Add runcodeql.sh for "tox -e codeql" - Security check in python codes (…

…#105) * Add runcodeql.sh for "tox -e codeql" - Security check in python codes * Fixed issues found in the reviews by @richm. * Fixed typo found in the reviews by @richm.
linux-system-roles · Jan 26, 2023 · d087326 · d087326
1 parent 2ef2215
commit d087326
Show file tree

Hide file tree

Showing 3 changed files with 126 additions and 1 deletion.
diff --git a/src/tox_lsr/config_files/tox-default.ini b/src/tox_lsr/config_files/tox-default.ini
@@ -4,7 +4,7 @@ envlist =
     black, pylint, flake8, yamllint
     py{26,27,36,37,38,39,310,311}, shellcheck
     collection, ansible-lint, custom
-    ansible-test, woke
+    ansible-test, woke, codeql
 skipsdist = true
 skip_missing_interpreters = true
 
@@ -272,6 +272,11 @@ changedir = {toxinidir}
 commands =
     bash {lsr_scriptdir}/runwoke.sh
 
+[testenv:codeql]
+changedir = {toxinidir}
+commands =
+    bash {lsr_scriptdir}/runcodeql.sh
+
 [qemu_common]
 changedir = {toxinidir}
 basepython = python3

diff --git a/src/tox_lsr/test_scripts/runcodeql.sh b/src/tox_lsr/test_scripts/runcodeql.sh
@@ -0,0 +1,116 @@
+#!/bin/bash
+# SPDX-License-Identifier: MIT
+
+# Do not exit on an error to continue ansible-doc and ansible-test.
+set -euo pipefail
+
+#uncomment if you use $ME - otherwise set in utils.sh
+#ME=$(basename "$0")
+SCRIPTDIR=$(readlink -f "$(dirname "$0")")
+
+. "${SCRIPTDIR}/utils.sh"
+
+# Run codeql against python codes in a role
+CODEQLACTIONDIR=${CODEQLACTIONDIR:-"${HOME}/github.com/github/codeql-action"}
+ROLE=${ROLE:-"$( basename $TOPDIR )"}
+JQPATH=$( which jq 2> /dev/null )
+if [ $? -ne 0 ]; then
+    lsr_error "${ME}: jq is missing. Please install the package."
+fi
+
+# Go to the TOPDIR
+cd "$TOPDIR"
+
+# Install CodeQL
+# https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system
+CODEQLTARBALL=codeql-bundle-linux64.tar.gz
+CODEQLURL=https://github.com/github/codeql-action/releases/latest/download/$CODEQLTARBALL
+if [ ! -f "$LSR_TOX_ENV_TMP_DIR/$CODEQLTARBALL" ]; then
+    curl -L -o "$LSR_TOX_ENV_TMP_DIR/$CODEQLTARBALL"  "$CODEQLURL"
+fi
+if [ ! -d "$LSR_TOX_ENV_TMP_DIR/codeql" ]; then
+    tar xfz "$LSR_TOX_ENV_TMP_DIR/$CODEQLTARBALL" -C "$LSR_TOX_ENV_TMP_DIR"
+fi
+# codeql/codeql is a shell script which launches java, which  requires all the files in the 
+PATH="$LSR_TOX_ENV_TMP_DIR/codeql":"$PATH"
+
+# Checkout codeql-action
+CODEQLACTIONDIR="$LSR_TOX_ENV_DIR/codeql-action"
+if [ ! -d "$CODEQLACTIONDIR" ]; then
+    git clone https://github.com/github/codeql-action "$CODEQLACTIONDIR"
+fi
+
+# Create a database dir:
+DBDIR=$LSR_TOX_ENV_DIR/database
+if [ ! -d "$DBDIR" ]; then
+    mkdir $DBDIR
+fi
+RESULTS=$LSR_TOX_ENV_DIR/results
+if [ ! -d "$RESULTS" ]; then
+    mkdir $RESULTS
+fi
+
+# Load language configuration
+codeql resolve queries python-code-scanning.qls --format=bylanguage
+
+codeql resolve queries python-security-and-quality.qls --format=bylanguage
+
+codeql resolve languages --format=betterjson --extractor-options-verbosity=4
+
+# Setup Python dependencies
+# $CODEQLACTIONDIR/python-setup/install_tools.sh
+# Remove "--user" from "pip install" to workaround this error.
+# ERROR: Can not perform a '--user' install. User site-packages are
+# not visible in this virtualenv.
+sed -e "s/pip install --user/pip install/" \
+$CODEQLACTIONDIR/python-setup/install_tools.sh > "$LSR_TOX_ENV_TMP_DIR/install_tools.sh"
+bash "$LSR_TOX_ENV_TMP_DIR/install_tools.sh"
+
+codeql database init --db-cluster "$DBDIR" --source-root="$TOPDIR" \
+    --language=python
+
+# Setup environment variables
+export CODEQL_WORKFLOW_STARTED_AT=$( date -Iseconds )
+export CODEQL_RAM=5919
+export CODEQL_THREADS=2
+
+# Extracting python
+codeql database trace-command "$DBDIR/python" -- \
+    "$LSR_TOX_ENV_TMP_DIR/codeql/python/tools/autobuild.sh"
+
+# Finalizing python
+codeql database finalize --finalize-dataset --threads="$CODEQL_THREADS" \
+    --ram="$CODEQL_RAM" "$DBDIR/python"
+
+# Running queries for python
+codeql database run-queries --ram="$CODEQL_RAM" --threads="$CODEQL_THREADS" \
+    "$DBDIR/python" --min-disk-free=1024 \
+    -v python-security-and-quality.qls
+
+# Interpreting results for python
+codeql database interpret-results --threads="$CODEQL_THREADS" \
+    --format=sarif-latest -v --output=$RESULTS/python.sarif \
+    --no-sarif-add-snippets --print-diagnostics-summary \
+    --print-metrics-summary --sarif-group-rules-by-pack \
+    --sarif-add-query-help --sarif-category /language:python \
+    --sarif-add-baseline-file-info "$DBDIR/python" \
+    python-security-and-quality.qls
+
+codeql database print-baseline "$DBDIR/python"
+
+echo "CodeQL result file on $ROLE: $RESULTS/python.sarif"
+
+JQPATH=$( which jq 2> /dev/null )
+if [ $? -ne 0 ]; then
+    echo "WARNING: please install jq package"
+else
+    rcnt=$( jq '.runs[0].results | length' "$RESULTS/python.sarif" )
+	if [ $rcnt -gt 0 ]; then
+        echo "CODEQL RESULT"
+        jq '.runs[0].results' "$RESULTS/python.sarif"
+        lsr_error "${ME}: Found $rcnt security and quality issue(s)."
+    else
+        echo "PASS: Found no security and quality issues."
+	fi
+fi
+exit 0
diff --git a/tests/fixtures/test_tox_merge_ini/result.ini b/tests/fixtures/test_tox_merge_ini/result.ini
@@ -226,6 +226,10 @@ commands = bash {lsr_scriptdir}/runansible-test.sh
 changedir = {toxinidir}
 commands = bash {lsr_scriptdir}/runwoke.sh
 
+[testenv:codeql]
+changedir = {toxinidir}
+commands = bash {lsr_scriptdir}/runcodeql.sh
+
 [qemu_common]
 changedir = {toxinidir}
 basepython = python3