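# Use this configuration file when looking to get the broadest coverage of security results
# from the CodeQL built-in packs and the GitHub Security Lab Community packs.
# WARNING: A notable amount of false positives may be found in this configuration. If you wish
# to reduce the number of false positives, use the default CodeQL suites :)
# NOTE: This configuration will not include audit level queries intended for gathering
# information about the codebase, and debugging queries intended for CodeQL developers.
name: "Synthetic Apps All Queries Config"

# Expand the threat model - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models
# "local" adds locally controlled data (files, environment variables, command-line arguments, ...)
# to the default remote sources, so more flows are reported and more of them are false positives.
threat-models: local

# Start from scratch - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#disabling-the-default-queries
# With the default queries off, every language's coverage comes ONLY from the packs listed below;
# a pack that fails to resolve leaves that language with no queries at all.
disable-default-queries: true

packs:
  # All queries from the CodeQL built-in packs (including low/no precision queries).
  # The ":." suffix selects every query under the pack root instead of the pack's default suite.
  - codeql/actions-queries:.
  - codeql/cpp-queries:.
  - codeql/csharp-queries:.
  - codeql/go-queries:.
  - codeql/java-queries:.
  - codeql/javascript-queries:.
  - codeql/python-queries:.
  - codeql/ruby-queries:.
  - codeql/swift-queries:.

  # OSS queries from the default suites (no suffix = the pack's default suite).
  ### GitHub Security Lab ###
  # Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
  # (NOTE: the default suites do not include audit/debugging queries)
  - githubsecuritylab/codeql-cpp-queries
  - githubsecuritylab/codeql-csharp-queries
  - githubsecuritylab/codeql-go-queries
  - githubsecuritylab/codeql-java-queries
  - githubsecuritylab/codeql-javascript-queries
  - githubsecuritylab/codeql-python-queries
  - githubsecuritylab/codeql-ruby-queries
  # Queries via Community Packs that use local sources https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
  - githubsecuritylab/codeql-java-queries:suites/java-local.qls
  - githubsecuritylab/codeql-python-queries:suites/python-local.qls
  # Data extensions via Community Packs for libraries (library ext models are those generated by
  # the corresponding queries in src) https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
  - githubsecuritylab/codeql-csharp-library-sources
  - githubsecuritylab/codeql-java-library-sources
  # Data extensions via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
  - githubsecuritylab/codeql-csharp-extensions
  - githubsecuritylab/codeql-java-extensions

  ### Trail of Bits ###
  # Queries via packs: https://github.com/trailofbits/codeql-queries (default suites include security + crypto)
  - trailofbits/cpp-queries
  - trailofbits/go-queries

# Start with Security Experimental (lightly documented: https://github.com/github/codeql/pull/11702):
# https://github.com/github/codeql/blob/main/misc/suite-helpers/security-experimental-selectors.yml
# Differences from that selector file:
#   - precision filter dropped (low, and no/EXCLUDED precision queries, are kept)
#   + problem.severity: recommendation
#   - restriction of no experimental folder
#   - restriction of audit/debugging queries from community packs
# Filters are applied in order: a query must match an include and no later exclude.
query-filters:
  - include:
      kind:
        - problem
        - path-problem
      tags contain:
        - security
  - include:
      kind:
        - diagnostic
  - include:
      kind:
        - metric
      tags contain:
        - summary
  # "//" is an empty regex, i.e. any value: drop every query marked as deprecated.
  - exclude:
      deprecated: //
  - exclude:
      query path:
        # REMOVE exclude - OK even if they exist in experimental folder
        # - /^experimental\/.*/
        - Metrics/Summaries/FrameworkCoverage.ql
        - /Diagnostics/Internal/.*/
  - exclude:
      tags contain:
        - modeleditor
        - modelgenerator
  # Exclude audit queries from the CodeQL built-in packs
  - exclude:
      id:
        - cpp/untrusted-data-to-external-api
        - cs/untrusted-data-to-external-api
        - go/untrusted-data-to-external-api
        - java/untrusted-data-to-external-api
        - js/untrusted-data-to-external-api
        - py/untrusted-data-to-external-api
  # Remove debugging and audit queries used by community packs (this is duplicative of the
  # default suites from those community packs)
  - exclude:
      tags contain:
        - debugging
        - audit

# Additional extractor excludes: https://github.com/github/codeql/blob/768e5190a1c9d40a4acc7143c461c3b114e7fd59/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L421-L427C42
# Ignored paths are never extracted, so nothing below is visible to ANY query above: test
# fixtures and vendored code are traded away for less noise.
# NOTE(review): path filters take effect at extraction time for interpreted languages; confirm
# in the CodeQL docs how they behave for the compiled languages in the packs list.
paths-ignore:
  # Python
  - "vendor/**"
  - "examples/**"
  - "tests/**"
  - "test/**"
  - "site-packages/**"
  # JavaScript
  - "node_modules"
  - "**/*.test.js"
  - "**/*.test.tsx"
  - "**/*.spec.ts"
  - "**/*.spec.tsx"
  - "dist"
  - "CoverageResults"
  - "**/wwwroot/lib/**"
  - "**/deps/**"
  - "**/third_party/**"
  # Ruby
  - "**/gems/**"
  - "**/spec/**/*_spec.rb"
  - "**/test/**/*_test.rb"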