Merge pull request #8 from microsoft/dev/jacobmsft/docs

jacobmsft · web-flow · commit 8331f58480d3 · 2020-08-13T10:46:00.000-07:00
Add more functionality to the scripts, add new generic script, add to…
diff --git a/README.md b/README.md
@@ -21,13 +21,13 @@ We keep updating the docker image periodically and uploading it to the Microsoft
 
 You can pull the image by running the command:
 ```
-$ docker pull mcr.microsoft.com/codeql/codeql-container
+$ docker pull mcr.microsoft.com/cstsectools/codeql-container
 ```
 
 If you want to analyze a particular source directory with codeql, run the container as:
 
 ```
-$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS=<query run...>
+$ docker run --rm --name codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS=<query run...> mcr.microsoft.com/cstsectools/codeql-container
 ```
 
 where `/dir/to/analyze` contains the source files that have to be analyzed, and `/dir/for/results` is where the result output 
@@ -59,9 +59,9 @@ For example, if you want to analyze a python project source code placed in `/dir
 to analyze and get a SARIF result file, you will have to run:
 
 ```
-$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db"
-$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS=" database upgrade /opt/src/source_db"
-$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database analyze --format=sarifv2 --output=/opt/results/issues.sarif /opt/src/source_db"
+$ docker run --rm --name codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db /opt/output/source_db" mcr.microsoft.com/cstsectools/codeql-container
+$ docker run --rm --name codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS=" database upgrade /opt/src/source_db" mcr.microsoft.com/cstsectools/codeql-container
+$ docker run --rm --name codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database analyze --format=sarifv2 --output=/opt/results/issues.sarif /opt/src/source_db" mcr.microsoft.com/cstsectools/codeql-container
 ```
 
 For more information on CodeQL and QL packs, please visit https://www.github.com/github/codeql.
@@ -76,6 +76,35 @@ cd codeql-container
 docker build . -f Dockerfile -t codeql-container
 ```
 
+# Convenience Scripts
+Analyzing a source directory takes multiple invocations of the container, as mentioned above. To help with that, we've built some scripts for convenience, which does these invocations for you. 
+These scripts are in the ```scripts``` folder, under their respective platforms (unix or windows).
+
+
+##### analyze_security.sh
+scripts/unix/analyze_security.sh (or scripts/windows/analyze_security.bat for windows) runs the Security and Quality QL pack suite on your project. This is how you would run it:
+
+```
+scripts/unix/analyze_security.sh /path/to/analyze /path/to/results language
+```
+
+For example for the python project can be analyzed thus:
+
+```
+/scripts/unix/analyze_security.sh /tmp/django/src /tmp/django/output python
+```
+
+for JavaScript:
+```
+/scripts/unix/analyze_security.sh /tmp/express/src /tmp/express/output javascript
+```
+
+##### run_qlpack.sh
+If you know which QL suite you would like to run on the code to be analyzed, use scripts/unix/run_qlpack.sh (or scripts/windows/run_qlpack.bat for windows). 
+```
+scripts/unix/analyze_security.sh /path/to/analyze /path/to/results language qlpack
+```
+
 # Contributing
 
 This project welcomes contributions and suggestions. Most contributions require you to agree to a
diff --git a/container/libs/codeql.py b/container/libs/codeql.py
@@ -88,7 +88,7 @@ def precompile_queries(self):
         execute_codeql_command(f' query compile --search-path {self.CODEQL_HOME} {self.CODEQL_HOME}/codeql-repo/*/ql/src/codeql-suites/*.qls')
 
     def execute_codeql_command(self, args):
-        ret_string = check_output_wrapper(f'{self.CODEQL_HOME}/codeql/codeql {args}', shell=True).decode("utf-8")
+        ret_string = check_output_wrapper(f'{self.CODEQL_HOME}/codeql/codeql {args}', shell=True)
         if ret_string is CalledProcessError:
             logger.error("Could not run codeql command")
             exit(ERROR_EXECUTING_CODEQL)
diff --git a/scripts/unix/analyze_security.sh b/scripts/unix/analyze_security.sh
@@ -2,22 +2,69 @@
 scriptname=$(basename "$0")
 inputfile=${1}
 outputfile=${2}
+language=${3}
 
-if [ "$#" -ne 2 ]; then
-    echo "Please provide the folder to analyze, and the folder to store results"
-    echo "Usage: ${scriptname} <folder to analyze> <folder to store result>"
+RED="\033[31m"
+YELLOW="\033[33m"
+GREEN="\033[32m"
+RESET="\033[0m"
+
+print_yellow() {
+    echo -e "${YELLOW}${1}${RESET}"
+}
+
+print_red() {
+    echo -e "${RED}${1}${RESET}"
+}
+
+print_green() {
+    echo -e "${GREEN}${1}${RESET}"
+}
+
+if [ "$#" -ne 3 ]; then
+    print_yellow "\nPlease provide the folder to analyze, the folder to store results, and the coding language of the project."
+    print_yellow "\nUsage: ${scriptname} <folder to analyze> <folder to store result> <language>"
+    print_yellow "\nExample: ${scriptname} /tmp/pandas /tmp/results python"
+   exit 1
+fi
+
+print_yellow "Getting/Updating the codeQL container\n"
+docker pull mcr.microsoft.com/cstsectools/codeql-container:latest
+if [ $? -eq 0 ]
+then
+    print_green "\nPulled the container" 
+else
+    print_red "\nFailed to pull container"
     exit 1
 fi
 
-RED='[7;31m'
-RESET='[0m'
-#docker pull sargemonkey/codeql-container
-#[ $? -eq 0 ] && echo "Pulled the container" || echo -e "failed to pull container";exit 1
-docker run --rm --name codeql-container -v "${inputfile}:/opt/src" -v "${outputfile}:/opt/results" -e CODEQL_CLI_ARGS=database\ create\ --language=python\ /opt/src/source_db csteosstools.azurecr.io/codeql/codeql-container
-[ $? -eq 0 ] && echo "Created the database" || echo -e "\n${RED}Failed to create the database${RESET}\n";exit 1
-docker run --rm --name codeql-container -v "${inputfile}:/opt/src" -v "${outputfile}:/opt/results" -e CODEQL_CLI_ARGS=database\ upgrade\ /opt/src/source_db csteosstools.azurecr.io/codeql/codeql-container 
-[ $? -eq 0 ] && echo "Upgraded the database" || echo -e "\n${RED}failed to upgrade the database${RESET}\n";exit 2
-docker run --rm --name codeql-container -v ${inputfile}:/opt/src -v ${outputfile}:/opt/results -e CODEQL_CLI_ARGS=database\ analyze\ /opt/src/source_db\ --format=sarifv2\ --output=/opt/results/issues.sarif\ python-security-and-quality.qls csteosstools.azurecr.io/codeql/codeql-container 
-[ $? -eq 0 ] && echo "Query execution successful" || echo -e "\n${RED}Query execution failed${RESET}\n"; exit 3
-
-echo "The results file should be located at ${2}/issues.sarif"
+print_yellow "\nCreating the codeQL database. This might take some time depending on the size of the project..."
+docker run --rm --name codeql-container -v "${inputfile}:/opt/src" -v "${outputfile}:/opt/results" -e CODEQL_CLI_ARGS=database\ create\ --language=${3}\ /opt/results/source_db\ -s\ /opt/src mcr.microsoft.com/cstsectools/codeql-container
+if [ $? -eq 0 ]
+then
+    print_green "\nCreated the database" 
+else
+    print_red "\nFailed to create the database"
+    exit 1
+fi
+
+docker run --rm --name codeql-container -v "${inputfile}:/opt/src" -v "${outputfile}:/opt/results" -e CODEQL_CLI_ARGS=database\ upgrade\ /opt/src/source_db mcr.microsoft.com/cstsectools/codeql-container 
+if [ $? -eq 0 ]
+then
+    print_green "\nUpgraded the database\n" 
+else
+    print_red "\nFailed to upgrade the database"
+    exit 2
+fi
+
+print_yellow "\nRunning the Quality and Security rules on the project"
+docker run --rm --name codeql-container -v ${inputfile}:/opt/src -v ${outputfile}:/opt/results -e CODEQL_CLI_ARGS=database\ analyze\ /opt/src/source_db\ --format=sarifv2\ --output=/opt/results/issues.sarif\ ${language}-security-and-quality.qls mcr.microsoft.com/cstsectools/codeql-container 
+if [ $? -eq 0 ]
+then
+    print_green "\nQuery execution successful" 
+else
+    print_red "\nQuery execution failed\n"
+    exit 3
+fi
+
+[ $? -eq 0 ] && print_yellow "The results are saved at ${2}/issues.sarif"
diff --git a/scripts/unix/run_ql_suite.sh b/scripts/unix/run_ql_suite.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+scriptname=$(basename "$0")
+inputfile=${1}
+outputfile=${2}
+language=${3}
+qlpack=${4}
+
+RED="\033[31m"
+YELLOW="\033[33m"
+GREEN="\033[32m"
+RESET="\033[0m"
+
+print_yellow() {
+    echo -e "${YELLOW}${1}${RESET}"
+}
+
+print_red() {
+    echo -e "${RED}${1}${RESET}"
+}
+
+print_green() {
+    echo -e "${GREEN}${1}${RESET}"
+}
+
+if [ "$#" -ne 4 ]; then
+    print_yellow "\nPlease provide the folder to analyze, the folder to store results, the coding language of the project, and the QL suite to run."
+    print_yellow "\nUsage: ${scriptname} <folder to analyze> <folder to store result> <language> <ql suite>"
+    print_yellow "\nExample: ${scriptname} /tmp/pandas /tmp/results python security-and-quality"
+   exit 1
+fi
+
+
+print_yellow "Getting/Updating the codeQL container\n"
+docker pull mcr.microsoft.com/cstsectools/codeql-container:latest
+if [ $? -eq 0 ]
+then
+    print_green "\nPulled the container" 
+else
+    print_red "\nFailed to pull container"
+    exit 1
+fi
+
+print_yellow "\nCreating the codeQL database. This might take some time depending on the size of the project..."
+docker run --rm --name codeql-container -v "${inputfile}:/opt/src" -v "${outputfile}:/opt/results" -e CODEQL_CLI_ARGS=database\ create\ --language=${3}\ /opt/results/source_db\ -s\ /opt/src mcr.microsoft.com/cstsectools/codeql-container
+if [ $? -eq 0 ]
+then
+    print_green "\nCreated the database" 
+else
+    print_red "\nFailed to create the database"
+    exit 1
+fi
+
+docker run --rm --name codeql-container -v "${inputfile}:/opt/src" -v "${outputfile}:/opt/results" -e CODEQL_CLI_ARGS=database\ upgrade\ /opt/src/source_db mcr.microsoft.com/cstsectools/codeql-container 
+if [ $? -eq 0 ]
+then
+    print_green "\nUpgraded the database\n" 
+else
+    print_red "\nFailed to upgrade the database"
+    exit 2
+fi
+
+print_yellow "\nRunning the Quality and Security rules on the project"
+docker run --rm --name codeql-container -v ${inputfile}:/opt/src -v ${outputfile}:/opt/results -e CODEQL_CLI_ARGS=database\ analyze\ /opt/src/source_db\ --format=sarifv2\ --output=/opt/results/issues.sarif\ ${language}-${qlpack}.qls mcr.microsoft.com/cstsectools/codeql-container 
+if [ $? -eq 0 ]
+then
+    print_green "\nQuery execution successful" 
+else
+    print_red "\nQuery execution failed\n"
+    exit 3
+fi
+
+[ $? -eq 0 ] && print_yellow "The results are saved at ${2}/issues.sarif"
diff --git a/scripts/windows/analyze_security.bat b/scripts/windows/analyze_security.bat
@@ -1,46 +1,61 @@
+@echo off
+setlocal enabledelayedexpansion
+
 set scriptname=%0
 set inputfile=%1
 set outputfile=%2
-
-@echo off
-setlocal enabledelayedexpansion
+set language=%3
 
 set argCount=0
 for %%x in (%*) do (
    set /A argCount+=1
    set "argVec[!argCount!]=%%~x"
 )
 
-if %argCount% LSS 2 (
-echo "Please provide the folder to analyze, and the folder to store results" 
-    echo "Usage: %scriptname% <folder to analyze> <folder to store result>"
+if %argCount% LSS 3 (
+    call :print_yellow "Please provide the folder to analyze, the folder to store results, and the coding language of the project" 
+    call :print_yellow "Usage: %scriptname% :folder to analyze: :folder to store result: :language:"
+    call :print_yellow  "Example: %scriptname% C:\Source\pandas C:\Results python"
 exit /b 1
 )
 
-rem docker pull codeql/codeql-container
-echo docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db" csteosstools.azurecr.io/codeql/codeql-container
-start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db" csteosstools.azurecr.io/codeql/codeql-container
+call :print_yellow "Getting the image..."
+docker pull mcr.microsoft.com/cstsectools/codeql-container
+call :print_green "Pulled the container" 
+
+call :print_yellow "Creating the codeQL database. This might take some time depending on the size of the project..."
+start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database create --language=%language%% /opt/src/source_db -s /opt/src" mcr.microsoft.com/cstsectools/codeql-container
 
-call :print_status "Failed creating the database" , %errorlevel%
 if %errorlevel% GTR 0 (
-    call :print_exit_error "Failed creating the database"    
+    call :print_red "Failed creating the database"    
     exit /b %errorlevel%
 )
-start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database upgrade /opt/src/source_db" csteosstools.azurecr.io/codeql/codeql-container 
+
+start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database upgrade /opt/src/source_db" mcr.microsoft.com/cstsectools/codeql-container 
 if %errorlevel% GTR 0 (
-    call :print_exit_error "Failed upgrading the database"    
+    call :print_red "Failed upgrading the database"    
     exit /b %errorlevel%
 )
-start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database analyze /opt/src/source_db --format=sarifv2 --output=/opt/results/issues.sarif python-security-and-quality.qls" csteosstools.azurecr.io/codeql/codeql-container 
+
+call :print_yellow "Running the Quality and Security rules on the project"
+start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database analyze /opt/src/source_db --format=sarifv2 --output=/opt/results/issues.sarif %language%-security-and-quality.qls" mcr.microsoft.com/cstsectools/codeql-container
 if %errorlevel% GTR 0 (
-    call :print_exit_error "Failed to run the query on the database"    
+    call :print_red "Failed to run the query on the database"    
     exit /b %errorlevel%
 )
-echo "The results file should be located at %2\issues.sarif"
 
+if %errorlevel% EQU 0 (
+    call :print_yellow "The results file are saved at at %2\issues.sarif"
+)
+
+:print_yellow
+    echo [33m%~1[0m
+    exit /b 0
+
+:print_red
+    echo [31m%~1[0m
+    exit /b 0
 
-:print_exit_error
-    echo.
-    echo [7;31m%~1[0m
-    echo.
-    echo [0mExiting...[0m
+:print_green
+    echo [32m%~1[0m
+    exit /b 0
diff --git a/scripts/windows/run_ql_suite.bat b/scripts/windows/run_ql_suite.bat
@@ -0,0 +1,62 @@
+@echo off
+setlocal enabledelayedexpansion
+
+set scriptname=%0
+set inputfile=%1
+set outputfile=%2
+set language=%3
+set qlpack=%4
+
+set argCount=0
+for %%x in (%*) do (
+   set /A argCount+=1
+   set "argVec[!argCount!]=%%~x"
+)
+
+if %argCount% LSS 4 (
+    call :print_yellow "Please provide the folder to analyze, the folder to store results, coding language of the project, and the QL suite" 
+    call :print_yellow "Usage: %scriptname% :folder to analyze: :folder to store result: :language: :QL suite:"
+    call :print_yellow  "Example: %scriptname% C:\Source\pandas C:\Results python security-and-quality"
+exit /b 1
+)
+
+call :print_yellow "Getting the image..."
+docker pull mcr.microsoft.com/cstsectools/codeql-container
+call :print_green "Pulled the container" 
+
+call :print_yellow "Creating the codeQL database. This might take some time depending on the size of the project..."
+start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database create --language=%language%% /opt/src/source_db -s /opt/src" mcr.microsoft.com/cstsectools/codeql-container
+
+if %errorlevel% GTR 0 (
+    call :print_red "Failed creating the database"    
+    exit /b %errorlevel%
+)
+
+start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database upgrade /opt/src/source_db" mcr.microsoft.com/cstsectools/codeql-container 
+if %errorlevel% GTR 0 (
+    call :print_red "Failed upgrading the database"    
+    exit /b %errorlevel%
+)
+
+call :print_yellow "Running the Quality and Security rules on the project"
+start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database analyze /opt/src/source_db --format=sarifv2 --output=/opt/results/issues.sarif %language%-%qlpack%.qls" mcr.microsoft.com/cstsectools/codeql-container
+if %errorlevel% GTR 0 (
+    call :print_red "Failed to run the query on the database"    
+    exit /b %errorlevel%
+)
+
+if %errorlevel% EQU 0 (
+    call :print_yellow "The results file are saved at at %2\issues.sarif"
+)
+
+:print_yellow
+    echo [33m%~1[0m
+    exit /b 0
+
+:print_red
+    echo [31m%~1[0m
+    exit /b 0
+
+:print_green
+    echo [32m%~1[0m
+    exit /b 0
