Initial structure for cpg native queries and and a small example

buildSrc/src/main/kotlin/features.gradle.kts

@@ -6,4 +6,4 @@ val enablePluginSupport: Boolean by rootProject.extra
 
 dependencies {
     if (enablePluginSupport) runtimeOnly(project(":codyze-plugins"))
-}
+}

codyze-cli/build.gradle.kts

@@ -8,6 +8,7 @@ dependencies {
     implementation(projects.codyzeCore)
     implementation(projects.codyzeBackends.cpg)
     implementation(projects.codyzeSpecificationLanguages.coko.cokoDsl)
+    implementation(projects.codyzeSpecificationLanguages.cpgNative)
 
     implementation(libs.clikt)
     implementation(libs.koin)

codyze-cli/src/main/kotlin/de/fraunhofer/aisec/codyze/cli/KoinModules.kt

@@ -24,6 +24,7 @@ import de.fraunhofer.aisec.codyze.core.executor.ExecutorCommand
 import de.fraunhofer.aisec.codyze.core.output.OutputBuilder
 import de.fraunhofer.aisec.codyze.core.output.SarifBuilder
 import de.fraunhofer.aisec.codyze.core.plugin.Plugin
+import de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native.CPGQuerySubcommand
 import de.fraunhofer.aisec.codyze.specificationLanguages.coko.dsl.cli.CokoSubcommand
 import org.koin.core.module.dsl.factoryOf
 import org.koin.dsl.bind
@@ -42,6 +43,7 @@ val backendCommands = module {
  * Each [Executor] must provide a [ExecutorCommand] to be selectable in the CLI.
  */
 val executorCommands = module {
+    factoryOf(::CPGQuerySubcommand) bind(ExecutorCommand::class)
     factoryOf(::CokoSubcommand) bind(ExecutorCommand::class)
 }
 

codyze-specification-languages/cpg-native/build.gradle.kts

@@ -0,0 +1,38 @@
+plugins {
+    id("documented-module")
+    id("publish")
+}
+
+dependencies {
+    implementation(projects.codyzeCore)
+    implementation(projects.codyzeSpecificationLanguages.coko.cokoCore)
+    implementation(projects.codyzeBackends.cpg) // used only for the CokoScript plugin block configuration
+    implementation(libs.bundles.cpg)
+    implementation(libs.kotlin.reflect)
+
+    implementation(libs.sarif4k)
+    implementation(libs.koin)
+    implementation(libs.clikt)
+
+    // For testing with koin
+    // kotlin-test-junit has to be excluded because it is loaded by "documented-module" plugin
+    testImplementation(libs.koin.test) {
+        exclude(group = "org.jetbrains.kotlin", module = "kotlin-test-junit")
+    }
+    testImplementation(libs.koin.junit5) {
+        exclude(group = "org.jetbrains.kotlin", module = "kotlin-test-junit")
+    }
+    testImplementation(libs.mockk)
+    testImplementation(libs.bundles.cpg)
+}
+
+publishing {
+    publications {
+        named<MavenPublication>(name) {
+            pom {
+                name.set("Codyze Specification Language Native CPG Query DSL")
+                description.set("Queries with native CPG DSL for Codyze")
+            }
+        }
+    }
+}

codyze-specification-languages/cpg-native/src/main/kotlin/de/fraunhofer/aisec/codyze/specificationLanguage/cpg/native/CPGQueryConfiguration.kt

@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2024, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native
+
+import de.fraunhofer.aisec.codyze.core.executor.ExecutorConfiguration
+import io.github.oshai.kotlinlogging.KotlinLogging
+
+private val logger = KotlinLogging.logger { }
+
+data class CPGQueryConfiguration(
+    val runQueries: Boolean // Queries may be turned of, if all executors are run and queries shoul be excluded
+) : ExecutorConfiguration

codyze-specification-languages/cpg-native/src/main/kotlin/de/fraunhofer/aisec/codyze/specificationLanguage/cpg/native/CPGQueryExecutor.kt

@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2024, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native
+
+import de.fraunhofer.aisec.codyze.backends.cpg.CPGBackend
+import de.fraunhofer.aisec.codyze.core.executor.Executor
+import de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native.queries.CPGQuery
+import de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native.queries.ExampleQuery
+import io.github.detekt.sarif4k.Run
+import io.github.oshai.kotlinlogging.KotlinLogging
+import java.io.FileOutputStream
+import java.io.PrintStream
+
+private val logger = KotlinLogging.logger {}
+
+/**
+ * The [Executor] to run natively defined CPG queries on the cpg backend, generating Sarif output
+ */
+
+class CPGQueryExecutor(private val configuration: CPGQueryConfiguration, private val backend: CPGBackend) :
+    Executor {
+    private val queries: MutableList<CPGQuery> = mutableListOf()
+
+    init {
+        queries.add(ExampleQuery())
+    }
+
+    override fun evaluate(): Run {
+        logger.info { "Running CPG Queries" }
+        val findings: MutableMap<CPGQuery, List<CpgQueryFinding>> = mutableMapOf()
+
+        queries.forEach {
+            findings.put(it, it.query(backend))
+        }
+        val informationExtractor = TSFIInformationExtractor()
+        informationExtractor.extractInformation(backend.cpg)
+
+        informationExtractor.printInformation(
+            XMLFormatter(),
+            PrintStream(FileOutputStream("sf.xml")),
+            PrintStream(FileOutputStream("tsfi.xml"))
+        )
+
+        val cpgQuerySarifBuilder = CPGQuerySarifBuilder(queries = queries, backend = backend)
+        return cpgQuerySarifBuilder.buildRun(findings = findings)
+    }
+}

codyze-specification-languages/cpg-native/src/main/kotlin/de/fraunhofer/aisec/codyze/specificationLanguage/cpg/native/CPGQueryFinding.kt

@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2024, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native
+
+import de.fraunhofer.aisec.codyze.backends.cpg.coko.getSarifLocation
+import de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native.queries.CPGQuery
+import de.fraunhofer.aisec.codyze.specificationLanguages.coko.core.Finding
+import de.fraunhofer.aisec.cpg.graph.Node
+import io.github.detekt.sarif4k.Artifact
+import io.github.detekt.sarif4k.Level
+import io.github.detekt.sarif4k.Message
+import io.github.detekt.sarif4k.Result
+import java.nio.file.Path
+
+/**
+ * An implementation of a [Finding] specifically for native queries.
+ */
+data class CpgQueryFinding(
+    val message: String,
+    val kind: Finding.Kind = Finding.Kind.Fail,
+    val node: Node? = null,
+    val relatedNodes: Collection<Node>? = null,
+) {
+    fun toSarif(query: CPGQuery, queries: List<CPGQuery>, artifacts: Map<Path, Artifact>?) =
+        Result(
+            message = Message(text = message),
+            kind = kind.resultKind,
+            level = if (kind == Finding.Kind.Fail) {
+                query.level
+            } else {
+                Level.None
+            },
+            ruleIndex = queries.indexOf(query).toLong(),
+            locations = node?.let { listOf(node.getSarifLocation(artifacts)) },
+            relatedLocations = relatedNodes?.map { node ->
+                node.getSarifLocation(artifacts)
+            }
+        )
+}

codyze-specification-languages/cpg-native/src/main/kotlin/de/fraunhofer/aisec/codyze/specificationLanguage/cpg/native/CPGQueryOptionGroup.kt

@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2024, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native
+
+import de.fraunhofer.aisec.codyze.core.executor.ExecutorOptions
+import io.github.oshai.kotlinlogging.KotlinLogging
+
+private val logger = KotlinLogging.logger {}
+
+/**
+ * Contains all the options specific to the [CPGQueryExecutor]. For now this option group is an empty dummy.
+ */
+@Suppress("UNUSED")
+class CPGQueryOptionGroup : ExecutorOptions("CPG Query Options")

codyze-specification-languages/cpg-native/src/main/kotlin/de/fraunhofer/aisec/codyze/specificationLanguage/cpg/native/CPGQuerySarifBuilder.kt

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2024, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native
+
+import de.fraunhofer.aisec.codyze.core.VersionProvider
+import de.fraunhofer.aisec.codyze.core.backend.Backend
+import de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native.queries.CPGQuery
+import io.github.detekt.sarif4k.*
+
+private fun CPGQuery.toReportingDescriptor() = ReportingDescriptor(
+    id = id,
+    name = javaClass.simpleName,
+    shortDescription = MultiformatMessageString(text = shortDescription),
+    fullDescription = MultiformatMessageString(text = description),
+    defaultConfiguration = ReportingConfiguration(level = level),
+    help = MultiformatMessageString(text = help),
+    properties =
+    PropertyBag(
+        tags = tags.toSet(),
+        map = emptyMap()
+    ),
+)
+
+class CPGQuerySarifBuilder(val queries: List<CPGQuery>, val backend: Backend) {
+    val reportingDescriptors = queries.map { it.toReportingDescriptor() }
+    val toolComponent = ToolComponent(
+        name = "CPGQueryExecutor",
+        product = "Codyze",
+        organization = "Fraunhofer AISEC",
+        semanticVersion = VersionProvider.getVersion("cpg-queries"),
+        downloadURI = "https://github.com/Fraunhofer-AISEC/codyze/releases",
+        informationURI = "https://www.codyze.io",
+        rules = reportingDescriptors,
+    )
+
+    fun buildRun(findings: Map<CPGQuery, List<CpgQueryFinding>>): Run {
+        // build the SARIF run based on the received results
+        return Run(
+            tool = Tool(
+                driver = toolComponent,
+                extensions = listOf(backend.toolInfo)
+            ),
+            artifacts = backend.artifacts.values.toList(),
+            results = findings.entries.flatMap { entry ->
+                entry.value.map { it.toSarif(entry.key, queries, backend.artifacts) }
+            }
+        )
+    }
+}

codyze-specification-languages/cpg-native/src/main/kotlin/de/fraunhofer/aisec/codyze/specificationLanguage/cpg/native/CPGQuerySubcommand.kt

@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2024, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native
+
+import com.github.ajalt.clikt.parameters.groups.provideDelegate
+import de.fraunhofer.aisec.codyze.backends.cpg.CPGBackend
+import de.fraunhofer.aisec.codyze.core.backend.Backend
+import de.fraunhofer.aisec.codyze.core.executor.ExecutorCommand
+
+@Suppress("UNUSED")
+class CPGQuerySubcommand : ExecutorCommand<CPGQueryExecutor>("runNativeQueries") {
+    val executorOptions by CPGQueryOptionGroup()
+
+    init {
+        // allow only the backends that implement the [CokoBackend] interface as subcommands
+        registerBackendOptions<CPGBackend>()
+    }
+
+    override fun getExecutor(goodFindings: Boolean, pedantic: Boolean, backend: Backend?) = with(executorOptions) {
+        CPGQueryExecutor(CPGQueryConfiguration(true), backend as CPGBackend)
+    }
+}

codyze-specification-languages/cpg-native/src/main/kotlin/de/fraunhofer/aisec/codyze/specificationLanguage/cpg/native/Formatter.kt

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2024, Fraunhofer AISEC. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package de.fraunhofer.aisec.codyze.specificationLanguage.cpg.native
+
+open abstract class Formatter {
+    public abstract fun format(k: String, v: String, attributes: Map<String, String>): String
+}