Adding support for CodeQL Security Analysis evidence integration

.github/workflows/codeql.yml

@@ -0,0 +1,120 @@
+name : "CodeQL Analysis Workflow"
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+  actions: read
+
+
+jobs:
+  codeql:
+    name: Analyse
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language_details:
+          - name: javascript
+            queries_path: ./examples/codeql/queries/js
+          - name: go
+            queries_path: ./examples/codeql/queries/go
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            examples/codeql/**
+          sparse-checkout-cone-mode: false
+
+      - name: Set up CodeQL for ${{ matrix.language_details.name }}
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language_details.name }}
+          config-file: examples/codeql/codeql-config.yml
+          queries: ${{ matrix.language_details.queries_path }}
+
+      - name: Setup Jfrog CLI for go
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ vars.ARTIFACTORY_URL }}
+          JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+
+      - name: Setup Go
+        if: matrix.language_details.name == 'go'
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.24.3'
+
+
+      - name: Run CodeQL Analysis for ${{ matrix.language_details.name }}
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "security-and-quality"
+          output: results-${{ matrix.language_details.name }}
+          upload: false
+
+      - name: Convert SARIF to Markdown
+        run: |
+          python ./examples/codeql/sarif_to_markdown.py \
+            results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \
+            results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md
+
+      - name: Build and Publish ${{ matrix.language_details.name }} package
+        env:
+          GO_CODE_PATH: examples/codeql/go
+          JS_CODE_PATH: examples/codeql/js
+        run: |
+          if [ ${{ matrix.language_details.name }} == 'go' ]; then
+            cd $GO_CODE_PATH
+            # Configure JFrog CLI for Go
+            jf go-config --repo-resolve=go-remote --repo-deploy=go-local \
+              --server-id-deploy=setup-jfrog-cli-server \
+              --server-id-resolve=setup-jfrog-cli-server
+
+            jf gp --build-name=my-go-build --build-number=${{ github.run_number }} v0.0.${{ github.run_number }}
+            jf rt bp my-go-build ${{ github.run_number }}
+          elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then
+            cd $JS_CODE_PATH
+            jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local \
+              --server-id-deploy=setup-jfrog-cli-server \
+              --server-id-resolve=setup-jfrog-cli-server
+
+            jf npm publish --build-name=my-javascript-build --build-number=${{ github.run_number }}
+            jf rt bp my-javascript-build ${{ github.run_number }}
+          fi
+          cd -
+        continue-on-error: true
+
+      - name: Attach Evidence Using JFrog CLI
+        run: |
+          jf config show
+          if [ ${{ matrix.language_details.name }} == 'go' ]; then
+            PACKAGE_VERSION="v0.0.${{ github.run_number }}"
+            jf evd create \
+            --package-name "jfrog.com/mygobuild" \
+            --package-version $PACKAGE_VERSION \
+            --package-repo-name go-local \
+            --key "${{ secrets.CODEQL_SIGNING_KEY }}" \
+            --key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+            --predicate "results-go/go.sarif" \
+            --predicate-type "http://github.com/CodeQL/static-analysis" \
+            --markdown "results-go/go-report.md"
+          elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then
+            PACKAGE_VERSION="0.0.1"
+            jf evd create \
+            --package-name my-javascript-build \
+            --package-version $PACKAGE_VERSION \
+            --package-repo-name javascript-local \
+            --key "${{ secrets.CODEQL_SIGNING_KEY }}" \
+            --key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+            --predicate "results-javascript/javascript.sarif" \
+            --predicate-type "http://github.com/CodeQL/static-analysis" \
+            --markdown "results-javascript/javascript-report.md"
+          fi

examples/codeql/README.md

@@ -0,0 +1,108 @@
+# CodeQL Security Analysis Evidence Example
+
+This example demonstrates how to automate CodeQL security analysis for Go and JavaScript code, and attach the scan results as signed evidence to the packages in JFrog Artifactory using GitHub Actions and JFrog CLI.
+
+##  Overview
+The workflow performs CodeQL analysis on Go and JavaScript codebases, publishes the packages to Artifactory, and attaches the CodeQL analysis results as evidence. This enables traceability and security compliance in your CI/CD pipeline.
+
+## Prerequisites
+- JFrog CLI 2.76.1 or above (installed automatically in the workflow)
+- Go 1.24.3 (for Go analysis)
+- Node.js 18.x (for JavaScript analysis)
+- The following GitHub repository variables:
+    - `ARTIFACTORY_URL` (Artifactory base URL)
+- The following GitHub repository secrets:
+    - `ARTIFACTORY_ACCESS_TOKEN` (Artifactory access token)
+    - `JFROG_SIGNING_KEY`
+
+## Supported Languages
+- Go
+- JavaScript
+
+## Workflow Steps
+1. **Checkout Repository**
+    - Performs sparse checkout of required directories
+    - Only checks out the necessary CodeQL examples and queries
+
+2. **Setup CodeQL**
+    - Initializes CodeQL for the specified language
+    - Configures custom queries from `examples/codeql/queries/{language}`
+
+3. **Setup Build Environment**
+    - For Go: Installs Go 1.24.3
+    - For JavaScript: Installs Node.js
+    - Configures JFrog CLI with Artifactory credentials
+
+4. **Run CodeQL Analysis**
+    - Performs CodeQL analysis for security and quality
+    - Generates SARIF format results
+    - Saves results without uploading to GitHub
+
+5. **Build and Publish Packages**
+    - For Go:
+        - Configures JFrog CLI for Go repository
+        - Publishes package to Artifactory Go repository
+    - For JavaScript:
+        - Configures JFrog CLI for npm repository
+        - Publishes package to Artifactory npm repository
+
+6. **Attach Evidence**
+    - Attaches CodeQL analysis results as signed evidence to the published packages
+
+## Environment Setup
+
+### Go Package Configuration
+```yaml
+jf go-config --repo-resolve=go-remote --repo-deploy=go-local \
+  --server-id-deploy=setup-jfrog-cli-server \
+  --server-id-resolve=setup-jfrog-cli-server
+```
+
+### JavaScript Package Configuration
+```yaml
+jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local \
+  --server-id-deploy=setup-jfrog-cli-server \
+  --server-id-resolve=setup-jfrog-cli-server
+```
+
+## Evidence Attachment
+The workflow attaches CodeQL analysis results as evidence using the following format:
+
+### For Go Packages:
+```yaml
+jf evd create \
+--package-name "jfrog.com/mygobuild" \
+--package-version $PACKAGE_VERSION \
+--package-repo-name go-local \
+--key "${{ secrets.CODEQL_SIGNING_KEY }}" \
+--key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+--predicate "results-go/go.sarif" \
+--predicate-type "http://github.com/CodeQL/static-analysis" \
+--markdown "results-go/go-report.md"
+```
+
+### For JavaScript Packages:
+```yaml
+jf evd create \
+--package-name my-javascript-build \
+--package-version $PACKAGE_VERSION \
+--package-repo-name javascript-local \
+--key "${{ secrets.CODEQL_SIGNING_KEY }}" \
+--key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
+--predicate "results-javascript/javascript.sarif" \
+--predicate-type "http://github.com/CodeQL/static-analysis" \
+--markdown "results-javascript/javascript-report.md"
+```
+
+## Workflow Trigger
+The analysis is triggered on:
+- Push to main branch
+- Manual workflow dispatch
+
+## References
+- [CodeQL Documentation](https://codeql.github.com/docs/)
+- [JFrog CLI Documentation](https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory)
+- [GitHub CodeQL Action](https://github.com/github/codeql-action)
+- [JFrog Evidence Management](https://www.jfrog.com/confluence/display/JFROG/Evidence+Management)
+
+

examples/codeql/codeql-config.yml

@@ -0,0 +1,16 @@
+name: "Package-Specific CodeQL Config"
+
+paths-ignore:
+  - '**/node_modules/**'
+  - '**/vendor/**'
+  - '**/dist/**'
+  - '**/build/**'
+  - '**/coverage/**'
+  - '**/test/**'
+  - '**/tests/**'
+  - '**/*.spec.js'
+  - '**/*.test.js'
+  - '**/*.spec.ts'
+
+paths:
+  - examples/codeql/

examples/codeql/go/go.mod

@@ -0,0 +1,3 @@
+module jfrog.com/mygobuild
+
+go 1.24.3

examples/codeql/go/main.go

@@ -0,0 +1,20 @@
+package mygobuild
+
+import (
+	"fmt"
+	"time"
+)
+
+// Greetter method with 5 params : name, place, age, fromDate, tillDate
+func Greetter(name string, place string, age int, fromDate time.Time, tillDate time.Time) {
+	fmt.Printf("Welcome %s , Please verify your details:\n", name)
+	fmt.Printf("Place: %s\n", place)
+	fmt.Printf("Age: %d\n", age)
+	fmt.Printf("From Date: %s\n", fromDate.Format("2006-01-02"))
+	fmt.Printf("Till Date: %s\n", tillDate.Format("2006-01-02"))
+	fmt.Println("Thank you for providing your details!")
+}
+
+func main() {
+	Greetter("John Doe", "New York", 30, time.Now().AddDate(0, 0, -7), time.Now())
+}

examples/codeql/js/index.js

@@ -0,0 +1,4 @@
+export function greet(name, place, age, from, till) {
+  console.log(`Hello ${name} from ${place}, you are ${age} years old!`);
+  console.log(`You are visiting from ${from} to ${till}.`);
+}

examples/codeql/js/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "my-javascript-build",
+  "version": "0.0.1",
+  "description": "Dummy package for testing CodeQL JavaScript queries",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1" 
+  },
+  "keywords": [],
+  "author": "JFrog",
+  "license": "ISC"
+}

examples/codeql/queries/go/codeql-pack.lock.yml

@@ -0,0 +1,24 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/dataflow:
+    version: 2.0.8
+  codeql/go-all:
+    version: 4.2.6
+  codeql/go-queries:
+    version: 1.2.1
+  codeql/mad:
+    version: 1.0.24
+  codeql/ssa:
+    version: 2.0.0
+  codeql/suite-helpers:
+    version: 1.0.24
+  codeql/threat-models:
+    version: 1.0.24
+  codeql/tutorial:
+    version: 1.0.24
+  codeql/typetracking:
+    version: 2.0.8
+  codeql/util:
+    version: 2.0.11
+compiled: false

examples/codeql/queries/go/go-too-many-params.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Functions with too many parameters
+ * @description Finds Go functions that have more than 3 parameters.
+ * @kind problem
+ * @problem.severity warning
+ * @id go/too-many-parameters
+ */
+import go
+
+from Function f
+where f.getNumParameter() > 3
+select f, "Function " + f.getName() + " has " + f.getNumParameter().toString() + " parameters, which is more than the allowed 3."

examples/codeql/queries/go/qlpack.yml

@@ -0,0 +1,5 @@
+name: sample/go-queries
+version: 0.0.1
+dependencies:
+  codeql/go-queries: "*"
+extractor: go

examples/codeql/queries/js/codeql-pack.lock.yml

@@ -0,0 +1,32 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/dataflow:
+    version: 2.0.8
+  codeql/javascript-all:
+    version: 2.6.4
+  codeql/javascript-queries:
+    version: 1.6.1
+  codeql/mad:
+    version: 1.0.24
+  codeql/regex:
+    version: 1.0.24
+  codeql/ssa:
+    version: 2.0.0
+  codeql/suite-helpers:
+    version: 1.0.24
+  codeql/threat-models:
+    version: 1.0.24
+  codeql/tutorial:
+    version: 1.0.24
+  codeql/typetracking:
+    version: 2.0.8
+  codeql/typos:
+    version: 1.0.24
+  codeql/util:
+    version: 2.0.11
+  codeql/xml:
+    version: 1.0.24
+  codeql/yaml:
+    version: 1.0.24
+compiled: false

examples/codeql/queries/js/js-too-many-params.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Too many parameters
+ * @description Functions with too many parameters can be hard to read and maintain.
+ * @kind problem
+ * @precision high
+ * @problem.severity warning
+ * @id js/too-many-params
+ * @tags maintainability
+ */
+import javascript
+
+from Function f
+where f.getNumParameter() > 3
+select f, "Function " + f.getName() + " has " + f.getNumParameter().toString() + " parameters, which is more than the allowed 3."

examples/codeql/queries/js/qlpack.yml

@@ -0,0 +1,5 @@
+name: sample/js-queries
+version: 0.0.1
+dependencies:
+  codeql/javascript-queries: "*"
+extractor: javascript