diff --git a/suites/synthetics-cpp.qls b/suites/synthetics-cpp.qls new file mode 100644 index 00000000..d08a0f39 --- /dev/null +++ b/suites/synthetics-cpp.qls 
@@ -0,0 +1,60 @@ +# Use this query suite when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs. +# WARNING: A notable amount of false positives may be found in this configuration. If you wish to reduce the number of false positives, use the default codeql suites :) +# NOTE: This suite will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers. +# NOTE: A suite cannot exclude directories from the scan. Consider pairing with a codeql-config.yml that excludes unwanted folders with `paths-ignore` +# NOTE: A suite cannot include library packs that contain data extensions. Consider pairing with a codeql-config.yml that includes needed data models. + +# Run the following pack install commands to prime your workspace or run the analyze command using `--download` flag +#codeql pack download codeql/cpp-queries +#codeql pack download githubsecuritylab/codeql-cpp-queries +#codeql pack download trailofbits/cpp-queries + +# All queries from CodeQL built in query packs +- queries: '.' 
+ from: codeql/cpp-queries + +# Curated packs from community repos + +### GitHub Security Lab ### +# Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries) +- qlpack: githubsecuritylab/codeql-cpp-queries + +### Trail of Bits ### +# Queries via packs: https://github.com/trailofbits/codeql-queries (default suites include security + crypto) +- qlpack: trailofbits/cpp-queries + +- include: + kind: + - problem + - path-problem + tags contain: + - security +- include: + kind: + - diagnostic +- include: + kind: + - metric + tags contain: + - summary +- exclude: + deprecated: // +- exclude: + query path: + # REMOVE exclude - OK even if they exist in experimental folder + #- /^experimental\/.*/ + - Metrics/Summaries/FrameworkCoverage.ql + - /Diagnostics/Internal/.*/ +- exclude: + tags contain: + - modeleditor + - modelgenerator +# Exclude audit queries from the CodeQL Built in packs +- exclude: + id: + - cpp/untrusted-data-to-external-api +# Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs) +- exclude: + tags contain: + - debugging + - audit \ No newline at end of file diff --git a/suites/synthetics-csharp.qls b/suites/synthetics-csharp.qls new file mode 100644 index 00000000..3a147f1e --- /dev/null +++ b/suites/synthetics-csharp.qls 
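Review bot: In synthetics-cpp.qls the `- include: kind: ... tags contain: - security` filter that follows the three pack selections will silently drop any `trailofbits/cpp-queries` query that is not tagged `security`, yet the comment right above that selection says the Trail of Bits default suites cover "security + crypto"; either confirm the crypto queries carry the `security` tag or add their tag as a second `tags contain:` entry. The header comment should also name the Trail of Bits pack, since it currently says the suite draws only on the built-in and Security Lab packs. Smaller nits in the same file: the commented-out `#- /^experimental\/.*/` under `query path:` with its "REMOVE exclude" note is dead config (delete it, or reword the comment to say experimental queries are kept on purpose), "Remove debugging, and audit queries" has a stray comma, and the file lacks a trailing newline.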
@@ -0,0 +1,56 @@ +# Use this query suite when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs. +# WARNING: A notable amount of false positives may be found in this configuration. If you wish to reduce the number of false positives, use the default codeql suites :) +# NOTE: This suite will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers. +# NOTE: A suite cannot exclude directories from the scan. Consider pairing with a codeql-config.yml that excludes unwanted folders with `paths-ignore` +# NOTE: A suite cannot include library packs that contain data extensions. Consider pairing with a codeql-config.yml that includes needed data models. + +# Run the following pack install commands to prime your workspace or run the analyze command using `--download` flag +#codeql pack download codeql/csharp-queries +#codeql pack download githubsecuritylab/codeql-csharp-queries + +# All queries from CodeQL built in query packs +- queries: '.' 
+ from: codeql/csharp-queries + +# Curated packs from community repos + +### GitHub Security Lab ### +# Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries) +- qlpack: githubsecuritylab/codeql-csharp-queries + + +- include: + kind: + - problem + - path-problem + tags contain: + - security +- include: + kind: + - diagnostic +- include: + kind: + - metric + tags contain: + - summary +- exclude: + deprecated: // +- exclude: + query path: + # REMOVE exclude - OK even if they exist in experimental folder + #- /^experimental\/.*/ + - Metrics/Summaries/FrameworkCoverage.ql + - /Diagnostics/Internal/.*/ +- exclude: + tags contain: + - modeleditor + - modelgenerator +# Exclude audit queries from the CodeQL Built in packs +- exclude: + id: + - csharp/untrusted-data-to-external-api +# Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs) +- exclude: + tags contain: + - debugging + - audit \ No newline at end of file diff --git a/suites/synthetics-go.qls b/suites/synthetics-go.qls new file mode 100644 index 00000000..78133cfe --- /dev/null +++ b/suites/synthetics-go.qls 
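Review bot: In synthetics-csharp.qls the comment "Exclude audit queries from the CodeQL Built in packs" oversells the `- exclude: id: - csharp/untrusted-data-to-external-api` block, which drops exactly one query by id; either list the other ids you mean to exclude or reword the comment to say that this single query is removed because it reports every external sink rather than a vulnerability. The two consecutive blank lines after `- qlpack: githubsecuritylab/codeql-csharp-queries` look like the slot where cpp and go carry a Trail of Bits section; add a comment saying no third-party pack is used for C#, or collapse to one blank line. Same dead `#- /^experimental\/.*/` comment and missing trailing newline as the other suites in this change.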
@@ -0,0 +1,60 @@ +# Use this query suite when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs. +# WARNING: A notable amount of false positives may be found in this configuration. If you wish to reduce the number of false positives, use the default codeql suites :) +# NOTE: This suite will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers. +# NOTE: A suite cannot exclude directories from the scan. Consider pairing with a codeql-config.yml that excludes unwanted folders with `paths-ignore` +# NOTE: A suite cannot include library packs that contain data extensions. Consider pairing with a codeql-config.yml that includes needed data models. + +# Run the following pack install commands to prime your workspace or run the analyze command using `--download` flag +#codeql pack download codeql/go-queries +#codeql pack download githubsecuritylab/codeql-go-queries +#codeql pack download trailofbits/go-queries + +# All queries from CodeQL built in query packs +- queries: '.' 
+ from: codeql/go-queries + +# Curated packs from community repos + +### GitHub Security Lab ### +# Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries) +- qlpack: githubsecuritylab/codeql-go-queries + +### Trail of Bits ### +# Queries via packs: https://github.com/trailofbits/codeql-queries (default suites include security + crypto) +- qlpack: trailofbits/go-queries + +- include: + kind: + - problem + - path-problem + tags contain: + - security +- include: + kind: + - diagnostic +- include: + kind: + - metric + tags contain: + - summary +- exclude: + deprecated: // +- exclude: + query path: + # REMOVE exclude - OK even if they exist in experimental folder + #- /^experimental\/.*/ + - Metrics/Summaries/FrameworkCoverage.ql + - /Diagnostics/Internal/.*/ +- exclude: + tags contain: + - modeleditor + - modelgenerator +# Exclude audit queries from the CodeQL Built in packs +- exclude: + id: + - go/untrusted-data-to-external-api +# Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs) +- exclude: + tags contain: + - debugging + - audit \ No newline at end of file diff --git a/suites/synthetics-java.qls b/suites/synthetics-java.qls new file mode 100644 index 00000000..1aac9685 --- /dev/null +++ b/suites/synthetics-java.qls 
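Review bot: In synthetics-go.qls the `tags contain: - security` include will exclude any `trailofbits/go-queries` query whose tags do not contain `security`, which conflicts with the comment that the Trail of Bits defaults include "security + crypto"; verify the tagging before relying on this suite for crypto findings, or widen the filter. The header comment also omits the Trail of Bits pack even though `- qlpack: trailofbits/go-queries` is selected, and the `#codeql pack download ...` lines would be easier to keep in sync if they were generated from the `from:`/`qlpack:` entries or moved to a README rather than duplicated as comments in every suite. Missing trailing newline here too.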
@@ -0,0 +1,59 @@ +# Use this query suite when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs. +# WARNING: A notable amount of false positives may be found in this configuration. If you wish to reduce the number of false positives, use the default codeql suites :) +# NOTE: This suite will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers. +# NOTE: A suite cannot exclude directories from the scan. Consider pairing with a codeql-config.yml that excludes unwanted folders with `paths-ignore` +# NOTE: A suite cannot include library packs that contain data extensions. Consider pairing with a codeql-config.yml that includes needed data models. + +# Run the following pack install commands to prime your workspace or run the analyze command using `--download` flag +#codeql pack download codeql/java-queries +#codeql pack download githubsecuritylab/codeql-java-queries + +# All queries from CodeQL built in query packs +- queries: '.' 
+ from: codeql/java-queries + +# Curated packs from community repos + +### GitHub Security Lab ### +# Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries) +- qlpack: githubsecuritylab/codeql-java-queries + +# Queries via Community Packs that use local sources https://github.com/GitHubSecurityLab/CodeQL-Community-Packs +- qlpack: githubsecuritylab/codeql-java-queries:suites/java-local.qls + + +- include: + kind: + - problem + - path-problem + tags contain: + - security +- include: + kind: + - diagnostic +- include: + kind: + - metric + tags contain: + - summary +- exclude: + deprecated: // +- exclude: + query path: + # REMOVE exclude - OK even if they exist in experimental folder + #- /^experimental\/.*/ + - Metrics/Summaries/FrameworkCoverage.ql + - /Diagnostics/Internal/.*/ +- exclude: + tags contain: + - modeleditor + - modelgenerator +# Exclude audit queries from the CodeQL Built in packs +- exclude: + id: + - java/untrusted-data-to-external-api +# Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs) +- exclude: + tags contain: + - debugging + - audit \ No newline at end of file diff --git a/suites/synthetics-javascript.qls b/suites/synthetics-javascript.qls new file mode 100644 index 00000000..c64d43af --- /dev/null +++ b/suites/synthetics-javascript.qls 
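Review bot: In synthetics-java.qls the `- qlpack: githubsecuritylab/codeql-java-queries:suites/java-local.qls` entry is subject to every filter below it, so any query that suite adds must be tagged `security` and must not be tagged `audit` or `debugging` to survive; please confirm that, otherwise the entry adds nothing. A query selected both by the pack's default suite and by java-local.qls is only run once, so the overlap itself is harmless, but the comment should state what "local sources" means and which queries the local suite is expected to contribute over the default suite. Same leftover `#- /^experimental\/.*/` comment and missing trailing newline as the other files.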
@@ -0,0 +1,56 @@ +# Use this query suite when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs. +# WARNING: A notable amount of false positives may be found in this configuration. If you wish to reduce the number of false positives, use the default codeql suites :) +# NOTE: This suite will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers. +# NOTE: A suite cannot exclude directories from the scan. Consider pairing with a codeql-config.yml that excludes unwanted folders with `paths-ignore` +# NOTE: A suite cannot include library packs that contain data extensions. Consider pairing with a codeql-config.yml that includes needed data models. + +# Run the following pack install commands to prime your workspace or run the analyze command using `--download` flag +#codeql pack download codeql/javascript-queries +#codeql pack download githubsecuritylab/codeql-javascript-queries + +# All queries from CodeQL built in query packs +- queries: '.' 
+ from: codeql/javascript-queries + +# Curated packs from community repos + +### GitHub Security Lab ### +# Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries) +- qlpack: githubsecuritylab/codeql-javascript-queries + + +- include: + kind: + - problem + - path-problem + tags contain: + - security +- include: + kind: + - diagnostic +- include: + kind: + - metric + tags contain: + - summary +- exclude: + deprecated: // +- exclude: + query path: + # REMOVE exclude - OK even if they exist in experimental folder + #- /^experimental\/.*/ + - Metrics/Summaries/FrameworkCoverage.ql + - /Diagnostics/Internal/.*/ +- exclude: + tags contain: + - modeleditor + - modelgenerator +# Exclude audit queries from the CodeQL Built in packs +- exclude: + id: + - javascript/untrusted-data-to-external-api +# Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs) +- exclude: + tags contain: + - debugging + - audit \ No newline at end of file diff --git a/suites/synthetics-python.qls b/suites/synthetics-python.qls new file mode 100644 index 00000000..d10fb73e --- /dev/null +++ b/suites/synthetics-python.qls 
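Review bot: In synthetics-javascript.qls the WARNING line reads "A notable amount of false positives"; make it "number of false positives" and drop the ":)" so the header reads as documentation. The `- exclude: deprecated: //` entry is correct as written (the empty regex matches any `@deprecated` value), but a one-line comment saying so would save the next reader from assuming it is a typo. As in the C# suite, the double blank line after the Security Lab pack looks like a placeholder; add a note or remove it. Missing trailing newline.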
@@ -0,0 +1,59 @@ +# Use this query suite when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs. +# WARNING: A notable amount of false positives may be found in this configuration. If you wish to reduce the number of false positives, use the default codeql suites :) +# NOTE: This suite will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers. +# NOTE: A suite cannot exclude directories from the scan. Consider pairing with a codeql-config.yml that excludes unwanted folders with `paths-ignore` +# NOTE: A suite cannot include library packs that contain data extensions. Consider pairing with a codeql-config.yml that includes needed data models. + +# Run the following pack install commands to prime your workspace or run the analyze command using `--download` flag +#codeql pack download codeql/python-queries +#codeql pack download githubsecuritylab/codeql-python-queries + +# All queries from CodeQL built in query packs +- queries: '.' 
+ from: codeql/python-queries + +# Curated packs from community repos + +### GitHub Security Lab ### +# Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries) +- qlpack: githubsecuritylab/codeql-python-queries + +# Queries via Community Packs that use local sources https://github.com/GitHubSecurityLab/CodeQL-Community-Packs +- qlpack: githubsecuritylab/codeql-python-queries:suites/python-local.qls + + +- include: + kind: + - problem + - path-problem + tags contain: + - security +- include: + kind: + - diagnostic +- include: + kind: + - metric + tags contain: + - summary +- exclude: + deprecated: // +- exclude: + query path: + # REMOVE exclude - OK even if they exist in experimental folder + #- /^experimental\/.*/ + - Metrics/Summaries/FrameworkCoverage.ql + - /Diagnostics/Internal/.*/ +- exclude: + tags contain: + - modeleditor + - modelgenerator +# Exclude audit queries from the CodeQL Built in packs +- exclude: + id: + - python/untrusted-data-to-external-api +# Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs) +- exclude: + tags contain: + - debugging + - audit \ No newline at end of file diff --git a/suites/synthetics-ruby.qls b/suites/synthetics-ruby.qls new file mode 100644 index 00000000..8c5965e0 --- /dev/null +++ b/suites/synthetics-ruby.qls 
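Review bot: In synthetics-python.qls the `python-local.qls` selection sits above the `- exclude: tags contain: - audit - debugging` block, so if the Security Lab local-source queries carry either tag they are removed again and the entry is a no-op; check the tags on those queries and document the expectation in the comment. The comment "Queries via Community Packs that use local sources" should also say why local-source queries are wanted in a broadest-coverage suite (they widen the threat model beyond remote input), since that is the reason to accept the extra false positives the WARNING line promises. Dead `#- /^experimental\/.*/` comment and missing trailing newline as elsewhere.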
@@ -0,0 +1,56 @@ +# Use this query suite when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs. +# WARNING: A notable amount of false positives may be found in this configuration. If you wish to reduce the number of false positives, use the default codeql suites :) +# NOTE: This suite will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers. +# NOTE: A suite cannot exclude directories from the scan. Consider pairing with a codeql-config.yml that excludes unwanted folders with `paths-ignore` +# NOTE: A suite cannot include library packs that contain data extensions. Consider pairing with a codeql-config.yml that includes needed data models. + +# Run the following pack install commands to prime your workspace or run the analyze command using `--download` flag +#codeql pack download codeql/ruby-queries +#codeql pack download githubsecuritylab/codeql-ruby-queries + +# All queries from CodeQL built in query packs +- queries: '.' 
+ from: codeql/ruby-queries + +# Curated packs from community repos + +### GitHub Security Lab ### +# Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries) +- qlpack: githubsecuritylab/codeql-ruby-queries + + +- include: + kind: + - problem + - path-problem + tags contain: + - security +- include: + kind: + - diagnostic +- include: + kind: + - metric + tags contain: + - summary +- exclude: + deprecated: // +- exclude: + query path: + # REMOVE exclude - OK even if they exist in experimental folder + #- /^experimental\/.*/ + - Metrics/Summaries/FrameworkCoverage.ql + - /Diagnostics/Internal/.*/ +- exclude: + tags contain: + - modeleditor + - modelgenerator +# Exclude audit queries from the CodeQL Built in packs +- exclude: + id: + - ruby/untrusted-data-to-external-api +# Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs) +- exclude: + tags contain: + - debugging + - audit \ No newline at end of file
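Review bot: In synthetics-ruby.qls, as in all seven suites, the file ends without a newline; add one so diffs and `cat`-style concatenation stay clean. Since the seven files differ only in the pack names and the optional third-party section, consider noting in a README (or a generator script) that they are meant to be kept in lockstep, because a filter tweak applied to one and not the others will produce inconsistent coverage across languages. The comment "Remove debugging, and audit queries used by community packs (this is duplicative of the default suites ...)" should be reworded: the exclude is not duplicative, it is needed precisely because `- qlpack:` without a suite only selects the default suite and the local suites above may pull those tags back in.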