Merge pull request #46 from GitHubSecurityLab/config-synthetics

GeekMasher · web-flow · commit 1c49cfc46baa · 2024-02-21T14:23:39.000Z
Add Synthetic CodeQL configuration file
diff --git a/configs/README.md b/configs/README.md
@@ -1,13 +1,26 @@
 # Community Configurations
 
-## Default / CodeQL
+## [Default / CodeQL](default.yml)
 
-The `default.yml` configuration is the default config file used to make it easy to use the CodeQL Community Packs.
+The `default.yml` configuration is the default config file used to make it easy to use the CodeQL Community Packs.  The queries included here are pulled in from the language `default suites` automatically when referencing the community packs.  The default suites as specified in each language's `{LANG}/src/qlpack.yml`.  The standard configuration is:
+```yml
+defaultSuiteFile: suites/{LANG}.qls
+```
 
-## Audit
+## [Audit](audit.yml)
+
+The `audit.yml` configuration is used primarily to conduct a security assessment of potentially vulnerable code, by running a number of audit queries with CodeQL.  Many of these queries operate on partial path queries, thus not seeking complete source/sink flows. Use these wide-ranging queries or [partial flow paths](https://codeql.github.com/docs/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow/) as tools to infer potential taint disruptions and identify opportunities for customization improvements.
 
-The `audit.yml` configuration is used primary to audit code by running a number of audit queries with CodeQL.
 These are based on the suite in each language suites folder called `{LANG}-audit.qls`
 
 > [!NOTE]
 > Current Ruby and Swift are not supported
+
+## [Synthetics](synthetics.yml)
+
+This `synthetics.yml` configuration is intended for analyzing synthetic ([intentionally vulnerable](https://owasp.org/www-project-vulnerable-web-applications-directory/)) code samples for vulnerabilities. This configuration uses all possible security queries/extensions from the CodeQL built in packs, the CodeQL Community Packs, and additional OSS packs. It also includes the queries from the built-in `security-experimental.qls` suite with additional lower precision/experimental queries:
+- queries marked as `@precision: low` or missing a precision
+- queries marked as `@problem.severity: recommendation`
+- queries in `\experimental\` folders
+
+This configuration will provide a more thorough analysis at the cost of longer analysis times and potential false positives.  Consider using the `audit.yml` configuration to look for additional false negative scenarios.
diff --git a/configs/synthetics.yml b/configs/synthetics.yml
@@ -0,0 +1,114 @@
+# Use this configuration file when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs.
+# WARNING: A notable amount of false positives may be found in this configuration.  If you wish to reduce the number of false positives, use the default codeql suites :)
+# NOTE: This configuration will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers.
+
+name: "Synthetic Apps All Queries Config"
+
+# expand thread model - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models
+threat-models: local
+
+# start from scratch - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#disabling-the-default-queries
+disable-default-queries: true
+
+packs:
+    # All queries from the CodeQL Built in packs (including low/no precision queries)
+    - codeql/cpp-queries:.
+    - codeql/csharp-queries:.
+    - codeql/go-queries:.
+    - codeql/java-queries:.
+    - codeql/javascript-queries:.
+    - codeql/python-queries:.
+    - codeql/ruby-queries:.
+    - codeql/swift-queries:.
+
+    # OSS queries from the default suites
+
+    ### GitHub Security Lab###
+    # Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries)
+    - githubsecuritylab/codeql-cpp-queries
+    - githubsecuritylab/codeql-csharp-queries
+    - githubsecuritylab/codeql-go-queries
+    - githubsecuritylab/codeql-java-queries
+    - githubsecuritylab/codeql-javascript-queries
+    - githubsecuritylab/codeql-python-queries
+    - githubsecuritylab/codeql-ruby-queries
+
+    # Queries via Community Packs that use local sources https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-java-queries:suites/java-local.qls
+    - githubsecuritylab/codeql-python-queries:suites/python-local.qls
+
+    # Data extensions via Community Packs for libraries (library ext models are those generated by the corresponding queries in src) https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-csharp-library-sources
+    - githubsecuritylab/codeql-java-library-sources
+
+    # Data extensions via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-csharp-extensions
+    - githubsecuritylab/codeql-java-extensions
+
+    ### Trail of Bits ###
+    # Queris via packs: https://github.com/trailofbits/codeql-queries  (default suites include security + crypto
+    - trailofbits/cpp-queries
+    - trailofbits/go-queries
+
+# Start with Security Experimental (lightly documented: https://github.com/github/codeql/pull/11702) : https://github.com/github/codeql/blob/main/misc/suite-helpers/security-experimental-selectors.yml
+# - precision ( low + Low or EXCLUDED precision)
+# + problem.severity: recommendation
+# - restriction of no experimental folder
+# - restriction of audit/debugging queries from community packs
+query-filters:
+    - include:
+          kind:
+              - problem
+              - path-problem
+          tags contain:
+              - security
+    - include:
+          kind:
+              - diagnostic
+    - include:
+          kind:
+              - metric
+          tags contain:
+              - summary
+    - exclude:
+          deprecated: //
+    - exclude:
+          query path:
+              # REMOVE exclude - OK even if they exist in experimental folder
+              #- /^experimental\/.*/
+              - Metrics/Summaries/FrameworkCoverage.ql
+              - /Diagnostics/Internal/.*/
+    - exclude:
+          tags contain:
+              - modeleditor
+              - modelgenerator
+    # Exclude audit queries from the CodeQL Built in packs
+    - exclude:
+          id:
+              - cpp/untrusted-data-to-external-api
+              - cs/untrusted-data-to-external-api
+              - go/untrusted-data-to-external-api
+              - java/untrusted-data-to-external-api
+              - js/untrusted-data-to-external-api
+              - py/untrusted-data-to-external-api
+
+    # Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs)
+    - exclude:
+          tags contain:
+              - debugging
+              - audit
+
+#Additional extractor excludes:  https://github.com/github/codeql/blob/768e5190a1c9d40a4acc7143c461c3b114e7fd59/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L421-L427C42
+paths-ignore:
+    # Python
+    - "vendor/**"
+    - "examples/**"
+    - "tests/**"
+
+    # JavaScript
+    - "node_modules"
+    - "**/*.test.js"
+    - "**/*.test.tsx"
+    - "**/*.spec.ts"
+    - "**/*.spec.tsx"
+    - "dist"
