From 6b4efa5b84793ee948bf5db4eb11c8ee50252da8 Mon Sep 17 00:00:00 2001
From: GeekMasher
Date: Wed, 11 Jun 2025 09:50:43 +0100
Subject: [PATCH 1/3] feat: Update framework docs
---
 .../bicep/frameworks/Microsoft/Compute.qll | 106 ++++++++++++++++--
 .../bicep/frameworks/Microsoft/Network.qll | 74 ++++++++++--
 .../bicep/frameworks/Microsoft/Storage.qll | 18 ++-
 3 files changed, 175 insertions(+), 23 deletions(-)
diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Compute.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Compute.qll
index 71fe658..c232f25 100644
--- a/ql/lib/codeql/bicep/frameworks/Microsoft/Compute.qll
+++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Compute.qll
@@ -4,27 +4,43 @@ private import bicep * A resource of type Microsoft.Compute/virtualMachines */ module Compute { + /** + * Represents a generic Microsoft.Compute resource. + * Matches any resource of type Microsoft.Compute/*. + */ class ComputeResource extends Resource { + /** + * Constructs a ComputeResource for any Microsoft.Compute resource type. + */ ComputeResource() { this.getResourceType().regexpMatch("^Microsoft.Compute/.*") } } /** - * A resource of type Microsoft.Compute/virtualMachines - * https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines + * Represents a Microsoft.Compute/virtualMachines resource. + * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines */ class VirtualMachines extends ComputeResource { + /** + * Constructs a VirtualMachines resource. + */ VirtualMachines() { this.getResourceType().regexpMatch("^Microsoft.Compute/virtualMachines@.*") } + /** + * Returns a string representation of the VirtualMachines resource. + */ override string toString() { result = "VirtualMachines Resource" } + /** + * Returns the properties object for this virtual machine. + */ VirtualMachinesProperties::Properties getProperties() { result = this.getProperty("properties") } /** - * The the hardware network interfaces of the virtual machine + * Returns the hardware network interfaces of the virtual machine. */ Network::NetworkInterfaces getNetworkInterfaces() { result = this.getProperties().getNetworkProfile().getNetworkInterfaces() 
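Review bot: The new QLDoc wording in this hunk departs from the CodeQL QLDoc conventions that the replaced comments followed: class docs are a noun phrase (`A Microsoft.Compute/virtualMachines resource.`), predicates with a result start with `Gets` (`Gets the properties object of this virtual machine.`), and `toString` is documented as `Gets a textual representation of this element.`, whereas the added lines use `Represents`, `Returns` and, on the characteristic predicates, `Constructs a ... resource`, which is a misnomer since a characteristic predicate restricts class membership rather than constructing anything. The same wording is used in the second Compute.qll hunk and in the Network.qll and Storage.qll hunks, so fixing it once across the patch keeps the library uniform. `getNetworkInterfaces` is also better described by what it yields: `Gets a Microsoft.Network/networkInterfaces resource referenced from this virtual machine's network profile.` — "hardware network interfaces" is misleading for resource references that are resolved (via `resolveResource` in the next hunk). The `module Compute` body continues past the end of this hunk.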
@@ -32,98 +48,168 @@ module Compute { } /** - * The properties module for Microsoft.Compute/virtualMachines + * The properties module for Microsoft.Compute/virtualMachines resources. */ module VirtualMachinesProperties { /** - * The properties object for the Microsoft.Compute/virtualMachines type + * The properties object for the Microsoft.Compute/virtualMachines type. */ class Properties extends Object { private VirtualMachines virtualMachines; + /** + * Constructs a Properties object for the given virtual machine. + */ Properties() { this = virtualMachines.getProperty("properties") } + /** + * Returns the parent VirtualMachines resource. + */ VirtualMachines getVirtualMachine() { result = virtualMachines } + /** + * Returns the hardware profile object for the virtual machine. + */ HardwareProfile getHardwareProfile() { result = this.getProperty("hardwareProfile") } + /** + * Returns the network profile object for the virtual machine. + */ NetworkProfile getNetworkProfile() { result = this.getProperty("networkProfile") } + /** + * Returns the OS profile object for the virtual machine. + */ OsProfile getOsProfile() { result = this.getProperty("osProfile") } } /** - * The hardwareProfile property object for the Microsoft.Compute/virtualMachines type + * The hardwareProfile property object for the Microsoft.Compute/virtualMachines type. */ class HardwareProfile extends Object { private Properties properties; + /** + * Constructs a HardwareProfile object for the given properties. + */ HardwareProfile() { this = properties.getProperty("hardwareProfile") } + /** + * Returns a string representation of the hardware profile. + */ string toString() { result = "HardwareProfile" } + /** + * Returns the vmSize property of the hardware profile. + */ Expr getVmSize() { result = this.getProperty("vmSize") } } /** - * A NetworkProfile for the Microsoft.Compute/virtualMachines type + * Represents a network profile for the Microsoft.Compute/virtualMachines type. 
*/ class NetworkProfile extends Object { private Properties properties; + /** + * Constructs a NetworkProfile object for the given properties. + */ NetworkProfile() { this = properties.getProperty("networkProfile") } + /** + * Returns a string representation of the network profile. + */ string toString() { result = "NetworkProfile" } + /** + * Returns the network interfaces for the virtual machine. + */ Network::NetworkInterfaces getNetworkInterfaces() { result = resolveResource(this.getNetworkInterfacesObject()) } + /** + * Returns the networkInterfaces property as an object array. + */ private Object getNetworkInterfacesObject() { result = this.getProperty("networkInterfaces").(Array).getElements() } } /** + * Represents the storage profile for the Microsoft.Compute/virtualMachines type. */ class StorageProfile extends Object { private Properties properties; + /** + * Constructs a StorageProfile object for the given properties. + */ StorageProfile() { this = properties.getProperty("storageProfile") } + /** + * Returns the image reference for the storage profile. + */ ImageReference getImageReference() { result = this.getProperty("imageReference") } } /** - * A ImageReference for the Microsoft.Compute/virtualMachines type - * https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-bicep#imagereference + * Represents an image reference for the Microsoft.Compute/virtualMachines type. + * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-bicep#imagereference */ class ImageReference extends Object { private StorageProfile storageProfile; + /** + * Constructs an ImageReference object for the given storage profile. + */ ImageReference() { this = storageProfile.getProperty("imageReference") } + /** + * Returns the publisher property of the image reference. 
+ */ Expr getPublisher() { result = this.getProperty("publisher") } + /** + * Returns the offer property of the image reference. + */ Expr getOffer() { result = this.getProperty("offer") } + /** + * Returns the sku property of the image reference. + */ Expr getSku() { result = this.getProperty("sku") } + /** + * Returns the version property of the image reference. + */ Expr getVersion() { result = this.getProperty("version") } } /** - * The OsProfile object for the Microsoft.Compute/virtualMachines type + * Represents the OS profile for the Microsoft.Compute/virtualMachines type. */ class OsProfile extends Object { private Properties properties; + /** + * Constructs an OsProfile object for the given properties. + */ OsProfile() { this = properties.getProperty("osProfile") } + /** + * Returns the computerName property of the OS profile. + */ Expr getComputerName() { result = this.getProperty("computerName") } + /** + * Returns the adminUsername property of the OS profile. + */ Expr getAdminUsername() { result = this.getProperty("adminUsername") } + /** + * Returns the adminPassword property of the OS profile. + */ Expr getAdminPassword() { result = this.getProperty("adminPassword") } } } diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll index 91f9f21..98a1770 100644 --- a/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll +++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll 
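Review bot: The comment added on `getNetworkInterfacesObject` says the `networkInterfaces` property is returned "as an object array", but `.(Array).getElements()` yields one result per array element, so `Gets an element of the networkInterfaces array.` is the accurate wording; `getIpConfigurations` and `getAddressPrefixes` in Network.qll carry the same array-versus-element phrasing. `StorageProfile` gains a docstring in this hunk but remains unreachable from `Properties`, which is fully visible here and has no accessor for it; adding `StorageProfile getStorageProfile() { result = this.getProperty("storageProfile") }` beside `getOsProfile` would make `ImageReference` reachable from a `VirtualMachines` resource. For `getAdminPassword` the doc could state the security purpose explicitly, e.g. `Gets the adminPassword property of the OS profile; a StringLiteral here is a hard-coded credential.`, since that is what a query over this predicate checks for.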
@@ -2,77 +2,111 @@ private import bicep module Network { /** - * A resource of type Microsoft.Network + * Represents a generic Microsoft.Network resource. + * Matches any resource of type Microsoft.Network/*. */ class NetworkResource extends Resource { + /** + * Constructs a NetworkResource for any Microsoft.Network resource type. + */ NetworkResource() { this.getResourceType().regexpMatch("^Microsoft.Network/.*") } } /** - * A resource of type Microsoft.Network/networkInterfaces + * Represents a Microsoft.Network/networkInterfaces resource. */ class NetworkInterfaces extends NetworkResource { + /** + * Constructs a NetworkInterfaces resource. + */ NetworkInterfaces() { this.getResourceType().regexpMatch("^Microsoft.Network/networkInterfaces@.*") } + /** + * Returns a string representation of the NetworkInterfaces resource. + */ override string toString() { result = "NetworkInterfaces Resource" } + /** + * Returns the properties object for this network interface. + */ NetworkInterfaceProperties::Properties getProperties() { result = this.getProperty("properties") } } /** - * A module for all properties of Microsoft.Network/networkInterfaces + * A module for all properties of Microsoft.Network/networkInterfaces resources. */ module NetworkInterfaceProperties { /** - * The properties object for the Microsoft.Network/networkInterfaces type + * The properties object for the Microsoft.Network/networkInterfaces type. */ class Properties extends Object { private NetworkInterfaces networkInterfaces; + /** + * Constructs a Properties object for the given network interface. + */ Properties() { this = networkInterfaces.getProperty("properties") } + /** + * Returns the ipConfigurations property as an array of IpConfiguration objects. 
+ */ IpConfiguration getIpConfigurations() { result = this.getProperty("ipConfigurations").(Array).getElements() } } /** - * An IpConfiguration for the Microsoft.Network/networkInterfaces type - * https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-bicep#virtualmachinenetworkinterfaceipconfigurationproperties + * Represents an IpConfiguration for the Microsoft.Network/networkInterfaces type. + * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?pivots=deployment-language-bicep#virtualmachinenetworkinterfaceipconfigurationproperties */ class IpConfiguration extends Object { private Properties properties; + /** + * Constructs an IpConfiguration object for the given properties. + */ IpConfiguration() { this = properties.getProperty("ipConfigurations").(Array).getElements() } + /** + * Returns the name property of the IpConfiguration. + */ string getName() { result = this.getProperty("name").(StringLiteral).getValue() } } } /** - * A resource of type Microsoft.Network/virtualNetworks + * Represents a Microsoft.Network/virtualNetworks resource. */ class VirtualNetworks extends NetworkResource { + /** + * Constructs a VirtualNetworks resource. + */ VirtualNetworks() { this.getResourceType().regexpMatch("^Microsoft.Network/virtualNetworks@.*") } + /** + * Returns a string representation of the VirtualNetworks resource. + */ override string toString() { result = "VirtualNetworks Resource" } /** - * Get the properties object for the Microsoft.Network/virtualNetworks type + * Returns the properties object for the Microsoft.Network/virtualNetworks type. */ VirtualNetworkProperties::Properties getProperties() { result = this.getProperty("properties") } } /** - * A resource of type Microsoft.Network/virtualNetworks/subnets + * Represents a Microsoft.Network/virtualNetworks/subnets resource. 
*/ class VirtualNetworkSubnets extends Resource { + /** + * Constructs a VirtualNetworkSubnets resource. + */ VirtualNetworkSubnets() { this.getResourceType().regexpMatch("^Microsoft.Network/virtualNetworks/subnets@.*") } @@ -80,32 +114,50 @@ module Network { module VirtualNetworkProperties { /** - * The properties object for the Microsoft.Network/virtualNetworks/subnets type + * The properties object for the Microsoft.Network/virtualNetworks/subnets type. */ class Properties extends Object { private VirtualNetworkSubnets virtualNetworkSubnets; + /** + * Constructs a Properties object for the given subnet. + */ Properties() { this = virtualNetworkSubnets.getProperty("properties") } + /** + * Returns the address space object for the subnet. + */ AddressSpace getAddressSpace() { result = this.getProperty("addressSpace") } + /** + * Returns true if DDoS protection is enabled for the subnet. + */ boolean getEnableDdosProtection() { result = this.getProperty("enableDdosProtection").(Boolean).getBool() } + /** + * Returns true if VM protection is enabled for the subnet. + */ boolean getEnableVmProtection() { result = this.getProperty("enableVmProtection").(Boolean).getBool() } } /** - * An AddressSpace for the Microsoft.Network/virtualNetworks type + * Represents an AddressSpace for the Microsoft.Network/virtualNetworks type. */ class AddressSpace extends Object { private Properties properties; + /** + * Constructs an AddressSpace object for the given properties. + */ AddressSpace() { this = properties.getProperty("addressSpace") } + /** + * Returns the addressPrefixes property as a string value. + */ string getAddressPrefixes() { result = this.getProperty("addressPrefixes").(Array).getElements().(StringLiteral).getValue() diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Storage.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Storage.qll index 9b5953c..53d6a04 100644 --- a/ql/lib/codeql/bicep/frameworks/Microsoft/Storage.qll 
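Review bot: The `See:` link added to `IpConfiguration` points at the virtualMachines template page (anchor `virtualmachinenetworkinterfaceipconfigurationproperties`), which documents the network profile embedded in a VM, not the `ipConfigurations` of a `Microsoft.Network/networkInterfaces` resource; the Microsoft.Network/networkInterfaces template reference (https://learn.microsoft.com/en-us/azure/templates/microsoft.network/networkinterfaces) is the matching page. `getIpConfigurations` is described as returning "an array of IpConfiguration objects", but `.(Array).getElements()` yields one `IpConfiguration` per element, so `Gets an ipConfigurations element of this network interface.` is the accurate wording. The characteristic predicate of `IpConfiguration` repeats the same `getProperty("ipConfigurations").(Array).getElements()` expression as `Properties.getIpConfigurations`; binding it as `this = properties.getIpConfigurations()` keeps the two definitions in step. The `VirtualNetworkSubnets` class body continues past the end of this hunk.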
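Review bot: `VirtualNetworkProperties::Properties` is bound to `VirtualNetworkSubnets` (`this = virtualNetworkSubnets.getProperty("properties")`), yet `VirtualNetworks.getProperties()` in the previous hunk declares this class as its result, and `addressSpace`, `enableDdosProtection` and `enableVmProtection` are `Microsoft.Network/virtualNetworks` properties rather than subnet properties, so as far as these two hunks show `VirtualNetworks.getProperties()` can never have a result and the new comments ("for the given subnet", "for the subnet") document the mismatch instead of fixing it. Changing the field to `private VirtualNetworks virtualNetworks;` and the characteristic predicate to `this = virtualNetworks.getProperty("properties")`, with the docs reading "of this virtual network", would align the three. `getEnableDdosProtection` returns the property's boolean value rather than "true if enabled" (a `false` literal is also a result), so `Gets the value of the enableDdosProtection property.` is the accurate form, likewise for `getEnableVmProtection`. `getAddressPrefixes` yields one prefix string per array element, not "a string value", and its body continues past the end of the hunk.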
+++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Storage.qll @@ -1,6 +1,10 @@ private import bicep module Storage { + /** + * Represents a resource of type Microsoft.Storage/storageAccounts in Bicep. + * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts + */ class StorageAccounts extends Resource { StorageAccounts() { this.getResourceType().regexpMatch("^Microsoft.Storage/storageAccounts@.*") @@ -9,6 +13,10 @@ module Storage { Expr getKind() { result = this.getProperty("kind") } } + /** + * Represents the properties object for Microsoft.Storage/storageAccounts in Bicep. + * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts#storageaccountsproperties + */ class StorageAccountsProperties extends Object { private StorageAccounts storageAccounts; @@ -24,14 +32,16 @@ module Storage { } /** - * A resource of type Microsoft.Compute/disks + * Represents a resource of type Microsoft.Compute/disks in Bicep. + * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/disks */ class Disks extends Resource { Disks() { this.getResourceType().regexpMatch("^Microsoft.Compute/disks@.*") } } /** - * The Disk Properties object for the Microsoft.Compute/disks type + * Represents the properties object for Microsoft.Compute/disks in Bicep. + * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.compute/disks#diskproperties */ class DisksProperties extends Object { private Disks disks; @@ -45,6 +55,10 @@ module Storage { } } + /** + * Represents a resource of type Microsoft.Storage/storageAccounts/blobServices/containers in Bicep. + * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/blobservices/containers + */ class BlobServiceContainers extends Resource { BlobServiceContainers() { this.getResourceType() From 573afc36a5c0a20aad248a40e54916f308bdbc0c Mon Sep 17 00:00:00 2001 
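Review bot: Only the classes receive QLDoc in the four Storage.qll hunks; the member predicates visible in them (`StorageAccounts.getKind`, the `StorageAccounts`, `Disks` and `BlobServiceContainers` characteristic predicates) stay undocumented, which is inconsistent with the Compute.qll and Network.qll hunks of the same patch where every predicate got a comment, e.g. `Gets the kind property of this storage account.` on `getKind`. The `Disks` and `DisksProperties` comments describe a `Microsoft.Compute/disks` resource while both classes live in module `Storage` and extend `Resource` directly rather than a Compute resource class; a sentence acknowledging that placement (or moving them under `Compute`) would save readers from looking for them in Compute.qll. Every one of these hunks ends inside a class body, so the rest of each class is outside the view.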
From: Mathew Payne <2772944+GeekMasher@users.noreply.github.com>
Date: Wed, 11 Jun 2025 09:52:28 +0100
Subject: [PATCH 2/3] fix(ci): Update self-action.yml
---
 .github/workflows/self-action.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/self-action.yml b/.github/workflows/self-action.yml
index aaf7faa..f262333 100644
--- a/.github/workflows/self-action.yml
+++ b/.github/workflows/self-action.yml
@@ -3,8 +3,6 @@ name: "CodeQL Bicep Extractor" on: push: branches: [ main ]
- pull_request:
- branches: [ main ]
 workflow_dispatch: jobs:
From 5888c01a783dd6bd6207de8f252f4edfc24d4fad Mon Sep 17 00:00:00 2001
From: GeekMasher
Date: Wed, 11 Jun 2025 09:56:09 +0100
Subject: [PATCH 3/3] fix(ci): Update Extractor download permissions
---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ca9e514..376af8f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,6 +46,8 @@ jobs: --pattern 'extractor-bicep.tar.gz' tar -zxf extractor-bicep.tar.gz
+ chmod +x extractor-pack/tools/*.sh
+ chmod +x extractor-pack/tools/**/*
 - name: "Set up Rust" uses: dtolnay/rust-toolchain@nightly
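Review bot: `chmod +x extractor-pack/tools/**/*` does not recurse as written: the default bash of a `run:` step has `globstar` off, so `**` behaves like `*` and only the first subdirectory level is touched, while `chmod +x extractor-pack/tools/*.sh` fails the step (bash runs with `-e`) whenever no `.sh` file exists, because the unexpanded pattern is passed to chmod literally. Both lines also grant execute on every file under `tools`, data files included, which is broader than the extractor needs; if the executables are a known set, `find extractor-pack/tools -type f -name '*.sh' -exec chmod +x {} +` plus an equivalent `find` for the binaries limits the grant to intended files. Since `tar -zxf` preserves file modes, the missing bits presumably come from how the archive is produced, and setting them at packaging time would make both lines unnecessary; the download step that precedes `tar` is outside the hunk, so whether the archive is verified before extraction cannot be judged here.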