advanced-security · jsinglet · Mar 1, 2024 · Jan 19, 2024 · Jan 19, 2024 · Jan 24, 2024
diff --git a/.gitattributes b/.gitattributes
@@ -2,7 +2,6 @@
 # Set default behavior to automatically normalize line endings.
 ###############################################################################
 * text=auto
-
 ###############################################################################
 # Set default behavior for command prompt diff.
 #
@@ -11,7 +10,6 @@
 # Note: This is only used by command line
 ###############################################################################
 #*.cs     diff=csharp
-
 ###############################################################################
 # Set the merge driver for project and solution files
 #
@@ -34,7 +32,6 @@
 #*.modelproj merge=binary
 #*.sqlproj   merge=binary
 #*.wwaproj   merge=binary
-
 ###############################################################################
 # behavior for image files
 #
@@ -43,7 +40,6 @@
 #*.jpg   binary
 #*.png   binary
 #*.gif   binary
-
 ###############################################################################
 # diff behavior for common document formats
 # 
@@ -61,3 +57,4 @@
 #*.PDF   diff=astextplain
 #*.rtf   diff=astextplain
 #*.RTF   diff=astextplain
+codeql_bundle.exe filter=lfs diff=lfs merge=lfs -text
diff --git a/.github/actions/install-qlt-local/action.yml b/.github/actions/install-qlt-local/action.yml
@@ -47,13 +47,36 @@ runs:
         # repair permissions
         chmod +x ./src/CodeQLToolkit.Core/bin/Release/net6.0/publish/linux-x64/qlt
         chmod +r -R ./src/CodeQLToolkit.Core/bin/Release/net6.0/publish/linux-x64        
-
+
+    - uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+
+    - name: Build CodeQL Bundle Tool for Packaging
+      shell: pwsh 
+      run: |
+        # need this for the bundling to work.
+        pip install poetry 
+        pip install -U pyinstaller 
+
+        # run the packaging 
+        ./scripts/build_codeql_bundle_dist.ps1 -Version 0.2.0 -WorkDirectory dist -DestinationDirectory ./src/CodeQLToolkit.Core/bin/Release/net6.0/publish/linux-x64/tools/
+      env:
+        GH_TOKEN: ${{ github.token }}
+
+    - name: Build Bundle Archive
+      shell: bash
+      run: |
+        echo "Current Directory $(pwd)"
+
         # create bundle 
         ARCHIVE="$(pwd)/qlt-linux-x86_64.zip"        
         pushd ./src/CodeQLToolkit.Core/bin/Release/net6.0/publish/linux-x64
         zip -r $ARCHIVE .
         popd
 
+
+
     - name: Move Artifacts
       shell: pwsh
       run: |

diff --git a/.github/actions/install-qlt/action.yml b/.github/actions/install-qlt/action.yml
@@ -30,6 +30,8 @@ runs:
         ADD_TO_PATH: ${{ inputs.add-to-path }}
         QLT_VERSION: ${{ inputs.qlt-version }}
         QLT_HOME: ${{ inputs.qlt-home }}
+        GITHUB_TOKEN: ${{ github.token }}
+
       shell: bash
       run: |
         echo -e "\e[0;32m[QLT]\e[0m Determining QLT release for $RUNNER_OS"

diff --git a/.github/workflows/internal-pr-bundle-integration-test-cpp.yml b/.github/workflows/internal-pr-bundle-integration-test-cpp.yml
@@ -0,0 +1,108 @@
+name: ⚙️ Integration Test Bundle on PR (CPP)
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Install QLT
+      id: install-qlt
+      uses: ./.github/actions/install-qlt-local
+      with:
+        qlt-version: 'latest'
+        add-to-path: true
+
+    - name: Validate QLT Installation
+      shell: bash
+      run: |
+        echo -e "Checking QLT Version:"
+        echo "QLT Home: ${{ steps.install-qlt.outputs.qlt-home }}"
+        qlt version
+
+    - name: Create Bundle (compiled)
+      shell: bash
+      run: |
+        if ! qlt codeql run install --base example/ --custom-bundle  ; then
+          echo "Failed to generate bundle."
+          exit 1
+        fi
+
+        # ensure bundle runs 
+
+        if ! qlt query run install-packs --use-bundle --base example/  ; then
+          echo "Failed to install query packs with tool."
+          exit 1
+        fi
+
+    - name: Validate Bundle Existence
+      shell: bash
+      run: |
+        echo "Checking Bundle Existence"
+        ls -l ${{ env.QLT_CODEQL_HOME }}/../out/
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        queries: security-extended
+        source-root: integration-tests/cpp/src/  # Path containing the example application 
+        tools: ${{ env.QLT_CODEQL_BUNDLE_PATH }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+      with:
+        working-directory: integration-tests/cpp/src/  # Path containing the example application 
+
+    - name: Perform CodeQL Analysis
+      id: analysis
+      uses: github/codeql-action/analyze@v2
+
+    - name: Validate SARIF Location
+      shell: bash
+      run: |
+        # validate we have the actual sarif results
+        echo "Checking SARIF file location at: ${{ steps.analysis.outputs.sarif-output }}"
+        ls -l ${{ steps.analysis.outputs.sarif-output }}
+
+    - name: Upload SARIF Results
+      uses: actions/upload-artifact@v2
+      with:
+        name: actual.sarif
+        path: |
+          ${{ steps.analysis.outputs.sarif-output }}/*.sarif
+        if-no-files-found: error
+
+    - name: Upload Bundle Used
+      uses: actions/upload-artifact@v2
+      with:
+        name: codeql-bundle.tar.gz
+        path: |
+          ${{ env.QLT_CODEQL_BUNDLE_PATH }}
+        if-no-files-found: error
+
+    - name: Validate SARIF Results
+      shell: bash
+      run: |
+        # Compare the expected vs the actual 
+        qlt bundle run validate-integration-tests --expected integration-tests/cpp/expected.sarif --actual ${{ steps.analysis.outputs.sarif-output }}/cpp.sarif        
diff --git a/.github/workflows/internal-pr-test-bundle-creation.yml b/.github/workflows/internal-pr-test-bundle-creation.yml
@@ -0,0 +1,49 @@
+name: ⚙️ Test Bundle Creation
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+  workflow_dispatch:
+
+jobs:
+  test-bundle-creation:
+    name: Test Bundle Creation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install QLT
+        id: install-qlt
+        uses: ./.github/actions/install-qlt-local
+        with:
+          qlt-version: 'latest'
+          add-to-path: true
+
+      - name: Validate QLT Installation
+        shell: bash
+        run: |
+          echo -e "Checking QLT Version:"
+          echo "QLT Home: ${{ steps.install-qlt.outputs.qlt-home }}"
+          qlt version
+
+      - name: Create Bundle (compiled)
+        shell: bash
+        run: |
+          if ! qlt codeql run install --base example/ --custom-bundle  ; then
+            echo "Failed to generate bundle."
+            exit 1
+          fi
+
+          # ensure bundle runs 
+
+          if ! qlt query run install-packs --use-bundle --base example/  ; then
+            echo "Failed to install query packs with tool."
+            exit 1
+          fi
+
+
diff --git a/.github/workflows/internal-pr-test-quick-bundle-creation.yml b/.github/workflows/internal-pr-test-quick-bundle-creation.yml
@@ -0,0 +1,49 @@
+name: ⚙️ Test Bundle Creation (Quick)
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+    branches:
+      - 'main'
+  workflow_dispatch:
+
+jobs:
+  test-bundle-creation:
+    name: Test Bundle Creation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Install QLT
+        id: install-qlt
+        uses: ./.github/actions/install-qlt-local
+        with:
+          qlt-version: 'latest'
+          add-to-path: true
+
+      - name: Validate QLT Installation
+        shell: bash
+        run: |
+          echo -e "Checking QLT Version:"
+          echo "QLT Home: ${{ steps.install-qlt.outputs.qlt-home }}"
+          qlt version
+
+      - name: Create Bundle (quick)
+        shell: bash
+        run: |
+          if ! qlt codeql run install --base example/ --quick-bundle  ; then
+            echo "Failed to generate bundle."
+            exit 1
+          fi
+
+          # ensure bundle runs 
+
+          if ! qlt query run install-packs --use-bundle --base example/  ; then
+            echo "Failed to install query packs with tool."
+            exit 1
+          fi
+
+
diff --git a/.github/workflows/internal-validate-workflow-files.yml b/.github/workflows/internal-validate-workflow-files.yml
@@ -3,10 +3,10 @@ name: ⚙️ Validate Workflow Files
 on:
   push:
     branches:
-      - '**'
+      - 'main'
   pull_request:
     branches:
-      - '**'
+      - 'main'
   workflow_dispatch:
 
 jobs:

diff --git a/.github/workflows/run-codeql-unit-tests-cpp.yml b/.github/workflows/run-codeql-unit-tests-cpp.yml
@@ -59,19 +59,20 @@ jobs:
 
       - name: Install CodeQL
         id: install-codeql
-        uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ matrix.codeql_cli }}
-          codeql-stdlib-version: ${{ matrix.codeql_standard_library }}
-          add-to-path: true
+        shell: bash
+        run: |
+          echo "Installing CodeQL"
+          qlt codeql run install --base example/
+          echo "-----------------------------"
+          echo "CodeQL Home: $QLT_CODEQL_HOME"
+          echo "CodeQL Binary: $QLT_CODEQL_PATH"
 
       - name: Verify Versions of Tooling
         shell: bash
         run: |
-          echo "CodeQL Home: ${{ steps.install-codeql.outputs.codeql-home }}"
           echo -e "Checking CodeQL Version:"
-          codeql --version 
-
+          $QLT_CODEQL_PATH --version
+                     
           echo -e "Checking QLT Version:"
           echo "QLT Home: ${{ steps.install-qlt.outputs.qlt-home }}"
           qlt version

diff --git a/.github/workflows/validate-codeql-queries-cpp.yml b/.github/workflows/validate-codeql-queries-cpp.yml
@@ -58,19 +58,21 @@ jobs:
 
 
       - name: Install CodeQL
-        uses: ./.github/actions/install-codeql
-        with:
-          codeql-cli-version: ${{ matrix.codeql_cli }}
-          codeql-stdlib-version: ${{ matrix.codeql_standard_library }}
-          add-to-path: true
+        id: install-codeql
+        shell: bash
+        run: |
+          echo "Installing CodeQL"
+          qlt codeql run install --base example/
+          echo "-----------------------------"
+          echo "CodeQL Home: $QLT_CODEQL_HOME"
+          echo "CodeQL Binary: $QLT_CODEQL_PATH"
 
       - name: Verify Versions of Tooling
         shell: bash
         run: |
-          echo "CodeQL Home: ${{ steps.install-codeql.outputs.codeql-home }}"
           echo -e "Checking CodeQL Version:"
-          codeql --version 
-
+          $QLT_CODEQL_PATH --version
+                     
           echo -e "Checking QLT Version:"
           echo "QLT Home: ${{ steps.install-qlt.outputs.qlt-home }}"
           qlt version

diff --git a/.gitignore b/.gitignore
@@ -360,4 +360,5 @@ MigrationBackup/
 .ionide/
 
 # Fody - auto-generated XML schema
-FodyWeavers.xsd
+FodyWeavers.xsd
+/dist/