Merge pull request #39 from advanced-security/ql-for-ql

Add initial QL for QL support

Author: GeekMasher

.github/workflows/codeql-ql.yml

@@ -0,0 +1,97 @@
+name: CodeQL for QL
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  ql-for-ql:
+    runs-on: ubuntu-latest
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+      cancel-in-progress: true
+
+    steps:
+      - name: "Checkout repository"
+        uses: actions/checkout@v4
+
+      - name: "Set up Rust"
+        uses: dtolnay/rust-toolchain@nightly
+
+      - name: "Build QL-for-QL"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          CODEQL_REPOSITORY_PATH: ${{ runner.temp }}/codeql
+        run: |
+          set -e
+
+          CODEQL_REPOSITORY_PATH="${CODEQL_REPOSITORY_PATH:-$HOME/.codeql/codeql-ql}"
+          echo "CodeQL repository path: $CODEQL_REPOSITORY_PATH"
+
+          if [ ! -d "$CODEQL_REPOSITORY_PATH" ]; then
+            echo "CodeQL repository not found. Cloning..."
+            mkdir -p "$HOME/.codeql"
+
+            git clone \
+              --depth 1 \
+              https://github.com/github/codeql.git \
+              "$CODEQL_REPOSITORY_PATH"
+          fi
+
+          pushd "$CODEQL_REPOSITORY_PATH/ql" > /dev/null
+
+          echo "Building QL Extractor..."
+          ./scripts/create-extractor-pack.sh
+
+          popd > /dev/null
+
+      - name: "Run QL-for-QL"
+        id: run_ql
+        env:
+          GH_TOKEN: ${{ github.token }}
+          CODEQL_REPOSITORY_PATH: ${{ runner.temp }}/codeql
+        run: |
+          set -e
+
+          SARIF_FILE="${SARIF_FILE:-ql-for-ql.sarif}"
+          CODEQL_REPOSITORY_PATH="${CODEQL_REPOSITORY_PATH:-$HOME/.codeql/codeql-ql}"
+          CODEQL_SUITE="${CODEQL_SUITE:-$CODEQL_REPOSITORY_PATH/ql/ql/src/codeql-suites/ql-code-scanning.qls}"
+
+          # Glob for Actions toolcache
+          CODEQL_GLOB='$RUNNER_TOOL_CACHE/CodeQL/*/x64/codeql/codeql'
+
+          if [ -f "$CODEQL_GLOB" ]; then
+            CODEQL_BINARY=$(echo $CODEQL_GLOB)
+          elif which codeql >/dev/null; then
+            CODEQL_BINARY="codeql"
+          elif gh codeql >/dev/null; then
+            CODEQL_BINARY="gh codeql"
+          else
+            gh extension install github/gh-codeql
+            CODEQL_BINARY="gh codeql"
+          fi
+          echo "[+] Using codeql binary: $CODEQL_BINARY"
+
+          $CODEQL_BINARY database create \
+              --language ql --overwrite \
+              --search-path "$CODEQL_REPOSITORY_PATH/ql/extractor-pack" \
+              ../ql-for-ql-db
+
+          $CODEQL_BINARY database analyze \
+              --format=sarif-latest \
+              --additional-packs "$CODEQL_REPOSITORY_PATH/ql" \
+              --output=$SARIF_FILE \
+              ../ql-for-ql-db \
+              $CODEQL_SUITE
+
+          echo "sarif=$SARIF_FILE" >> "$GITHUB_OUTPUT"
+                
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.run_ql.outputs.sarif }}