Merge pull request #159 from advanced-security/dep-semver

feat(iac): Update Dependencies and add better Semver support

Author: GeekMasher

ql/lib/codeql/iac/Dependencies.qll

@@ -1,14 +1,40 @@
+/**
+ * Dependencies module for Infrastructure as Code languages.
+ */
 private import codeql.Locations
 private import codeql.hcl.Terraform
 
 /**
  * Dependency for all Infrastructure as Code languages.
  */
-class Dependency extends Location {
+abstract class Dependency extends Location {
+  /**
+   * Gets the name of the dependency.
+   */
+  abstract string getName();
+  /**
+   * Gets the version of the dependency (in a format that is human-readable).
+   */
+  abstract string getVersion();
+  /**
+   * Gets the raw version of the dependency (in a format that is machine-readable).
+   */
+  abstract string getRawVersion();
+  /**
+   * Gets the semantic version of the dependency.
+   */
+  abstract SemanticVersion getSemanticVersion();
+}
+
+
+/**
+ * Dependency for Terraform.
+ */
+class TerraformDependency extends Dependency {
   string name;
   string version;
 
-  Dependency() {
+  TerraformDependency() {
     // Terraform Provider
     exists(Terraform::Terraform tf, Terraform::RequiredProvider rp | rp = tf.getRequiredProvider() |
       this = rp.getLocation() and
@@ -19,21 +45,87 @@ class Dependency extends Location {
 
   override string toString() { result = this.getName() + "@" + this.getVersion() }
 
+  override string getName() { result = name }
+
+
+  override string getVersion() { result = this.getSemanticVersion().getPretty() }
+
+
+  override string getRawVersion() { result = version }
+
+  override SemanticVersion getSemanticVersion() { result = version  }
+}
+
+class SemanticVersion extends string {
+  Dependency dep;
+  string normalized;
+  string pretty;
+
+  SemanticVersion() {
+    this = dep.getRawVersion() and
+    normalized = normalizeSemver(this) and 
+    pretty = prettySemver(this)
+  }
+
   /**
-   * Gets the name of the dependency.
+   * Holds if this version may be before `last`.
    */
-  string getName() { result = name }
+  bindingset[last]
+  predicate maybeBefore(string last) { normalized < normalizeSemver(last) }
 
   /**
-   * Gets the version of the dependency.
+   * Holds if this version may be after `first`.
    */
-  string getVersion() { result = version.replaceAll("=", "") }
+  bindingset[first]
+  predicate maybeAfter(string first) { normalizeSemver(first) < normalized }
 
-  SemanticVersion getSemanticVersion() { result = this.getVersion() }
+  /**
+   * Holds if this version may be between `first` (inclusive) and `last` (exclusive).
+   */
+  bindingset[first, last]
+  predicate maybeBetween(string first, string last) {
+    normalizeSemver(first) <= normalized and
+    normalized < normalizeSemver(last)
+  }
+
+  /**
+   * Holds if this version is equivalent to `other`.
+   */
+  bindingset[other]
+  predicate is(string other) { normalized = normalizeSemver(other) }
+
+  string getPretty() { result = pretty }
 }
 
-class SemanticVersion extends string {
-  private Dependency dep;
+bindingset[str]
+private string leftPad(string str) { result = ("000" + str).suffix(str.length()) }
 
-  SemanticVersion() { this = dep.getVersion() }
+/**
+ * Normalizes a SemVer string such that the lexicographical ordering
+ * of two normalized strings is consistent with the SemVer ordering.
+ *
+ * Pre-release information and build metadata is not yet supported.
+ */
+bindingset[orig]
+private string normalizeSemver(string orig) {
+  exists(string pattern, string major, string minor, string patch |
+    pattern = "(=|~>|^)(\\d+)\\.(\\d+)\\.(\\d+)" and
+    major = orig.regexpCapture(pattern, 2) and
+    minor = orig.regexpCapture(pattern, 3) and
+    patch = orig.regexpCapture(pattern, 4)
+  |
+    result = leftPad(major) + "." + leftPad(minor) + "." + leftPad(patch)
+  )
 }
+
+bindingset[orig]
+private string prettySemver(string orig) {
+  exists(string pattern, string major, string minor, string patch |
+    pattern = "(=|~>|^)(\\d+)\\.(\\d+)\\.(\\d+)" and
+    major = orig.regexpCapture(pattern, 2) and
+    minor = orig.regexpCapture(pattern, 3) and
+    patch = orig.regexpCapture(pattern, 4)
+  |
+    result = major + "." + minor + "." + patch
+  )
+}

ql/test/library-tests/hcl/terraform/Dependencies.expected

@@ -1,3 +1,8 @@
+dependencies
 | providers.tf:5:15:8:5 | hashicorp/[email protected] |
-| providers.tf:9:14:9:22 | hashicorp/time@~>0.7.2 |
-| providers.tf:10:14:10:22 | hashicorp/random@~>3.3.1 |
+| providers.tf:9:14:9:22 | hashicorp/[email protected] |
+| providers.tf:10:14:10:22 | hashicorp/[email protected] |
+semver
+| providers.tf:5:15:8:5 | hashicorp/[email protected] | =3.0.0 |
+| providers.tf:9:14:9:22 | hashicorp/[email protected] | ~>0.7.2 |
+| providers.tf:10:14:10:22 | hashicorp/[email protected] | ~>3.3.1 |

ql/test/library-tests/hcl/terraform/Dependencies.ql

@@ -1,3 +1,5 @@
 import hcl
 
 query predicate dependencies(Dependency d) { any() }
+
+query predicate semver(Dependency d, SemanticVersion v) { d.getSemanticVersion() = v }