 100644 index 0000000..4f249c7 --- /dev/null +++ b/examples/codeql/sarif_to_markdown.py 
@@ -0,0 +1,239 @@ +#!/usr/bin/env python3 + +""" +CodeQL SARIF to Markdown Converter + +This script converts CodeQL SARIF output files to readable Markdown format. +It includes severity ratings, CVSS scores, and detailed analysis information. +""" + +import json +import sys +import logging +from datetime import datetime +from typing import Dict, List, Optional, Any +import platform +import os + +class SeverityFormatter: + """Handles severity-related formatting and conversions.""" + + EMOJI_MAP = { + 'error': '🔴', + 'warning': '🟡', + 'note': '🔵', + 'none': '⚪' + } + + CVSS_RANGES = [ + (9.0, 'Critical'), + (7.0, 'High'), + (4.0, 'Medium'), + (0.0, 'Low') + ] + + @classmethod + def get_emoji(cls, level: str) -> str: + return cls.EMOJI_MAP.get(level.lower(), cls.EMOJI_MAP['none']) + + @classmethod + def get_cvss_rating(cls, security_severity: Any) -> str: + if not security_severity: + return "N/A" + try: + score = float(security_severity) + for threshold, rating in cls.CVSS_RANGES: + if score >= threshold: + return f"{rating} ({score})" + return f"Low ({score})" + except (ValueError, TypeError): + return str(security_severity) + +class MarkdownBuilder: + def __init__(self, sarif_data: Dict): + self.data = sarif_data + self.formatter = SeverityFormatter() + self.sections: List[str] = [] + + def add_header(self) -> None: + codeql_version = "unknown" + if self.data.get('runs'): + tool_info = self.data['runs'][0].get('tool', {}).get('driver', {}) + codeql_version = tool_info.get('version', 'unknown') + + self.sections.extend([ + "# 🔍 CodeQL Security Analysis Report", + "\n## Scan Details", + f"**Scan Type**: CodeQL Static Analysis", + f"**Scan Date**: {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S UTC')}", + f"**Operating System**: {platform.system()} {platform.release()}", + f"**Analysis Tool**: CodeQL {codeql_version}", + f"**Repository**: {os.path.basename(os.getcwd())}", + "\n---\n" + ]) + + def add_tool_info(self) -> None: + if not self.data.get('runs'): + return + 
tool = self.data['runs'][0].get('tool', {}).get('driver', {}) + self.sections.extend([ + "\n## 🛠️ Analysis Details", + f"- **Tool**: {tool.get('name', 'CodeQL')}", + f"- **Version**: {tool.get('version', 'N/A')}", + f"- **Language**: {tool.get('language', 'N/A')}" + ]) + + def add_summary(self) -> None: + severity_count = {'error': 0, 'warning': 0, 'note': 0, 'none': 0} + total_issues = 0 + + for run in self.data.get('runs', []): + for result in run.get('results', []): + level = result.get('level', 'none').lower() + severity_count[level] = severity_count.get(level, 0) + 1 + total_issues += 1 + + self.sections.extend([ + "\n## 📊 Analysis Summary", + f"\n**Total Issues Found**: {total_issues}", + "\n### Severity Breakdown" + ]) + + for severity, count in severity_count.items(): + if count > 0: + emoji = self.formatter.get_emoji(severity) + self.sections.append(f"- {emoji} **{severity.title()}**: {count}") + + def add_query_info(self) -> None: + self.sections.append("\n## 📝 Query Information") + + unique_queries = set() + for run in self.data.get('runs', []): + for rule in run.get('tool', {}).get('driver', {}).get('rules', []): + if rule['id'] not in unique_queries: + unique_queries.add(rule['id']) + properties = rule.get('properties', {}) + + self.sections.extend([ + f"\n### {rule.get('name', rule['id'])}", + f"- **ID**: `{rule['id']}`" + ]) + + if 'security-severity' in properties: + cvss = self.formatter.get_cvss_rating(properties['security-severity']) + self.sections.append(f"- **CVSS Score**: {cvss}") + + severity = properties.get('problem.severity', 'none') + emoji = self.formatter.get_emoji(severity) + self.sections.append(f"- **Severity**: {emoji} {severity.title()}") + + if 'tags' in properties: + tags = ', '.join(f'`{tag}`' for tag in properties['tags']) + self.sections.append(f"- **Tags**: {tags}") + + description = rule.get('description', {}).get('text', 'No description available') + self.sections.extend(['', description, '']) + + def add_findings(self) -> 
None: + self.sections.extend([ + "\n## 🔍 Detailed Findings", + "\n| Severity | Query | Location | Description |", + "|----------|--------|-----------|-------------|" + ]) + + for run in self.data.get('runs', []): + rules = {rule['id']: rule for rule in run.get('tool', {}).get('driver', {}).get('rules', [])} + + for result in run.get('results', []): + rule_id = result.get('ruleId', 'unknown') + rule = rules.get(rule_id, {}) + rule_name = rule.get('name', rule_id) + + # ✅ New logic to fallback to rule severity if result.level is missing + rule_severity = rule.get('properties', {}).get('problem.severity', 'none') + severity = result.get('level', rule_severity) + + emoji = self.formatter.get_emoji(severity) + location = self._format_location(result.get('locations', [])) + message = result.get('message', {}).get('text', 'No description available') + + self.sections.append( + f"| {emoji} {severity.title()} | {rule_name} | {location} | {message} |" + ) + + def _format_location(self, locations: List[Dict]) -> str: + if not locations: + return "N/A" + loc = locations[0].get('physicalLocation', {}) + file_path = loc.get('artifactLocation', {}).get('uri', 'unknown') + region = loc.get('region', {}) + start_line = region.get('startLine', '?') + end_line = region.get('endLine', start_line) + location = f"`{file_path}:{start_line}`" + if start_line != end_line: + location += f"-`{end_line}`" + return location + + def add_recommendations(self) -> None: + self.sections.extend([ + "\n## 💡 Recommendations", + "\n1. Review all findings, particularly those marked as high severity", + "2. Prioritize fixes based on security severity scores", + "3. Implement secure coding practices to prevent similar issues", + "4. 
Run regular CodeQL scans to maintain code security" + ]) + + def build(self) -> str: + self.add_header() + self.add_tool_info() + self.add_summary() + self.add_query_info() + self.add_findings() + self.add_recommendations() + return '\n'.join(self.sections) + +def setup_logging(): + logging.basicConfig( + level=logging.INFO, + format='%(asctime)s - %(levelname)s - %(message)s' + ) + +def main(): + setup_logging() + logger = logging.getLogger(__name__) + + if len(sys.argv) != 3: + logger.error("Incorrect number of arguments") + print("Usage: python sarif_to_markdown.py ") + sys.exit(1) + + input_file = sys.argv[1] + output_file = sys.argv[2] + + try: + logger.info(f"Reading SARIF file: {input_file}") + with open(input_file, 'r') as f: + sarif_data = json.load(f) + + logger.info("Converting SARIF to Markdown") + builder = MarkdownBuilder(sarif_data) + markdown_content = builder.build() + + logger.info(f"Writing Markdown file: {output_file}") + with open(output_file, 'w') as f: + f.write(markdown_content) + + logger.info("Conversion completed successfully") + + except FileNotFoundError: + logger.error(f"Input file not found: {input_file}") + sys.exit(1) + except json.JSONDecodeError: + logger.error(f"Invalid SARIF JSON in file: {input_file}") + sys.exit(1) + except Exception as e: + logger.error(f"Unexpected error: {str(e)}") + sys.exit(1) + +if __name__ == "__main__": + main() From 360c31de90bace39f8db341786eb021f855b5290 Mon Sep 17 00:00:00 2001 From: POOJA DONODE Date: Mon, 9 Jun 2025 03:05:21 +0530 Subject: [PATCH 03/15] Added repositories --- .github/workflows/codeql.yml | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1280731..4510931 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
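Review bot: `add_findings` writes `rule_name` and `message` straight into a Markdown table row, so a SARIF message containing `|` or a newline corrupts the table, and because this report becomes signed evidence a malformed cell can hide or split a finding; escape both before interpolation, e.g. `cell = lambda s: str(s).replace('|', '\\|').replace('\n', ' ')`. Both `open()` calls in `main` omit `encoding='utf-8'` while the report contains emoji, so on a runner with a non-UTF-8 locale the write fails with `UnicodeEncodeError` — pass `encoding='utf-8'` to both. The usage message `print("Usage: python sarif_to_markdown.py ")` appears to name no positional arguments (possibly lost in rendering); spell them out as `<input.sarif> <output.md>`. `rule['id']` in `add_query_info` and `add_findings` raises `KeyError` on a rule entry without an id instead of skipping it; use `rule.get('id')` and `continue` when it is missing.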
@@ -89,13 +89,13 @@ jobs: --server-id-deploy=setup-jfrog-cli-server \ --server-id-resolve=setup-jfrog-cli-server - jf gp --build-name=my-go-build --build-number=1 v0.0.1 - jf rt bp my-go-build 1 + jf gp --build-name=my-go-build --build-number=${{ github.run_number }} v0.0.${{ github.run_number }} + jf rt bp my-go-build ${{ github.run_number }} elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then cd $JS_CODE_PATH jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local --server-id-deploy=setup-jfrog-cli-server --server-id-resolve=setup-jfrog-cli-server - jf npm publish --build-name=my-javascript-build --build-number=1 - jf rt bp my-javascript-build 1 + jf npm publish --build-name=my-javascript-build --build-number=${{ github.run_number }} + jf rt bp my-javascript-build ${{ github.run_number }} fi cd - continue-on-error: true 
@@ -106,23 +106,25 @@ jobs: run: | KEY=$(echo $JFROG_SIGNING_KEY | base64 -d) if [ ${{ matrix.language_details.name }} == 'go' ]; then + PACKAGE_VERSION="v0.0.${{ github.run_number }}" jf evd create \ - --package-name="mygobuild" \ - --package-version="v0.0.1" \ + --package-name="jfrog.com/mygobuild" \ + --package-version="$PACKAGE_VERSION" \ --package-repo-name="go-local" \ - --key="$KEY" \ - --key-alias="dev" \ + --key="${{ secrets.CODEQL_SIGNING_KEY }}" \ + --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \ --predicate="results-go/go.sarif" \ - --predicate-type="http://github.com/CodeQL/static-analysis" \ + --predicate-type="http://github.com/CodeQL/static-analysis" --markdown="results-go/go-report.md" elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then + PACKAGE_VERSION="0.0.1" jf evd create \ --package-name="my-javascript-build" \ - --package-version="0.0.1" \ + --package-version="$PACKAGE_VERSION" \ --package-repo-name="javascript-local" \ - --key="$KEY" \ - --key-alias="dev" \ + --key="${{ secrets.CODEQL_SIGNING_KEY }}" \ + --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \ --predicate="results-javascript/javascript.sarif" \ - --predicate-type="http://github.com/CodeQL/static-analysis" \ + --predicate-type="http://github.com/CodeQL/static-analysis" --markdown="results-javascript/javascript-report.md" fi From fb76a57b64c4cd1a003f08771cf88c9560f24790 Mon Sep 17 00:00:00 2001 From: POOJA DONODE Date: Mon, 9 Jun 2025 03:05:21 +0530 Subject: [PATCH 04/15] Added repositories # Conflicts: # .github/workflows/codeql.yml --- .github/workflows/codeql.yml | 8 ++- examples/codeql/README.md | 2 +- examples/codeql/go/main.go | 2 +- .../codeql/queries/go/go-too-many-params.ql | 2 +- .../codeql/queries/js/js-too-many-params.ql | 2 +- examples/codeql/sarif_to_markdown.py | 62 ++++++++++++++----- 6 files changed, 55 insertions(+), 23 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 4510931..26c38a9 100644 
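Review bot: `KEY=$(echo $JFROG_SIGNING_KEY | base64 -d)` is still computed at the top of the step but no longer used — both `jf evd create` calls now pass `--key="${{ secrets.CODEQL_SIGNING_KEY }}"`, so the step references two different signing secrets and decodes one of them for nothing; keep one source (the `env:`-provided `$KEY` is the safer of the two, as it keeps the secret out of the generated script) and delete the other. The re-introduced `--key-alias= ${{ vars.CODEQL_KEY_ALIAS }}` has a space after `=`, leaving the option empty and passing the alias as a positional argument. Dropping the trailing `\` after `--predicate-type=...` also ends the command early, so `--markdown="results-go/go-report.md"` runs as a separate shell command and fails the step under the default `bash -e`; the next commit in this series restores the backslash.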
--- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -105,16 +105,18 @@ jobs: JFROG_SIGNING_KEY: ${{ secrets.JFROG_SIGNING_KEY }} run: | KEY=$(echo $JFROG_SIGNING_KEY | base64 -d) + echo $KEY + jf config show if [ ${{ matrix.language_details.name }} == 'go' ]; then PACKAGE_VERSION="v0.0.${{ github.run_number }}" jf evd create \ - --package-name="jfrog.com/mygobuild" \ + --package-name="jfrog.com/mygobuild" \ --package-version="$PACKAGE_VERSION" \ --package-repo-name="go-local" \ --key="${{ secrets.CODEQL_SIGNING_KEY }}" \ --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \ --predicate="results-go/go.sarif" \ - --predicate-type="http://github.com/CodeQL/static-analysis" + --predicate-type="http://github.com/CodeQL/static-analysis" \ --markdown="results-go/go-report.md" elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then PACKAGE_VERSION="0.0.1" @@ -125,6 +127,6 @@ jobs: --key="${{ secrets.CODEQL_SIGNING_KEY }}" \ --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \ --predicate="results-javascript/javascript.sarif" \ - --predicate-type="http://github.com/CodeQL/static-analysis" + --predicate-type="http://github.com/CodeQL/static-analysis" \ --markdown="results-javascript/javascript-report.md" fi diff --git a/examples/codeql/README.md b/examples/codeql/README.md index 66720a8..a5b089c 100644 --- a/examples/codeql/README.md +++ b/examples/codeql/README.md @@ -13,7 +13,7 @@ The workflow performs CodeQL analysis on Go and JavaScript codebases, publishes - `ARTIFACTORY_URL` (Artifactory base URL) - The following GitHub repository secrets: - `ARTIFACTORY_ACCESS_TOKEN` (Artifactory access token) - - `JFROG_SIGNING_KEY` (Base64 encoded key for signing evidence) + - `JFROG_SIGNING_KEY` ## Supported Languages - Go diff --git a/examples/codeql/go/main.go b/examples/codeql/go/main.go index 28c9486..e8558e5 100644 --- a/examples/codeql/go/main.go +++ b/examples/codeql/go/main.go 
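Review bot: The added `echo $KEY` prints the base64-decoded signing private key into the job log; GitHub's secret masking covers the literal `JFROG_SIGNING_KEY` value, not its decoded form, so the key lands in plaintext in logs readable by anyone with `actions: read` on the repository. Remove that line and `jf config show` (which dumps the configured server details) before merging, and treat the key as exposed for any run in which this step already executed. `--key-alias= ${{ vars.CODEQL_KEY_ALIAS }}` still carries the space after `=` that leaves the option empty.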
@@ -17,4 +17,4 @@ func Greetter(name string, place string, age int, fromDate time.Time, tillDate t func main() { Greetter("John Doe", "New York", 30, time.Now().AddDate(0, 0, -7), time.Now()) -} +} \ No newline at end of file diff --git a/examples/codeql/queries/go/go-too-many-params.ql b/examples/codeql/queries/go/go-too-many-params.ql index 199fb68..66f6534 100644 --- a/examples/codeql/queries/go/go-too-many-params.ql +++ b/examples/codeql/queries/go/go-too-many-params.ql @@ -9,4 +9,4 @@ import go from Function f where f.getNumParameter() > 3 -select f, "Function " + f.getName() + " has " + f.getNumParameter().toString() + " parameters, which is more than the allowed 3." \ No newline at end of file +select f, "Function " + f.getName() + " has " + f.getNumParameter().toString() + " parameters, which is more than the allowed 3." diff --git a/examples/codeql/queries/js/js-too-many-params.ql b/examples/codeql/queries/js/js-too-many-params.ql index 85fbbcd..df76f73 100644 --- a/examples/codeql/queries/js/js-too-many-params.ql +++ b/examples/codeql/queries/js/js-too-many-params.ql @@ -2,8 +2,8 @@ * @name Too many parameters * @description Functions with too many parameters can be hard to read and maintain. * @kind problem - * @problem.severity warning * @precision high + * @problem.severity warning * @id js/too-many-params * @tags maintainability */ diff --git a/examples/codeql/sarif_to_markdown.py b/examples/codeql/sarif_to_markdown.py index 4f249c7..814d866 100644 --- a/examples/codeql/sarif_to_markdown.py +++ b/examples/codeql/sarif_to_markdown.py 
@@ -64,11 +64,10 @@ def add_header(self) -> None:
 self.sections.extend([
 "# 🔍 CodeQL Security Analysis Report",
 "\n## Scan Details",
- f"**Scan Type**: CodeQL Static Analysis",
- f"**Scan Date**: {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S UTC')}",
- f"**Operating System**: {platform.system()} {platform.release()}",
- f"**Analysis Tool**: CodeQL {codeql_version}",
- f"**Repository**: {os.path.basename(os.getcwd())}",
+ f"**Scan Type**: CodeQL Static Analysis\n",
+ f"**Scan Date**: {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S UTC')}\n",
+ f"**Operating System**: {platform.system()} {platform.release()}\n",
+ f"**Analysis Tool**: CodeQL",
 "\n---\n"
 ])
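Review bot: two of the rewritten entries keep an `f` prefix with no placeholder — `f"**Scan Type**: CodeQL Static Analysis\n"` and `f"**Analysis Tool**: CodeQL"` — so they should be plain string literals (linters flag this). The trailing `\n` is appended to three of the four lines but not to `**Analysis Tool**`; since `build()` joins `self.sections` with `'\n'` (visible in the PATCH 09/15 hunk on this page) every `\n` becomes a blank line in the report and the last detail gets none, so either add it there too or drop them all and rely on the join. Dropping `{codeql_version}` and the `**Repository**` line may leave `codeql_version` and the `os` import unused in the rest of the file, which this hunk does not show — worth a check. add_header's signature is outside the hunk.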
@@ -79,18 +78,45 @@ def add_tool_info(self) -> None:
 self.sections.extend([
 "\n## 🛠️ Analysis Details",
 f"- **Tool**: {tool.get('name', 'CodeQL')}",
- f"- **Version**: {tool.get('version', 'N/A')}",
- f"- **Language**: {tool.get('language', 'N/A')}"
+ f"- **Version**: {tool.get('semanticVersion', tool.get('version', 'N/A'))}",
 ])
+ # Map artifact index to language
+ artifact_lang = {}
+ for notification in tool.get('notifications', []):
+ lang = notification.get('properties', {}).get('languageDisplayName')
+ locations = notification.get('locations', [])
+ for loc in locations:
+ idx = loc.get('physicalLocation', {}).get('artifactLocation', {}).get('index')
+ if lang and idx is not None:
+ artifact_lang[idx] = lang
+
+
+
 def add_summary(self) -> None:
- severity_count = {'error': 0, 'warning': 0, 'note': 0, 'none': 0}
+ severity_count = {
+ 'error': 0,
+ 'warning': 0,
+ 'note': 0,
+ 'none': 0
+ }
 total_issues = 0
 for run in self.data.get('runs', []):
+ # Collect rules from driver and all extensions
+ rules = {rule['id']: rule for rule in run.get('tool', {}).get('driver', {}).get('rules', [])}
+ for ext in run.get('tool', {}).get('extensions', []):
+ for rule in ext.get('rules', []):
+ rules[rule['id']] = rule
+
 for result in run.get('results', []):
- level = result.get('level', 'none').lower()
- severity_count[level] = severity_count.get(level, 0) + 1
+ rule_id = result.get('ruleId', 'unknown')
+ rule = rules.get(rule_id, {})
+ rule_severity = rule.get('properties', {}).get('problem.severity', 'none')
+ level = result.get('level', rule_severity).lower()
+ if level not in severity_count:
+ severity_count[level] = 0
+ severity_count[level] += 1
 total_issues += 1
 self.sections.extend([
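Review bot: `artifact_lang` is filled from `tool.get('notifications', [])` and then never read — it is a local of add_tool_info and the method ends right after the loop — so the whole added block is dead code; either return it or keep it on `self` for the findings table, or drop it. In add_summary the new index `rules = {rule['id']: rule ...}` and `rules[rule['id']] = rule` subscript with `rule['id']`, so a single rule object without an `id` aborts the entire report with KeyError; `rule.get('id')` with a skip when it is `None` keeps one malformed entry from blocking the evidence. The `.lower()` on `result.get('level', rule_severity)` also admits any level a query's `problem.severity` declares (CodeQL uses `recommendation` as well as `warning`/`error`), and the `if level not in severity_count` branch counts it, but the breakdown rewritten in the `@@ -99,10 +125,11 @@` hunk that follows only prints the four seeded keys. add_tool_info's signature is outside the hunk.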
@@ -99,10 +125,11 @@ def add_summary(self) -> None:
 "\n### Severity Breakdown"
 ])
- for severity, count in severity_count.items():
- if count > 0:
- emoji = self.formatter.get_emoji(severity)
- self.sections.append(f"- {emoji} **{severity.title()}**: {count}")
+ for severity in ['error', 'warning', 'note', 'none']:
+ count = severity_count.get(severity, 0)
+ emoji = self.formatter.get_emoji(severity)
+ self.sections.append(f"- {emoji} **{severity.title()}**: {count}")
+
 def add_query_info(self) -> None:
 self.sections.append("\n## 📝 Query Information")
@@ -142,14 +169,18 @@ def add_findings(self) -> None:
 ])
 for run in self.data.get('runs', []):
+ # Collect rules from driver and all extensions
 rules = {rule['id']: rule for rule in run.get('tool', {}).get('driver', {}).get('rules', [])}
+ for ext in run.get('tool', {}).get('extensions', []):
+ for rule in ext.get('rules', []):
+ rules[rule['id']] = rule
 for result in run.get('results', []):
 rule_id = result.get('ruleId', 'unknown')
 rule = rules.get(rule_id, {})
 rule_name = rule.get('name', rule_id)
- # ✅ New logic to fallback to rule severity if result.level is missing
+ # Fallback to rule severity if result.level is missing
 rule_severity = rule.get('properties', {}).get('problem.severity', 'none')
 severity = result.get('level', rule_severity)
@@ -160,7 +191,6 @@ def add_findings(self) -> None:
 self.sections.append(
 f"| {emoji} {severity.title()} | {rule_name} | {location} | {message} |"
 )
-
 def _format_location(self, locations: List[Dict]) -> str:
 if not locations:
 return "N/A"
From b870bc373dfeb11ae60a9581479e8143a9b22511 Mon Sep 17 00:00:00 2001
From: POOJA DONODE
Date: Mon, 9 Jun 2025 03:05:21 +0530
Subject: [PATCH 05/15] Added repositories
# Conflicts:
# .github/workflows/codeql.yml
---
 .github/workflows/codeql.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 26c38a9..d1e905b 100644
--- a/.github/workflows/codeql.yml
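Review bot: the rewritten loop iterates the fixed list `['error', 'warning', 'note', 'none']`, while `severity_count` in add_summary (the `@@ -79,18 +78,45 @@` hunk above) now grows a key for any other level a rule's `problem.severity` reports, so such findings are included in `total_issues` but never appear in the breakdown, and the totals in the report stop adding up. Iterating the dict keeps every counted level and preserves the seeded order: `for severity, count in severity_count.items():`. Dropping the old `if count > 0` guard also means the four zero rows are now always printed, which is fine if intended but worth stating in the commit message. add_summary's signature is outside the hunk.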
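Review bot: the rule-collection block added to add_findings here is the same four lines added to add_summary in the `@@ -79,18 +78,45 @@` hunk above, so the driver-plus-extensions merge now lives in two places that will drift; a small helper on the class that both call keeps it in one. The helper below returns the same dict as the inline code (later extension rules override earlier ones and the driver, as now) and both call sites reduce to `rules = self._collect_rules(run)`; `Dict` is already imported for `_format_location`. add_findings' header and the remainder of its loop are outside the hunk.
```python
def _collect_rules(self, run: Dict) -> Dict[str, Dict]:
    """Index rules by id from the driver and every extension; later definitions win."""
    rules = {rule['id']: rule for rule in run.get('tool', {}).get('driver', {}).get('rules', [])}
    for ext in run.get('tool', {}).get('extensions', []):
        for rule in ext.get('rules', []):
            rules[rule['id']] = rule
    return rules

# … in add_findings (and add_summary), replacing the inline block …
rules = self._collect_rules(run)
```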
+++ b/.github/workflows/codeql.yml
@@ -74,8 +74,7 @@ jobs:
 - name: Setup Node
 if: matrix.language_details.name == 'javascript'
 uses: actions/setup-node@v4
- with:
- node-version: '18'
+
 - name: Build and Publish ${{ matrix.language_details.name }} package
 env:
From 2db07850d296c764ef0adff73a2bfb262507fa86 Mon Sep 17 00:00:00 2001
From: POOJA DONODE
Date: Mon, 9 Jun 2025 03:05:21 +0530
Subject: [PATCH 06/15] Added repositories
# Conflicts:
# .github/workflows/codeql.yml
---
 examples/codeql/sarif_to_markdown.py | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/examples/codeql/sarif_to_markdown.py b/examples/codeql/sarif_to_markdown.py
index 814d866..c447ec7 100644
--- a/examples/codeql/sarif_to_markdown.py
+++ b/examples/codeql/sarif_to_markdown.py
@@ -204,14 +204,6 @@ def _format_location(self, locations: List[Dict]) -> str:
 location += f"-`{end_line}`"
 return location
- def add_recommendations(self) -> None:
- self.sections.extend([
- "\n## 💡 Recommendations",
- "\n1. Review all findings, particularly those marked as high severity",
- "2. Prioritize fixes based on security severity scores",
- "3. Implement secure coding practices to prevent similar issues",
- "4. Run regular CodeQL scans to maintain code security"
- ])
 def build(self) -> str:
 self.add_header()
From 7b5c8cef330f8d80fb624e49d9e373d3616b7c90 Mon Sep 17 00:00:00 2001
From: POOJA DONODE
Date: Mon, 9 Jun 2025 03:05:21 +0530
Subject: [PATCH 07/15] Added repositories
# Conflicts:
# .github/workflows/codeql.yml
---
 examples/codeql/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/codeql/README.md b/examples/codeql/README.md
index a5b089c..2da70af 100644
--- a/examples/codeql/README.md
+++ b/examples/codeql/README.md
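Review bot: dropping `node-version: '18'` leaves `actions/setup-node@v4` with no version input, so the JavaScript package that later gets signed evidence attached is built with whatever Node the `ubuntu-latest` image happens to ship, and a runner-image rollout changes the build inputs without any change in this repository. For a workflow whose point is attestable evidence about a package, the toolchain should be pinned the way the Go leg pins `go-version: '1.24.3'`: restore `node-version: '18'` (or a newer LTS chosen deliberately), or point the action at a checked-in `node-version-file`. The commit also leaves an added blank line (`+`) where `with:` stood; the enclosing `steps:` list starts above the hunk.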
@@ -30,7 +30,7 @@ The workflow performs CodeQL analysis on Go and JavaScript codebases, publishes
 3. **Setup Build Environment**
 - For Go: Installs Go 1.24.3
- - For JavaScript: Installs Node.js 18.x
+ - For JavaScript: Installs Node.js
 - Configures JFrog CLI with Artifactory credentials
 4. **Run CodeQL Analysis**
From 40f005c8d0a0e81559a9f294042c1fb076453b98 Mon Sep 17 00:00:00 2001
From: POOJA DONODE
Date: Mon, 9 Jun 2025 03:05:21 +0530
Subject: [PATCH 08/15] Added repositories
# Conflicts:
# .github/workflows/codeql.yml
---
 examples/codeql/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/codeql/README.md b/examples/codeql/README.md
index 2da70af..62c4a64 100644
--- a/examples/codeql/README.md
+++ b/examples/codeql/README.md
@@ -2,7 +2,7 @@
 This example demonstrates how to automate CodeQL security analysis for Go and JavaScript code, and attach the scan results as signed evidence to the packages in JFrog Artifactory using GitHub Actions and JFrog CLI.
-## Overview 
+## Overview
 The workflow performs CodeQL analysis on Go and JavaScript codebases, publishes the packages to Artifactory, and attaches the CodeQL analysis results as evidence. This enables traceability and security compliance in your CI/CD pipeline.
 ## Prerequisites
From 80be697718613bd67a3864b63b314c84df75b56c Mon Sep 17 00:00:00 2001
From: POOJA DONODE
Date: Mon, 9 Jun 2025 03:05:21 +0530
Subject: [PATCH 09/15] Added repositories
# Conflicts:
# .github/workflows/codeql.yml
---
 examples/codeql/sarif_to_markdown.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/examples/codeql/sarif_to_markdown.py b/examples/codeql/sarif_to_markdown.py
index c447ec7..405c9bf 100644
--- a/examples/codeql/sarif_to_markdown.py
+++ b/examples/codeql/sarif_to_markdown.py
@@ -211,7 +211,6 @@ def build(self) -> str:
 self.add_summary()
 self.add_query_info()
 self.add_findings()
- self.add_recommendations()
 return '\n'.join(self.sections)
 def setup_logging():
From dcfac44bfc386effb87ad4b216b5993a95f197f0 Mon Sep 17 00:00:00 2001
From: POOJA DONODE
Date: Mon, 9 Jun 2025 03:05:21 +0530
Subject: [PATCH 10/15] Added repositories
# Conflicts:
# .github/workflows/codeql.yml
---
 .github/workflows/codeql.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d1e905b..845e719 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -43,8 +43,7 @@ jobs:
 env:
 JF_URL: ${{ vars.ARTIFACTORY_URL }}
 JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
- with:
- version: 2.76.1
+
 - name: Setup Go
 if: matrix.language_details.name == 'go'
From 39bbaff4023b4179fd33458615c2ebe88c851e6b Mon Sep 17 00:00:00 2001
From: POOJA DONODE
Date: Mon, 9 Jun 2025 03:05:21 +0530
Subject: [PATCH 11/15] Added repositories
# Conflicts:
# .github/workflows/codeql.yml
---
 .github/workflows/codeql.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 845e719..bea1111 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -7,6 +7,7 @@ on:
 workflow_dispatch:
 permissions:
+ id-token: write
 contents: read
 actions: read
From d1ba789e82f7fab48066854a359c54a5e61784a5 Mon Sep 17 00:00:00 2001
From: POOJA DONODE
Date: Mon, 9 Jun 2025 03:05:21 +0530
Subject: [PATCH 12/15] Added repositories
# Conflicts:
# .github/workflows/codeql.yml
---
 .github/workflows/codeql.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bea1111..ab76b77 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
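Review bot: removing `with:` / `version: 2.76.1` from `jfrog/setup-jfrog-cli@v4` makes the step install whichever JFrog CLI release is current when the job runs, so the `jf evd create` invocation that produces the signed evidence depends on an unpinned binary whose flags and behaviour can change with no commit in this repository. Pin it the way the Go toolchain is pinned in the step right below (`go-version: '1.24.3'`): `with:` then `version: '2.76.1'` (quoted, so YAML cannot retype it), or a newer release chosen on purpose. The enclosing `steps:` list starts above the hunk.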
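Review bot: `id-token: write` is added back to the job's `permissions:` but nothing visible in the workflow requests an OIDC token — `jfrog/setup-jfrog-cli` is fed a static `JF_ACCESS_TOKEN` from secrets (PATCH 10/15 hunk just above), and checkout and CodeQL need only `contents: read` and `actions: read`. If the intent is to switch Artifactory authentication to OIDC, this permission is the right one and the static `ARTIFACTORY_ACCESS_TOKEN` secret should be retired at the same time; if not, drop the line so the job token carries only what its steps use. The `permissions:` map is complete within this hunk; `on:` is the hunk's header context.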
@@ -93,8 +93,8 @@ jobs:
 elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then
 cd $JS_CODE_PATH
 jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local --server-id-deploy=setup-jfrog-cli-server --server-id-resolve=setup-jfrog-cli-server
- jf npm publish --build-name=my-javascript-build --build-number=${{ github.run_number }}
- jf rt bp my-javascript-build ${{ github.run_number }}
+ jf npm publish --build-name=my-javascript-build --build-number=1
+ jf rt bp my-javascript-build 1
 fi
 cd -
 continue-on-error: true
From 7adf5560dc1bcd8ea0f06963da17b6bf5c8f3d78 Mon Sep 17 00:00:00 2001
From: Pooja Donode <140853520+poojadonode28@users.noreply.github.com>
Date: Mon, 9 Jun 2025 17:54:42 +0530
Subject: [PATCH 13/15] Update codeql.yml
---
 .github/workflows/codeql.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ab76b77..ddf2df4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -70,6 +70,7 @@ jobs:
 python ./examples/codeql/sarif_to_markdown.py \
 results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \
 results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md
+ cat results-javascript/javascript.sarif
 - name: Setup Node
 if: matrix.language_details.name == 'javascript'
From f166249d66ab735c9d42222cfbd3655eddf3f3bc Mon Sep 17 00:00:00 2001
From: Pooja Donode <140853520+poojadonode28@users.noreply.github.com>
Date: Mon, 9 Jun 2025 17:58:18 +0530
Subject: [PATCH 14/15] Update codeql.yml
---
 .github/workflows/codeql.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ddf2df4..ab76b77 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
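Review bot: the JavaScript `jf npm publish` and `jf rt bp` now use the constant build number `1`, so every run publishes build-info `my-javascript-build/1` while the Go branch just above still uses `${{ github.run_number }}`; the two legs become inconsistent and successive runs write to the same build-info record instead of producing one per run, which is exactly the provenance the evidence is meant to carry. The evidence step later attaches to package version `0.0.1`, so it does not depend on this number, and PATCH 15/15 on this page restores `${{ github.run_number }}`; if the constant was a workaround, the commit message ("Added repositories") does not say for what. The `run:` block and the `if` ladder it sits in start above the hunk.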
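Review bot: `cat results-javascript/javascript.sarif` runs on every matrix leg, so on the `go` leg the file does not exist and, with the `-e` that GitHub's default bash invocation for `run:` carries, the "Convert SARIF to Markdown" step fails; on the `javascript` leg it dumps the whole SARIF into the log. PATCH 14/15 reverts the line; if the output is needed for debugging, upload it with `actions/upload-artifact` or guard it on the matrix language, e.g. `if [ -f results-javascript/javascript.sarif ]; then cat results-javascript/javascript.sarif; fi`. The step's `run:` header is above the hunk.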
@@ -70,7 +70,6 @@ jobs:
 python ./examples/codeql/sarif_to_markdown.py \
 results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \
 results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md
- cat results-javascript/javascript.sarif
 - name: Setup Node
 if: matrix.language_details.name == 'javascript'
From 7514656af909447de6e0409ae2de377cc020897f Mon Sep 17 00:00:00 2001
From: POOJA DONODE
Date: Mon, 9 Jun 2025 03:05:21 +0530
Subject: [PATCH 15/15] Added repositories
# Conflicts:
# .github/workflows/codeql.yml
# Conflicts:
# .github/workflows/codeql.yml
---
 .github/workflows/codeql.yml | 55 +++++++++++++++----------------
 examples/codeql/README.md | 30 +++++++++++---------
 2 files changed, 38 insertions(+), 47 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ab76b77..eb58acf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -60,22 +60,12 @@ jobs:
 output: results-${{ matrix.language_details.name }}
 upload: false
- - name: Set up Python
- uses: actions/setup-python@v4
- with:
- python-version: '3.8'
-
 - name: Convert SARIF to Markdown
 run: |
 python ./examples/codeql/sarif_to_markdown.py \
 results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \
 results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md
- - name: Setup Node
- if: matrix.language_details.name == 'javascript'
- uses: actions/setup-node@v4
-
-
 - name: Build and Publish ${{ matrix.language_details.name }} package
 env:
 GO_CODE_PATH: examples/codeql/go
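Review bot: removing the `Set up Python` step leaves `python ./examples/codeql/sarif_to_markdown.py` on the runner image's default interpreter instead of the pinned `3.8`, and removing `Setup Node` leaves `jf npm publish` on the image's default Node, so both the report that becomes evidence and the published package now track whatever `ubuntu-latest` currently ships (as far as I know its default `python3` is 3.12, where the script's `datetime.utcnow()` is deprecated, so the report step may start warning or break on a future image). Pin both explicitly — `actions/setup-python@v5` with a quoted `python-version`, and `actions/setup-node@v4` with a quoted `node-version`, at whichever versions the example is actually tested on — so a runner-image rollout cannot silently change the evidence's inputs. The enclosing `steps:` list begins above the hunk.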
@@ -92,40 +82,39 @@ jobs:
 jf rt bp my-go-build ${{ github.run_number }}
 elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then
 cd $JS_CODE_PATH
- jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local --server-id-deploy=setup-jfrog-cli-server --server-id-resolve=setup-jfrog-cli-server
- jf npm publish --build-name=my-javascript-build --build-number=1
- jf rt bp my-javascript-build 1
+ jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local \
+ --server-id-deploy=setup-jfrog-cli-server \
+ --server-id-resolve=setup-jfrog-cli-server
+
+ jf npm publish --build-name=my-javascript-build --build-number=${{ github.run_number }}
+ jf rt bp my-javascript-build ${{ github.run_number }}
 fi
 cd -
 continue-on-error: true
 - name: Attach Evidence Using JFrog CLI
- env:
- JFROG_SIGNING_KEY: ${{ secrets.JFROG_SIGNING_KEY }}
 run: |
- KEY=$(echo $JFROG_SIGNING_KEY | base64 -d)
- echo $KEY
 jf config show
 if [ ${{ matrix.language_details.name }} == 'go' ]; then
 PACKAGE_VERSION="v0.0.${{ github.run_number }}"
 jf evd create \
- --package-name="jfrog.com/mygobuild" \
- --package-version="$PACKAGE_VERSION" \
- --package-repo-name="go-local" \
- --key="${{ secrets.CODEQL_SIGNING_KEY }}" \
- --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \
- --predicate="results-go/go.sarif" \
- --predicate-type="http://github.com/CodeQL/static-analysis" \
- --markdown="results-go/go-report.md"
+ --package-name "jfrog.com/mygobuild" \
+ --package-version $PACKAGE_VERSION \
+ --package-repo-name go-local \
+ --key "${{ secrets.CODEQL_SIGNING_KEY }}" \
+ --key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+ --predicate "results-go/go.sarif" \
+ --predicate-type "http://github.com/CodeQL/static-analysis" \
+ --markdown "results-go/go-report.md"
 elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then
 PACKAGE_VERSION="0.0.1"
 jf evd create \
- --package-name="my-javascript-build" \
- --package-version="$PACKAGE_VERSION" \
- --package-repo-name="javascript-local" \
- --key="${{ secrets.CODEQL_SIGNING_KEY }}" \
- --key-alias= ${{ vars.CODEQL_KEY_ALIAS }} \
- --predicate="results-javascript/javascript.sarif" \
- --predicate-type="http://github.com/CodeQL/static-analysis" \
- --markdown="results-javascript/javascript-report.md"
+ --package-name my-javascript-build \
+ --package-version $PACKAGE_VERSION \
+ --package-repo-name javascript-local \
+ --key "${{ secrets.CODEQL_SIGNING_KEY }}" \
+ --key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+ --predicate "results-javascript/javascript.sarif" \
+ --predicate-type "http://github.com/CodeQL/static-analysis" \
+ --markdown "results-javascript/javascript-report.md"
 fi
diff --git a/examples/codeql/README.md b/examples/codeql/README.md
index 62c4a64..5e3d908 100644
--- a/examples/codeql/README.md
+++ b/examples/codeql/README.md
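Review bot: both rewritten `jf evd create` calls still splice `${{ secrets.CODEQL_SIGNING_KEY }}` and `${{ vars.CODEQL_KEY_ALIAS }}` into the script text by expression substitution, so the signing key is embedded in a shell command line rather than read from the environment, and the alias is expanded unquoted — a repository-variable value with a space or shell metacharacter is word-split and evaluated instead of passed through — while `--package-version $PACKAGE_VERSION` lost the quotes it previously had. Route both values through `env:` (the commit removed that block along with `JFROG_SIGNING_KEY`, so a new one is needed) and reference them as quoted shell variables, as in the Go branch below; the JavaScript branch takes the same substitution. Removing `echo $KEY` and the base64 decode is the right call; the retained `jf config show` still prints the CLI's server configuration to the log on every run and can go now that the step works. The step begins inside the hunk at `- name: Attach Evidence Using JFrog CLI`, a context line, and the `jobs:` map it belongs to starts above it.
```yaml
- name: Attach Evidence Using JFrog CLI
  env:
    CODEQL_SIGNING_KEY: ${{ secrets.CODEQL_SIGNING_KEY }}
    CODEQL_KEY_ALIAS: ${{ vars.CODEQL_KEY_ALIAS }}
  run: |
    # … unchanged: language test and PACKAGE_VERSION assignment …
    jf evd create \
      --package-name "jfrog.com/mygobuild" \
      --package-version "$PACKAGE_VERSION" \
      --package-repo-name go-local \
      --key "$CODEQL_SIGNING_KEY" \
      --key-alias "$CODEQL_KEY_ALIAS" \
      --predicate "results-go/go.sarif" \
      --predicate-type "http://github.com/CodeQL/static-analysis" \
      --markdown "results-go/go-report.md"
    # … unchanged: javascript branch, with the same two substitutions …
```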
@@ -71,25 +71,27 @@ The workflow attaches CodeQL analysis results as evidence using the following fo
 ### For Go Packages:
 ```yaml
 jf evd create \
- --package-name="example.com/mygobuild" \
- --package-version="v0.0.1" \
- --package-repo-name="go-local" \
- --key="$KEY" \
- --key-alias="dev" \
- --predicate="results-go/go.sarif" \
- --predicate-type="http://github.com/CodeQL/static-analysis"
+--package-name "jfrog.com/mygobuild" \
+--package-version $PACKAGE_VERSION \
+--package-repo-name go-local \
+--key "${{ secrets.CODEQL_SIGNING_KEY }}" \
+--key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+--predicate "results-go/go.sarif" \
+--predicate-type "http://github.com/CodeQL/static-analysis" \
+--markdown "results-go/go-report.md"
 ```
 ### For JavaScript Packages:
 ```yaml
 jf evd create \
- --package-name="my-javascript-build" \
- --package-version="0.0.1" \
- --package-repo-name="javascript-local" \
- --key="$KEY" \
- --key-alias="dev" \
- --predicate="results-javascript/javascript.sarif" \
- --predicate-type="http://github.com/CodeQL/static-analysis"
+--package-name my-javascript-build \
+--package-version $PACKAGE_VERSION \
+--package-repo-name javascript-local \
+--key "${{ secrets.CODEQL_SIGNING_KEY }}" \
+--key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+--predicate "results-javascript/javascript.sarif" \
+--predicate-type "http://github.com/CodeQL/static-analysis" \
+--markdown "results-javascript/javascript-report.md"
 ```
 ## Workflow Trigger