minor fixes, added analyze_security script for windows and linux

jacobmsft · jacobmsft · commit ffaf8c01247d · 2020-07-17T15:32:31.000-07:00
diff --git a/Dockerfile b/Dockerfile
@@ -35,9 +35,10 @@ RUN apt-get update && \
 
 # Install .NET Core for tools/builds
 RUN cd /tmp && \
-    wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
+    wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb && \
     dpkg -i packages-microsoft-prod.deb && \
-    add-apt-repository universe && \
+    apt-get update; \
+    apt-get install -y apt-transport-https && \
     apt-get update && \
     rm packages-microsoft-prod.deb
 RUN apt-get install -y dotnet-sdk-3.1
diff --git a/README.md b/README.md
@@ -60,7 +60,8 @@ to analyze and get a SARIF result file, you will have to run:
 
 ```
 $ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db"
-$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database analyze --format=sarifv2 --output=/opt/results/issues.sarif /opt/src/source_db
+$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS=" database upgrade /opt/src/source_db"
+$ docker run --rm --name codeql-container mcr.microsoft.com/codeql/codeql-container -v /dir/to/analyze:/opt/src -v /dir/for/results:/opt/results -e CODEQL_CLI_ARGS="database analyze --format=sarifv2 --output=/opt/results/issues.sarif /opt/src/source_db"
 ```
 
 For more information on CodeQL and QL packs, please visit https://www.github.com/github/codeql.
diff --git a/container/get-latest-codeql-version.py b/container/get-latest-codeql-version.py
@@ -1,13 +1,13 @@
-﻿#!/usr/bin/python3
-# get the parent directory of the script, to link libs
-
-import os
-import sys
-
-from libs.github import get_latest_github_repo_version
-
-def main():
-    latest_release = get_latest_github_repo_version("github/codeql-cli-binaries")
-    print(latest_release.title)
-
-main()
+#!/usr/bin/env python3
+# get the parent directory of the script, to link libs
+
+import os
+import sys
+
+from libs.github import get_latest_github_repo_version
+
+def main():
+    latest_release = get_latest_github_repo_version("github/codeql-cli-binaries")
+    print(latest_release.title)
+
+main()
diff --git a/container/setup.py b/container/setup.py
@@ -1,5 +1,4 @@
-#!/usr/bin/python3
-
+#!/usr/bin/env python3
 import os
 import sys
 import argparse
@@ -10,31 +9,23 @@
 
 CODEQL_HOME = get_env_variable('CODEQL_HOME')
 
-# should we update the local copy of codeql-cli if a new version is available?
-CHECK_LATEST_CODEQL_CLI = get_env_variable('CHECK_LATEST_CODEQL_CLI', True)
-
-# should we update the local copy of codeql queries if a new version is available?
-CHECK_LATEST_QUERIES = get_env_variable('CHECK_LATEST_QUERIES', True)
-
-# if we are downloading new queries, should we precompile them 
-PRECOMPILE_QUERIES = get_env_variable('PRECOMPILE_QUERIES', True)
-
-
 logger = getLogger('codeql-container-setup')
 logger.setLevel(INFO)
 
 def parse_arguments():
 
     parser = argparse.ArgumentParser(description='Setup codeql components.')
+    # should we update the local copy of codeql-cli if a new version is available?
     parser.add_argument("-c", "--check-latest-cli", help="check the latest codeql-cli package available and install it", 
                         default=False, action="store_true")
+    # should we update the local copy of codeql queries if a new version is available?
     parser.add_argument("-q", "--check-latest-queries", help="check the latest codeql queries available and install it",
                         default=False, action="store_true")
     #(makes query execution faster, but building the container build slower).
     parser.add_argument("-p", "--precompile-latest-queries", help="if new queries were downloaded, precompile it",    
                         default=False, action="store_true")
-    args = parser.parse_args()
 
+    args = parser.parse_args()
     return args
 
 def setup():
diff --git a/container/startup.py b/container/startup.py
@@ -1,55 +1,56 @@
-import os
-import sys
-from time import sleep
-from libs.utils import get_env_variable, check_output_wrapper, get_logger
-from libs.codeql import *
-
-CODEQL_HOME = get_env_variable('CODEQL_HOME')
-
-# should we update the local copy of codeql-cli if a new version is available?
-CHECK_LATEST_CODEQL_CLI = get_env_variable('CHECK_LATEST_CODEQL_CLI', True)
-
-# should we update the local copy of codeql queries if a new version is available?
-CHECK_LATEST_QUERIES = get_env_variable('CHECK_LATEST_QUERIES', True)
-
-# if we are downloading new queries, should we precompile them 
-#(makes query execution faster, but building the container build slower).
-PRECOMPILE_QUERIES = get_env_variable('PRECOMPILE_QUERIES', True)
-
-# ql packs, requested to run, if any
-CODEQL_CLI_ARGS = get_env_variable('CODEQL_CLI_ARGS', True)
-
-# should we just exit after execution, or should we wait for user to stop container?
-WAIT_AFTER_EXEC = get_env_variable('WAIT_AFTER_EXEC', True)
-
-def main():
-    # do the setup, if requested
-    scripts_dir = os.path.dirname(os.path.realpath(__file__)) # get the parent directory of the script
-    setup_script_args = ''
-    if CHECK_LATEST_CODEQL_CLI:
-        setup_script_args += ' --check-latest-cli'
-    if CHECK_LATEST_QUERIES:
-        setup_script_args += ' --check-latest-queries'
-    if PRECOMPILE_QUERIES:
-        setup_script_args += ' --precompile-latest-queries'
-
-    run_result = check_output_wrapper(
-        f"{scripts_dir}/setup.py {setup_script_args}", 
-        shell=True).decode("utf-8")
-
-    # what command did the user ask to run? 
-    if CODEQL_CLI_ARGS == False or CODEQL_CLI_ARGS == None or CODEQL_CLI_ARGS == ' ':
-        # nothing to do
-        logger.info("No argument passed in for codeql-cli, nothing to do. To perform some task, please set the CODEQL_CLI_ARGS environment variable to a valid argument..")
-    else:
-        codeql = CodeQL(CODEQL_HOME)
-        run_result = codeql.execute_codeql_command(CODEQL_CLI_ARGS)
-        print(run_result)
-
-    if WAIT_AFTER_EXEC:
-        logger.info("Wait forever specified, waiting...")
-        while True:
-            sleep(10)
-
-logger = get_logger()
-main()
+#!/usr/bin/env python3
+import os
+import sys
+from time import sleep
+from libs.utils import get_env_variable, check_output_wrapper, get_logger
+from libs.codeql import *
+
+CODEQL_HOME = get_env_variable('CODEQL_HOME')
+
+# should we update the local copy of codeql-cli if a new version is available?
+CHECK_LATEST_CODEQL_CLI = get_env_variable('CHECK_LATEST_CODEQL_CLI', True)
+
+# should we update the local copy of codeql queries if a new version is available?
+CHECK_LATEST_QUERIES = get_env_variable('CHECK_LATEST_QUERIES', True)
+
+# if we are downloading new queries, should we precompile them 
+#(makes query execution faster, but building the container build slower).
+PRECOMPILE_QUERIES = get_env_variable('PRECOMPILE_QUERIES', True)
+
+# ql packs, requested to run, if any
+CODEQL_CLI_ARGS = get_env_variable('CODEQL_CLI_ARGS', True)
+
+# should we just exit after execution, or should we wait for user to stop container?
+WAIT_AFTER_EXEC = get_env_variable('WAIT_AFTER_EXEC', True)
+
+def main():
+    # do the setup, if requested
+    scripts_dir = os.path.dirname(os.path.realpath(__file__)) # get the parent directory of the script
+    setup_script_args = ''
+    if CHECK_LATEST_CODEQL_CLI:
+        setup_script_args += ' --check-latest-cli'
+    if CHECK_LATEST_QUERIES:
+        setup_script_args += ' --check-latest-queries'
+    if PRECOMPILE_QUERIES:
+        setup_script_args += ' --precompile-latest-queries'
+
+    run_result = check_output_wrapper(
+        f"{scripts_dir}/setup.py {setup_script_args}", 
+        shell=True).decode("utf-8")
+
+    # what command did the user ask to run? 
+    if CODEQL_CLI_ARGS == False or CODEQL_CLI_ARGS == None or CODEQL_CLI_ARGS == ' ':
+        # nothing to do
+        logger.info("No valid argument passed in for codeql-cli, nothing to do. To perform some task, please set the CODEQL_CLI_ARGS environment variable to a valid argument...")
+    else:
+        codeql = CodeQL(CODEQL_HOME)
+        run_result = codeql.execute_codeql_command(CODEQL_CLI_ARGS)
+        print(run_result)
+
+    if WAIT_AFTER_EXEC:
+        logger.info("Wait forever specified, waiting...")
+        while True:
+            sleep(10)
+
+logger = get_logger()
+main()
diff --git a/scripts/unix/analyze_security.sh b/scripts/unix/analyze_security.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+scriptname=$(basename "$0")
+inputfile=${1}
+outputfile=${2}
+
+if [ "$#" -ne 2 ]; then
+    echo "Please provide the folder to analyze, and the folder to store results"
+    echo "Usage: ${scriptname} <folder to analyze> <folder to store result>"
+    exit 1
+fi
+
+#docker pull codeql/codeql-container
+docker run --rm --name codeql-container -v "${inputfile}:/opt/src" -v "${outputfile}:/opt/results" -e CODEQL_CLI_ARGS=database\ create\ --language=python\ /opt/src/source_db csteosstools.azurecr.io/codeql/codeql-container
+docker run --rm --name codeql-container -v "${inputfile}:/opt/src" -v "${outputfile}:/opt/results" -e CODEQL_CLI_ARGS=database\ upgrade\ /opt/src/source_db csteosstools.azurecr.io/codeql/codeql-container 
+docker run --rm --name codeql-container -v ${inputfile}:/opt/src -v ${outputfile}:/opt/results -e CODEQL_CLI_ARGS=database\ analyze\ /opt/src/source_db\ --format=sarifv2\ --output=/opt/results/issues.sarif\ python-security-and-quality.qls csteosstools.azurecr.io/codeql/codeql-container 
+
+echo "If there were no errors in the execution, the results file should be located at ${2}/issues.sarif"
diff --git a/scripts/windows/analyze_security.bat b/scripts/windows/analyze_security.bat
@@ -0,0 +1,26 @@
+set scriptname=%0
+set inputfile=%1
+set outputfile=%2
+
+@echo off
+setlocal enabledelayedexpansion
+
+set argCount=0
+for %%x in (%*) do (
+   set /A argCount+=1
+   set "argVec[!argCount!]=%%~x"
+)
+
+if %argCount% LSS 2 (
+echo "Please provide the folder to analyze, and the folder to store results" 
+    echo "Usage: %scriptname% <folder to analyze> <folder to store result>"
+exit /b 1
+)
+
+rem docker pull codeql/codeql-container
+echo docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db" csteosstools.azurecr.io/codeql/codeql-container
+start /W /B docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database create --language=python /opt/src/source_db" csteosstools.azurecr.io/codeql/codeql-container
+echo docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database upgrade /opt/src/source_db" csteosstools.azurecr.io/codeql/codeql-container 
+echo docker run --rm --name codeql-container -v "%inputfile%:/opt/src" -v "%outputfile%:/opt/results" -e CODEQL_CLI_ARGS="database analyze /opt/src/source_db --format=sarifv2 --output=/opt/results/issues.sarif python-security-and-quality.qls" csteosstools.azurecr.io/codeql/codeql-container 
+
+echo "If there were no errors in the execution, the results file should be located at %2/issues.sarif"
