Merge pull request #167 from data-douser/data-douser/markdownlint

Apply markdownlint fixes for project .md files

CONTRIBUTING.md

@@ -1,7 +1,6 @@
-## Contributing
+# Contributing
 
 [fork]: https://github.com/advanced-security/codeql-sap-js/fork
-[pr]: https://github.com/advanced-security/codeql-sap-js/compare
 [style]: https://github.com/github/codeql/blob/main/docs/ql-style-guide.md
 
 Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
@@ -10,24 +9,26 @@ Contributions to this project are [released](https://help.github.com/articles/gi
 
 Please note that this project is released with a [Contributor Code of Conduct](CODE_OF_CONDUCT.md). By participating in this project you agree to abide by its terms.
 
-## Submitting a pull request
+## Submitting a Pull Request
 
-1. [Fork][fork] and clone the repository
-1. Configure and install the [CodeQL CLI](https://github.com/github/codeql-cli-binaries/releases) specified in the `qlt.conf.json` file
-1. Create a new branch: `git checkout -b my-branch-name`
-1. Make your changes
-1. Make sure the QL tests pass on your machine
-1. Ensure the files are appropriately formatted (QL files should be formatted with `codeql query format`)
-1. Push to your fork and [submit a draft pull request](https://github.com/advanced-security/codeql-sap-js/compare). Make sure to select **Create Draft Pull Request**.
-7. Address failed checks, if any.
-8. Mark the [pull request ready for review](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review).
-9. Pat your self on the back and wait for your pull request to be reviewed and merged.
+1. [Fork][fork] and clone the repository.
+1. Configure and install the [CodeQL CLI](https://github.com/github/codeql-cli-binaries/releases) specified in the `qlt.conf.json` file.
+1. Create a new branch: `git checkout -b my-branch-name`.
+1. Make your changes.
+1. Make sure the QL tests pass on your machine.
+1. Ensure the files are appropriately formatted (QL files should be formatted with `codeql query format`).
+1. Push to your fork and [submit a draft Pull Request](https://github.com/advanced-security/codeql-sap-js/compare). Make sure to select **Create Draft Pull Request**.
+1. Address failed checks, if any.
+1. Mark the [Pull Request ready for review](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review).
+1. Pat yourself on the back and wait for your Pull Request to be reviewed and merged.
 
-Here are a few things you can do that will increase the likelihood of your pull request being accepted:
+## Helping Your Pull Request Get Accepted
+
+Here are a few things you can do that will increase the likelihood of your Pull Request being accepted:
 
 - Follow the [CodeQL style guide][style].
 - Write good tests.
-- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
+- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate Pull Requests.
 - Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
 
 ## Resources

README.md

@@ -1,18 +1,25 @@
 # CodeQL: SAP JavaScript frameworks
+
+[cloud-cap-samples]: https://github.com/SAP-samples/cloud-cap-samples
+
 This repository contains [CodeQL](https://codeql.github.com/) models and queries for SAP JavaScript frameworks:
-- [CAP](javascript/frameworks/cap) (https://cap.cloud.sap/)
-- [UI5](javascript/frameworks/ui5) (https://sapui5.hana.ondemand.com/)
-- [XSJS](javascript/frameworks/xsjs) (https://www.npmjs.com/package/@sap/async-xsjs)
 
-### Published CodeQl packs
+- [CAP](javascript/frameworks/cap) [https://cap.cloud.sap](https://cap.cloud.sap/)
+- [UI5](javascript/frameworks/ui5) [https://sapui5.hana.ondemand.com](https://sapui5.hana.ondemand.com/)
+- [XSJS](./javascript/frameworks/xsjs/README.md) [https://www.npmjs.com/package/@sap/async-xsjs](https://www.npmjs.com/package/@sap/async-xsjs)
+
+## Published CodeQl packs
+
 - [advanced-security/javascript-sap-cap-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-cap-queries)
 - [advanced-security/javascript-sap-ui5-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-ui5-queries)
 - [advanced-security/javascript-sap-async-xsjs-queries](https://github.com/advanced-security/codeql-sap-js/pkgs/container/javascript-sap-async-xsjs-queries)
 
-## Usage 
+## Usage
 
 ### Analyzing a repository with [Code Scanning](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#using-query-packs)
+
 Example workflow file:
+
 ```yaml
 jobs:
   analyze-javascript:
@@ -45,7 +52,9 @@ jobs:
         LGTM_INDEX_XML_MODE: all
         LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
 ```
+
 Example configuration file:
+
 ```yaml
 name: "My CodeQL config"
 
@@ -60,15 +69,19 @@ packs:
 paths-ignore:
   - "**/node_modules"
 ```
+
 ### Building and analyzing the CodeQL database with the CodeQL CLI
 
 1. Include and index XML, JSON and CDS files by setting the necessary environment variables:
-```
+
+```shell
 export LGTM_INDEX_XML_MODE='ALL'
 export LGTM_INDEX_FILETYPES=$'.json:JSON\n.cds:JSON'
 ```
+
 2. Compile all the CDS files using the SAP cds toolkit
-```
+
+```shell
 npm install -g @sap/cds-dk
 for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
   do
@@ -78,27 +91,56 @@ for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
       --locations
   done
 ```
+
 3. Build the database [as usual](https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/database-create)
-```
+
+```shell
 codeql database create <DB_NAME> --language=javascript
 ```
+
 4. Analyze the database using one or more packs
-```
+
+```shell
 codeql database analyze <DB_NAME> --format=sarif-latest --output=<OUTPUT_FILE> \
   --download advanced-security/javascript-sap-cap-queries \
              advanced-security/javascript-sap-ui5-queries \
              advanced-security/javascript-sap-xsjs-queries
 ```
 
-## License 
+### Example `codeql database create` with CDS Extractor Invocation
+
+The following example invocation of `codeql database create` includes the `--command` option to invoke the CDS extractor as an extension of the `javascript` extractor, which is used by `codeql` to create the database. The `pre-finalize.sh` script is a minimal wrapper around the `codeql database index-files` command, which we expect to run the `extractors/cds/tools/index-files.js` script to index the JSON files pre-generated by the CDS extractor.
+
+The below example assumes that:
+
+- The [`SAP-samples/cloud-cap-samples`][cloud-cap-samples] repository has been cloned to a sibling directory of the one containing the this repository.
+- The [`SAP-samples/cloud-cap-samples`][cloud-cap-samples] repository is intended as the source code root (i.e. target project) for the database.
+- The database directory (e.g., `~/codeql-home/databases/cloud-cap-samples-real`) is either absent or empty.
+
+```shell
+_d="$(pwd)" && codeql database create \
+  --command="${_d}/extractors/javascript/tools/pre-finalize.sh" \
+  --language="javascript" \
+  --search-path="${_d}/extractors/" \
+  --source-root="${_d}/../cloud-cap-samples/" \
+  -- ~/codeql-home/databases/cloud-cap-samples-real
+```
+
+NOTES:
+
+- The `--source-root` option must be adjusted to match the actual location of the target project (e.g., GitHub repository).
+- The database directory path (last argument) must be adjusted to match the desired location of the created database.
+- Running the above command multiple times with the same database directory will result in an error. The `--overwrite` command-line option can be used to avoid this error.
+- See `codeql database create -h -v` for verbose command help.
+
+## License
 
 This project is licensed under the terms of the MIT open source license. Please refer to [MIT](LICENSE.txt) for the full terms.
 
-## Maintainers 
+## Maintainers
 
-See [CODEOWNERS](CODEOWNERS)
+See [CODEOWNERS](CODEOWNERS).
 
 ## Support
 
-See [SUPPORT](SUPPORT.md)
-
+See [SUPPORT](SUPPORT.md).

SECURITY.md

@@ -1,10 +1,10 @@
-Thanks for helping make GitHub safe for everyone.
-
 # Security
 
+Thanks for helping make GitHub safe for everyone.
+
 GitHub takes the security of our software products and services seriously, including all of the open source code repositories managed through our GitHub organizations, such as [GitHub](https://github.com/GitHub).
 
-Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation. 
+Even though [open source repositories are outside of the scope of our bug bounty program](https://bounty.github.com/index.html#scope) and therefore not eligible for bounty rewards, we will ensure that your finding gets passed along to the appropriate maintainers for remediation.
 
 ## Reporting Security Issues
 
@@ -16,16 +16,16 @@ Instead, please send an email to opensource-security[@]github.com.
 
 Please include as much of the information listed below as you can to help us better understand and resolve the issue:
 
-  * The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
-  * Full paths of source file(s) related to the manifestation of the issue
-  * The location of the affected source code (tag/branch/commit or direct URL)
-  * Any special configuration required to reproduce the issue
-  * Step-by-step instructions to reproduce the issue
-  * Proof-of-concept or exploit code (if possible)
-  * Impact of the issue, including how an attacker might exploit the issue
+* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
+* Full paths of source file(s) related to the manifestation of the issue
+* The location of the affected source code (tag/branch/commit or direct URL)
+* Any special configuration required to reproduce the issue
+* Step-by-step instructions to reproduce the issue
+* Proof-of-concept or exploit code (if possible)
+* Impact of the issue, including how an attacker might exploit the issue
 
 This information will help us triage your report more quickly.
 
 ## Policy
 
-See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms)
+See [GitHub's Safe Harbor Policy](https://docs.github.com/en/site-policy/security-policies/github-bug-bounty-program-legal-safe-harbor#1-safe-harbor-terms).

SUPPORT.md

@@ -1,4 +1,4 @@
-# Support 
+# Support
 
 ## How to file issues and get help
 

javascript/frameworks/cap/README.md

@@ -2,14 +2,16 @@
 
 CodeQL queries and supporting models for the SAP CAP JavaScript framework
 
-### Queries
+## Queries
+
 - [CQL Injection](src/cqlinjection)
 - [Log Injection](src/loginjection)
 - [Sensitive Data Exposure](src/sensitive-exposure)
 - [Authentication Issues](src/bad-authn-authz)
 
-### Modeled CAP framework elements
- - CQL (CAP Query Language) fluent API
- - CDS (Core Data Services) declarative service specification
- - Service composition API
- - Event handlers
+## Modeled CAP framework elements
+
+- CQL (CAP Query Language) fluent API
+- CDS (Core Data Services) declarative service specification
+- Service composition API
+- Event handlers

javascript/frameworks/ui5/README.md

@@ -2,24 +2,29 @@
 
 CodeQL queries and supporting models for the SAP UI5 JavaScript framework
 
-### Queries
+## Queries
+
 - [XSS](src/UI5Xss)
 - [Log Injection](src/UI5LogInjection)
 - [Clickjacking](src/UI5Clickjacking)
-
-### Modeled UI5 framework elements
- - UI5 AMD-style components (also via jQuery)
- - MVC elements: 
-    - UI5 Controllers and Data Models (literal/external JSON models)
-    - UI5 [declarative Views](DeclarativeApp.png) (XML/JSON/HTML/JS)
-    - Library/custom UI5 Controls
-    - Project naming conventions (e.g. Control-Renderer)
-  - Source/Sink definition via [ModelAsData extensions](ext/ui5.model.yml#L61-L97)
-  - Controls inheritance via [ModelAsData extensions](ext/ui5.model.yml#L42-L59)
-
-### Supported Features with tests
+
+## Modeled UI5 framework elements
+
+- UI5 AMD-style components (also via jQuery)
+- MVC elements:
+  - UI5 Controllers and Data Models (literal/external JSON models)
+  - UI5 [declarative Views](DeclarativeApp.png) (XML/JSON/HTML/JS)
+  - Library/custom UI5 Controls
+  - Project naming conventions (e.g. Control-Renderer)
+- Source/Sink definition via [ModelAsData extensions](ext/ui5.model.yml#L61-L97)
+- Controls inheritance via [ModelAsData extensions](ext/ui5.model.yml#L42-L59)
+
+## Supported Features with tests
+
 The following tables list the main supported features with corresponding test cases
-#### Detecting XSS and Log injection vulnerabilities
+
+### Detecting XSS and Log injection vulnerabilities
+
 |test | library controls | [MaD sources sinks](ext/ui5.model.yml#L61-L97) | custom controls | UI5View | JS dataflow | HTML APIs | sanitizer | acc.path via handler |
 | - | :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |
 | [xss-html-control](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1033) | ✅︎ | ✅︎ | | XMLView |
@@ -30,7 +35,8 @@ The following tables list the main supported features with corresponding test ca
 | [sanitized](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/277)| ✅︎ | ✅︎ | ✅︎ | XMLView | ✅︎ | DOM | ✅︎ |
 | [xss-event-handlers](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/335)| ✅︎ | ✅︎ | ✅︎ | XMLView | | | | ✅︎ |
 
-#### Detecting Clickjacking vulnerabilities
+### Detecting Clickjacking vulnerabilities
+
 | test | secure | insecure frameOptions | missing frameOptions |
 | - | :-: | :-: | :-: |
 | [clickjacking-deny-all](test/queries/UI5Clickjacking/clickjacking-deny-all/index.html#L10) | ✅︎ | |

javascript/frameworks/xsjs/README.md

@@ -2,14 +2,16 @@
 
 CodeQL queries and supporting models for the SAP XSJS JavaScript framework
 
-### Queries
+## Queries
+
 - [XSS](src/XSJSReflectedXss)
 - [SQL Injection](src/XSJSSqlInjection)
 - [URL Redirection](src/XSJSUrlRedirect)
 - [ZipSlip](src/XSJSZipSlip)
 - [Authentication Issues](src/XSJSAuthentication)
 - [Disabled CSRF Protection](src/XSJSCsrfDisabled)
 
-### Modeled XSJS framework elements (From CodeQL v2.18.4)
- - XSJS NPM components
- - XSJSLib modules
+## Modeled XSJS framework elements (From CodeQL v2.18.4)
+
+- XSJS NPM components
+- XSJSLib modules