diff --git a/.github/workflows/codeql-scan-job.yml b/.github/workflows/codeql-scan-job.yml
index 1b5823692c..55d7f90b41 100644
--- a/.github/workflows/codeql-scan-job.yml
+++ b/.github/workflows/codeql-scan-job.yml
@@ -45,13 +45,14 @@ jobs:
 uses: github/codeql-action/init@v3
 with:
 languages: ${{ matrix.language }}
- queries: security-and-quality
+ queries: ./github-actions/code-ql/exclude-patterns.ql,security-and-quality
 # If you wish to specify custom queries, you can do so here or in a config file.
 # By default, queries listed here will override any specified in a config file.
 # Prefix the list here with "+" to use these queries and those in the config file.
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 # queries: security-extended,security-and-quality
+ # added ./github-actions/code-ql/exclude-patterns.ql for issue #6548
 # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
diff --git a/github-actions/code-ql/exclude-patterns.ql b/github-actions/code-ql/exclude-patterns.ql
new file mode 100644
index 0000000000..1e1e0f2958
--- /dev/null
+++ b/github-actions/code-ql/exclude-patterns.ql
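Review bot: The new `queries:` entry treats a custom query as a filter, but the `queries` input only adds queries to run; nothing listed there can remove files or lines from the `security-and-quality` results, so `./github-actions/code-ql/exclude-patterns.ql` will at best add alerts of its own. If #6548 is about keeping front-matter and Liquid template content out of the scan, the supported mechanism is the `config-file:` input with a `paths-ignore:` list, and as far as I can tell a `.ql` referenced by path also has to live in a QL pack (a `qlpack.yml` depending on `codeql/javascript-all`) for its `import javascript` to resolve, which this commit does not add. The `# added ./github-actions/code-ql/exclude-patterns.ql for issue #6548` comment would read better directly above the `queries:` line it describes rather than after the template's example `# queries:` line.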
@@ -0,0 +1,57 @@
+// This file was created for issue #6548
+// File: ./github-actions/code-ql/exclude-patterns.ql
+
+// import javascript
+
+// from File file
+// where (file.getExtension() = "js" or file.getExtension() = "html")
+// and not file.getCode().matches(".*\\{%-?\\s*[a-zA-Z]+.*%\\}.*") // Exclude Liquid code
+// and not file.getCode().matches("(?s).*---.*---.*") // Exclude YAML front matter
+// select file
+
+
+/**
+ * @name Exclude YAML and Liquid Front Matter
+ * @description Excludes YAML front matter and Liquid template sections from the analysis
+ * @kind problem
+ * @problem.severity warning
+ */
+
+ import javascript
+
+ /** Predicate to identify YAML front matter lines */
+ predicate isYamlFrontMatterLine(File f, int line) {
+ exists (
+ int start, int end |
+ start = f.getLine(1).getLineNumber() and
+ (end = f.getLine(2).getLineNumber() or end = f.getLine(3).getLineNumber()) and
+ line >= start and
+ line <= end and
+ f.getLine(start).getText().matches("---") and
+ f.getLine(end).getText().matches("---")
+ )
+ }
+
+ /** Predicate to identify Liquid template sections */
+ predicate isLiquidTemplateLine(File f, int line) {
+ exists (
+ string content |
+ f.getLine(line).getText() = content and
+ (
+ content.matches("{%.*%}") or
+ content.matches("{{.*}}")
+ )
+ )
+ }
+
+ /** Class to represent code excluding YAML front matter and Liquid templates */
+ class CodeExcludingFrontMatter extends Expr {
+ CodeExcludingFrontMatter() {
+ this.getFile().getExtension() = "js" and
+ not isYamlFrontMatterLine(this.getFile(), this.getLocation().getStartLine()) and
+ not isLiquidTemplateLine(this.getFile(), this.getLocation().getStartLine())
+ }
+ }
+
+ from CodeExcludingFrontMatter c
+ select c, "Code excluding YAML front matter and Liquid templates"
\ No newline at end of file
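Review bot: The query flags code rather than excluding it: `CodeExcludingFrontMatter` is every `Expr` in a `.js` file that is not on a front-matter or Liquid line, and `select c, "Code excluding YAML front matter and Liquid templates"` under `@kind problem` turns each of those into a code-scanning alert, so wiring this file into `queries:` will flood the results instead of filtering them. The Liquid predicate is also wrong for its stated purpose: QL `string.matches` uses LIKE-style `%`/`_` wildcards, not regex, so `content.matches("{%.*%}")` only matches a line containing a literal `.*`; the intended check is `content.regexpMatch(".*\\{%.*%\\}.*") or content.regexpMatch(".*\\{\\{.*\\}\\}.*")`. A CodeQL query cannot suppress findings produced by other queries, so if the goal of #6548 is to keep Liquid-templated files out of the `security-and-quality` results, the supported route is `paths-ignore:` in a code-scanning config file (or a `query-filters` block), which would make this file unnecessary. The commented-out draft at the top (`// from File file ...` through `// select file`) should be deleted rather than shipped.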