From 45cf3f7e8d0a1e273929b1ccaff8e76906ce8a8b Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 12:14:41 +0530 Subject: [PATCH 01/72] Create codeql.yml --- .github/workflows/codeql.yml | 94 ++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..4dfc7882 --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,94 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + branches: [ "master" ] + pull_request: + branches: [ "master" ] + schedule: + - cron: '32 10 * * 2' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: c-cpp + build-mode: autobuild + - language: python + build-mode: none + # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" From 0afbfc2aad8793a7767a3eacfdc1b5ebf00c9762 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 13:16:53 +0530 Subject: [PATCH 02/72] Create matlab-scan.yml initial commit --- .github/workflows/matlab-scan.yml | 52 +++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/matlab-scan.yml diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml new file mode 100644 index 00000000..b3c68e17 --- /dev/null +++ b/.github/workflows/matlab-scan.yml 
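Review bot: Every third-party action in this workflow (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`) is referenced by a mutable major tag while the job holds `security-events: write`; pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<FULL-COMMIT-SHA>  # v4`, so a re-tagged upstream release cannot change what runs with that token. The matrix analyzes only `c-cpp` and `python`, while the following commits in this series add MATLAB-oriented queries and `make ctags`/`cscope` targets, so confirm the matrix matches the languages actually present, as the header comment asks. The `queries:` line is left commented out, which means only the default suite runs; if the `security-extended` suite is intended, uncomment it or move it to a config file.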
@@ -0,0 +1,52 @@ +name: Code Scan + +on: + #push: + #branches: + #- master # Change this if your default branch is different + pull_request: + branches: + - master + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Checkout Code + uses: actions/checkout@v2 + + - name: Set up dependencies + run: | + # Install dependencies if required + sudo apt-get install -y ctags gtags cscope + + - name: Run Ctags + run: | + make ctags + + - name: Run Gtags + run: | + make GTAGS + + - name: Run Cscope + run: | + make cscope + + - name: Clean Cscope files + run: | + make clean-cscope + + - name: Clean Tags + run: | + make distclean-tags + + - name: Run CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: 'security' + paths: 'path/to/your/codebase/**/*.c' + + - name: Clean up + run: | + make distclean From a6f3200b0b68192a3e68d575f2ca3ec927b561c8 Mon Sep 17 00:00:00 2001 
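Review bot: The `Run CodeQL Analysis` step calls `github/codeql-action/analyze@v2` without a preceding `github/codeql-action/init` step, so there is no CodeQL database for it to analyze and the step will fail. As far as I know `paths` is not an input of the analyze action (it is a CodeQL config-file option that restricts which source files are extracted and must be passed to `init` via `config-file`), and its value here is still the `path/to/your/codebase` placeholder. The job declares no `permissions:` block, yet uploading SARIF needs `security-events: write`; declare the minimal set explicitly, `permissions:` / `  contents: read` / `  security-events: write`, rather than inheriting the repository default. `actions/checkout@v2` and `analyze@v2` are older majors than the `v4`/`v3` pins the series' own `codeql.yml` uses; align them and pin to commit SHAs. The `apt-get install` runs without a preceding `apt-get update` and `gtags` does not look like an Ubuntu package name (GNU GLOBAL ships as `global`) — verify on a runner.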
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 14:46:41 +0530 Subject: [PATCH 03/72] Added custom query language foe MATLAB Code Scan --- .../matlab/ Improper Input Handling.ql | 23 +++++++++++++++++ .../matlab/ Improper Use of cd.ql | 23 +++++++++++++++++ .../matlab/ Unsafe Use of mkdir.ql | 23 +++++++++++++++++ .../matlab/ Use of Deprecated Functions.ql | 21 ++++++++++++++++ .../matlab/Hardcoded Credentials.ql | 22 ++++++++++++++++ .../matlab/Hardcoded IP Address.ql | 21 ++++++++++++++++ .../matlab/Improper Use of pause Function.ql | 23 +++++++++++++++++ .../matlab/Improper Use of rmdir.ql | 23 +++++++++++++++++ .../matlab/Improper fclose() After fopen().ql | 15 +++++++++++ .../matlab/Insecure File Permission.ql | 22 ++++++++++++++++ .../Insecure Random Number Generation.ql | 22 ++++++++++++++++ .../matlab/Insecure Usage of save Function.ql | 22 ++++++++++++++++ .../matlab/Insecure Use of eval Function.ql | 22 ++++++++++++++++ ...e Use of urlread or webread Without TLS.ql | 22 ++++++++++++++++ .../matlab/Insecure load Function.ql | 22 ++++++++++++++++ .../Potential Buffer Overflow via fscanf.ql | 24 ++++++++++++++++++ .../matlab/Unchecked System() command.ql | 24 ++++++++++++++++++ .../matlab/Uninitialized Variables.ql | 25 +++++++++++++++++++ .../matlab/Unsafe Use of system Command.ql | 25 +++++++++++++++++++ .../matlab/Unsafe fopen Usage.ql | 25 +++++++++++++++++++ .../matlab/Unsanitized User Input.ql | 24 ++++++++++++++++++ .../custom-queries/matlab/Untrusted Input.ql | 23 +++++++++++++++++ ...validated User Input in File Operations.ql | 23 +++++++++++++++++ .../Use of Weak Cryptographic functions.ql | 21 ++++++++++++++++ 24 files changed, 540 insertions(+) create mode 100644 .github/custom-queries/matlab/ Improper Input Handling.ql create mode 100644 .github/custom-queries/matlab/ Improper Use of cd.ql create mode 100644 .github/custom-queries/matlab/ Unsafe Use of mkdir.ql create mode 100644 
.github/custom-queries/matlab/ Use of Deprecated Functions.ql create mode 100644 .github/custom-queries/matlab/Hardcoded Credentials.ql create mode 100644 .github/custom-queries/matlab/Hardcoded IP Address.ql create mode 100644 .github/custom-queries/matlab/Improper Use of pause Function.ql create mode 100644 .github/custom-queries/matlab/Improper Use of rmdir.ql create mode 100644 .github/custom-queries/matlab/Improper fclose() After fopen().ql create mode 100644 .github/custom-queries/matlab/Insecure File Permission.ql create mode 100644 .github/custom-queries/matlab/Insecure Random Number Generation.ql create mode 100644 .github/custom-queries/matlab/Insecure Usage of save Function.ql create mode 100644 .github/custom-queries/matlab/Insecure Use of eval Function.ql create mode 100644 .github/custom-queries/matlab/Insecure Use of urlread or webread Without TLS.ql create mode 100644 .github/custom-queries/matlab/Insecure load Function.ql create mode 100644 .github/custom-queries/matlab/Potential Buffer Overflow via fscanf.ql create mode 100644 .github/custom-queries/matlab/Unchecked System() command.ql create mode 100644 .github/custom-queries/matlab/Uninitialized Variables.ql create mode 100644 .github/custom-queries/matlab/Unsafe Use of system Command.ql create mode 100644 .github/custom-queries/matlab/Unsafe fopen Usage.ql create mode 100644 .github/custom-queries/matlab/Unsanitized User Input.ql create mode 100644 .github/custom-queries/matlab/Untrusted Input.ql create mode 100644 .github/custom-queries/matlab/Unvalidated User Input in File Operations.ql create mode 100644 .github/custom-queries/matlab/Use of Weak Cryptographic functions.ql diff --git a/.github/custom-queries/matlab/ Improper Input Handling.ql b/.github/custom-queries/matlab/ Improper Input Handling.ql new file mode 100644 index 00000000..f5168c88 --- /dev/null +++ b/.github/custom-queries/matlab/ Improper Input Handling.ql 
@@ -0,0 +1,23 @@ +/** + * @name Improper input handling in mathematical operations + * @description Detects mathematical operations on untrusted inputs without proper validation or sanitization, leading to potential data integrity issues. + * @kind problem + * @problem.severity high + * @tags security, input-validation + */ +import javascript + +class ImproperInputInMathOp extends Expr { + ImproperInputInMathOp() { + this.getFile().getName().endsWith(".m") and + exists(Expr mathOp | + mathOp.getSource() = this and + mathOp.toString().matches("(\\+|\\-|\\*|\\/|\\^|sqrt|log)%") and + not exists(Expr inputValidation | + inputValidation.getSource() = mathOp and inputValidation.toString().matches("(validate|sanitize)%")) + ) + } +} + +from ImproperInputInMathOp mathOp +select mathOp, "Improper input handling in mathematical operations detected. Ensure inputs are validated or sanitized." diff --git a/.github/custom-queries/matlab/ Improper Use of cd.ql b/.github/custom-queries/matlab/ Improper Use of cd.ql new file mode 100644 index 00000000..db82e7c9 --- /dev/null +++ b/.github/custom-queries/matlab/ Improper Use of cd.ql @@ -0,0 +1,23 @@ +/** + * @name Improper use of cd command + * @description Detects usage of `cd` to change directories without validating whether the directory exists, potentially leading to errors. + * @kind problem + * @problem.severity warning + * @tags security, directory-management + */ +import javascript + +class ImproperCdUsage extends Expr { + ImproperCdUsage() { + this.getFile().getName().endsWith(".m") and + exists(Expr cdCall | + cdCall.getSource() = this and + cdCall.toString().matches("cd%") and + not exists(Expr check | + check.getSource() = cdCall and check.toString().matches("(exist|isdir)%")) + ) + } +} + +from ImproperCdUsage cdCall +select cdCall, "Improper use of cd command without validating the directory path." 
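Review bot: `import javascript` with a guard of `this.getFile().getName().endsWith(".m")` can never produce a result, because CodeQL has no MATLAB extractor and the JavaScript extractor does not create `Expr` nodes for `.m` files; every query in this commit (`Improper Use of cd`, `Unsafe Use of mkdir`, `Use of Deprecated Functions`, `Hardcoded Credentials`, `Hardcoded IP Address`, `Improper Use of pause Function`, `Improper Use of rmdir`, `Improper fclose() After fopen()`, `Insecure File Permission`, `Insecure Random Number Generation`, `Insecure Usage of save Function`, `Insecure Use of eval Function`, `Insecure Use of urlread or webread Without TLS`, `Insecure load Function`, `Potential Buffer Overflow via fscanf`, `Unchecked System() command`, `Uninitialized Variables`, `Unsafe Use of system Command`, `Unsafe fopen Usage`, `Unsanitized User Input`, `Untrusted Input`, `Unvalidated User Input in File Operations`, `Use of Weak Cryptographic functions`) shares this, so the scan would report a clean result while checking nothing. `string.matches()` uses `_`/`%` wildcards, not regular expressions, so alternations such as `(validate|sanitize)%` and escapes such as `\\d{1,3}` are matched literally and would not fire even against a supported language; `regexpMatch("(validate|sanitize).*")` is the regex predicate. The `@problem.severity` values `high`, `medium` and `critical` used across these files are not accepted (the valid values are `error`, `warning`, `recommendation`), and no query carries an `@id`, which code scanning requires to upload results. I do not believe the JavaScript library's `Expr` declares `getSource()`, so the constructors are unlikely to compile at all; the filenames beginning with a space (`matlab/ Improper Input Handling.ql`) also look accidental.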
diff --git a/.github/custom-queries/matlab/ Unsafe Use of mkdir.ql b/.github/custom-queries/matlab/ Unsafe Use of mkdir.ql new file mode 100644 index 00000000..0ede7d0c --- /dev/null +++ b/.github/custom-queries/matlab/ Unsafe Use of mkdir.ql @@ -0,0 +1,23 @@ +/** + * @name Unsafe mkdir usage + * @description Detects the use of `mkdir` without checking for the directory's existence or permissions. + * @kind problem + * @problem.severity warning + * @tags security, resource-management + */ +import javascript + +class UnsafeMkdir extends Expr { + UnsafeMkdir() { + this.getFile().getName().endsWith(".m") and + exists(Expr mkdirCall | + mkdirCall.getSource() = this and + mkdirCall.toString().matches("mkdir%") and + not exists(Expr check | + check.getSource() = mkdirCall and check.toString().matches("(exist|isdir)%")) + ) + } +} + +from UnsafeMkdir mkdirCall +select mkdirCall, "Unsafe use of mkdir without checking for directory existence or permissions." diff --git a/.github/custom-queries/matlab/ Use of Deprecated Functions.ql b/.github/custom-queries/matlab/ Use of Deprecated Functions.ql new file mode 100644 index 00000000..3a636ebd --- /dev/null +++ b/.github/custom-queries/matlab/ Use of Deprecated Functions.ql @@ -0,0 +1,21 @@ +/** + * @name Deprecated function usage + * @description Detects the use of deprecated functions in MATLAB, which might introduce vulnerabilities or break in future releases. + * @kind problem + * @problem.severity warning + * @tags security, deprecated + */ +import javascript + +class DeprecatedFunctionUsage extends Expr { + DeprecatedFunctionUsage() { + this.getFile().getName().endsWith(".m") and + exists(Expr deprecatedCall | + deprecatedCall.getSource() = this and + deprecatedCall.toString().matches("(str2num|input|addpath)%") + ) + } +} + +from DeprecatedFunctionUsage deprecatedCall +select deprecatedCall, "Deprecated function usage detected. Consider updating to supported alternatives." 
diff --git a/.github/custom-queries/matlab/Hardcoded Credentials.ql b/.github/custom-queries/matlab/Hardcoded Credentials.ql new file mode 100644 index 00000000..be996d46 --- /dev/null +++ b/.github/custom-queries/matlab/Hardcoded Credentials.ql @@ -0,0 +1,22 @@ +/** + * @name Hardcoded credentials + * @description Detects potential hardcoded credentials, such as passwords or API keys, in MATLAB scripts. + * @kind problem + * @problem.severity critical + * @tags security, hardcoded-credentials + */ + +import javascript + +class MatlabHardcodedCredentials extends Expr { + MatlabHardcodedCredentials() { + this.getFile().getName().endsWith(".m") and + exists(Expr hardcoded | + hardcoded.getSource() = this and + hardcoded.toString().matches("(password|passwd|apiKey|secret|token)\\s*=\\s*['\"]\\w+['\"]") + ) + } +} + +from MatlabHardcodedCredentials hardcoded +select hardcoded, "Potential hardcoded credentials detected in MATLAB code." diff --git a/.github/custom-queries/matlab/Hardcoded IP Address.ql b/.github/custom-queries/matlab/Hardcoded IP Address.ql new file mode 100644 index 00000000..c893d68b --- /dev/null +++ b/.github/custom-queries/matlab/Hardcoded IP Address.ql @@ -0,0 +1,21 @@ +/** + * @name Hardcoded IP address + * @description Detects hardcoded IP addresses in the MATLAB code, which could indicate potential misconfigurations or security vulnerabilities. + * @kind problem + * @problem.severity medium + * @tags security, misconfiguration + */ +import javascript + +class HardcodedIP extends Expr { + HardcodedIP() { + this.getFile().getName().endsWith(".m") and + exists(Expr ipAddress | + ipAddress.getSource() = this and + ipAddress.toString().matches("(\\d{1,3}\\.){3}\\d{1,3}") + ) + } +} + +from HardcodedIP ipAddress +select ipAddress, "Hardcoded IP address detected, consider using configuration files instead." 
diff --git a/.github/custom-queries/matlab/Improper Use of pause Function.ql b/.github/custom-queries/matlab/Improper Use of pause Function.ql new file mode 100644 index 00000000..3254ebdc --- /dev/null +++ b/.github/custom-queries/matlab/Improper Use of pause Function.ql @@ -0,0 +1,23 @@ +/** + * @name Improper use of pause function + * @description Detects improper usage of the `pause` function, which can lead to inefficient code execution or resource misuse. + * @kind problem + * @problem.severity medium + * @tags security, resource-management + */ +import javascript + +class ImproperPauseUsage extends Expr { + ImproperPauseUsage() { + this.getFile().getName().endsWith(".m") and + exists(Expr pauseCall | + pauseCall.getSource() = this and + pauseCall.toString().matches("pause%") and + not exists(Expr timingCheck | + timingCheck.getSource() = pauseCall and timingCheck.toString().matches("(check|validate)%")) + ) + } +} + +from ImproperPauseUsage pauseCall +select pauseCall, "Improper use of the pause function detected, which could lead to resource misuse or inefficient code execution." diff --git a/.github/custom-queries/matlab/Improper Use of rmdir.ql b/.github/custom-queries/matlab/Improper Use of rmdir.ql new file mode 100644 index 00000000..3a96e0b1 --- /dev/null +++ b/.github/custom-queries/matlab/Improper Use of rmdir.ql 
@@ -0,0 +1,23 @@ +/** + * @name Improper rmdir usage + * @description Detects `rmdir` calls without error handling or validation. + * @kind problem + * @problem.severity high + * @tags security, resource-management + */ +import javascript + +class ImproperRmdir extends Expr { + ImproperRmdir() { + this.getFile().getName().endsWith(".m") and + exists(Expr rmdirCall | + rmdirCall.getSource() = this and + rmdirCall.toString().matches("rmdir%") and + not exists(Expr errorCheck | + errorCheck.getSource() = rmdirCall and errorCheck.toString().matches("(exist|isdir)%")) + ) + } +} + +from ImproperRmdir rmdirCall +select rmdirCall, "Improper use of rmdir without error handling or path validation." diff --git a/.github/custom-queries/matlab/Improper fclose() After fopen().ql b/.github/custom-queries/matlab/Improper fclose() After fopen().ql new file mode 100644 index 00000000..b6746d3a --- /dev/null +++ b/.github/custom-queries/matlab/Improper fclose() After fopen().ql @@ -0,0 +1,15 @@ +/** + * @name Missing fclose after fopen + * @description Detects cases where a file is opened but not closed, leading to resource leaks. + * @kind problem + * @problem.severity warning + * @tags security, resource-leak + */ +import javascript + +class MatlabMissingFclose extends Expr { + MatlabMissingFclose() { + this.getFile().getName().endsWith(".m") and + exists(Expr fopenCall | + fopenCall.getSource() = this and + fopenCall.toString(). diff --git a/.github/custom-queries/matlab/Insecure File Permission.ql b/.github/custom-queries/matlab/Insecure File Permission.ql new file mode 100644 index 00000000..1de6c701 --- /dev/null +++ b/.github/custom-queries/matlab/Insecure File Permission.ql 
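Review bot: `Improper fclose() After fopen().ql` is cut off mid-expression at `fopenCall.toString().` — the `exists`, constructor, class body and the `from`/`select` clause are never closed, so the file is a syntax error and will abort any run that globs `*.ql` in this directory. Either complete the query or drop it; `Unsafe fopen Usage.ql` later in this commit already targets `fopen` without a matching `fclose`, so this appears to be a duplicate.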
@@ -0,0 +1,22 @@ +/** + * @name Insecure file permissions + * @description Detects insecure file permission changes through `chmod` or `chown` commands. + * @kind problem + * @problem.severity high + * @tags security, file-permissions + */ + +import javascript + +class MatlabInsecureFilePermissions extends Expr { + MatlabInsecureFilePermissions() { + this.getFile().getName().endsWith(".m") and + exists(Expr permCall | + permCall.getSource() = this and + permCall.toString().matches("(chmod|chown)%") + ) + } +} + +from MatlabInsecureFilePermissions permCall +select permCall, "Insecure file permission changes detected, review chmod/chown usage." \ No newline at end of file diff --git a/.github/custom-queries/matlab/Insecure Random Number Generation.ql b/.github/custom-queries/matlab/Insecure Random Number Generation.ql new file mode 100644 index 00000000..771ed308 --- /dev/null +++ b/.github/custom-queries/matlab/Insecure Random Number Generation.ql @@ -0,0 +1,22 @@ +/** + * @name Insecure random number generation + * @description Detects usage of non-cryptographically secure random number generators like `rand` and `randi`. + * @kind problem + * @problem.severity warning + * @tags security, crypto + */ + +import javascript + +class MatlabInsecureRandUsage extends Expr { + MatlabInsecureRandUsage() { + this.getFile().getName().endsWith(".m") and + exists(Expr randCall | + randCall.getSource() = this and + randCall.toString().matches("rand%") + ) + } +} + +from MatlabInsecureRandUsage randCall +select randCall, "Insecure random number generator used (rand or randi), consider using a secure alternative." diff --git a/.github/custom-queries/matlab/Insecure Usage of save Function.ql b/.github/custom-queries/matlab/Insecure Usage of save Function.ql new file mode 100644 index 00000000..956f0909 --- /dev/null +++ b/.github/custom-queries/matlab/Insecure Usage of save Function.ql 
@@ -0,0 +1,22 @@ +/** + * @name Insecure save function usage + * @description Detects insecure usage of the `save` function without specifying version or compression, leading to data risks. + * @kind problem + * @problem.severity warning + * @tags security, data-integrity + */ +import javascript + +class InsecureSaveFunction extends Expr { + InsecureSaveFunction() { + this.getFile().getName().endsWith(".m") and + exists(Expr saveCall | + saveCall.getSource() = this and + saveCall.toString().matches("save%") and + not saveCall.toString().matches("-v7\\.3%") + ) + } +} + +from InsecureSaveFunction saveCall +select saveCall, "Insecure save function usage detected, consider using '-v7.3' for better data integrity." diff --git a/.github/custom-queries/matlab/Insecure Use of eval Function.ql b/.github/custom-queries/matlab/Insecure Use of eval Function.ql new file mode 100644 index 00000000..ff7a4b07 --- /dev/null +++ b/.github/custom-queries/matlab/Insecure Use of eval Function.ql @@ -0,0 +1,22 @@ +/** + * @name Insecure use of eval + * @description Detects insecure usage of the `eval` function, which can lead to code injection vulnerabilities. + * @kind problem + * @problem.severity critical + * @tags security, code-injection + */ + +import javascript + +class MatlabInsecureEvalUsage extends Expr { + MatlabInsecureEvalUsage() { + this.getFile().getName().endsWith(".m") and + exists(Expr evalCall | + evalCall.getSource() = this and + evalCall.toString().matches("eval%") + ) + } +} + +from MatlabInsecureEvalUsage evalCall +select evalCall, "Insecure use of eval function, consider alternatives or validate input." diff --git a/.github/custom-queries/matlab/Insecure Use of urlread or webread Without TLS.ql b/.github/custom-queries/matlab/Insecure Use of urlread or webread Without TLS.ql new file mode 100644 index 00000000..584e1cbd --- /dev/null +++ b/.github/custom-queries/matlab/Insecure Use of urlread or webread Without TLS.ql 
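Review bot: In `Insecure Usage of save Function.ql` both patterns are anchored to the start of the same string, so `saveCall.toString().matches("save%")` and `not saveCall.toString().matches("-v7\\.3%")` can never conflict and every `save` call is reported whether or not `-v7.3` is given. The same always-true negation appears in `Insecure Use of urlread or webread Without TLS.ql`, where `not ... matches("https%")` is tested on a string that starts with `urlread`/`webread`, so HTTPS calls are flagged too, and in `Insecure load Function.ql`, where `matches("-ascii|-mat")` has no wildcard and a literal `|`, so it never matches. The negated check should look inside the call text with an unanchored wildcard, e.g. `not saveCall.toString().matches("%-v7.3%")` and `not urlReadCall.toString().matches("%https://%")`.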
@@ -0,0 +1,22 @@ +/** + * @name Insecure URL access without TLS + * @description Detects `urlread` or `webread` function usage for URLs that don't enforce HTTPS, which can lead to insecure communication. + * @kind problem + * @problem.severity high + * @tags security, communication + */ +import javascript + +class InsecureURLAccess extends Expr { + InsecureURLAccess() { + this.getFile().getName().endsWith(".m") and + exists(Expr urlReadCall | + urlReadCall.getSource() = this and + urlReadCall.toString().matches("(urlread|webread)%") and + not urlReadCall.toString().matches("https%") + ) + } +} + +from InsecureURLAccess urlReadCall +select urlReadCall, "Insecure URL access detected, consider enforcing HTTPS." diff --git a/.github/custom-queries/matlab/Insecure load Function.ql b/.github/custom-queries/matlab/Insecure load Function.ql new file mode 100644 index 00000000..cd0a2511 --- /dev/null +++ b/.github/custom-queries/matlab/Insecure load Function.ql @@ -0,0 +1,22 @@ +/** + * @name Insecure use of load function + * @description Detects use of the `load` function without specifying the file format, which can lead to security risks. + * @kind problem + * @problem.severity medium + * @tags security, data-integrity + */ +import javascript + +class InsecureLoadUsage extends Expr { + InsecureLoadUsage() { + this.getFile().getName().endsWith(".m") and + exists(Expr loadCall | + loadCall.getSource() = this and + loadCall.toString().matches("load%") and + not loadCall.toString().matches("-ascii|-mat") + ) + } +} + +from InsecureLoadUsage loadCall +select loadCall, "Insecure use of the load function detected. Specify the file format to ensure data integrity." diff --git a/.github/custom-queries/matlab/Potential Buffer Overflow via fscanf.ql b/.github/custom-queries/matlab/Potential Buffer Overflow via fscanf.ql new file mode 100644 index 00000000..65fec298 --- /dev/null +++ b/.github/custom-queries/matlab/Potential Buffer Overflow via fscanf.ql 
@@ -0,0 +1,24 @@ +/** + * @name Potential buffer overflow in fscanf + * @description Detects potential buffer overflow vulnerabilities when using `fscanf` without checking input size. + * @kind problem + * @problem.severity critical + * @tags security, buffer-overflow + */ +import javascript + +class BufferOverflowFscanf extends Expr { + BufferOverflowFscanf() { + this.getFile().getName().endsWith(".m") and + exists(Expr fscanfCall | + fscanfCall.getSource() = this and + fscanfCall.toString().matches("fscanf%") and + not exists(Expr sizeCheck | + sizeCheck.getSource() = fscanfCall and + sizeCheck.toString().matches("(size|length)%")) + ) + } +} + +from BufferOverflowFscanf fscanfCall +select fscanfCall, "Potential buffer overflow detected in fscanf usage without input size validation." diff --git a/.github/custom-queries/matlab/Unchecked System() command.ql b/.github/custom-queries/matlab/Unchecked System() command.ql new file mode 100644 index 00000000..1c3880d4 --- /dev/null +++ b/.github/custom-queries/matlab/Unchecked System() command.ql @@ -0,0 +1,24 @@ +/** + * @name Unchecked system command execution + * @description Detects `system()` function usage with untrusted inputs, which can lead to command injection vulnerabilities. + * @kind problem + * @problem.severity critical + * @tags security, command-injection + */ +import javascript + +class UncheckedSystemCommand extends Expr { + UncheckedSystemCommand() { + this.getFile().getName().endsWith(".m") and + exists(Expr systemCall | + systemCall.getSource() = this and + systemCall.toString().matches("system%") and + not exists(Expr validation | + validation.getSource() = systemCall and + validation.toString().matches("(validate|sanitize)%")) + ) + } +} + +from UncheckedSystemCommand systemCall +select systemCall, "Unchecked system command execution detected. Ensure input is properly validated or sanitized." 
diff --git a/.github/custom-queries/matlab/Uninitialized Variables.ql b/.github/custom-queries/matlab/Uninitialized Variables.ql new file mode 100644 index 00000000..779c15b8 --- /dev/null +++ b/.github/custom-queries/matlab/Uninitialized Variables.ql @@ -0,0 +1,25 @@ +/** + * @name Uninitialized variable in MATLAB + * @description Find variables used without being initialized. + * @kind problem + * @problem.severity warning + * @tags reliability + */ + +import javascript + +// Find a variable usage before its assignment +class MatlabVariableUsage extends Expr { + MatlabVariableUsage() { + this.getFile().getName().endsWith(".m") and + exists(Expr usage | + usage = this and + not exists(Expr init | + init.getSource() = usage and + init.getFile().getName().endsWith(".m")) + ) + } +} + +from MatlabVariableUsage usage +select usage, "Possible uninitialized variable usage in MATLAB" diff --git a/.github/custom-queries/matlab/Unsafe Use of system Command.ql b/.github/custom-queries/matlab/Unsafe Use of system Command.ql new file mode 100644 index 00000000..6b3b1c52 --- /dev/null +++ b/.github/custom-queries/matlab/Unsafe Use of system Command.ql @@ -0,0 +1,25 @@ +/** + * @name Insecure use of system command + * @description Detects unvalidated input passed to the `system` function, which can lead to command injection. + * @kind problem + * @problem.severity critical + * @tags security, command-injection + */ + +import javascript + +class MatlabSystemCommand extends Expr { + MatlabSystemCommand() { + this.getFile().getName().endsWith(".m") and + exists(Expr sysCall | + sysCall.getSource() = this and + sysCall.toString().matches("system%") and + not exists(Expr inputValidation | + inputValidation.getSource() = sysCall and + inputValidation.toString().matches("validate%")) + ) + } +} + +from MatlabSystemCommand sysCall +select sysCall, "Potentially unsafe system command execution without input validation." 
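Review bot: In `Uninitialized Variables.ql` the constructor's `usage = this` is a tautology and the negated `exists(Expr init | init.getSource() = usage ...)` holds for almost every expression, so the query would report essentially every expression in every `.m` file as an uninitialized variable; a real check needs a `VarAccess` with no reaching definition, not a string match on `Expr`. `Unsafe Use of system Command.ql` in this same commit duplicates `Unchecked System() command.ql` (same `system%` trigger, differing only in `validate%` versus `(validate|sanitize)%`), which would yield two alerts per finding; keep one and give it an `@id`.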
diff --git a/.github/custom-queries/matlab/Unsafe fopen Usage.ql b/.github/custom-queries/matlab/Unsafe fopen Usage.ql new file mode 100644 index 00000000..ecb4176f --- /dev/null +++ b/.github/custom-queries/matlab/Unsafe fopen Usage.ql @@ -0,0 +1,25 @@ +/** + * @name Unsafe fopen usage + * @description Detects `fopen` calls without error handling or proper file permissions. + * @kind problem + * @problem.severity warning + * @tags security, file-handling + */ + +import javascript + +class MatlabUnsafeFopenUsage extends Expr { + MatlabUnsafeFopenUsage() { + this.getFile().getName().endsWith(".m") and + exists(Expr fopenCall | + fopenCall.getSource() = this and + fopenCall.toString().matches("fopen%") and + not exists(Expr fcloseCall | + fcloseCall.getSource() = fopenCall and + fcloseCall.toString().matches("fclose%")) + ) + } +} + +from MatlabUnsafeFopenUsage fopenCall +select fopenCall, "File opened with fopen but no fclose or error handling detected." diff --git a/.github/custom-queries/matlab/Unsanitized User Input.ql b/.github/custom-queries/matlab/Unsanitized User Input.ql new file mode 100644 index 00000000..80b28995 --- /dev/null +++ b/.github/custom-queries/matlab/Unsanitized User Input.ql 
@@ -0,0 +1,24 @@ +/** + * @name Unsanitized user input in plotting functions + * @description Detects unsanitized or unvalidated user input passed to plotting functions, which can lead to vulnerabilities. + * @kind problem + * @problem.severity medium + * @tags security, input-validation + */ +import javascript + +class UnsanitizedInputInPlot extends Expr { + UnsanitizedInputInPlot() { + this.getFile().getName().endsWith(".m") and + exists(Expr plotCall | + plotCall.getSource() = this and + plotCall.toString().matches("(plot|scatter|bar|hist)%") and + not exists(Expr inputValidation | + inputValidation.getSource() = plotCall and + inputValidation.toString().matches("(validate|sanitize)%")) + ) + } +} + +from UnsanitizedInputInPlot plotCall +select plotCall, "Unsanitized user input detected in plotting function. Ensure input is properly validated or sanitized." diff --git a/.github/custom-queries/matlab/Untrusted Input.ql b/.github/custom-queries/matlab/Untrusted Input.ql new file mode 100644 index 00000000..d23572f0 --- /dev/null +++ b/.github/custom-queries/matlab/Untrusted Input.ql @@ -0,0 +1,23 @@ +/** + * @name Untrusted input in eval + * @description Detects `eval` function usage with untrusted or unsanitized input, leading to potential code injection. + * @kind problem + * @problem.severity critical + * @tags security, code-injection + */ +import javascript + +class EvalUntrustedInput extends Expr { + EvalUntrustedInput() { + this.getFile().getName().endsWith(".m") and + exists(Expr evalCall | + evalCall.getSource() = this and + evalCall.toString().matches("eval%") and + not exists(Expr inputValidation | + inputValidation.getSource() = evalCall and inputValidation.toString().matches("(validate|sanitiz)%")) + ) + } +} + +from EvalUntrustedInput evalCall +select evalCall, "Potential code injection via untrusted input passed to eval function." 
diff --git a/.github/custom-queries/matlab/Unvalidated User Input in File Operations.ql b/.github/custom-queries/matlab/Unvalidated User Input in File Operations.ql new file mode 100644 index 00000000..bc751500 --- /dev/null +++ b/.github/custom-queries/matlab/Unvalidated User Input in File Operations.ql @@ -0,0 +1,23 @@ +/** + * @name Unvalidated input in file operations + * @description Detects unvalidated user input used in file operations, leading to potential file injection or manipulation. + * @kind problem + * @problem.severity critical + * @tags security, input-validation + */ +import javascript + +class UnvalidatedInputFileOp extends Expr { + UnvalidatedInputFileOp() { + this.getFile().getName().endsWith(".m") and + exists(Expr fileOp | + fileOp.getSource() = this and + fileOp.toString().matches("(fopen|fwrite|fclose)%") and + not exists(Expr inputValidation | + inputValidation.getSource() = fileOp and inputValidation.toString().matches("(validate|sanitiz)%")) + ) + } +} + +from UnvalidatedInputFileOp fileOp +select fileOp, "Unvalidated input passed to file operations like fopen or fwrite, leading to security risks." diff --git a/.github/custom-queries/matlab/Use of Weak Cryptographic functions.ql b/.github/custom-queries/matlab/Use of Weak Cryptographic functions.ql new file mode 100644 index 00000000..136d9129 --- /dev/null +++ b/.github/custom-queries/matlab/Use of Weak Cryptographic functions.ql 
@@ -0,0 +1,21 @@ +/** + * @name Weak cryptographic functions + * @description Detects usage of weak or deprecated cryptographic functions such as MD5. + * @kind problem + * @problem.severity high + * @tags security, cryptography + */ +import javascript + +class WeakCryptography extends Expr { + WeakCryptography() { + this.getFile().getName().endsWith(".m") and + exists(Expr cryptoCall | + cryptoCall.getSource() = this and + cryptoCall.toString().matches("(md5|sha1)%") + ) + } +} + +from WeakCryptography cryptoCall +select cryptoCall, "Weak cryptographic function detected (md5 or sha1), consider stronger alternatives." From bec345ee02450847ebc61a914a1815963de0ff7e Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 14:51:37 +0530 Subject: [PATCH 04/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index b3c68e17..527a4182 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,9 +1,9 @@ name: Code Scan on: - #push: - #branches: - #- master # Change this if your default branch is different + push: + branches: + - master # Change this if your default branch is different pull_request: branches: - master @@ -45,7 +45,7 @@ jobs: uses: github/codeql-action/analyze@v2 with: category: 'security' - paths: 'path/to/your/codebase/**/*.c' + paths: '/.github/custom-queries/matlab/*.ql' - name: Clean up run: | From e335a9f05c5eeeb2a318be0a7e776b9e959496af Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 14:53:17 +0530 Subject: [PATCH 05/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 75 +++++++++++++------------------ 1 file changed, 32 insertions(+), 43 deletions(-) 
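Review bot: `paths: '/.github/custom-queries/matlab/*.ql'` will not make the custom queries run: `paths` is not an input of `github/codeql-action/analyze`, and even in a CodeQL config file `paths` narrows which source files are scanned rather than naming queries, so the `.ql` files are ignored (an unrecognised input is only a warning). The leading `/` additionally makes the value an absolute filesystem path rather than a repository-relative one. Custom queries are handed to the `init` step, e.g. `queries: ./.github/custom-queries/matlab`, and at this commit the workflow has no `init` step before `analyze` at all — the removed lines in the next commit show the steps going straight from the ctags/cscope targets to `analyze`. The enclosing `steps:` list starts above this hunk.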
diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 527a4182..d7bd5582 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,52 +1,41 @@ -name: Code Scan +name: "Custom CodeQL Analysis for MATLAB Security" on: push: - branches: - - master # Change this if your default branch is different + branches: [ "master" ] pull_request: - branches: - - master + branches: [ "master" ] + schedule: + - cron: '0 0 * * 1' jobs: - build: + analyze: + name: Analyze MATLAB Code runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write steps: - - name: Checkout Code - uses: actions/checkout@v2 - - - name: Set up dependencies - run: | - # Install dependencies if required - sudo apt-get install -y ctags gtags cscope - - - name: Run Ctags - run: | - make ctags - - - name: Run Gtags - run: | - make GTAGS - - - name: Run Cscope - run: | - make cscope - - - name: Clean Cscope files - run: | - make clean-cscope - - - name: Clean Tags - run: | - make distclean-tags - - - name: Run CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: 'security' - paths: '/.github/custom-queries/matlab/*.ql' - - - name: Clean up - run: | - make distclean + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ['javascript', 'shell'] # Generic language selection + + - name: Autobuild project + run: echo "No build step needed for MATLAB" + + - name: Create CodeQL Database + run: | + codeql database create matlab-db --language=javascript --source-root=. + + - name: Run Custom CodeQL Queries + run: | + codeql query run --database=matlab-db custom-queries/matlab/*.ql + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 From e233eab7ea699ed3bce0605237d32d01ea9db4d6 Mon Sep 17 00:00:00 2001 
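Review bot: The `Run Custom CodeQL Queries` step globs `custom-queries/matlab/*.ql`, but the queries were added under `.github/custom-queries/matlab/` (see the file headers of the earlier commits), so `codeql query run` finds nothing to run. Even with the right path, a bare `.ql` file that is not inside a QL pack (no `qlpack.yml` declaring a dependency on `codeql/javascript-all`) cannot resolve `import javascript`. The `init` step's `languages: ['javascript', 'shell']` passes a YAML sequence where the action expects a comma-separated string, and `shell` is not a language CodeQL analyses. Since `init`/`analyze` already drive the CLI, the simplest fix is to delete the two raw `codeql` steps and give `init` `queries: ./.github/custom-queries/matlab` once that directory carries a `qlpack.yml`.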
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 14:57:41 +0530 Subject: [PATCH 06/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index d7bd5582..fb74a2ba 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -24,7 +24,8 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: - languages: ['javascript', 'shell'] # Generic language selection + language: 'javascript' # Generic language selection + - name: Autobuild project run: echo "No build step needed for MATLAB" From 81df387ae313f8f80239dcbea3f8f75cfe90138d Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 15:01:35 +0530 Subject: [PATCH 07/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index fb74a2ba..d42b166c 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -24,7 +24,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: - language: 'javascript' # Generic language selection + language: 'javascript, shell' # Generic language selection - name: Autobuild project From 88da5323f2df44cd2f03a7be7d876eb3264d3ee7 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 15:04:46 +0530 Subject: [PATCH 08/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index d42b166c..8a6b5b28 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
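Review bot: `language: 'javascript'` renames the input away from the one `github/codeql-action/init` reads, `languages`, so the value is ignored and the action falls back to language auto-detection (unknown inputs only warn). The following commit on this line then sets it to `'javascript, shell'`; `shell` is not a language CodeQL can analyse and would make `init` fail as soon as the key is spelled correctly. A single `languages: 'javascript'` covers both.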
@@ -24,7 +24,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: - language: 'javascript, shell' # Generic language selection + languages: 'javascript, shell' # Generic language selection - name: Autobuild project From 551a31316a37be2d948c57404dcebeabf6a56f58 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 15:07:30 +0530 Subject: [PATCH 09/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 8a6b5b28..6f87de73 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -24,7 +24,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: - languages: 'javascript, shell' # Generic language selection + languages: 'javascript' # Generic language selection - name: Autobuild project From 00bfc3cab49cf6f0f7f9fdc954c17cb0f7b07891 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 15:09:27 +0530 Subject: [PATCH 10/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 6f87de73..0c455df3 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -24,8 +24,7 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: - languages: 'javascript' # Generic language selection - + languages: 'javascript' # Only use supported languages - name: Autobuild project run: echo "No build step needed for MATLAB" 
@@ -33,10 +32,14 @@ jobs: - name: Create CodeQL Database run: | codeql database create matlab-db --language=javascript --source-root=. + env: + CODEQL_PATH: ${{ github.workspace }}/codeql - name: Run Custom CodeQL Queries run: | codeql query run --database=matlab-db custom-queries/matlab/*.ql + env: + CODEQL_PATH: ${{ github.workspace }}/codeql - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From 6ee553eeee11519adf29a79223b2c90f31bb740f Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 15:13:07 +0530 Subject: [PATCH 11/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 0c455df3..2e239f4e 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
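Review bot: Setting `CODEQL_PATH` in `env:` does not help the `codeql database create` and `codeql query run` commands in these two steps: the shell resolves `codeql` through `PATH`, not through that variable, and as far as I can tell `init` places the CLI in the runner tool cache rather than under `${{ github.workspace }}/codeql`, so the directory the value names does not exist. If the raw CLI is really needed, the step must add the bundle's `bin` directory to `PATH` explicitly; otherwise let `init`/`analyze` run the custom queries via `init`'s `queries` input and delete these steps.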
@@ -24,22 +24,23 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: - languages: 'javascript' # Only use supported languages + languages: 'javascript' # Specify the language you want to analyze - name: Autobuild project run: echo "No build step needed for MATLAB" - name: Create CodeQL Database - run: | - codeql database create matlab-db --language=javascript --source-root=. - env: - CODEQL_PATH: ${{ github.workspace }}/codeql + uses: github/codeql-action/autobuild@v2 + with: + languages: 'javascript' + # Note: The autobuild step automatically creates a database, so you may not need to do this step. - name: Run Custom CodeQL Queries - run: | - codeql query run --database=matlab-db custom-queries/matlab/*.ql - env: - CODEQL_PATH: ${{ github.workspace }}/codeql + uses: github/codeql-action/analyze@v2 + with: + category: 'security' + queries: custom-queries/matlab/*.ql + # The analyze step automatically handles database creation and running queries - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From 2fe55ca9dd83d21e80dbf4050904848ff0a2fc38 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 15:50:13 +0530 Subject: [PATCH 12/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 2e239f4e..15d91118 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,4 +1,4 @@ -name: "Custom CodeQL Analysis for MATLAB Security" +name: "MATLAB Code Scanning and CodeQL Analysis" on: push: 
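Review bot: `queries: custom-queries/matlab/*.ql` is given to `github/codeql-action/analyze`, which has no `queries` input (it belongs to `init`, and it expects a directory or query path rather than a shell glob), and `autobuild` likewise has no `languages` input; both are silently dropped, so the custom queries still never run. The job then calls `analyze@v2` twice in a row; the first call finalises the database and uploads results, and I would expect the second to fail on the already-finalised database. Move the queries to the `init` step (`queries: ./.github/custom-queries/matlab`) and keep exactly one `analyze` step. The job definition these steps belong to starts above the hunk.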
@@ -21,26 +21,41 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 + - name: Install Octave + run: | + sudo apt-get update + sudo apt-get install -y octave + + - name: Run static code analysis + run: | + echo "addpath('code'); files = dir('code/**/*.m'); results = {}; for k = 1:length(files), filePath = fullfile(files(k).folder, files(k).name); fid = fopen(filePath, 'r'); code = fread(fid, '*char')'; fclose(fid); issues = codeAnalysis(code); if ~isempty(issues), results{end+1} = {filePath, issues}; end; end; save('code-analysis-results.m', 'results');" > analyze_code.m + octave --no-gui analyze_code.m + + - name: Convert results to text + run: | + octave --no-gui --eval "load('code-analysis-results.m'); fid = fopen('code-analysis-results.txt', 'w'); for i = 1:length(results), fprintf(fid, 'File: %s\n', results{i}{1}); fprintf(fid, '%s\n', results{i}{2}{:}); end; fclose(fid);" + + - name: Upload static analysis results + uses: actions/upload-artifact@v3 + with: + name: static-code-analysis-results + path: code-analysis-results.txt + - name: Initialize CodeQL uses: github/codeql-action/init@v2 with: languages: 'javascript' # Specify the language you want to analyze - - name: Autobuild project - run: echo "No build step needed for MATLAB" - - name: Create CodeQL Database uses: github/codeql-action/autobuild@v2 with: languages: 'javascript' - # Note: The autobuild step automatically creates a database, so you may not need to do this step. - name: Run Custom CodeQL Queries uses: github/codeql-action/analyze@v2 with: category: 'security' queries: custom-queries/matlab/*.ql - # The analyze step automatically handles database creation and running queries - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From c0e565a66f2e07de35aff1b15e4bce5c8efade8f Mon Sep 17 00:00:00 2001 
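Review bot: `codeAnalysis(code)` in the generated analyze_code.m is not an Octave built-in, and no definition of it is added anywhere in this series, so `octave --no-gui analyze_code.m` aborts on the first `.m` file it reads and nothing downstream of the `Run static code analysis` step runs. If it is meant to be a repository-provided function, the script should check for it up front and fail with an explicit message, e.g. `if ~exist('codeAnalysis', 'file'), error('codeAnalysis.m not found on the Octave path'); end;`. Separately, `save('code-analysis-results.m', 'results')` writes Octave's data format into a file named like MATLAB source; `.mat` is the conventional extension and keeps it out of the `dir('code/**/*.m')` glob.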
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 15:54:09 +0530 Subject: [PATCH 13/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 15d91118..062f35a1 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -55,7 +55,7 @@ jobs: uses: github/codeql-action/analyze@v2 with: category: 'security' - queries: custom-queries/matlab/*.ql + queries: /.github/custom-queries/matlab/*.ql - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v2 From 8e368ce08938821c3c8794c8db7c498dbab43b77 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Tue, 22 Oct 2024 18:04:00 +0530 Subject: [PATCH 14/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 102 ++++++++++++++++-------------- 1 file changed, 53 insertions(+), 49 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 062f35a1..93d977a7 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
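Review bot: The leading `/` in `queries: /.github/custom-queries/matlab/*.ql` makes this an absolute path on the runner's filesystem rather than a path under the checkout, so it resolves to nothing; the repository-relative form is `./.github/custom-queries/matlab`. The `queries` input also belongs to `init`, not `analyze` (raised on the previous commit), so moving it there is the real fix.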
@@ -1,61 +1,65 @@ -name: "MATLAB Code Scanning and CodeQL Analysis" +# This workflow analyzes MATLAB code using Octave and uploads results as SARIF to GitHub Security + +name: "Octave Static Code Analysis for MATLAB" on: push: branches: [ "master" ] pull_request: branches: [ "master" ] - schedule: - - cron: '0 0 * * 1' + workflow_dispatch: # Allows manual trigger from the Actions tab jobs: analyze: - name: Analyze MATLAB Code + name: Analyze MATLAB Code with Octave runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write steps: - - name: Checkout repository - uses: actions/checkout@v3 - - - name: Install Octave - run: | - sudo apt-get update - sudo apt-get install -y octave - - - name: Run static code analysis - run: | - echo "addpath('code'); files = dir('code/**/*.m'); results = {}; for k = 1:length(files), filePath = fullfile(files(k).folder, files(k).name); fid = fopen(filePath, 'r'); code = fread(fid, '*char')'; fclose(fid); issues = codeAnalysis(code); if ~isempty(issues), results{end+1} = {filePath, issues}; end; end; save('code-analysis-results.m', 'results');" > analyze_code.m - octave --no-gui analyze_code.m - - - name: Convert results to text - run: | - octave --no-gui --eval "load('code-analysis-results.m'); fid = fopen('code-analysis-results.txt', 'w'); for i = 1:length(results), fprintf(fid, 'File: %s\n', results{i}{1}); fprintf(fid, '%s\n', results{i}{2}{:}); end; fclose(fid);" - - - name: Upload static analysis results - uses: actions/upload-artifact@v3 - with: - name: static-code-analysis-results - path: code-analysis-results.txt - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: 'javascript' # Specify the language you want to analyze - - - name: Create CodeQL Database - uses: github/codeql-action/autobuild@v2 - with: - languages: 'javascript' - - - name: Run Custom CodeQL Queries - uses: github/codeql-action/analyze@v2 - with: - category: 'security' - queries: 
/.github/custom-queries/matlab/*.ql - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + # Step 1: Checkout the repository + - name: Checkout repository + uses: actions/checkout@v3 + + # Step 2: Install Octave + - name: Install Octave + run: | + sudo apt-get update + sudo apt-get install -y octave + + # Step 3: Create a script for static code analysis + - name: Create MATLAB analysis script + run: | + echo "addpath('code'); \ + files = dir('code/**/*.m'); \ + results = {}; \ + for k = 1:length(files), \ + filePath = fullfile(files(k).folder, files(k).name); \ + fid = fopen(filePath, 'r'); \ + code = fread(fid, '*char')'; \ + fclose(fid); \ + issues = codeAnalysis(code); \ + if ~isempty(issues), results{end+1} = {filePath, issues}; end; \ + end; \ + save('code-analysis-results.mat', 'results');" > analyze_code.m + + # Step 4: Run the analysis script using Octave + - name: Run static code analysis + run: | + octave --no-gui analyze_code.m + + # Step 5: Convert results to SARIF format + - name: Convert results to SARIF + run: | + octave --no-gui --eval "load('code-analysis-results.mat'); \ + fid = fopen('code-analysis-results.sarif', 'w'); \ + fprintf(fid, '{ \"version\": \"2.1.0\", \"runs\": [ { \"tool\": { \"driver\": { \"name\": \"Octave Static Analysis\", \"version\": \"1.0\" } }, \"results\": ['); \ + for i = 1:length(results), \ + fprintf(fid, '{ \"ruleId\": \"MATLAB001\", \"message\": { \"text\": \"%s\" }, \"locations\": [ { \"physicalLocation\": { \"artifactLocation\": { \"uri\": \"%s\" } } } ] },', results{i}{2}{:}, results{i}{1}); \ + end; \ + fprintf(fid, '] } ] }'); \ + fclose(fid);" + + # Step 6: Upload SARIF file to GitHub Security tab + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: code-analysis-results.sarif From 8ce4e1fe171dc8c7ecbf7f60458028c11ece1ea7 Mon Sep 17 00:00:00 2001 
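Review bot: This rewrite removes the job's `permissions:` block (the deleted `security-events: write`, `actions: read`, `contents: read`), yet the new `Upload SARIF file` step needs `security-events: write`; without an explicit block the job inherits the repository's default `GITHUB_TOKEN` permissions, which either lack that scope (the upload fails) or grant far more than the job needs. Restore `permissions:` under `analyze:` with `contents: read` and `security-events: write`. The SARIF writer also does not emit valid JSON: each result object ends with `,` and `fprintf(fid, '] } ] }')` then leaves a trailing comma before `]`, and `fprintf(fid, fmt, results{i}{2}{:}, results{i}{1})` recycles the two-`%s` format over however many issues a file has, so the file path lands in a `message` slot and issue text in `uri` whenever a file has more than one issue; the message text is not JSON-escaped either. Build the results as a struct array and serialise with `jsonencode` if the runner's Octave is 7 or newer, otherwise write one correctly escaped object per result and join them explicitly.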
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:27:57 +0530 Subject: [PATCH 15/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 93d977a7..74fc8310 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,5 +1,3 @@ -# This workflow analyzes MATLAB code using Octave and uploads results as SARIF to GitHub Security - name: "Octave Static Code Analysis for MATLAB" on: @@ -25,12 +23,17 @@ jobs: sudo apt-get update sudo apt-get install -y octave - # Step 3: Create a script for static code analysis - - name: Create MATLAB analysis script + # Step 3: Check if the code directory exists and create the analysis script + - name: Check directory and create MATLAB analysis script run: | + if [ ! -d "code" ]; then + echo "Directory 'code' does not exist. Please add your MATLAB files to the 'code' directory." + exit 1 + fi echo "addpath('code'); \ files = dir('code/**/*.m'); \ results = {}; \ + if isempty(files), disp('No MATLAB files found.'); exit; end; \ for k = 1:length(files), \ filePath = fullfile(files(k).folder, files(k).name); \ fid = fopen(filePath, 'r'); \ From 8ee40fe851caf94e41726e1bb39c63ec6e61c923 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:32:36 +0530 Subject: [PATCH 16/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 74fc8310..121589eb 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
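Review bot: The new `if isempty(files), disp('No MATLAB files found.'); exit; end;` leaves Octave with exit status 0 and no `code-analysis-results.mat` on disk, so a `code` directory without `.m` files passes this step and then breaks the `Convert results to SARIF` step at `load(...)` with a far less informative error. Either write an empty result set before leaving — `if isempty(files), disp('No MATLAB files found.'); results = {}; save('code-analysis-results.mat', 'results'); exit; end; \` — or use `exit(1)` if an empty tree should fail the job. The shell check for the `code` directory is fine, though the same path is now hard-coded both in the shell and in the generated script. The `run:` block continues beyond the hunk.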
@@ -17,13 +17,19 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 - # Step 2: Install Octave + # Step 2: List repository contents for debugging + - name: List files in the repository + run: | + echo "Listing repository files:" + ls -R + + # Step 3: Install Octave - name: Install Octave run: | sudo apt-get update sudo apt-get install -y octave - # Step 3: Check if the code directory exists and create the analysis script + # Step 4: Check if the code directory exists and create the analysis script - name: Check directory and create MATLAB analysis script run: | if [ ! -d "code" ]; then @@ -44,12 +50,12 @@ jobs: end; \ save('code-analysis-results.mat', 'results');" > analyze_code.m - # Step 4: Run the analysis script using Octave + # Step 5: Run the analysis script using Octave - name: Run static code analysis run: | octave --no-gui analyze_code.m - # Step 5: Convert results to SARIF format + # Step 6: Convert results to SARIF format - name: Convert results to SARIF run: | octave --no-gui --eval "load('code-analysis-results.mat'); \ @@ -61,7 +67,7 @@ jobs: fprintf(fid, '] } ] }'); \ fclose(fid);" - # Step 6: Upload SARIF file to GitHub Security tab + # Step 7: Upload SARIF file to GitHub Security tab - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: From fef25e40fc4085c0fc04c61002855bcd65bf26d7 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:38:51 +0530 Subject: [PATCH 17/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 121589eb..f43e28a0 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
@@ -29,15 +29,11 @@ jobs: sudo apt-get update sudo apt-get install -y octave - # Step 4: Check if the code directory exists and create the analysis script - - name: Check directory and create MATLAB analysis script + # Step 4: Create the MATLAB analysis script + - name: Create MATLAB analysis script run: | - if [ ! -d "code" ]; then - echo "Directory 'code' does not exist. Please add your MATLAB files to the 'code' directory." - exit 1 - fi - echo "addpath('code'); \ - files = dir('code/**/*.m'); \ + echo "addpath(genpath(pwd)); \ + files = dir('**/*.m'); \ results = {}; \ if isempty(files), disp('No MATLAB files found.'); exit; end; \ for k = 1:length(files), \ From eef5b4998b84597b15f3db2c02b71ebe2d74b59c Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:42:05 +0530 Subject: [PATCH 18/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index f43e28a0..38e4f854 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -17,22 +17,17 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 - # Step 2: List repository contents for debugging - - name: List files in the repository - run: | - echo "Listing repository files:" - ls -R - - # Step 3: Install Octave + # Step 2: Install Octave - name: Install Octave run: | sudo apt-get update sudo apt-get install -y octave - # Step 4: Create the MATLAB analysis script + # Step 3: Create the MATLAB analysis script - name: Create MATLAB analysis script run: | echo "addpath(genpath(pwd)); \ + addpath('analysis'); % Add this line if codeAnalysis is in 'analysis' folder \ files = dir('**/*.m'); \ results = {}; \ if isempty(files), disp('No MATLAB files found.'); exit; end; \ 
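Review bot: `addpath(genpath(pwd))` puts every directory of the checkout — `.git` and anything a contributor adds — at the front of Octave's function path, so a repository file named after a function the analysis script itself calls (`dir`, `fopen`, `fread`, `codeAnalysis`) would be executed in its place; for a job meant to analyse rather than run repository code, add only the directory that actually provides `codeAnalysis`. I also doubt the `**` in `dir('**/*.m')` recurses on Octave's `dir` the way it does in MATLAB — confirm on the runner's Octave version, or build the file list recursively. The `run:` block continues beyond the hunk.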
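Review bot: The added `addpath('analysis'); % Add this line if codeAnalysis is in 'analysis' folder \` comments out the rest of the generated script: bash removes every backslash-newline pair inside the double-quoted `echo` argument, so analyze_code.m is written as a single line, and an Octave `%` comment runs to the end of that line — `files = dir(...)`, the loop and `save(...)` never execute, and the later `load('code-analysis-results.mat')` fails. Drop the comment (`addpath('analysis'); \`) or move it into a YAML `#` comment above the `run:` block. PATCH 22 later in this series re-introduces the same line.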
@@ -46,12 +41,12 @@ jobs: end; \ save('code-analysis-results.mat', 'results');" > analyze_code.m - # Step 5: Run the analysis script using Octave + # Step 4: Run the analysis script using Octave - name: Run static code analysis run: | octave --no-gui analyze_code.m - # Step 6: Convert results to SARIF format + # Step 5: Convert results to SARIF format - name: Convert results to SARIF run: | octave --no-gui --eval "load('code-analysis-results.mat'); \ @@ -63,7 +58,7 @@ jobs: fprintf(fid, '] } ] }'); \ fclose(fid);" - # Step 7: Upload SARIF file to GitHub Security tab + # Step 6: Upload SARIF file to GitHub Security tab - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: From 1b386b279dd3a2f25fd29387c7ad02613dd1d232 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:06:40 +0530 Subject: [PATCH 19/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 38e4f854..55efb01e 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -27,7 +27,6 @@ jobs: - name: Create MATLAB analysis script run: | echo "addpath(genpath(pwd)); \ - addpath('analysis'); % Add this line if codeAnalysis is in 'analysis' folder \ files = dir('**/*.m'); \ results = {}; \ if isempty(files), disp('No MATLAB files found.'); exit; end; \ 
@@ -39,13 +38,22 @@ jobs: issues = codeAnalysis(code); \ if ~isempty(issues), results{end+1} = {filePath, issues}; end; \ end; \ - save('code-analysis-results.mat', 'results');" > analyze_code.m + save('code-analysis-results.mat', 'results'); \ + disp('Analysis results saved.');" > analyze_code.m # Step 4: Run the analysis script using Octave - name: Run static code analysis run: | octave --no-gui analyze_code.m + # Step 4.5: Verify the results file exists + - name: Verify results file exists + run: | + if [ ! -f "code-analysis-results.mat" ]; then + echo "code-analysis-results.mat not found, analysis may have failed."; + exit 1; + fi + # Step 5: Convert results to SARIF format - name: Convert results to SARIF run: | From c1a8079cbf83314178b445428be848f181d858bc Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:19:35 +0530 Subject: [PATCH 20/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 57 ++++++------------------------- 1 file changed, 11 insertions(+), 46 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 55efb01e..21403f83 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,4 +1,4 @@ -name: "Octave Static Code Analysis for MATLAB" +name: "Octave Static Code Execution for MATLAB" on: push: 
@@ -23,51 +23,16 @@ jobs: sudo apt-get update sudo apt-get install -y octave - # Step 3: Create the MATLAB analysis script - - name: Create MATLAB analysis script + # Step 3: Run all MATLAB files to catch errors + - name: Run all .m files run: | - echo "addpath(genpath(pwd)); \ - files = dir('**/*.m'); \ - results = {}; \ - if isempty(files), disp('No MATLAB files found.'); exit; end; \ - for k = 1:length(files), \ - filePath = fullfile(files(k).folder, files(k).name); \ - fid = fopen(filePath, 'r'); \ - code = fread(fid, '*char')'; \ - fclose(fid); \ - issues = codeAnalysis(code); \ - if ~isempty(issues), results{end+1} = {filePath, issues}; end; \ - end; \ - save('code-analysis-results.mat', 'results'); \ - disp('Analysis results saved.');" > analyze_code.m + for file in $(find . -name "*.m"); do + octave --no-gui $file || exit 1; + done - # Step 4: Run the analysis script using Octave - - name: Run static code analysis - run: | - octave --no-gui analyze_code.m - - # Step 4.5: Verify the results file exists - - name: Verify results file exists - run: | - if [ ! 
-f "code-analysis-results.mat" ]; then - echo "code-analysis-results.mat not found, analysis may have failed."; - exit 1; - fi - - # Step 5: Convert results to SARIF format - - name: Convert results to SARIF - run: | - octave --no-gui --eval "load('code-analysis-results.mat'); \ - fid = fopen('code-analysis-results.sarif', 'w'); \ - fprintf(fid, '{ \"version\": \"2.1.0\", \"runs\": [ { \"tool\": { \"driver\": { \"name\": \"Octave Static Analysis\", \"version\": \"1.0\" } }, \"results\": ['); \ - for i = 1:length(results), \ - fprintf(fid, '{ \"ruleId\": \"MATLAB001\", \"message\": { \"text\": \"%s\" }, \"locations\": [ { \"physicalLocation\": { \"artifactLocation\": { \"uri\": \"%s\" } } } ] },', results{i}{2}{:}, results{i}{1}); \ - end; \ - fprintf(fid, '] } ] }'); \ - fclose(fid);" - - # Step 6: Upload SARIF file to GitHub Security tab - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + # Step 4: Upload run results (if you log output) + - name: Upload results + uses: actions/upload-artifact@v3 with: - sarif_file: code-analysis-results.sarif + name: octave-execution-results + path: ./output.log # You can log results to a file From e03896dda0902b8125157dc6f2062b3d2c9173bd Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:21:37 +0530 Subject: [PATCH 21/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 21403f83..d5f315ac 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
@@ -23,16 +23,20 @@ jobs: sudo apt-get update sudo apt-get install -y octave - # Step 3: Run all MATLAB files to catch errors + # Step 3: Run all MATLAB files and log errors - name: Run all .m files run: | + mkdir -p output for file in $(find . -name "*.m"); do - octave --no-gui $file || exit 1; + octave --no-gui $file >> output/octave_output.log 2>&1 || { + echo "Error executing $file. Check output/octave_output.log for details." + exit 1 + } done - # Step 4: Upload run results (if you log output) - - name: Upload results + # Step 4: Upload results + - name: Upload output logs uses: actions/upload-artifact@v3 with: - name: octave-execution-results - path: ./output.log # You can log results to a file + name: octave-output + path: output/octave_output.log From 97c0b7a6e09fa23b3027e8321026382e9f388d47 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:27:11 +0530 Subject: [PATCH 22/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 54 +++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 17 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index d5f315ac..f378e251 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,4 +1,5 @@ -name: "Octave Static Code Execution for MATLAB" + +name: "Octave Static Code Analysis for MATLAB" on: push: 
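Review bot: `Upload output logs` never runs in the case it exists for: a failing `octave` call makes the previous step `exit 1`, and a step without an `if:` condition is skipped once an earlier step fails, so the log that the error message tells the user to check is not uploaded. Add `if: always()` to the upload step. The unquoted `$(find ...)` and `$file` expansions noted on the previous commit are still present here.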
@@ -22,21 +23,40 @@ jobs: run: | sudo apt-get update sudo apt-get install -y octave - - # Step 3: Run all MATLAB files and log errors - - name: Run all .m files + # Step 3: Create the MATLAB analysis script + - name: Create MATLAB analysis script run: | - mkdir -p output - for file in $(find . -name "*.m"); do - octave --no-gui $file >> output/octave_output.log 2>&1 || { - echo "Error executing $file. Check output/octave_output.log for details." - exit 1 - } - done - - # Step 4: Upload results - - name: Upload output logs - uses: actions/upload-artifact@v3 + echo "addpath(genpath(pwd)); \ + addpath('analysis'); % Add this line if codeAnalysis is in 'analysis' folder \ + files = dir('**/*.m'); \ + results = {}; \ + if isempty(files), disp('No MATLAB files found.'); exit; end; \ + for k = 1:length(files), \ + filePath = fullfile(files(k).folder, files(k).name); \ + fid = fopen(filePath, 'r'); \ + code = fread(fid, '*char')'; \ + fclose(fid); \ + issues = codeAnalysis(code); \ + if ~isempty(issues), results{end+1} = {filePath, issues}; end; \ + end; \ + save('code-analysis-results.mat', 'results');" > analyze_code.m + # Step 4: Run the analysis script using Octave + - name: Run static code analysis + run: | + octave --no-gui analyze_code.m + # Step 5: Convert results to SARIF format + - name: Convert results to SARIF + run: | + octave --no-gui --eval "load('code-analysis-results.mat'); \ + fid = fopen('code-analysis-results.sarif', 'w'); \ + fprintf(fid, '{ \"version\": \"2.1.0\", \"runs\": [ { \"tool\": { \"driver\": { \"name\": \"Octave Static Analysis\", \"version\": \"1.0\" } }, \"results\": ['); \ + for i = 1:length(results), \ + fprintf(fid, '{ \"ruleId\": \"MATLAB001\", \"message\": { \"text\": \"%s\" }, \"locations\": [ { \"physicalLocation\": { \"artifactLocation\": { \"uri\": \"%s\" } } } ] },', results{i}{2}{:}, results{i}{1}); \ + end; \ + fprintf(fid, '] } ] }'); \ + fclose(fid);" + # Step 6: Upload SARIF file to GitHub Security tab + - name: Upload SARIF 
file + uses: github/codeql-action/upload-sarif@v2 with: - name: octave-output - path: output/octave_output.log + sarif_file: code-analysis-results.sarif From d413eddd050969e770eeff610c031e7dc85d3184 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:31:42 +0530 Subject: [PATCH 23/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index f378e251..e9fd6014 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,4 +1,3 @@ - name: "Octave Static Code Analysis for MATLAB" on: @@ -23,6 +22,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y octave + # Step 3: Create the MATLAB analysis script - name: Create MATLAB analysis script run: | @@ -40,11 +40,21 @@ jobs: if ~isempty(issues), results{end+1} = {filePath, issues}; end; \ end; \ save('code-analysis-results.mat', 'results');" > analyze_code.m + # Step 4: Run the analysis script using Octave - name: Run static code analysis run: | octave --no-gui analyze_code.m - # Step 5: Convert results to SARIF format + + # Step 5: Check if results file was created + - name: Check results file + run: | + if [ ! -f code-analysis-results.mat ]; then + echo "Results file not found!" + exit 1 + fi + + # Step 6: Convert results to SARIF format - name: Convert results to SARIF run: | octave --no-gui --eval "load('code-analysis-results.mat'); \ @@ -55,7 +65,8 @@ jobs: end; \ fprintf(fid, '] } ] }'); \ fclose(fid);" - # Step 6: Upload SARIF file to GitHub Security tab + + # Step 7: Upload SARIF file to GitHub Security tab - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: From 5748a2a2473b350beb5f87c5b92a51d5a6082b55 Mon Sep 17 00:00:00 2001 
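Review bot: The `echo "addpath(genpath(pwd)); \` … `" > analyze_code.m` in the Create MATLAB analysis script step relies on backslash-newline inside a double-quoted string, which bash removes, so the generated analyze_code.m is a single physical line — and the `% Add this line if codeAnalysis is in 'analysis' folder` comment on that line then comments out everything after it, leaving a script that only calls addpath. Writing the file with a quoted heredoc (`cat > analyze_code.m <<'EOF'` … `EOF`) keeps one statement per line and makes the comment harmless; `codeAnalysis` is also not defined anywhere in this series, so the call fails as soon as the script does run. The SARIF conversion in Step 5 emits a comma after every result and so produces `},] }`, which is not valid JSON, interpolates issue text into JSON with `%s` without escaping quotes or backslashes, and expands `results{i}{2}{:}` to one argument per issue so fprintf recycles its format for files with several findings. Building the document with `jsonencode` (Octave 7 or later — worth confirming on the runner) instead of hand-written fprintf avoids all three.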
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:41:58 +0530 Subject: [PATCH 24/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 42 +++++++++++++++---------------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index e9fd6014..6d168daf 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -23,11 +23,19 @@ jobs: sudo apt-get update sudo apt-get install -y octave - # Step 3: Create the MATLAB analysis script + # Step 3: Find and log all .m files + - name: Find .m files + run: | + echo "Searching for .m files in the repository..." + find . -name "*.m" || { + echo "No .m files found!" + exit 1 + } + + # Step 4: Create the analysis script for Octave - name: Create MATLAB analysis script run: | echo "addpath(genpath(pwd)); \ - addpath('analysis'); % Add this line if codeAnalysis is in 'analysis' folder \ files = dir('**/*.m'); \ results = {}; \ if isempty(files), disp('No MATLAB files found.'); exit; end; \ 
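Review bot: The guard `find . -name "*.m" || { echo "No .m files found!"; exit 1; }` in the new Find .m files step can never trigger, because find exits 0 whether or not anything matched; it only returns non-zero on an I/O error. Test the output instead, e.g. `if [ -z "$(find . -name '*.m' -print -quit)" ]; then echo "No .m files found!"; exit 1; fi`.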
@@ -36,38 +44,28 @@ jobs: fid = fopen(filePath, 'r'); \ code = fread(fid, '*char')'; \ fclose(fid); \ - issues = codeAnalysis(code); \ + issues = {}; \ + % Perform your custom analysis here and populate 'issues' \ if ~isempty(issues), results{end+1} = {filePath, issues}; end; \ end; \ save('code-analysis-results.mat', 'results');" > analyze_code.m - # Step 4: Run the analysis script using Octave + # Step 5: Run the analysis script using Octave - name: Run static code analysis run: | octave --no-gui analyze_code.m - # Step 5: Check if results file was created - - name: Check results file + # Step 6: Check if results file was created + - name: Check for results file run: | if [ ! -f code-analysis-results.mat ]; then echo "Results file not found!" exit 1 fi - # Step 6: Convert results to SARIF format - - name: Convert results to SARIF - run: | - octave --no-gui --eval "load('code-analysis-results.mat'); \ - fid = fopen('code-analysis-results.sarif', 'w'); \ - fprintf(fid, '{ \"version\": \"2.1.0\", \"runs\": [ { \"tool\": { \"driver\": { \"name\": \"Octave Static Analysis\", \"version\": \"1.0\" } }, \"results\": ['); \ - for i = 1:length(results), \ - fprintf(fid, '{ \"ruleId\": \"MATLAB001\", \"message\": { \"text\": \"%s\" }, \"locations\": [ { \"physicalLocation\": { \"artifactLocation\": { \"uri\": \"%s\" } } } ] },', results{i}{2}{:}, results{i}{1}); \ - end; \ - fprintf(fid, '] } ] }'); \ - fclose(fid);" - - # Step 7: Upload SARIF file to GitHub Security tab - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + # Step 7: Upload results + - name: Upload output logs + uses: actions/upload-artifact@v3 with: - sarif_file: code-analysis-results.sarif + name: octave-output + path: output/octave_output.log From 30e43661a27d5ed3a2f972e4a31cb8e776d1fcae Mon Sep 17 00:00:00 2001 
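Review bot: Step 7 now uploads `output/octave_output.log`, but nothing in this version of the workflow creates an `output` directory or writes that log (the run step that did was removed two commits earlier), so the artifact step has no file to pick up; the file this pipeline actually produces is `code-analysis-results.mat`, so `path: code-analysis-results.mat` is what should be uploaded. The new `% Perform your custom analysis here and populate 'issues' \` line sits inside a backslash-continued double-quoted echo, so it lands on the same physical line as the rest of the script and comments out everything that follows it, including the `save` call that Step 6 then checks for — drop the comment, or write the script with a quoted heredoc so each statement keeps its own line.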
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:46:00 +0530 Subject: [PATCH 25/72] Create analyze-code.m --- .github/custom-queries/matlab/analyze-code.m | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/custom-queries/matlab/analyze-code.m diff --git a/.github/custom-queries/matlab/analyze-code.m b/.github/custom-queries/matlab/analyze-code.m new file mode 100644 index 00000000..fa80d130 --- /dev/null +++ b/.github/custom-queries/matlab/analyze-code.m @@ -0,0 +1,33 @@ +% Add the current working directory and subdirectories to the path +addpath(genpath(pwd)); + +% Find all .m files in the current directory and subdirectories +files = dir('**/*.m'); + +% Initialize results +results = {}; + +% Loop through each file and perform basic analysis (customize this part) +for k = 1:length(files) + filePath = fullfile(files(k).folder, files(k).name); + fid = fopen(filePath, 'r'); + + if fid == -1 + disp(['Could not open file: ', filePath]); + continue; + end + + code = fread(fid, '*char')'; % Read file contents + fclose(fid); + + % Custom analysis logic here (example: checking for keywords or patterns) + issues = {}; % You can add code to detect issues + + % Store file path and issues found in results + if ~isempty(issues) + results{end+1} = {filePath, issues}; + end +end + +% Save results to .mat file +save('code-analysis-results.mat', 'results'); From 72119002423703f65c5d4a3677a1105b1bbdd933 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 18:51:14 +0530 Subject: [PATCH 26/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 67 ++++++++++++++++++------------- 1 file changed, 38 insertions(+), 29 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 6d168daf..dfb54627 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
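Review bot: `addpath(genpath(pwd))` puts every directory of the scanned checkout on the Octave path before the script calls `dir`, `fopen`, `fread` and `save`, so a repository file carrying one of those names would be resolved ahead of the builtin and executed by the analyzer — the opposite of what a static scan should do. The script works from the absolute paths returned by `fullfile(files(k).folder, files(k).name)` and calls no repository function, so the addpath line can simply be removed. `dir('**/*.m')` also depends on the recursive `**` glob and the `folder` field; I believe Octave's `dir` does not expand `**` the way MATLAB's does, in which case `files` is empty and the scan silently reports nothing, so this is worth checking against the apt Octave on the runner (a `find`-generated file list is the portable alternative).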
@@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - # Step 1: Checkout the repository + # Step 1: Checkout repository - name: Checkout repository uses: actions/checkout@v3 
@@ -23,49 +23,58 @@ jobs: sudo apt-get update sudo apt-get install -y octave - # Step 3: Find and log all .m files + # Step 3: Check for .m files in the repository - name: Find .m files + id: find_files run: | - echo "Searching for .m files in the repository..." - find . -name "*.m" || { + m_files=$(find . -name "*.m") + if [ -z "$m_files" ]; then echo "No .m files found!" exit 1 - } + else + echo "$m_files" + fi - # Step 4: Create the analysis script for Octave + # Step 4: Create MATLAB analysis script in the correct location - name: Create MATLAB analysis script run: | - echo "addpath(genpath(pwd)); \ - files = dir('**/*.m'); \ - results = {}; \ - if isempty(files), disp('No MATLAB files found.'); exit; end; \ - for k = 1:length(files), \ - filePath = fullfile(files(k).folder, files(k).name); \ - fid = fopen(filePath, 'r'); \ - code = fread(fid, '*char')'; \ - fclose(fid); \ - issues = {}; \ - % Perform your custom analysis here and populate 'issues' \ - if ~isempty(issues), results{end+1} = {filePath, issues}; end; \ - end; \ - save('code-analysis-results.mat', 'results');" > analyze_code.m + echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m + echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m + echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m + echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m + echo "% Initialize analysis results" >> .github/custom-queries/matlab/analyze_code.m + echo "results = {};" >> .github/custom-queries/matlab/analyze_code.m + echo "% Analyze each file" >> .github/custom-queries/matlab/analyze_code.m + echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m + echo " filePath = fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m + echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m + echo " code = fread(fid, 
'*char')';" >> .github/custom-queries/matlab/analyze_code.m + echo " fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m + echo " % Add any custom analysis logic here" >> .github/custom-queries/matlab/analyze_code.m + echo " issues = {};" >> .github/custom-queries/matlab/analyze_code.m + echo " if ~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m + echo " results{end+1} = {filePath, issues};" >> .github/custom-queries/matlab/analyze_code.m + echo " end" >> .github/custom-queries/matlab/analyze_code.m + echo "end" >> .github/custom-queries/matlab/analyze_code.m + echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m + echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m - # Step 5: Run the analysis script using Octave - - name: Run static code analysis + # Step 5: Run the static code analysis using Octave + - name: Run MATLAB code analysis with Octave run: | - octave --no-gui analyze_code.m + octave --no-gui .github/custom-queries/matlab/analyze_code.m - # Step 6: Check if results file was created - - name: Check for results file + # Step 6: Verify the analysis results + - name: Check for analysis results run: | if [ ! -f code-analysis-results.mat ]; then echo "Results file not found!" exit 1 fi - # Step 7: Upload results - - name: Upload output logs + # Step 7: Upload the results for review + - name: Upload results uses: actions/upload-artifact@v3 with: - name: octave-output - path: output/octave_output.log + name: code-analysis-results + path: code-analysis-results.mat From 5c4833930969204a41c40ec455b837eb5781fea1 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 19:19:34 +0530 Subject: [PATCH 27/72] Update analyze-code.m Enhanced rules --- .github/custom-queries/matlab/analyze-code.m | 125 ++++++++++++++++++- 1 file changed, 121 insertions(+), 4 deletions(-) 
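Review bot: The Create MATLAB analysis script step writes a fresh placeholder to `.github/custom-queries/matlab/analyze_code.m` (underscore) and runs that, while the analyzer committed in the previous patch lives at `.github/custom-queries/matlab/analyze-code.m` (hyphen) and is never executed; the generated copy has `issues = {};` with no checks, so every run uploads an empty result set. Run the committed file directly, `octave --no-gui .github/custom-queries/matlab/analyze-code.m`, and drop the generation step, so the rules live in one reviewable place. The generated copy also lacks the `if fid == -1` guard the committed script has, so an unreadable file makes `fread` error out mid-run.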
diff --git a/.github/custom-queries/matlab/analyze-code.m b/.github/custom-queries/matlab/analyze-code.m index fa80d130..b96fe4fe 100644 --- a/.github/custom-queries/matlab/analyze-code.m +++ b/.github/custom-queries/matlab/analyze-code.m @@ -7,7 +7,7 @@ % Initialize results results = {}; -% Loop through each file and perform basic analysis (customize this part) +% Loop through each file and perform analysis for k = 1:length(files) filePath = fullfile(files(k).folder, files(k).name); fid = fopen(filePath, 'r'); 
@@ -20,9 +20,126 @@ code = fread(fid, '*char')'; % Read file contents fclose(fid); - % Custom analysis logic here (example: checking for keywords or patterns) - issues = {}; % You can add code to detect issues - + % Initialize issues for the current file + issues = {}; + + % Check for improper input handling in mathematical operations + if contains(code, '+') || contains(code, '-') || contains(code, '*') || contains(code, '/') || ... + contains(code, '^') || contains(code, 'sqrt') || contains(code, 'log') + if ~contains(code, 'validate') && ~contains(code, 'sanitize') + issues{end+1} = 'Improper input handling in mathematical operations detected.'; + end + end + + % Check for improper use of cd command + if contains(code, 'cd') + if ~contains(code, 'exist') && ~contains(code, 'isdir') + issues{end+1} = 'Improper use of cd command without validating the directory path.'; + end + end + + % Check for unsafe mkdir usage + if contains(code, 'mkdir') + if ~contains(code, 'exist') && ~contains(code, 'isdir') + issues{end+1} = 'Unsafe use of mkdir without checking for directory existence or permissions.'; + end + end + + % Check for deprecated functions usage + if contains(code, 'str2num') || contains(code, 'input') || contains(code, 'addpath') + issues{end+1} = 'Deprecated function usage detected. Consider updating to supported alternatives.'; + end + + % Additional Checks + + % 1. Check for hard-coded credentials + if contains(code, 'password') || contains(code, 'passwd') || contains(code, 'apiKey') || ... + contains(code, 'secret') || contains(code, 'token') + if ~contains(code, 'validate') && ~contains(code, 'sanitize') + issues{end+1} = 'Hard-coded credentials detected. Avoid hard-coding sensitive information.'; + end + end + + % 2. Check for hard-coded IP addresses + if contains(code, '(\d{1,3}\.){3}\d{1,3}') % Regular expression for matching IP addresses + issues{end+1} = 'Hard-coded IP address detected. 
Consider using a configuration file or environment variables.'; + end + + % 3. Check for improper use of pause function + if contains(code, 'pause') + if ~contains(code, 'check') && ~contains(code, 'validate') + issues{end+1} = 'Improper use of pause function detected without timing checks.'; + end + end + + % 4. Check for improper use of rmdir + if contains(code, 'rmdir') + if ~contains(code, 'exist') && ~contains(code, 'isdir') + issues{end+1} = 'Improper use of rmdir without validating the directory path.'; + end + end + + % 5. Check for missing fclose after fopen + if contains(code, 'fopen') + if ~contains(code, 'fclose') + issues{end+1} = 'Missing fclose after fopen. Ensure to close files to prevent resource leaks.'; + end + end + + % 6. Check for insecure file permissions + if contains(code, 'chmod') || contains(code, 'chown') + issues{end+1} = 'Insecure file permissions command detected. Review file permission handling.'; + end + + % 7. Check for insecure random number generation + if contains(code, 'rand') + issues{end+1} = 'Insecure random number generation detected. Consider using a cryptographically secure alternative.'; + end + + % 8. Check for insecure save function usage + if contains(code, 'save') && ~contains(code, '-v7.3') + issues{end+1} = 'Insecure save function usage detected. Consider using the -v7.3 option for saving files.'; + end + + % 9. Check for insecure use of eval + if contains(code, 'eval') + issues{end+1} = 'Potentially unsafe use of eval detected. Avoid using eval for executing arbitrary code.'; + end + + % 10. Check for unclosed figures + if contains(code, 'figure') && ~contains(code, 'close') + issues{end+1} = 'Figures created but not closed. Ensure to close figures to free up system resources.'; + end + + % 11. Check for lack of error handling + if contains(code, 'try') && ~contains(code, 'catch') + issues{end+1} = 'Try without catch. Ensure proper error handling is implemented.'; + end + + % 12. 
Check for usage of global variables + if contains(code, 'global') + issues{end+1} = 'Use of global variables detected. Minimize the use of global variables for better encapsulation.'; + end + + % 13. Check for comments not matching code + if contains(code, '%') + % Check for comment length versus code length + lines = strsplit(code, '\n'); + for line = lines + if length(line{1}) < 20 && contains(line{1}, '%') % Short comments + issues{end+1} = 'Comments should provide sufficient context; consider expanding short comments.'; + end + end + end + + % 14. Check for excessively long lines + lines = strsplit(code, '\n'); + for i = 1:length(lines) + if length(lines{i}) > 80 + issues{end+1} = sprintf('Line %d exceeds 80 characters. Consider breaking it into multiple lines.', i); + end + end + % Store file path and issues found in results if ~isempty(issues) results{end+1} = {filePath, issues}; From 71f080480c6a03d569a9f094827f73ca05b371e1 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 19:24:07 +0530 Subject: [PATCH 28/72] Update analyze-code.m --- .github/custom-queries/matlab/analyze-code.m | 109 +++---------------- 1 file changed, 15 insertions(+), 94 deletions(-) diff --git a/.github/custom-queries/matlab/analyze-code.m b/.github/custom-queries/matlab/analyze-code.m index b96fe4fe..7df7f908 100644 --- a/.github/custom-queries/matlab/analyze-code.m +++ b/.github/custom-queries/matlab/analyze-code.m @@ -4,8 +4,10 @@ % Find all .m files in the current directory and subdirectories files = dir('**/*.m'); -% Initialize results -results = {}; +% Initialize SARIF results structure +sarifVersion = '2.1.0'; +toolName = 'Octave Static Code Analyzer'; +results = struct('version', sarifVersion, 'runs', [], 'tool', struct('driver', struct('name', toolName))); % Loop through each file and perform analysis for k = 1:length(files) 
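Review bot: Rule 2 passes the IP-address pattern to `contains`, which is a literal substring test, so `(\d{1,3}\.){3}\d{1,3}` only matches source that contains that exact text and the rule never fires on a real address; it needs `if ~isempty(regexp(code, '(\d{1,3}\.){3}\d{1,3}', 'once'))`. The other rules are unanchored substring matches over the whole file — `'cd'` matches any identifier containing those two letters, `'rand'` matches `random`, `'input'` matches `inputParser`, and the word `validate` anywhere in the file suppresses a finding on an unrelated line — so word-bounded `regexp` patterns (e.g. `'\<eval\s*\('`) applied per line would cut the false positives sharply and give each finding a line number. The rule 8 message is misleading: `-v7.3` selects the HDF5 MAT-file format and has no security effect, so that finding should be dropped or reworded as a compatibility note. `contains` itself may not exist in the Octave shipped by apt on the runner (MATLAB added it in R2016b); `strfind`/`regexp` are the portable choice, worth confirming before relying on it.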
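Review bot: `results = struct('version', sarifVersion, 'runs', [], 'tool', struct(…))` places `tool` on the root object, but `tool` is not a property of the SARIF root (which carries `version`, `$schema` and `runs`); `tool.driver.name` is a required property of each entry in `runs`, which is where the second hunk of this patch already puts `toolName`, so the root-level copy should go. `jsonencode`, which this patch now depends on, was added in Octave 7, so the apt package on the runner needs checking.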
@@ -51,100 +53,19 @@ end % Additional Checks + % Check for hard-coded credentials, IPs, etc. (similar checks as before) - % 1. Check for hard-coded credentials - if contains(code, 'password') || contains(code, 'passwd') || contains(code, 'apiKey') || ... - contains(code, 'secret') || contains(code, 'token') - if ~contains(code, 'validate') && ~contains(code, 'sanitize') - issues{end+1} = 'Hard-coded credentials detected. Avoid hard-coding sensitive information.'; - end - end - - % 2. Check for hard-coded IP addresses - if contains(code, '(\d{1,3}\.){3}\d{1,3}') % Regular expression for matching IP addresses - issues{end+1} = 'Hard-coded IP address detected. Consider using a configuration file or environment variables.'; - end - - % 3. Check for improper use of pause function - if contains(code, 'pause') - if ~contains(code, 'check') && ~contains(code, 'validate') - issues{end+1} = 'Improper use of pause function detected without timing checks.'; - end - end - - % 4. Check for improper use of rmdir - if contains(code, 'rmdir') - if ~contains(code, 'exist') && ~contains(code, 'isdir') - issues{end+1} = 'Improper use of rmdir without validating the directory path.'; - end - end - - % 5. Check for missing fclose after fopen - if contains(code, 'fopen') - if ~contains(code, 'fclose') - issues{end+1} = 'Missing fclose after fopen. Ensure to close files to prevent resource leaks.'; - end - end - - % 6. Check for insecure file permissions - if contains(code, 'chmod') || contains(code, 'chown') - issues{end+1} = 'Insecure file permissions command detected. Review file permission handling.'; - end - - % 7. Check for insecure random number generation - if contains(code, 'rand') - issues{end+1} = 'Insecure random number generation detected. Consider using a cryptographically secure alternative.'; - end - - % 8. Check for insecure save function usage - if contains(code, 'save') && ~contains(code, '-v7.3') - issues{end+1} = 'Insecure save function usage detected. 
Consider using the -v7.3 option for saving files.'; - end - - % 9. Check for insecure use of eval - if contains(code, 'eval') - issues{end+1} = 'Potentially unsafe use of eval detected. Avoid using eval for executing arbitrary code.'; - end - - % 10. Check for unclosed figures - if contains(code, 'figure') && ~contains(code, 'close') - issues{end+1} = 'Figures created but not closed. Ensure to close figures to free up system resources.'; - end - - % 11. Check for lack of error handling - if contains(code, 'try') && ~contains(code, 'catch') - issues{end+1} = 'Try without catch. Ensure proper error handling is implemented.'; - end - - % 12. Check for usage of global variables - if contains(code, 'global') - issues{end+1} = 'Use of global variables detected. Minimize the use of global variables for better encapsulation.'; - end - - % 13. Check for comments not matching code - if contains(code, '%') - % Check for comment length versus code length - lines = strsplit(code, '\n'); - for line = lines - if length(line{1}) < 20 && contains(line{1}, '%') % Short comments - issues{end+1} = 'Comments should provide sufficient context; consider expanding short comments.'; - end - end - end - - % 14. Check for excessively long lines - lines = strsplit(code, '\n'); - for i = 1:length(lines) - if length(lines{i}) > 80 - issues{end+1} = sprintf('Line %d exceeds 80 characters. 
Consider breaking it into multiple lines.', i); - end - end - - % Store file path and issues found in results + % Store results in SARIF format if issues are found if ~isempty(issues) - results{end+1} = {filePath, issues}; + result = struct(); + result.locations = struct('physicalLocation', struct('artifactLocation', struct('uri', filePath))); + result.annotations = struct('message', struct('text', issues), 'severity', 'warning'); + results.runs(end+1) = struct('tool', struct('driver', struct('name', toolName)), 'results', result); end end -% Save results to .mat file -save('code-analysis-results.mat', 'results'); +% Save results to a SARIF file +sarifFileName = 'code-analysis-results.sarif'; +fid = fopen(sarifFileName, 'w'); +fprintf(fid, '%s\n', jsonencode(results)); +fclose(fid); From 19bca76c9cfb615a4c70446f16afdac40cc7b1e1 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 19:24:37 +0530 Subject: [PATCH 29/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 38 ++++++++++++++++++------------- 1 file changed, 22 insertions(+), 16 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index dfb54627..4adfcd20 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -22,7 +22,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y octave - + # Step 3: Check for .m files in the repository - name: Find .m files id: find_files 
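Review bot: The per-file result built here is not a SARIF result object: `annotations` and `severity` are not SARIF properties (the severity field is `level`), `message` belongs on the result itself as `{"text": …}` with a string value, and because `struct()` treats a cell-array value as one element per cell, `struct('text', issues)` actually yields a struct array with one element per issue rather than a single message. Each issue should become its own result — `struct('ruleId', …, 'message', struct('text', issues{j}), 'level', 'warning', 'locations', …)` — appended to the `results` of a run that also carries `tool.driver.name`; the generated copy of this code in the next patch's workflow hunk (`@@ -42,22 +42,29 @@`) has the same shape and needs the same fix. Note too that `jsonencode` serializes a 1x1 struct array as an object rather than a one-element array, so `runs`, `results` and `locations` are best accumulated as cell arrays to guarantee JSON arrays.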
@@ -42,22 +42,29 @@ jobs: echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m - echo "% Initialize analysis results" >> .github/custom-queries/matlab/analyze_code.m - echo "results = {};" >> .github/custom-queries/matlab/analyze_code.m - echo "% Analyze each file" >> .github/custom-queries/matlab/analyze_code.m + echo "% Initialize results" >> .github/custom-queries/matlab/analyze_code.m + echo "results = struct('version', '2.1.0', 'runs', [], 'tool', struct('driver', struct('name', 'Octave Static Code Analyzer')));" >> .github/custom-queries/matlab/analyze_code.m + echo "% Loop through each file and perform analysis" >> .github/custom-queries/matlab/analyze_code.m echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m echo " filePath = fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m - echo " code = fread(fid, '*char')';" >> .github/custom-queries/matlab/analyze_code.m - echo " fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m - echo " % Add any custom analysis logic here" >> .github/custom-queries/matlab/analyze_code.m + echo " if fid == -1" >> .github/custom-queries/matlab/analyze_code.m + echo " disp(['Could not open file: ', filePath]);" >> .github/custom-queries/matlab/analyze_code.m + echo " continue;" >> .github/custom-queries/matlab/analyze_code.m + echo " end" >> .github/custom-queries/matlab/analyze_code.m + echo " code = fread(fid, '*char')'; fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m echo " issues = {};" >> .github/custom-queries/matlab/analyze_code.m + # [Insert additional analysis checks here, as shown above] echo " if ~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m - echo " 
results{end+1} = {filePath, issues};" >> .github/custom-queries/matlab/analyze_code.m + echo " result = struct();" >> .github/custom-queries/matlab/analyze_code.m + echo " result.locations = struct('physicalLocation', struct('artifactLocation', struct('uri', filePath)));" >> .github/custom-queries/matlab/analyze_code.m + echo " result.annotations = struct('message', struct('text', issues), 'severity', 'warning');" >> .github/custom-queries/matlab/analyze_code.m + echo " results.runs(end+1) = struct('tool', struct('driver', struct('name', 'Octave Static Code Analyzer')), 'results', result);" >> .github/custom-queries/matlab/analyze_code.m echo " end" >> .github/custom-queries/matlab/analyze_code.m echo "end" >> .github/custom-queries/matlab/analyze_code.m - echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m - echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m + echo "% Save results to SARIF file" >> .github/custom-queries/matlab/analyze_code.m + echo "sarifFileName = 'code-analysis-results.sarif';" >> .github/custom-queries/matlab/analyze_code.m + echo "fid = fopen(sarifFileName, 'w'); fprintf(fid, '%s\\n', jsonencode(results)); fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m # Step 5: Run the static code analysis using Octave - name: Run MATLAB code analysis with Octave @@ -67,14 +74,13 @@ jobs: # Step 6: Verify the analysis results - name: Check for analysis results run: | - if [ ! -f code-analysis-results.mat ]; then + if [ ! -f code-analysis-results.sarif ]; then echo "Results file not found!" exit 1 fi - # Step 7: Upload the results for review - - name: Upload results - uses: actions/upload-artifact@v3 + # Step 7: Upload results for review + - name: Upload results to the Security tab + uses: github/codeql-action/upload-sarif@v2 with: - name: code-analysis-results - path: code-analysis-results.mat + sarif_file: code-analysis-results.sarif 
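Review bot: The new `# [Insert additional analysis checks here, as shown above]` line is a shell comment inside the `run:` block, not a line written to the script, so the generated analyze_code.m still goes straight from `issues = {};` to the `if ~isempty(issues)` test and can never report anything; the upload in Step 7 therefore always carries an empty `runs` array. Since the rule set already exists in the checked-in `.github/custom-queries/matlab/analyze-code.m`, executing that file instead of regenerating a stub keeps the rules and the SARIF writer in one place.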
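Review bot: `github/codeql-action/upload-sarif@v2` is the previous major of the CodeQL action; the current major is `@v3`, so pin `uses: github/codeql-action/upload-sarif@v3` here. Uploading to the Security tab also requires the job to hold `security-events: write`; the `permissions:` block is outside this hunk, so if the workflow does not grant it (or the repository defaults to read-only tokens) this step fails with a permissions error on every run.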
From 4cc14bbd896edc097c9606ea08d8be7b26fd5761 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 19:27:09 +0530 Subject: [PATCH 30/72] Update analyze-code.m --- .github/custom-queries/matlab/analyze-code.m | 108 ++++++++++++++++--- 1 file changed, 96 insertions(+), 12 deletions(-) diff --git a/.github/custom-queries/matlab/analyze-code.m b/.github/custom-queries/matlab/analyze-code.m index 7df7f908..cf747383 100644 --- a/.github/custom-queries/matlab/analyze-code.m +++ b/.github/custom-queries/matlab/analyze-code.m @@ -4,10 +4,8 @@ % Find all .m files in the current directory and subdirectories files = dir('**/*.m'); -% Initialize SARIF results structure -sarifVersion = '2.1.0'; -toolName = 'Octave Static Code Analyzer'; -results = struct('version', sarifVersion, 'runs', [], 'tool', struct('driver', struct('name', toolName))); +% Initialize results +results = struct('version', '2.1.0', 'runs', []); % Loop through each file and perform analysis for k = 1:length(files) 
@@ -53,19 +51,105 @@ end % Additional Checks - % Check for hard-coded credentials, IPs, etc. (similar checks as before) - % Store results in SARIF format if issues are found + % 1. Check for hard-coded credentials + if contains(code, 'password') || contains(code, 'passwd') || contains(code, 'apiKey') || ... + contains(code, 'secret') || contains(code, 'token') + if ~contains(code, 'validate') && ~contains(code, 'sanitize') + issues{end+1} = 'Hard-coded credentials detected. Avoid hard-coding sensitive information.'; + end + end + + % 2. Check for hard-coded IP addresses + if ~isempty(regexp(code, '(\d{1,3}\.){3}\d{1,3}', 'once')) % Regular expression for matching IP addresses + issues{end+1} = 'Hard-coded IP address detected. Consider using a configuration file or environment variables.'; + end + + % 3. Check for improper use of pause function + if contains(code, 'pause') + if ~contains(code, 'check') && ~contains(code, 'validate') + issues{end+1} = 'Improper use of pause function detected without timing checks.'; + end + end + + % 4. Check for improper use of rmdir + if contains(code, 'rmdir') + if ~contains(code, 'exist') && ~contains(code, 'isdir') + issues{end+1} = 'Improper use of rmdir without validating the directory path.'; + end + end + + % 5. Check for missing fclose after fopen + if contains(code, 'fopen') + if ~contains(code, 'fclose') + issues{end+1} = 'Missing fclose after fopen. Ensure to close files to prevent resource leaks.'; + end + end + + % 6. Check for insecure file permissions + if contains(code, 'chmod') || contains(code, 'chown') + issues{end+1} = 'Insecure file permissions command detected. Review file permission handling.'; + end + + % 7. Check for insecure random number generation + if contains(code, 'rand') + issues{end+1} = 'Insecure random number generation detected. Consider using a cryptographically secure alternative.'; + end + + % 8. 
Check for insecure save function usage + if contains(code, 'save') && ~contains(code, '-v7.3') + issues{end+1} = 'Insecure save function usage detected. Consider using the -v7.3 option for saving files.'; + end + + % 9. Check for insecure use of eval + if contains(code, 'eval') + issues{end+1} = 'Potentially unsafe use of eval detected. Avoid using eval for executing arbitrary code.'; + end + + % 10. Check for unclosed figures + if contains(code, 'figure') && ~contains(code, 'close') + issues{end+1} = 'Figures created but not closed. Ensure to close figures to free up system resources.'; + end + + % 11. Check for lack of error handling + if contains(code, 'try') && ~contains(code, 'catch') + issues{end+1} = 'Try without catch. Ensure proper error handling is implemented.'; + end + + % 12. Check for usage of global variables + if contains(code, 'global') + issues{end+1} = 'Use of global variables detected. Minimize the use of global variables for better encapsulation.'; + end + + % 13. Check for comments not matching code + if contains(code, '%') + % Check for comment length versus code length + lines = strsplit(code, '\n'); + for line = lines + if length(line{1}) < 20 && contains(line{1}, '%') % Short comments + issues{end+1} = 'Comments should provide sufficient context; consider expanding short comments.'; + end + end + end + + % 14. Check for excessively long lines + lines = strsplit(code, '\n'); + for i = 1:length(lines) + if length(lines{i}) > 80 + issues{end+1} = sprintf('Line %d exceeds 80 characters. 
Consider breaking it into multiple lines.', i); + end + end + + % Store file path and issues found in results if ~isempty(issues) - result = struct(); - result.locations = struct('physicalLocation', struct('artifactLocation', struct('uri', filePath))); - result.annotations = struct('message', struct('text', issues), 'severity', 'warning'); - results.runs(end+1) = struct('tool', struct('driver', struct('name', toolName)), 'results', result); + issueInstances = struct('ruleId', 'CustomRule', 'message', issues, 'locations', struct('physicalLocation', struct('artifactLocation', struct('uri', filePath)))); + results.runs(end+1).results(end+1) = issueInstances; end end -% Save results to a SARIF file +% Save results to SARIF format sarifFileName = 'code-analysis-results.sarif'; fid = fopen(sarifFileName, 'w'); -fprintf(fid, '%s\n', jsonencode(results)); +fprintf(fid, '{"version": "2.1.0", "runs": [%s]}', jsonencode(results.runs)); fclose(fid); +disp(['Results saved to ', sarifFileName]); From c0473bf2b986d03781fc16d2adc0bb4591028704 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 19:34:39 +0530 Subject: [PATCH 31/72] Update analyze-code.m --- .github/custom-queries/matlab/analyze-code.m | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/.github/custom-queries/matlab/analyze-code.m b/.github/custom-queries/matlab/analyze-code.m index cf747383..b96fe4fe 100644 --- a/.github/custom-queries/matlab/analyze-code.m +++ b/.github/custom-queries/matlab/analyze-code.m @@ -5,7 +5,7 @@ files = dir('**/*.m'); % Initialize results -results = struct('version', '2.1.0', 'runs', []); +results = {}; % Loop through each file and perform analysis for k = 1:length(files) 
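Review bot: `struct('ruleId', 'CustomRule', 'message', issues, …)` passes the cell array `issues` as a field value, which makes `struct()` build a struct array with one element per issue rather than one result, so `results.runs(end+1).results(end+1) = issueInstances` errors on any file with more than one finding; SARIF also requires `message` to be an object with a `text` string. The writer then wraps `jsonencode(results.runs)`, which already produces a JSON array, in another `[%s]`, giving `"runs": [[…]]`, and no run carries the required `tool.driver.name` (it was removed from the root in this patch's first hunk but not moved into the runs). Building one result per issue, keeping `runs`/`results`/`locations` as cell arrays so `jsonencode` always emits JSON arrays, and writing `jsonencode(results)` directly fixes all three; the initialization `results = struct('version', '2.1.0', 'runs', [])` in the first hunk should become `'runs', {{}}` to match.
```matlab
    % … unchanged: per-file checks that populate `issues` …
    if ~isempty(issues)
      run = struct('tool', struct('driver', struct('name', 'Octave Static Code Analyzer')), 'results', {{}});
      for j = 1:numel(issues)
        run.results{end+1} = struct( ...
          'ruleId', 'CustomRule', ...
          'message', struct('text', issues{j}), ...
          'locations', {{struct('physicalLocation', struct('artifactLocation', struct('uri', filePath)))}});
      end
      results.runs{end+1} = run;
    end
% … unchanged: end of the file loop, sarifFileName and fopen …
fprintf(fid, '%s\n', jsonencode(results));
fclose(fid);
```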
@@ -61,7 +61,7 @@ end % 2. Check for hard-coded IP addresses - if ~isempty(regexp(code, '(\d{1,3}\.){3}\d{1,3}', 'once')) % Regular expression for matching IP addresses + if contains(code, '(\d{1,3}\.){3}\d{1,3}') % Regular expression for matching IP addresses issues{end+1} = 'Hard-coded IP address detected. Consider using a configuration file or environment variables.'; end @@ -142,14 +142,9 @@ % Store file path and issues found in results if ~isempty(issues) - issueInstances = struct('ruleId', 'CustomRule', 'message', issues, 'locations', struct('physicalLocation', struct('artifactLocation', struct('uri', filePath)))); - results.runs(end+1).results(end+1) = issueInstances; + results{end+1} = {filePath, issues}; end end -% Save results to SARIF format -sarifFileName = 'code-analysis-results.sarif'; -fid = fopen(sarifFileName, 'w'); -fprintf(fid, '{"version": "2.1.0", "runs": [%s]}', jsonencode(results.runs)); -fclose(fid); -disp(['Results saved to ', sarifFileName]); +% Save results to .mat file +save('code-analysis-results.mat', 'results'); From ce709a263c196474216ce9f51ce934eeff8ef2c4 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 19:35:28 +0530 Subject: [PATCH 32/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 75 ++++++++++--------------------- 1 file changed, 23 insertions(+), 52 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 4adfcd20..47e1bc79 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - # Step 1: Checkout repository + # Step 1: Checkout the repository - name: Checkout repository uses: actions/checkout@v3 
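Review bot: The replacement `contains(code, '(\d{1,3}\.){3}\d{1,3}')` is a literal substring search, not a regular-expression match, so the HardcodedIpAddress check can only fire on a source file that literally contains that pattern text and is effectively dead. Keep the form the hunk removes, `if ~isempty(regexp(code, '(\d{1,3}\.){3}\d{1,3}', 'once'))`, and consider bounding it with `(?<![\d.])` / `(?![\d.])` so version strings such as `1.2.3.4` in comments are not reported as addresses. The loop this check sits in starts outside the hunk.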
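Review bot: `results{end+1} = {filePath, issues}` stores the absolute path built by `fullfile(files(k).folder, ...)`, which is what later lands in `artifactLocation.uri`; GitHub code scanning needs a repository-relative path to attach alerts to files, so an upload would be accepted but the findings would not be anchored to any file. Store the relative form instead, e.g. `relPath = strrep(filePath, [pwd filesep], '');`, and save that alongside the issues. Since the hunk drops the SARIF writer, whichever step consumes `code-analysis-results.mat` now owns the output schema (`tool.driver.name`, rules, locations) — a comment above `save(...)` saying so would help the next reader. The enclosing loop starts outside this hunk.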
@@ -22,65 +22,36 @@ jobs: run: | sudo apt-get update sudo apt-get install -y octave - - # Step 3: Check for .m files in the repository - - name: Find .m files - id: find_files - run: | - m_files=$(find . -name "*.m") - if [ -z "$m_files" ]; then - echo "No .m files found!" - exit 1 - else - echo "$m_files" - fi - # Step 4: Create MATLAB analysis script in the correct location + # Step 3: Create the MATLAB analysis script - name: Create MATLAB analysis script run: | - echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m - echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m - echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m - echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m - echo "% Initialize results" >> .github/custom-queries/matlab/analyze_code.m - echo "results = struct('version', '2.1.0', 'runs', [], 'tool', struct('driver', struct('name', 'Octave Static Code Analyzer')));" >> .github/custom-queries/matlab/analyze_code.m - echo "% Loop through each file and perform analysis" >> .github/custom-queries/matlab/analyze_code.m - echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m - echo " filePath = fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m - echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m - echo " if fid == -1" >> .github/custom-queries/matlab/analyze_code.m - echo " disp(['Could not open file: ', filePath]);" >> .github/custom-queries/matlab/analyze_code.m - echo " continue;" >> .github/custom-queries/matlab/analyze_code.m - echo " end" >> .github/custom-queries/matlab/analyze_code.m - echo " code = fread(fid, '*char')'; fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m - echo " issues = {};" >> .github/custom-queries/matlab/analyze_code.m - # [Insert additional analysis checks here, as shown above] - echo " if 
~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m - echo " result = struct();" >> .github/custom-queries/matlab/analyze_code.m - echo " result.locations = struct('physicalLocation', struct('artifactLocation', struct('uri', filePath)));" >> .github/custom-queries/matlab/analyze_code.m - echo " result.annotations = struct('message', struct('text', issues), 'severity', 'warning');" >> .github/custom-queries/matlab/analyze_code.m - echo " results.runs(end+1) = struct('tool', struct('driver', struct('name', 'Octave Static Code Analyzer')), 'results', result);" >> .github/custom-queries/matlab/analyze_code.m - echo " end" >> .github/custom-queries/matlab/analyze_code.m - echo "end" >> .github/custom-queries/matlab/analyze_code.m - echo "% Save results to SARIF file" >> .github/custom-queries/matlab/analyze_code.m - echo "sarifFileName = 'code-analysis-results.sarif';" >> .github/custom-queries/matlab/analyze_code.m - echo "fid = fopen(sarifFileName, 'w'); fprintf(fid, '%s\\n', jsonencode(results)); fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m + echo "Your analyze_code.m content here" > .github/custom-queries/matlab/analyze_code.m - # Step 5: Run the static code analysis using Octave - - name: Run MATLAB code analysis with Octave + # Step 4: Run the analysis script using Octave + - name: Run static code analysis run: | octave --no-gui .github/custom-queries/matlab/analyze_code.m - # Step 6: Verify the analysis results - - name: Check for analysis results + # Step 5: Convert results from .mat to SARIF + - name: Convert MAT to SARIF run: | - if [ ! -f code-analysis-results.sarif ]; then - echo "Results file not found!" 
- exit 1 - fi - - # Step 7: Upload results for review - - name: Upload results to the Security tab + # Load the .mat file and convert it to a SARIF file + octave --no-gui -e " + load('code-analysis-results.mat'); + sarif = struct('version', '2.1.0', 'runs', []); + for i = 1:length(results) + fileIssues = results{i, 2}; + sarif.runs(end + 1) = struct('tool', struct('driver', struct('name', 'MATLAB Static Analysis', 'version', '1.0')), ... + 'results', struct('ruleId', 'MATLAB_Analysis', ... + 'message', struct('text', fileIssues), ... + 'locations', struct('physicalLocation', struct('artifactLocation', struct('uri', results{i, 1}))))); + end + save('code-analysis-results.sarif', 'sarif', '-json'); + " + + # Step 6: Upload SARIF file to GitHub Security tab + - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: sarif_file: code-analysis-results.sarif From 37e83a1e74f878aeaf664da102e8b859840d4cd7 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 19:39:08 +0530 Subject: [PATCH 33/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 47e1bc79..31211120 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -26,12 +26,12 @@ jobs: # Step 3: Create the MATLAB analysis script - name: Create MATLAB analysis script run: | - echo "Your analyze_code.m content here" > .github/custom-queries/matlab/analyze_code.m + echo "Your analyze-code.m content here" > .github/custom-queries/matlab/analyze-code.m # Step 4: Run the analysis script using Octave - name: Run static code analysis run: | - octave --no-gui .github/custom-queries/matlab/analyze_code.m + octave --no-gui .github/custom-queries/matlab/analyze-code.m # Step 5: Convert results from .mat to SARIF - name: Convert MAT to SARIF 
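Review bot: The `Create MATLAB analysis script` step now runs `echo "Your analyze_code.m content here" > .github/custom-queries/matlab/analyze_code.m`, which overwrites the analyzer with a placeholder sentence, and the next step executes that file under Octave — so the checks committed in `analyze-code.m` never run and the job either fails on a parse error or produces nothing. Drop the generation step and run the committed script directly, `octave --no-gui .github/custom-queries/matlab/analyze-code.m`. In the conversion step, `results{i, 2}` indexes a 1×N cell of cells — the script stores `results{end+1} = {filePath, issues}`, so it should be `results{i}{2}` (and `results{i}{1}` for the path) — and Octave's `save` has no `-json` format as far as I know, so the SARIF file needs `fopen`/`fprintf` with `jsonencode`. Finally, `github/codeql-action/upload-sarif` requires `permissions: security-events: write` on the job, which is not declared anywhere in the file as shown. The `jobs:` block this belongs to starts outside the hunk.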
From d2f2edbe5cfbb05efe02ca19251eb1895bfa8702 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Thu, 24 Oct 2024 19:47:02 +0530 Subject: [PATCH 34/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 76 +++++++++++++++++++------------ 1 file changed, 47 insertions(+), 29 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 31211120..3f992e48 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - # Step 1: Checkout the repository + # Step 1: Checkout repository - name: Checkout repository uses: actions/checkout@v3 
@@ -22,36 +22,54 @@ jobs: run: | sudo apt-get update sudo apt-get install -y octave - - # Step 3: Create the MATLAB analysis script + # Step 3: Check for .m files in the repository + - name: Find .m files + id: find_files + run: | + m_files=$(find . -name "*.m") + if [ -z "$m_files" ]; then + echo "No .m files found!" + exit 1 + else + echo "$m_files" + fi + # Step 4: Create MATLAB analysis script in the correct location - name: Create MATLAB analysis script run: | - echo "Your analyze-code.m content here" > .github/custom-queries/matlab/analyze-code.m - - # Step 4: Run the analysis script using Octave - - name: Run static code analysis + echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m + echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m + echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m + echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m + echo "% Initialize analysis results" >> .github/custom-queries/matlab/analyze_code.m + echo "results = {};" >> .github/custom-queries/matlab/analyze_code.m + echo "% Analyze each file" >> .github/custom-queries/matlab/analyze_code.m + echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m + echo " filePath = fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m + echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m + echo " code = fread(fid, '*char')';" >> .github/custom-queries/matlab/analyze_code.m + echo " fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m + echo " % Add any custom analysis logic here" >> .github/custom-queries/matlab/analyze_code.m + echo " issues = {};" >> .github/custom-queries/matlab/analyze_code.m + echo " if ~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m + echo " results{end+1} = {filePath, issues};" >> .github/custom-queries/matlab/analyze_code.m 
+ echo " end" >> .github/custom-queries/matlab/analyze_code.m + echo "end" >> .github/custom-queries/matlab/analyze_code.m + echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m + echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m + # Step 5: Run the static code analysis using Octave + - name: Run MATLAB code analysis with Octave run: | - octave --no-gui .github/custom-queries/matlab/analyze-code.m - - # Step 5: Convert results from .mat to SARIF - - name: Convert MAT to SARIF + octave --no-gui .github/custom-queries/matlab/analyze_code.m + # Step 6: Verify the analysis results + - name: Check for analysis results run: | - # Load the .mat file and convert it to a SARIF file - octave --no-gui -e " - load('code-analysis-results.mat'); - sarif = struct('version', '2.1.0', 'runs', []); - for i = 1:length(results) - fileIssues = results{i, 2}; - sarif.runs(end + 1) = struct('tool', struct('driver', struct('name', 'MATLAB Static Analysis', 'version', '1.0')), ... - 'results', struct('ruleId', 'MATLAB_Analysis', ... - 'message', struct('text', fileIssues), ... - 'locations', struct('physicalLocation', struct('artifactLocation', struct('uri', results{i, 1}))))); - end - save('code-analysis-results.sarif', 'sarif', '-json'); - " - - # Step 6: Upload SARIF file to GitHub Security tab - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + if [ ! -f code-analysis-results.mat ]; then + echo "Results file not found!" + exit 1 + fi + # Step 7: Upload the results for review + - name: Upload results + uses: actions/upload-artifact@v3 with: - sarif_file: code-analysis-results.sarif + name: code-analysis-results + path: code-analysis-results.mat From 675af000e1a91b732e8b9f69ab6d964aef54c33e Mon Sep 17 00:00:00 2001 
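Review bot: The generated `analyze_code.m` sets `issues = {};` and never appends to it, so `results` is always empty, `code-analysis-results.mat` is always written, and the `Check for analysis results` step always passes — the scan cannot fail on anything. It also means the analyzer committed at `.github/custom-queries/matlab/analyze-code.m` (hyphen) is not what runs; the workflow generates and executes `analyze_code.m` (underscore) next to it. Run the committed file instead of re-creating a stub with `echo`, and restore the `if fid == -1` guard before `fread` that the earlier version had, since one unreadable file currently aborts the whole scan. The `jobs:` block starts outside the hunk.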
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 14:32:05 +0530 Subject: [PATCH 35/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 3f992e48..b4988769 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -17,11 +17,12 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 - # Step 2: Install Octave - - name: Install Octave + # Step 2: Install Octave and required dependencies + - name: Install Octave and dependencies run: | sudo apt-get update - sudo apt-get install -y octave + sudo apt-get install -y octave libsarif-dev + # Step 3: Check for .m files in the repository - name: Find .m files id: find_files @@ -33,6 +34,7 @@ jobs: else echo "$m_files" fi + # Step 4: Create MATLAB analysis script in the correct location - name: Create MATLAB analysis script run: | 
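Review bot: `sudo apt-get install -y octave libsarif-dev` adds a package that, as far as I can tell, does not exist in the Ubuntu archive, so `apt-get` will exit non-zero and the job stops before any analysis runs. If a SARIF helper is really needed, name a package that is known to resolve (or do the conversion in the script with `jsonencode`) and keep the install step minimal; a failing install in a security workflow is easy to mistake for a scan that found nothing. The `jobs:` block starts outside the hunk.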
@@ -56,20 +58,20 @@ jobs: echo "end" >> .github/custom-queries/matlab/analyze_code.m echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m + # Step 5: Run the static code analysis using Octave - name: Run MATLAB code analysis with Octave run: | octave --no-gui .github/custom-queries/matlab/analyze_code.m - # Step 6: Verify the analysis results - - name: Check for analysis results + + # Step 6: Convert the .mat file to SARIF + - name: Convert .mat to SARIF run: | - if [ ! -f code-analysis-results.mat ]; then - echo "Results file not found!" - exit 1 - fi - # Step 7: Upload the results for review - - name: Upload results + matlab -nodisplay -nosplash -r "convertMatToSarif('code-analysis-results.mat', 'code-analysis-results.sarif')" + + # Step 7: Upload the SARIF results for review + - name: Upload SARIF results uses: actions/upload-artifact@v3 with: name: code-analysis-results - path: code-analysis-results.mat + path: code-analysis-results.sarif From 6d508ab180b26eb21c5344db3043606f1e3d74fa Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 14:50:53 +0530 Subject: [PATCH 36/72] Update analyze-code.m --- .github/custom-queries/matlab/analyze-code.m | 74 ++++++++++++++------ 1 file changed, 51 insertions(+), 23 deletions(-) diff --git a/.github/custom-queries/matlab/analyze-code.m b/.github/custom-queries/matlab/analyze-code.m index b96fe4fe..3e73666e 100644 --- a/.github/custom-queries/matlab/analyze-code.m +++ b/.github/custom-queries/matlab/analyze-code.m 
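Review bot: The new `Convert .mat to SARIF` step calls `matlab -nodisplay -nosplash -r "convertMatToSarif(...)"`, but the job only installs Octave and no `convertMatToSarif` function is defined in any file shown, so this step cannot succeed on `ubuntu-latest`. Either run the conversion under Octave (`octave --no-gui --eval "..."`) with a function committed to the repository, or drop the `.mat` round trip and emit SARIF from the analysis script directly. Note too that the result now goes to `actions/upload-artifact` rather than `github/codeql-action/upload-sarif`, so nothing reaches the Security tab even when the file is produced. The `jobs:` block starts outside the hunk.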
@@ -11,114 +11,114 @@ for k = 1:length(files) filePath = fullfile(files(k).folder, files(k).name); fid = fopen(filePath, 'r'); - + if fid == -1 disp(['Could not open file: ', filePath]); continue; end - + code = fread(fid, '*char')'; % Read file contents fclose(fid); - + % Initialize issues for the current file issues = {}; % Check for improper input handling in mathematical operations if contains(code, '+') || contains(code, '-') || contains(code, '*') || contains(code, '/') || ... - contains(code, '^') || contains(code, 'sqrt') || contains(code, 'log') + contains(code, '^') || contains(code, 'sqrt') || contains(code, 'log') if ~contains(code, 'validate') && ~contains(code, 'sanitize') - issues{end+1} = 'Improper input handling in mathematical operations detected.'; + issues{end+1} = struct('ruleId', 'ImproperInputHandling', 'message', 'Improper input handling in mathematical operations detected.'); end end % Check for improper use of cd command if contains(code, 'cd') if ~contains(code, 'exist') && ~contains(code, 'isdir') - issues{end+1} = 'Improper use of cd command without validating the directory path.'; + issues{end+1} = struct('ruleId', 'ImproperCdUsage', 'message', 'Improper use of cd command without validating the directory path.'); end end % Check for unsafe mkdir usage if contains(code, 'mkdir') if ~contains(code, 'exist') && ~contains(code, 'isdir') - issues{end+1} = 'Unsafe use of mkdir without checking for directory existence or permissions.'; + issues{end+1} = struct('ruleId', 'UnsafeMkdirUsage', 'message', 'Unsafe use of mkdir without checking for directory existence or permissions.'); end end % Check for deprecated functions usage if contains(code, 'str2num') || contains(code, 'input') || contains(code, 'addpath') - issues{end+1} = 'Deprecated function usage detected. Consider updating to supported alternatives.'; + issues{end+1} = struct('ruleId', 'DeprecatedFunctionUsage', 'message', 'Deprecated function usage detected. 
Consider updating to supported alternatives.'); end % Additional Checks % 1. Check for hard-coded credentials if contains(code, 'password') || contains(code, 'passwd') || contains(code, 'apiKey') || ... - contains(code, 'secret') || contains(code, 'token') + contains(code, 'secret') || contains(code, 'token') if ~contains(code, 'validate') && ~contains(code, 'sanitize') - issues{end+1} = 'Hard-coded credentials detected. Avoid hard-coding sensitive information.'; + issues{end+1} = struct('ruleId', 'HardcodedCredentials', 'message', 'Hard-coded credentials detected. Avoid hard-coding sensitive information.'); end end % 2. Check for hard-coded IP addresses if contains(code, '(\d{1,3}\.){3}\d{1,3}') % Regular expression for matching IP addresses - issues{end+1} = 'Hard-coded IP address detected. Consider using a configuration file or environment variables.'; + issues{end+1} = struct('ruleId', 'HardcodedIpAddress', 'message', 'Hard-coded IP address detected. Consider using a configuration file or environment variables.'); end % 3. Check for improper use of pause function if contains(code, 'pause') if ~contains(code, 'check') && ~contains(code, 'validate') - issues{end+1} = 'Improper use of pause function detected without timing checks.'; + issues{end+1} = struct('ruleId', 'ImproperPauseUsage', 'message', 'Improper use of pause function detected without timing checks.'); end end % 4. Check for improper use of rmdir if contains(code, 'rmdir') if ~contains(code, 'exist') && ~contains(code, 'isdir') - issues{end+1} = 'Improper use of rmdir without validating the directory path.'; + issues{end+1} = struct('ruleId', 'ImproperRmdirUsage', 'message', 'Improper use of rmdir without validating the directory path.'); end end % 5. Check for missing fclose after fopen if contains(code, 'fopen') if ~contains(code, 'fclose') - issues{end+1} = 'Missing fclose after fopen. 
Ensure to close files to prevent resource leaks.'; + issues{end+1} = struct('ruleId', 'MissingFclose', 'message', 'Missing fclose after fopen. Ensure to close files to prevent resource leaks.'); end end % 6. Check for insecure file permissions if contains(code, 'chmod') || contains(code, 'chown') - issues{end+1} = 'Insecure file permissions command detected. Review file permission handling.'; + issues{end+1} = struct('ruleId', 'InsecureFilePermissions', 'message', 'Insecure file permissions command detected. Review file permission handling.'); end % 7. Check for insecure random number generation if contains(code, 'rand') - issues{end+1} = 'Insecure random number generation detected. Consider using a cryptographically secure alternative.'; + issues{end+1} = struct('ruleId', 'InsecureRandomNumberGeneration', 'message', 'Insecure random number generation detected. Consider using a cryptographically secure alternative.'); end % 8. Check for insecure save function usage if contains(code, 'save') && ~contains(code, '-v7.3') - issues{end+1} = 'Insecure save function usage detected. Consider using the -v7.3 option for saving files.'; + issues{end+1} = struct('ruleId', 'InsecureSaveUsage', 'message', 'Insecure save function usage detected. Consider using the -v7.3 option for saving files.'); end % 9. Check for insecure use of eval if contains(code, 'eval') - issues{end+1} = 'Potentially unsafe use of eval detected. Avoid using eval for executing arbitrary code.'; + issues{end+1} = struct('ruleId', 'InsecureEvalUsage', 'message', 'Potentially unsafe use of eval detected. Avoid using eval for executing arbitrary code.'); end % 10. Check for unclosed figures if contains(code, 'figure') && ~contains(code, 'close') - issues{end+1} = 'Figures created but not closed. Ensure to close figures to free up system resources.'; + issues{end+1} = struct('ruleId', 'UnclosedFigures', 'message', 'Figures created but not closed. 
Ensure to close figures to free up system resources.'); end % 11. Check for lack of error handling if contains(code, 'try') && ~contains(code, 'catch') - issues{end+1} = 'Try without catch. Ensure proper error handling is implemented.'; + issues{end+1} = struct('ruleId', 'MissingCatch', 'message', 'Try without catch. Ensure proper error handling is implemented.'); end % 12. Check for usage of global variables if contains(code, 'global') - issues{end+1} = 'Use of global variables detected. Minimize the use of global variables for better encapsulation.'; + issues{end+1} = struct('ruleId', 'GlobalVariables', 'message', 'Use of global variables detected. Minimize the use of global variables for better encapsulation.'); end % 13. Check for comments not matching code @@ -127,7 +127,7 @@ lines = strsplit(code, '\n'); for line = lines if length(line{1}) < 20 && contains(line{1}, '%') % Short comments - issues{end+1} = 'Comments should provide sufficient context; consider expanding short comments.'; + issues{end+1} = struct('ruleId', 'ShortComments', 'message', 'Comments should provide sufficient context; consider expanding short comments.'); end end end 
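Review bot: The HardcodedCredentials rule is only reported when the file contains neither the word `validate` nor `sanitize` anywhere, so a file with a literal `password = '...'` and an unrelated `validateattributes` call is silently passed — the suppression has nothing to do with the credential. Drop the `~contains(code, 'validate') && ~contains(code, 'sanitize')` guard for this rule (and for ImproperInputHandling, which has the same shape) and match the assignment instead, e.g. `regexp(code, '(?i)(password|passwd|apiKey|secret|token)\s*=\s*[''"]', 'once')`. The HardcodedIpAddress check `contains(code, '(\d{1,3}\.){3}\d{1,3}')` is still a literal substring search and cannot fire; it needs `~isempty(regexp(code, ..., 'once'))`. The remaining rules are plain `contains` substring tests (`'cd'`, `'rand'`, `'save'`, `'global'`) that match inside ordinary identifiers and comments, so expect a high false-positive rate until they are word-bounded. The loop enclosing these checks starts and ends outside the hunk.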
@@ -136,10 +136,30 @@ lines = strsplit(code, '\n'); for i = 1:length(lines) if length(lines{i}) > 80 - issues{end+1} = sprintf('Line %d exceeds 80 characters. Consider breaking it into multiple lines.', i); + issues{end+1} = struct('ruleId', 'LongLines', 'message', sprintf('Line %d exceeds 80 characters. Consider breaking it into multiple lines.', i)); end end + % 15. Check for hard-coded paths + if contains(code, fullfile(pwd)) + issues{end+1} = struct('ruleId', 'HardcodedPaths', 'message', 'Hard-coded path detected. Use relative paths or environment variables for better portability.'); + end + + % 16. Check for redundant code + % ... (Implement code for redundant code detection) + + % 17. Check for inefficient algorithms + % ... (Implement code for inefficient algorithm detection) + + % 18. Check for inconsistent formatting + % ... (Implement code for inconsistent formatting detection) + + % 19. Check for unused variables + % ... (Implement code for unused variable detection) + + % 20. Check for magic numbers + % ... (Implement code for magic number detection) + % Store file path and issues found in results if ~isempty(issues) results{end+1} = {filePath, issues}; @@ -148,3 +168,11 @@ % Save results to .mat file save('code-analysis-results.mat', 'results'); + +% Convert results to SARIF format +sarif = struct('version', '2.1.0', 'runs', {}); +sarif.runs(1).toolName = 'Octave Static Code Analysis'; + +for i = 1:length(results) + filePath = results{i}{1}; + issues = results{i}{2}; From c451cd20ae4cbb6821e5b294e54c48c38ea55360 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 14:51:28 +0530 Subject: [PATCH 37/72] Update matlab-scan.yml From 9402125b57d335cf053950b3bb1c0b00eacb1e0c Mon Sep 17 00:00:00 2001 
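Review bot: The new SARIF block at the end of the file opens `for i = 1:length(results)` and the hunk ends after `issues = results{i}{2};` with no `end` and no write-out, so as committed the script has an unterminated loop and Octave will refuse to parse the whole file — the `.mat` is not written either. `struct('version', '2.1.0', 'runs', {})` also builds a 0×0 struct array (an empty cell passed to `struct()` sets the array size), so `sarif.runs(1).toolName = ...` on the next line is an error under MATLAB and should be checked under Octave; use `struct('version', '2.1.0', 'runs', [])` and then populate `tool.driver.name`, which is what the SARIF schema expects rather than `toolName`. The `HardcodedPaths` rule compares against `fullfile(pwd)`, i.e. the runner's own working directory, so it only flags a file that mentions the CI checkout path — that is not a hard-coded-path check. The placeholder rules 16–20 add nothing and would be better tracked in an issue than in the analyzer.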
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 14:54:18 +0530 Subject: [PATCH 38/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index b4988769..56220679 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -21,7 +21,13 @@ jobs: - name: Install Octave and dependencies run: | sudo apt-get update - sudo apt-get install -y octave libsarif-dev + sudo apt-get install -y octave + + # Add the SARIF repository (adjust as needed) + sudo add-apt-repository ppa:sarif/ppa + + sudo apt-get update + sudo apt-get install -y libsarif-dev # Step 3: Check for .m files in the repository - name: Find .m files From f2001b22b79d4a658d03ced2f426136d5d9e6043 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:02:31 +0530 Subject: [PATCH 39/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 86 +++++++++++++------------------ 1 file changed, 36 insertions(+), 50 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 56220679..bf278a38 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -5,7 +5,7 @@ on: branches: [ "master" ] pull_request: branches: [ "master" ] - workflow_dispatch: # Allows manual trigger from the Actions tab + workflow_dispatch: jobs: analyze: 
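Review bot: `sudo add-apt-repository ppa:sarif/ppa` adds a third-party PPA to the runner's apt sources as root and then installs `libsarif-dev` from it; nothing in this series shows where that PPA comes from or who maintains it, and pulling unverified packages into a workflow that produces security findings is a supply-chain risk in its own right. If a SARIF library is genuinely required, take it from a known source with a pinned version (a pip package or a vendored script) rather than an arbitrary PPA, and note that `add-apt-repository` without `-y` expects an interactive confirmation. The `jobs:` block starts outside the hunk.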
@@ -17,65 +17,51 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 - # Step 2: Install Octave and required dependencies - - name: Install Octave and dependencies + # Step 2: Install Octave + - name: Install Octave run: | sudo apt-get update sudo apt-get install -y octave - # Add the SARIF repository (adjust as needed) - sudo add-apt-repository ppa:sarif/ppa - - sudo apt-get update - sudo apt-get install -y libsarif-dev - - # Step 3: Check for .m files in the repository - - name: Find .m files - id: find_files - run: | - m_files=$(find . -name "*.m") - if [ -z "$m_files" ]; then - echo "No .m files found!" - exit 1 - else - echo "$m_files" - fi - - # Step 4: Create MATLAB analysis script in the correct location - - name: Create MATLAB analysis script + # Step 3: Create Octave analysis script + - name: Create Octave analysis script run: | - echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m - echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m - echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m - echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m - echo "% Initialize analysis results" >> .github/custom-queries/matlab/analyze_code.m - echo "results = {};" >> .github/custom-queries/matlab/analyze_code.m - echo "% Analyze each file" >> .github/custom-queries/matlab/analyze_code.m - echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m - echo " filePath = fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m - echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m - echo " code = fread(fid, '*char')';" >> .github/custom-queries/matlab/analyze_code.m - echo " fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m - echo " % Add any custom analysis logic here" >> .github/custom-queries/matlab/analyze_code.m - echo " issues = {};" >> 
.github/custom-queries/matlab/analyze_code.m - echo " if ~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m - echo " results{end+1} = {filePath, issues};" >> .github/custom-queries/matlab/analyze_code.m - echo " end" >> .github/custom-queries/matlab/analyze_code.m - echo "end" >> .github/custom-queries/matlab/analyze_code.m - echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m - echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m + echo "% Add current directory and subdirectories to path" > analyze_code.m + echo "addpath(genpath(pwd));" >> analyze_code.m + echo "% Find all .m files" >> analyze_code.m + echo "files = dir('**/*.m');" >> analyze_code.m + echo "% Initialize analysis results" >> analyze_code.m + echo "results = struct();" >> analyze_code.m + echo "% Analyze each file" >> analyze_code.m + echo "for k = 1:length(files)" >> analyze_code.m + echo " filePath = fullfile(files(k).folder, files(k).name);" >> analyze_code.m + echo " % Insert analysis logic here; store any issues found" >> analyze_code.m + echo " results(k).file = filePath;" >> analyze_code.m + echo " results(k).issues = 'Example issue description';" >> analyze_code.m + echo "end" >> analyze_code.m + echo "% Save the results to a JSON file" >> analyze_code.m + echo "jsonwrite('code-analysis-results.json', results);" >> analyze_code.m - # Step 5: Run the static code analysis using Octave - - name: Run MATLAB code analysis with Octave + # Step 4: Run the static code analysis using Octave + - name: Run Octave analysis run: | - octave --no-gui .github/custom-queries/matlab/analyze_code.m + octave --no-gui analyze_code.m - # Step 6: Convert the .mat file to SARIF - - name: Convert .mat to SARIF + # Step 5: Convert JSON to SARIF + - name: Convert JSON to SARIF run: | - matlab -nodisplay -nosplash -r "convertMatToSarif('code-analysis-results.mat', 'code-analysis-results.sarif')" + python3 -c " 
+import json +import sarif_om as sarif +with open('code-analysis-results.json') as f: + issues = json.load(f) +runs = [sarif.Run(tool=sarif.Tool(name='Octave Analysis'), results=[sarif.Result(ruleId='example-rule', message=sarif.Message(text=issue['issues']), locations=[sarif.Location(physicalLocation=sarif.PhysicalLocation(artifactLocation=sarif.ArtifactLocation(uri=issue['file'])))]) for issue in issues])] +sarif_log = sarif.SarifLog(schemaVersion='2.1.0', runs=runs) +with open('code-analysis-results.sarif', 'w') as sarif_file: + sarif_file.write(sarif_log.json(exclude_none=True)) + " - # Step 7: Upload the SARIF results for review + # Step 6: Upload the SARIF results - name: Upload SARIF results uses: actions/upload-artifact@v3 with: From 3efbb436000e1934b85beb3e43dff750160f2099 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:03:03 +0530 Subject: [PATCH 40/72] Rename analyze-code.m to analyze_code.m --- .github/custom-queries/matlab/{analyze-code.m => analyze_code.m} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/custom-queries/matlab/{analyze-code.m => analyze_code.m} (100%) diff --git a/.github/custom-queries/matlab/analyze-code.m b/.github/custom-queries/matlab/analyze_code.m similarity index 100% rename from .github/custom-queries/matlab/analyze-code.m rename to .github/custom-queries/matlab/analyze_code.m From b1e5c22b77cff1cb8582c6987a9559900be20833 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:06:06 +0530 Subject: [PATCH 41/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index bf278a38..784607e1 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
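Review bot: The generated stub now assigns `results(k).issues = 'Example issue description'` for every `.m` file, so the SARIF built in the next step reports a fabricated finding per file while the real analyzer in `.github/custom-queries/matlab/` is again not the code that runs; nothing from a placeholder should be uploaded. In the same step `jsonwrite(...)` is not an Octave builtin as far as I know (Octave 7+ offers `jsonencode`, and the string still has to be written with `fopen`/`fprintf`), so the JSON file would not be produced. The Python in `Convert JSON to SARIF` is placed at column 0 inside `run: |`, which terminates the YAML block scalar and makes the workflow file invalid; keep the code indented under `run:` and feed it through a heredoc such as `python3 - <<'PY'` with the body at the same indent as that line. `sarif.Tool(name=...)` and `sarif_log.json(...)` also do not match the `sarif_om` API I know — `Tool` takes `driver=ToolComponent(name=...)` and serialisation goes through `jschema_to_python.to_json` — so please confirm against the version being installed. The `jobs:` block starts outside the hunk.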
@@ -48,6 +48,10 @@ jobs: octave --no-gui analyze_code.m # Step 5: Convert JSON to SARIF + - name: Install SARIF Conversion Library + run: | + pip install sarif-om + - name: Convert JSON to SARIF run: | python3 -c " @@ -55,7 +59,22 @@ import json import sarif_om as sarif with open('code-analysis-results.json') as f: issues = json.load(f) -runs = [sarif.Run(tool=sarif.Tool(name='Octave Analysis'), results=[sarif.Result(ruleId='example-rule', message=sarif.Message(text=issue['issues']), locations=[sarif.Location(physicalLocation=sarif.PhysicalLocation(artifactLocation=sarif.ArtifactLocation(uri=issue['file'])))]) for issue in issues])] +runs = [sarif.Run( + tool=sarif.Tool(name='Octave Analysis'), + results=[ + sarif.Result( + ruleId='example-rule', + message=sarif.Message(text=issue['issues']), + locations=[ + sarif.Location( + physicalLocation=sarif.PhysicalLocation( + artifactLocation=sarif.ArtifactLocation(uri=issue['file']) + ) + ) + ] + ) for issue in issues + ] +)] sarif_log = sarif.SarifLog(schemaVersion='2.1.0', runs=runs) with open('code-analysis-results.sarif', 'w') as sarif_file: sarif_file.write(sarif_log.json(exclude_none=True)) From 1808b350fde3151860c32609817f875ea196d5c5 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:07:32 +0530 Subject: [PATCH 42/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 784607e1..20a353d0 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
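Review bot: `pip install sarif-om` in the new `Install SARIF Conversion Library` step is unpinned, so every run fetches whatever the index serves, and a compromised or yanked release goes straight into a workflow that writes into the repository's code-scanning data. Pin it — `python3 -m pip install 'sarif-om==1.0.4'` (check the current release before copying that version), ideally with `--require-hashes` from a requirements file — and use `python3 -m pip` so the package lands in the same interpreter the next step runs. The `jobs:` block starts outside the hunk.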
@@ -47,18 +47,21 @@ jobs: run: | octave --no-gui analyze_code.m - # Step 5: Convert JSON to SARIF + # Step 5: Install SARIF Conversion Library - name: Install SARIF Conversion Library run: | pip install sarif-om + # Step 6: Convert JSON to SARIF - name: Convert JSON to SARIF run: | python3 -c " import json import sarif_om as sarif + with open('code-analysis-results.json') as f: issues = json.load(f) + runs = [sarif.Run( tool=sarif.Tool(name='Octave Analysis'), results=[ @@ -76,11 +79,12 @@ runs = [sarif.Run( ] )] sarif_log = sarif.SarifLog(schemaVersion='2.1.0', runs=runs) + with open('code-analysis-results.sarif', 'w') as sarif_file: sarif_file.write(sarif_log.json(exclude_none=True)) " - # Step 6: Upload the SARIF results + # Step 7: Upload the SARIF results - name: Upload SARIF results uses: actions/upload-artifact@v3 with: From 312bf66d8bea4b5bcb76f7e5a25c9c70602d831d Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:09:38 +0530 Subject: [PATCH 43/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 48 ++++++++++++++++--------------- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 20a353d0..9e996e4f 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
@@ -56,32 +56,34 @@ jobs: - name: Convert JSON to SARIF run: | python3 -c " -import json -import sarif_om as sarif + import json + import sarif_om as sarif -with open('code-analysis-results.json') as f: - issues = json.load(f) + with open('code-analysis-results.json') as f: + issues = json.load(f) -runs = [sarif.Run( - tool=sarif.Tool(name='Octave Analysis'), - results=[ - sarif.Result( - ruleId='example-rule', - message=sarif.Message(text=issue['issues']), - locations=[ - sarif.Location( - physicalLocation=sarif.PhysicalLocation( - artifactLocation=sarif.ArtifactLocation(uri=issue['file']) - ) - ) - ] - ) for issue in issues - ] -)] -sarif_log = sarif.SarifLog(schemaVersion='2.1.0', runs=runs) + runs = [ + sarif.Run( + tool=sarif.Tool(name='Octave Analysis'), + results=[ + sarif.Result( + ruleId='example-rule', + message=sarif.Message(text=issue['issues']), + locations=[ + sarif.Location( + physicalLocation=sarif.PhysicalLocation( + artifactLocation=sarif.ArtifactLocation(uri=issue['file']) + ) + ) + ] + ) for issue in issues + ] + ) + ] -with open('code-analysis-results.sarif', 'w') as sarif_file: - sarif_file.write(sarif_log.json(exclude_none=True)) + sarif_log = sarif.SarifLog(schemaVersion='2.1.0', runs=runs) + with open('code-analysis-results.sarif', 'w') as sarif_file: + sarif_file.write(sarif_log.json(exclude_None=True)) " # Step 7: Upload the SARIF results From 50e538cfaccf35408429692b6320367041565c16 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:14:58 +0530 Subject: [PATCH 44/72] Update analyze_code.m --- .github/custom-queries/matlab/analyze_code.m | 146 +------------------ 1 file changed, 8 insertions(+), 138 deletions(-) diff --git a/.github/custom-queries/matlab/analyze_code.m b/.github/custom-queries/matlab/analyze_code.m index 3e73666e..906293de 100644 --- a/.github/custom-queries/matlab/analyze_code.m +++ b/.github/custom-queries/matlab/analyze_code.m 
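Review bot: Indenting the converter's lines deeper than `python3 -c "` means the source string handed to `-c` begins with whitespace on its first statement (`import json`), which Python rejects with `IndentationError: unexpected indent`; the `+` lines do carry extra indentation relative to the removed column-0 lines, so this fix for the YAML parse problem trades it for a Python one. The same hunk turns `exclude_none=True` into `exclude_None=True`, a different keyword because Python keyword arguments are case-sensitive. Either keep the Python at exactly the same column as the `python3 -c "` line, or move it into a script file in the repository and run `python3 <path-to-script>` so YAML indentation no longer leaks into Python source.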
@@ -23,7 +23,9 @@ % Initialize issues for the current file issues = {}; - % Check for improper input handling in mathematical operations + % Perform various analysis checks (as before)... + + % Example check: Check for improper input handling in mathematical operations if contains(code, '+') || contains(code, '-') || contains(code, '*') || contains(code, '/') || ... contains(code, '^') || contains(code, 'sqrt') || contains(code, 'log') if ~contains(code, 'validate') && ~contains(code, 'sanitize') 
@@ -31,148 +33,16 @@ end end - % Check for improper use of cd command - if contains(code, 'cd') - if ~contains(code, 'exist') && ~contains(code, 'isdir') - issues{end+1} = struct('ruleId', 'ImproperCdUsage', 'message', 'Improper use of cd command without validating the directory path.'); - end - end - - % Check for unsafe mkdir usage - if contains(code, 'mkdir') - if ~contains(code, 'exist') && ~contains(code, 'isdir') - issues{end+1} = struct('ruleId', 'UnsafeMkdirUsage', 'message', 'Unsafe use of mkdir without checking for directory existence or permissions.'); - end - end - - % Check for deprecated functions usage - if contains(code, 'str2num') || contains(code, 'input') || contains(code, 'addpath') - issues{end+1} = struct('ruleId', 'DeprecatedFunctionUsage', 'message', 'Deprecated function usage detected. Consider updating to supported alternatives.'); - end - - % Additional Checks - - % 1. Check for hard-coded credentials - if contains(code, 'password') || contains(code, 'passwd') || contains(code, 'apiKey') || ... - contains(code, 'secret') || contains(code, 'token') - if ~contains(code, 'validate') && ~contains(code, 'sanitize') - issues{end+1} = struct('ruleId', 'HardcodedCredentials', 'message', 'Hard-coded credentials detected. Avoid hard-coding sensitive information.'); - end - end - - % 2. Check for hard-coded IP addresses - if contains(code, '(\d{1,3}\.){3}\d{1,3}') % Regular expression for matching IP addresses - issues{end+1} = struct('ruleId', 'HardcodedIpAddress', 'message', 'Hard-coded IP address detected. Consider using a configuration file or environment variables.'); - end - - % 3. Check for improper use of pause function - if contains(code, 'pause') - if ~contains(code, 'check') && ~contains(code, 'validate') - issues{end+1} = struct('ruleId', 'ImproperPauseUsage', 'message', 'Improper use of pause function detected without timing checks.'); - end - end - - % 4. 
Check for improper use of rmdir - if contains(code, 'rmdir') - if ~contains(code, 'exist') && ~contains(code, 'isdir') - issues{end+1} = struct('ruleId', 'ImproperRmdirUsage', 'message', 'Improper use of rmdir without validating the directory path.'); - end - end - - % 5. Check for missing fclose after fopen - if contains(code, 'fopen') - if ~contains(code, 'fclose') - issues{end+1} = struct('ruleId', 'MissingFclose', 'message', 'Missing fclose after fopen. Ensure to close files to prevent resource leaks.'); - end - end - - % 6. Check for insecure file permissions - if contains(code, 'chmod') || contains(code, 'chown') - issues{end+1} = struct('ruleId', 'InsecureFilePermissions', 'message', 'Insecure file permissions command detected. Review file permission handling.'); - end - - % 7. Check for insecure random number generation - if contains(code, 'rand') - issues{end+1} = struct('ruleId', 'InsecureRandomNumberGeneration', 'message', 'Insecure random number generation detected. Consider using a cryptographically secure alternative.'); - end - - % 8. Check for insecure save function usage - if contains(code, 'save') && ~contains(code, '-v7.3') - issues{end+1} = struct('ruleId', 'InsecureSaveUsage', 'message', 'Insecure save function usage detected. Consider using the -v7.3 option for saving files.'); - end - - % 9. Check for insecure use of eval - if contains(code, 'eval') - issues{end+1} = struct('ruleId', 'InsecureEvalUsage', 'message', 'Potentially unsafe use of eval detected. Avoid using eval for executing arbitrary code.'); - end - - % 10. Check for unclosed figures - if contains(code, 'figure') && ~contains(code, 'close') - issues{end+1} = struct('ruleId', 'UnclosedFigures', 'message', 'Figures created but not closed. Ensure to close figures to free up system resources.'); - end - - % 11. Check for lack of error handling - if contains(code, 'try') && ~contains(code, 'catch') - issues{end+1} = struct('ruleId', 'MissingCatch', 'message', 'Try without catch. 
Ensure proper error handling is implemented.'); - end - - % 12. Check for usage of global variables - if contains(code, 'global') - issues{end+1} = struct('ruleId', 'GlobalVariables', 'message', 'Use of global variables detected. Minimize the use of global variables for better encapsulation.'); - end - - % 13. Check for comments not matching code - if contains(code, '%') - % Check for comment length versus code length - lines = strsplit(code, '\n'); - for line = lines - if length(line{1}) < 20 && contains(line{1}, '%') % Short comments - issues{end+1} = struct('ruleId', 'ShortComments', 'message', 'Comments should provide sufficient context; consider expanding short comments.'); - end - end - end - - % 14. Check for excessively long lines - lines = strsplit(code, '\n'); - for i = 1:length(lines) - if length(lines{i}) > 80 - issues{end+1} = struct('ruleId', 'LongLines', 'message', sprintf('Line %d exceeds 80 characters. Consider breaking it into multiple lines.', i)); - end - end - - % 15. Check for hard-coded paths - if contains(code, fullfile(pwd)) - issues{end+1} = struct('ruleId', 'HardcodedPaths', 'message', 'Hard-coded path detected. Use relative paths or environment variables for better portability.'); - end - - % 16. Check for redundant code - % ... (Implement code for redundant code detection) - - % 17. Check for inefficient algorithms - % ... (Implement code for inefficient algorithm detection) - - % 18. Check for inconsistent formatting - % ... (Implement code for inconsistent formatting detection) - - % 19. Check for unused variables - % ... (Implement code for unused variable detection) - - % 20. Check for magic numbers - % ... 
(Implement code for magic number detection) - % Store file path and issues found in results if ~isempty(issues) results{end+1} = {filePath, issues}; end end -% Save results to .mat file +% Save results as a .mat file save('code-analysis-results.mat', 'results'); -% Convert results to SARIF format -sarif = struct('version', '2.1.0', 'runs', {}); -sarif.runs(1).toolName = 'Octave Static Code Analysis'; - -for i = 1:length(results) - filePath = results{i}{1}; - issues = results{i}{2}; +% Save results as JSON file +fid = fopen('code-analysis-results.json', 'w'); +fwrite(fid, jsonencode(results)); +fclose(fid); From a3ef04e6ecfc0e2a0e11826aa3a3cd1c9d8324d0 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:15:04 +0530 Subject: [PATCH 45/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 86 +++++++++++-------------------- 1 file changed, 30 insertions(+), 56 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 9e996e4f..c6280c81 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
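Review bot: The new JSON writer passes `fid` from `fopen('code-analysis-results.json', 'w')` straight to `fwrite` and `fclose` without checking for the `-1` failure value, so a write error in CI surfaces later as the converter step finding no file rather than here. Add `if fid < 0, error('cannot open code-analysis-results.json for writing'); end` immediately after the `fopen`. `jsonencode` is a MATLAB function that only newer Octave releases ship, so confirm it exists on the Octave version `apt-get` installs on the runner — PATCH 47 replaces it with a hand-written encoder, which suggests it did not.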
@@ -1,58 +1,37 @@ -name: "Octave Static Code Analysis for MATLAB" +name: Octave Static Code Analysis on: push: - branches: [ "master" ] - pull_request: - branches: [ "master" ] - workflow_dispatch: + branches: + - master jobs: analyze: - name: Analyze MATLAB Code with Octave runs-on: ubuntu-latest steps: - # Step 1: Checkout repository - - name: Checkout repository - uses: actions/checkout@v3 + # Step 1: Checkout the repository + - name: Checkout code + uses: actions/checkout@v2 - # Step 2: Install Octave + # Step 2: Set up Octave - name: Install Octave run: | sudo apt-get update sudo apt-get install -y octave - # Step 3: Create Octave analysis script - - name: Create Octave analysis script + # Step 3: Install Python and required packages + - name: Install Python run: | - echo "% Add current directory and subdirectories to path" > analyze_code.m - echo "addpath(genpath(pwd));" >> analyze_code.m - echo "% Find all .m files" >> analyze_code.m - echo "files = dir('**/*.m');" >> analyze_code.m - echo "% Initialize analysis results" >> analyze_code.m - echo "results = struct();" >> analyze_code.m - echo "% Analyze each file" >> analyze_code.m - echo "for k = 1:length(files)" >> analyze_code.m - echo " filePath = fullfile(files(k).folder, files(k).name);" >> analyze_code.m - echo " % Insert analysis logic here; store any issues found" >> analyze_code.m - echo " results(k).file = filePath;" >> analyze_code.m - echo " results(k).issues = 'Example issue description';" >> analyze_code.m - echo "end" >> analyze_code.m - echo "% Save the results to a JSON file" >> analyze_code.m - echo "jsonwrite('code-analysis-results.json', results);" >> analyze_code.m + sudo apt-get install -y python3 python3-pip + pip3 install sarif-om # Step 4: Run the static code analysis using Octave - name: Run Octave analysis run: | octave --no-gui analyze_code.m - # Step 5: Install SARIF Conversion Library - - name: Install SARIF Conversion Library - run: | - pip install sarif-om - - # Step 6: 
Convert JSON to SARIF + # Step 5: Convert JSON to SARIF - name: Convert JSON to SARIF run: | python3 -c " @@ -62,33 +41,28 @@ jobs: with open('code-analysis-results.json') as f: issues = json.load(f) - runs = [ - sarif.Run( - tool=sarif.Tool(name='Octave Analysis'), - results=[ - sarif.Result( - ruleId='example-rule', - message=sarif.Message(text=issue['issues']), - locations=[ - sarif.Location( - physicalLocation=sarif.PhysicalLocation( - artifactLocation=sarif.ArtifactLocation(uri=issue['file']) - ) - ) - ] - ) for issue in issues - ] - ) - ] + runs = [sarif.Run( + tool=sarif.Tool(name='Octave Analysis'), + results=[ + sarif.Result( + ruleId=issue[1][i]['ruleId'], + message=sarif.Message(text=issue[1][i]['message']), + locations=[sarif.Location( + physicalLocation=sarif.PhysicalLocation( + artifactLocation=sarif.ArtifactLocation(uri=issue[0]) + ) + )] + ) for i in range(len(issue[1])) + ] + ) for issue in issues] sarif_log = sarif.SarifLog(schemaVersion='2.1.0', runs=runs) with open('code-analysis-results.sarif', 'w') as sarif_file: - sarif_file.write(sarif_log.json(exclude_None=True)) + sarif_file.write(sarif_log.json(exclude_none=True)) " - # Step 7: Upload the SARIF results + # Step 6: Upload the SARIF results - name: Upload SARIF results - uses: actions/upload-artifact@v3 + uses: github/codeql-action/upload-sarif@v1 with: - name: code-analysis-results - path: code-analysis-results.sarif + sarif_file: code-analysis-results.sarif From 78733824ff6aad8082fa29cf9c6760af5e597894 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:19:45 +0530 Subject: [PATCH 46/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index c6280c81..42b823aa 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
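Review bot: The checkout step moves from `actions/checkout@v3` back to `actions/checkout@v2`, a major version on the deprecated Node 12 runtime that no longer receives fixes; stay on `actions/checkout@v3` or newer and, for supply-chain hygiene, pin actions to a full commit SHA rather than a floating major tag. `pip3 install sarif-om` in the new "Install Python" step is unpinned, the same point raised at PATCH 41. That step also runs `apt-get install -y python3 python3-pip` without its own `apt-get update`, relying on the one in the "Install Octave" step; that ordering dependency deserves a comment such as `# relies on apt-get update from the Install Octave step`.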
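Review bot: The new `github/codeql-action/upload-sarif@v1` step uploads to code scanning, which needs `security-events: write` on the GITHUB_TOKEN, but the `analyze` job (its header is in the previous hunk) declares no `permissions:` block, so on a repository whose default token permissions are read-only the upload is rejected. Add `permissions:` with `security-events: write` and `contents: read` to the job, and prefer a current major of the action over `@v1`, which is a deprecated line of the CodeQL action. The same applies when the upload step is re-added in PATCH 52.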
@@ -29,6 +29,8 @@ jobs: # Step 4: Run the static code analysis using Octave - name: Run Octave analysis run: | + export DISPLAY="" + cd .github/custom-queries/matlab # Change to the directory containing the script octave --no-gui analyze_code.m # Step 5: Convert JSON to SARIF @@ -42,17 +44,17 @@ jobs: issues = json.load(f) runs = [sarif.Run( - tool=sarif.Tool(name='Octave Analysis'), + tool=sarif.Tool(name='Octave Analysis'), results=[ sarif.Result( - ruleId=issue[1][i]['ruleId'], - message=sarif.Message(text=issue[1][i]['message']), + ruleId=issue[1][i]['ruleId'], + message=sarif.Message(text=issue[1][i]['message']), locations=[sarif.Location( physicalLocation=sarif.PhysicalLocation( artifactLocation=sarif.ArtifactLocation(uri=issue[0]) ) )] - ) for i in range(len(issue[1])) + ) for i in range(len(issue[1])) ] ) for issue in issues] From 6b2c2453955002b76069adcbf87e37e85973b580 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:22:46 +0530 Subject: [PATCH 47/72] Update analyze_code.m --- .github/custom-queries/matlab/analyze_code.m | 38 ++++++++++++++++++-- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/.github/custom-queries/matlab/analyze_code.m b/.github/custom-queries/matlab/analyze_code.m index 906293de..89d0f173 100644 --- a/.github/custom-queries/matlab/analyze_code.m +++ b/.github/custom-queries/matlab/analyze_code.m @@ -23,8 +23,7 @@ % Initialize issues for the current file issues = {}; - % Perform various analysis checks (as before)... - + % Perform various analysis checks % Example check: Check for improper input handling in mathematical operations if contains(code, '+') || contains(code, '-') || contains(code, '*') || contains(code, '/') || ... contains(code, '^') || contains(code, 'sqrt') || contains(code, 'log') 
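Review bot: After `cd .github/custom-queries/matlab`, Octave writes `code-analysis-results.json` into that directory, but every `run:` step starts in the workspace root and the "Convert JSON to SARIF" step still does `open('code-analysis-results.json')` (visible as context in the second hunk), so the converter fails with FileNotFoundError. Use the step-level `working-directory: .github/custom-queries/matlab` key instead of an inline `cd` and read the same path in the converter, or have the converter open `.github/custom-queries/matlab/code-analysis-results.json`. If `analyze_code.m` globs for `.m` files relative to the current directory (its header is not in this patch), running it from inside `.github/custom-queries/matlab` would also restrict the scan to that directory — worth confirming. The second hunk here is whitespace-only.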
@@ -42,7 +41,40 @@ % Save results as a .mat file save('code-analysis-results.mat', 'results'); +% Custom function to convert results to JSON format +function jsonStr = custom_jsonencode(data) + % Convert cell array to JSON string manually + jsonStr = '['; + for i = 1:length(data) + filePath = data{i}{1}; + issues = data{i}{2}; + + jsonStr = [jsonStr, '{']; + jsonStr = [jsonStr, '"filePath": "', filePath, '",']; + jsonStr = [jsonStr, '"issues": [']; + + for j = 1:length(issues) + issue = issues{j}; + jsonStr = [jsonStr, '{']; + jsonStr = [jsonStr, '"ruleId": "', issue.ruleId, '",']; + jsonStr = [jsonStr, '"message": "', issue.message, '"']; + jsonStr = [jsonStr, '}']; + + if j < length(issues) + jsonStr = [jsonStr, ', ']; % Add a comma for other issues + end + end + + jsonStr = [jsonStr, ']}']; + + if i < length(data) + jsonStr = [jsonStr, ', ']; % Add a comma for other files + end + end + jsonStr = [jsonStr, ']']; % Close the JSON array +end + % Save results as JSON file fid = fopen('code-analysis-results.json', 'w'); -fwrite(fid, jsonencode(results)); +fwrite(fid, custom_jsonencode(results), 'char'); fclose(fid); From a59a48d90adb095c10b662cef9a7ec95a23b3f1d Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:26:43 +0530 Subject: [PATCH 48/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 72 ++++++++++++++----------------- 1 file changed, 33 insertions(+), 39 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 42b823aa..44a939c1 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
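Review bot: `custom_jsonencode` concatenates `filePath` and `issue.message` into the JSON text verbatim, so any `"`, `\` or newline in a file name or message produces invalid JSON and the converter's `json.load` fails — a path containing a quote is the obvious trigger. Escape both fields before concatenation, e.g. `esc = @(s) strrep(strrep(s, '\', '\\'), '"', '\"');` and then `'"filePath": "', esc(filePath), '",'` and `'"message": "', esc(issue.message), '"'`; control characters such as newlines need the same treatment if messages can contain them. Defining the function mid-script before its call site works in Octave, which is what the workflow runs, but MATLAB requires local functions at the end of a script, so a comment like `% Octave-only: local function defined before use` would save the next reader a surprise.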
@@ -1,70 +1,64 @@ -name: Octave Static Code Analysis +name: MATLAB Code Analysis on: push: branches: - - master + - main # Adjust the branch as needed + pull_request: jobs: analyze: runs-on: ubuntu-latest steps: - # Step 1: Checkout the repository - name: Checkout code uses: actions/checkout@v2 - # Step 2: Set up Octave - - name: Install Octave - run: | - sudo apt-get update - sudo apt-get install -y octave + - name: Set up Octave + run: sudo apt-get install -y octave - # Step 3: Install Python and required packages - - name: Install Python + - name: Run Octave code analysis run: | - sudo apt-get install -y python3 python3-pip - pip3 install sarif-om + cd .github/custom-queries/matlab # Change to the directory containing the script + octave --no-gui analyze_code.m - # Step 4: Run the static code analysis using Octave - - name: Run Octave analysis + - name: Install Python dependencies run: | - export DISPLAY="" - cd .github/custom-queries/matlab # Change to the directory containing the script - octave --no-gui analyze_code.m + python3 -m pip install --upgrade pip + pip install sarif-om - # Step 5: Convert JSON to SARIF - - name: Convert JSON to SARIF + - name: Convert results to SARIF run: | python3 -c " import json import sarif_om as sarif + # Load the JSON results from the analysis with open('code-analysis-results.json') as f: issues = json.load(f) - runs = [sarif.Run( - tool=sarif.Tool(name='Octave Analysis'), - results=[ - sarif.Result( - ruleId=issue[1][i]['ruleId'], - message=sarif.Message(text=issue[1][i]['message']), - locations=[sarif.Location( - physicalLocation=sarif.PhysicalLocation( - artifactLocation=sarif.ArtifactLocation(uri=issue[0]) - ) - )] - ) for i in range(len(issue[1])) - ] - ) for issue in issues] + # Build SARIF runs from the loaded issues + runs = [ + sarif.Run( + tool=sarif.Tool(name='Octave Analysis'), + results=[ + sarif.Result( + ruleId=issue[1][i]['ruleId'], # Use single quotes for consistency + 
message=sarif.Message(text=issue[1][i]['message']), + locations=[sarif.Location( + physicalLocation=sarif.PhysicalLocation( + artifactLocation=sarif.ArtifactLocation(uri=issue[0]) + ) + )] + ) for i in range(len(issue[1])) + ] + ) for issue in issues + ] + # Create a SARIF log sarif_log = sarif.SarifLog(schemaVersion='2.1.0', runs=runs) + + # Write the SARIF log to a file with open('code-analysis-results.sarif', 'w') as sarif_file: sarif_file.write(sarif_log.json(exclude_none=True)) " - - # Step 6: Upload the SARIF results - - name: Upload SARIF results - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: code-analysis-results.sarif From 968b8ab84f4c6417fbd2961cae42e3c2d9792ee4 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:27:51 +0530 Subject: [PATCH 49/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 44a939c1..bf20edf7 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -3,7 +3,7 @@ name: MATLAB Code Analysis on: push: branches: - - main # Adjust the branch as needed + - master # Adjust the branch as needed pull_request: jobs: From df221a9b74a9f3c2072fe3e0aedea389c52da90a Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:54:54 +0530 Subject: [PATCH 50/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index bf20edf7..597a4436 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
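Review bot: The rewritten job removes the "Upload SARIF results" step and replaces it with nothing, so `code-analysis-results.sarif` is written on the runner and discarded when the job ends — no code-scanning alert and no artifact, which defeats the purpose of the workflow. Restore an upload step (`github/codeql-action/upload-sarif` with `sarif_file:`, plus `security-events: write` on the job as raised at PATCH 45), or at minimum `actions/upload-artifact` so the output can be inspected. The "Set up Octave" step also drops `sudo apt-get update` before `apt-get install -y octave`, which can fail on a stale package index, and the mismatch between the `cd .github/custom-queries/matlab` in "Run Octave code analysis" and `open('code-analysis-results.json')` in the converter, raised at PATCH 46, is unchanged here.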
@@ -3,7 +3,7 @@ name: MATLAB Code Analysis on: push: branches: - - master # Adjust the branch as needed + - main # Adjust the branch as needed pull_request: jobs: @@ -22,6 +22,11 @@ jobs: cd .github/custom-queries/matlab # Change to the directory containing the script octave --no-gui analyze_code.m + - name: List generated files (optional) + run: | + cd .github/custom-queries/matlab # Ensure you're in the correct directory + ls -la # List files to confirm the JSON file is created + - name: Install Python dependencies run: | python3 -m pip install --upgrade pip @@ -34,7 +39,7 @@ jobs: import sarif_om as sarif # Load the JSON results from the analysis - with open('code-analysis-results.json') as f: + with open('.github/custom-queries/matlab/code-analysis-results.json') as f: issues = json.load(f) # Build SARIF runs from the loaded issues @@ -59,6 +64,6 @@ jobs: sarif_log = sarif.SarifLog(schemaVersion='2.1.0', runs=runs) # Write the SARIF log to a file - with open('code-analysis-results.sarif', 'w') as sarif_file: + with open('.github/custom-queries/matlab/code-analysis-results.sarif', 'w') as sarif_file: sarif_file.write(sarif_log.json(exclude_none=True)) " From 11b3051dde0d76cd8e977a6274e212e8bc5581f5 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:55:29 +0530 Subject: [PATCH 51/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 597a4436..98b9f847 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -3,7 +3,7 @@ name: MATLAB Code Analysis on: push: branches: - - main # Adjust the branch as needed + - master # Adjust the branch as needed pull_request: jobs: From 27c791ad57b318118728e75140027be74483238b Mon Sep 17 00:00:00 2001 
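Review bot: The "List generated files (optional)" step is a debugging aid (`cd …` then `ls -la`) that would run on every push and pull request once merged; drop it before merge, or keep it behind `if: runner.debug == '1'` so it only runs when step debug logging is enabled. The third and fourth hunks fix the converter's input and output paths by hard-coding `.github/custom-queries/matlab/…` in two more places; a single `working-directory: .github/custom-queries/matlab` on the Octave and converter steps would remove the inline `cd` and the repeated prefix. The branch rename in the first hunk is trivial.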
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:00:22 +0530 Subject: [PATCH 52/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 32 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 98b9f847..5afc177e 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,37 +1,30 @@ name: MATLAB Code Analysis -on: +on:  push: branches: - - master # Adjust the branch as needed + - master # Adjust as necessary pull_request: + branches: + - master # Adjust as necessary jobs: analyze: runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Checkout repository uses: actions/checkout@v2 - - name: Set up Octave + - name: Install Octave run: sudo apt-get install -y octave - - name: Run Octave code analysis + - name: Run Octave Analysis run: | + export DISPLAY="" cd .github/custom-queries/matlab # Change to the directory containing the script octave --no-gui analyze_code.m - - name: List generated files (optional) - run: | - cd .github/custom-queries/matlab # Ensure you're in the correct directory - ls -la # List files to confirm the JSON file is created - - - name: Install Python dependencies - run: | - python3 -m pip install --upgrade pip - pip install sarif-om - - name: Convert results to SARIF run: | python3 -c " 
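Review bot: The "Install Python dependencies" step (`pip install sarif-om`) is deleted while "Convert results to SARIF" still runs `import sarif_om as sarif`, so the converter fails with ModuleNotFoundError unless the package happens to be on the runner image; keep an install step (pinned, as raised at PATCH 41) ahead of the converter. The rewritten `on:` line also carries trailing whitespace (`+on:  `), which yamllint flags and which PATCH 53–56 then churn on removing and reintroducing; strip it here. The converter's `run:` block begins in this hunk and continues past its end.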
@@ -61,9 +54,14 @@ jobs: ] # Create a SARIF log - sarif_log = sarif.SarifLog(schemaVersion='2.1.0', runs=runs) + sarif_log = sarif.SarifLog(runs=runs) # Removed schemaVersion here # Write the SARIF log to a file with open('.github/custom-queries/matlab/code-analysis-results.sarif', 'w') as sarif_file: - sarif_file.write(sarif_log.json(exclude_none=True)) + sarif_file.write(sarif_log.json(exclude_none=True, schema_version='2.1.0')) # Specify schema_version here " + + - name: Upload SARIF results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: '.github/custom-queries/matlab/code-analysis-results.sarif' From bcf2aaa41128d75939d3433eea0aad2679d11b12 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:02:16 +0530 Subject: [PATCH 53/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 5afc177e..a7de57d7 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,6 +1,6 @@ name: MATLAB Code Analysis -on:  +on: push: branches: - master # Adjust as necessary From 93181bd8d5f33f71b103f172a4d5b82f760188b6 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:05:13 +0530 Subject: [PATCH 54/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index a7de57d7..a38e0f64 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
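Review bot: Dropping the version from `sarif.SarifLog(runs=runs)` and passing `schema_version='2.1.0'` to `.json(...)` relies on the serializer emitting the top-level `version` property that SARIF 2.1.0 requires and that `upload-sarif` validates; as far as I can tell sarif_om's `SarifLog` has a `version` attribute for exactly this (which PATCH 56 returns to), and `.json(...)` is not a method of its attrs-based classes, so the step would fail before a file is produced. The re-added upload step still has no `permissions: security-events: write` on the job, as raised at PATCH 45. Running the converter once locally against the `sarif_om` version actually installed would replace the sequence of blind fixes in PATCH 56–59.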
@@ -1,12 +1,12 @@ name: MATLAB Code Analysis -on: +on:  push: branches: - - master # Adjust as necessary + - master # Adjusted to master branch pull_request: branches: - - master # Adjust as necessary + - master # Adjusted to master branch jobs: analyze: @@ -19,6 +19,11 @@ jobs: - name: Install Octave run: sudo apt-get install -y octave + - name: Install Python dependencies + run: | + python3 -m pip install --upgrade pip + pip install sarif-om + - name: Run Octave Analysis run: | export DISPLAY="" From 262ed7600fa646526ece46fec2001fc0f224ecd7 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:10:19 +0530 Subject: [PATCH 55/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index a38e0f64..42c6a31c 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,12 +1,14 @@ name: MATLAB Code Analysis -on:  +on: push: branches: - - master # Adjusted to master branch + - master # Adjust as necessary pull_request: branches: - - master # Adjusted to master branch + - master # Adjust as necessary + + jobs: analyze: From 4693e84219e24e13da84f54f4dd84eec605b410a Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:12:41 +0530 Subject: [PATCH 56/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 42c6a31c..05dbe51d 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,6 +1,6 @@ name: MATLAB Code Analysis -on: +on: push: branches: - master # Adjust as necessary 
@@ -8,8 +8,6 @@ on: branches: - master # Adjust as necessary - - jobs: analyze: runs-on: ubuntu-latest @@ -61,11 +59,11 @@ jobs: ] # Create a SARIF log - sarif_log = sarif.SarifLog(runs=runs) # Removed schemaVersion here + sarif_log = sarif.SarifLog(version='2.1.0', runs=runs) # Added schema version # Write the SARIF log to a file with open('.github/custom-queries/matlab/code-analysis-results.sarif', 'w') as sarif_file: - sarif_file.write(sarif_log.json(exclude_none=True, schema_version='2.1.0')) # Specify schema_version here + sarif_file.write(sarif_log.json(exclude_none=True)) " - name: Upload SARIF results From a32cd7b13f65f04d0088c93f20ff816e08eadfc2 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:14:48 +0530 Subject: [PATCH 57/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 05dbe51d..45d378a6 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -63,7 +63,7 @@ jobs: # Write the SARIF log to a file with open('.github/custom-queries/matlab/code-analysis-results.sarif', 'w') as sarif_file: - sarif_file.write(sarif_log.json(exclude_none=True)) + sarif_file.write(sarif_log.json(exclude_none=True)) # Use serialize method " - name: Upload SARIF results From b416809a6d0ddce878aa3ebee5fd9db197792d74 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:16:26 +0530 Subject: [PATCH 58/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 45d378a6..ef17848d 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
@@ -63,7 +63,7 @@ jobs: # Write the SARIF log to a file with open('.github/custom-queries/matlab/code-analysis-results.sarif', 'w') as sarif_file: - sarif_file.write(sarif_log.json(exclude_none=True)) # Use serialize method + sarif_file.write(sarif_log.serialize(exclude_none=True)) # Use serialize method " - name: Upload SARIF results From 8737e55e6e5ce8742579d495df8c2ca27f0e4642 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:19:36 +0530 Subject: [PATCH 59/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index ef17848d..1cbbcdae 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -63,7 +63,7 @@ jobs: # Write the SARIF log to a file with open('.github/custom-queries/matlab/code-analysis-results.sarif', 'w') as sarif_file: - sarif_file.write(sarif_log.serialize(exclude_none=True)) # Use serialize method + json.dump(sarif_log.to_dict(exclude_none=True), sarif_file) " - name: Upload SARIF results From 4e14116b403987fed48758c7f6e84a9a09ffef03 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:29:45 +0530 Subject: [PATCH 60/72] Update analyze_code.m --- .github/custom-queries/matlab/analyze_code.m | 176 +++++++++++++++---- 1 file changed, 138 insertions(+), 38 deletions(-) diff --git a/.github/custom-queries/matlab/analyze_code.m b/.github/custom-queries/matlab/analyze_code.m index 89d0f173..6ac3a595 100644 --- a/.github/custom-queries/matlab/analyze_code.m +++ b/.github/custom-queries/matlab/analyze_code.m 
@@ -23,12 +23,120 @@ % Initialize issues for the current file issues = {}; - % Perform various analysis checks - % Example check: Check for improper input handling in mathematical operations + % Check for improper input handling in mathematical operations if contains(code, '+') || contains(code, '-') || contains(code, '*') || contains(code, '/') || ... contains(code, '^') || contains(code, 'sqrt') || contains(code, 'log') if ~contains(code, 'validate') && ~contains(code, 'sanitize') - issues{end+1} = struct('ruleId', 'ImproperInputHandling', 'message', 'Improper input handling in mathematical operations detected.'); + issues{end+1} = 'Improper input handling in mathematical operations detected.'; + end + end + + % Check for improper use of cd command + if contains(code, 'cd') + if ~contains(code, 'exist') && ~contains(code, 'isdir') + issues{end+1} = 'Improper use of cd command without validating the directory path.'; + end + end + + % Check for unsafe mkdir usage + if contains(code, 'mkdir') + if ~contains(code, 'exist') && ~contains(code, 'isdir') + issues{end+1} = 'Unsafe use of mkdir without checking for directory existence or permissions.'; + end + end + + % Check for deprecated functions usage + if contains(code, 'str2num') || contains(code, 'input') || contains(code, 'addpath') + issues{end+1} = 'Deprecated function usage detected. Consider updating to supported alternatives.'; + end + + % Additional Checks + + % 1. Check for hard-coded credentials + if contains(code, 'password') || contains(code, 'passwd') || contains(code, 'apiKey') || ... + contains(code, 'secret') || contains(code, 'token') + if ~contains(code, 'validate') && ~contains(code, 'sanitize') + issues{end+1} = 'Hard-coded credentials detected. Avoid hard-coding sensitive information.'; + end + end + + % 2. Check for hard-coded IP addresses + if contains(code, '(\d{1,3}\.){3}\d{1,3}') % Regular expression for matching IP addresses + issues{end+1} = 'Hard-coded IP address detected. 
Consider using a configuration file or environment variables.'; + end + + % 3. Check for improper use of pause function + if contains(code, 'pause') + if ~contains(code, 'check') && ~contains(code, 'validate') + issues{end+1} = 'Improper use of pause function detected without timing checks.'; + end + end + + % 4. Check for improper use of rmdir + if contains(code, 'rmdir') + if ~contains(code, 'exist') && ~contains(code, 'isdir') + issues{end+1} = 'Improper use of rmdir without validating the directory path.'; + end + end + + % 5. Check for missing fclose after fopen + if contains(code, 'fopen') + if ~contains(code, 'fclose') + issues{end+1} = 'Missing fclose after fopen. Ensure to close files to prevent resource leaks.'; + end + end + + % 6. Check for insecure file permissions + if contains(code, 'chmod') || contains(code, 'chown') + issues{end+1} = 'Insecure file permissions command detected. Review file permission handling.'; + end + + % 7. Check for insecure random number generation + if contains(code, 'rand') + issues{end+1} = 'Insecure random number generation detected. Consider using a cryptographically secure alternative.'; + end + + % 8. Check for insecure save function usage + if contains(code, 'save') && ~contains(code, '-v7.3') + issues{end+1} = 'Insecure save function usage detected. Consider using the -v7.3 option for saving files.'; + end + + % 9. Check for insecure use of eval + if contains(code, 'eval') + issues{end+1} = 'Potentially unsafe use of eval detected. Avoid using eval for executing arbitrary code.'; + end + + % 10. Check for unclosed figures + if contains(code, 'figure') && ~contains(code, 'close') + issues{end+1} = 'Figures created but not closed. Ensure to close figures to free up system resources.'; + end + + % 11. Check for lack of error handling + if contains(code, 'try') && ~contains(code, 'catch') + issues{end+1} = 'Try without catch. Ensure proper error handling is implemented.'; + end + + % 12. 
Check for usage of global variables + if contains(code, 'global') + issues{end+1} = 'Use of global variables detected. Minimize the use of global variables for better encapsulation.'; + end + + % 13. Check for comments not matching code + if contains(code, '%') + % Check for comment length versus code length + lines = strsplit(code, '\n'); + for line = lines + if length(line{1}) < 20 && contains(line{1}, '%') % Short comments + issues{end+1} = 'Comments should provide sufficient context; consider expanding short comments.'; + end + end + end + + % 14. Check for excessively long lines + lines = strsplit(code, '\n'); + for i = 1:length(lines) + if length(lines{i}) > 80 + issues{end+1} = sprintf('Line %d exceeds 80 characters. Consider breaking it into multiple lines.', i); end end 
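Review bot: The hard-coded IP check uses `contains(code, '(\d{1,3}\.){3}\d{1,3}')`, which is a literal substring search, so it only fires if a file contains that exact regex text; it should be `if ~isempty(regexp(code, '(\d{1,3}\.){3}\d{1,3}', 'once'))`. The other new checks are likewise whole-file substring tests (`'cd'`, `'rand'`, `'input'`, `'password'`) and the credential check is suppressed whenever `validate` or `sanitize` appears anywhere in the file, so it neither finds hard-coded secrets nor stays quiet on clean code — at minimum match on word boundaries with `regexp` and drop the `validate`/`sanitize` escape hatch. Changing `issues{end+1}` from a `struct('ruleId', ...)` to a bare string also discards the rule identity the SARIF side needs for `ruleId`; keep a per-check `ruleId` or prefix the message with it. The enclosing per-file loop begins before this hunk.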
@@ -38,43 +146,35 @@ end end -% Save results as a .mat file +% Save results to .mat file save('code-analysis-results.mat', 'results'); -% Custom function to convert results to JSON format -function jsonStr = custom_jsonencode(data) - % Convert cell array to JSON string manually - jsonStr = '['; - for i = 1:length(data) - filePath = data{i}{1}; - issues = data{i}{2}; - - jsonStr = [jsonStr, '{']; - jsonStr = [jsonStr, '"filePath": "', filePath, '",']; - jsonStr = [jsonStr, '"issues": [']; - - for j = 1:length(issues) - issue = issues{j}; - jsonStr = [jsonStr, '{']; - jsonStr = [jsonStr, '"ruleId": "', issue.ruleId, '",']; - jsonStr = [jsonStr, '"message": "', issue.message, '"']; - jsonStr = [jsonStr, '}']; - - if j < length(issues) - jsonStr = [jsonStr, ', ']; % Add a comma for other issues - end - end - - jsonStr = [jsonStr, ']}']; - - if i < length(data) - jsonStr = [jsonStr, ', ']; % Add a comma for other files - end +% Convert results to SARIF format using jsonlab +addpath('jsonlab'); % Assuming jsonlab is in the same directory or on the path + +% Create SARIF report structure +sarif_report = struct('version', '2.1.0', 'runs', {}); + +% Populate SARIF report with analysis results +for i = 1:length(results) + filePath = results{i}{1}; + issues = results{i}{2}; + + % Create SARIF result object + sarif_result = struct('toolName', 'MATLAB Code Analyzer', 'toolVersion', '1.0', 'results', {}); + + % Create SARIF location object + sarif_location = struct('path', filePath, 'startLine', 1, 'endLine', 1); % Adjust startLine and endLine as needed + + % Create SARIF message object + for j = 1:length(issues) + sarif_message = struct('text', issues{j}, 'kind', 'issue', 'level', 'warning'); % Adjust level as needed + sarif_message.locations = {sarif_location}; % Add more locations if necessary + sarif_result.results = [sarif_result.results, sarif_message]; end - jsonStr = [jsonStr, ']']; % Close the JSON array + + sarif_report.runs = [sarif_report.runs, sarif_result]; end -% 
Save results as JSON file -fid = fopen('code-analysis-results.json', 'w'); -fwrite(fid, custom_jsonencode(results), 'char'); -fclose(fid); +% Save SARIF report to a JSON file +savejson('sarif_report.json', sarif_report); From 140bbfebcf70be2083c21a0ff69f6fef9954412a Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:31:46 +0530 Subject: [PATCH 61/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 110 ++++++++++++++++-------------- 1 file changed, 58 insertions(+), 52 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 1cbbcdae..56662e3a 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
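Review bot: The `sarif_report` assembled here is not SARIF 2.1.0 — the schema needs `runs[].tool.driver.name`, `results[].message.text`, `results[].locations[].physicalLocation.artifactLocation.uri`, and `kind` limited to values such as `fail`/`pass` — whereas these structs use `toolName`, `path` and `kind: 'issue'`, so a code-scanning upload would reject the file. `struct('version', '2.1.0', 'runs', {})` is also a MATLAB/Octave trap: a cell argument sets the array dimensions, so it yields a 0x0 struct array instead of a scalar with an empty `runs`; use `struct('version', '2.1.0', 'runs', {{}})` or assign `sarif_report.runs = {};` afterwards, and the same for `sarif_result`. `addpath('jsonlab')` loads an unpinned third-party library from a repo-relative directory that no workflow step fetches, so the conversion presumably errors at `savejson` regardless.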
@@ -1,72 +1,78 @@ -name: MATLAB Code Analysis - +name: "Octave Static Code Analysis for MATLAB" on: push: - branches: - - master # Adjust as necessary + branches: [ "master" ] pull_request: - branches: - - master # Adjust as necessary + branches: [ "master" ] + workflow_dispatch: # Allows manual trigger from the Actions tab jobs: analyze: + name: Analyze MATLAB Code with Octave runs-on: ubuntu-latest - steps: + # Step 1: Checkout repository - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 + # Step 2: Install Octave - name: Install Octave - run: sudo apt-get install -y octave - - - name: Install Python dependencies run: | - python3 -m pip install --upgrade pip - pip install sarif-om + sudo apt-get update + sudo apt-get install -y octave - - name: Run Octave Analysis + # Step 3: Check for .m files in the repository + - name: Find .m files + id: find_files run: | - export DISPLAY="" - cd .github/custom-queries/matlab # Change to the directory containing the script - octave --no-gui analyze_code.m + m_files=$(find . -name "*.m") + if [ -z "$m_files" ]; then + echo "No .m files found!" 
+ exit 1 + else + echo "$m_files" + fi - - name: Convert results to SARIF + # Step 4: Create MATLAB analysis script in the correct location + - name: Create MATLAB analysis script run: | - python3 -c " - import json - import sarif_om as sarif - - # Load the JSON results from the analysis - with open('.github/custom-queries/matlab/code-analysis-results.json') as f: - issues = json.load(f) + echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m + echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m + echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m + echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m + echo "% Initialize analysis results" >> .github/custom-queries/matlab/analyze_code.m + echo "results = {};" >> .github/custom-queries/matlab/analyze_code.m + echo "% Analyze each file" >> .github/custom-queries/matlab/analyze_code.m + echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m + echo " filePath = fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m + echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m + echo " code = fread(fid, '*char')';" >> .github/custom-queries/matlab/analyze_code.m + echo " fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m + echo " % Add any custom analysis logic here" >> .github/custom-queries/matlab/analyze_code.m + echo " issues = {};" >> .github/custom-queries/matlab/analyze_code.m + echo " if ~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m + echo " results{end+1} = {filePath, issues};" >> .github/custom-queries/matlab/analyze_code.m + echo " end" >> .github/custom-queries/matlab/analyze_code.m + echo "end" >> .github/custom-queries/matlab/analyze_code.m + echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m + echo 
"save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m - # Build SARIF runs from the loaded issues - runs = [ - sarif.Run( - tool=sarif.Tool(name='Octave Analysis'), - results=[ - sarif.Result( - ruleId=issue[1][i]['ruleId'], # Use single quotes for consistency - message=sarif.Message(text=issue[1][i]['message']), - locations=[sarif.Location( - physicalLocation=sarif.PhysicalLocation( - artifactLocation=sarif.ArtifactLocation(uri=issue[0]) - ) - )] - ) for i in range(len(issue[1])) - ] - ) for issue in issues - ] - - # Create a SARIF log - sarif_log = sarif.SarifLog(version='2.1.0', runs=runs) # Added schema version + # Step 5: Run the static code analysis using Octave + - name: Run MATLAB code analysis with Octave + run: | + octave --no-gui .github/custom-queries/matlab/analyze_code.m - # Write the SARIF log to a file - with open('.github/custom-queries/matlab/code-analysis-results.sarif', 'w') as sarif_file: - json.dump(sarif_log.to_dict(exclude_none=True), sarif_file) - " + # Step 6: Verify the analysis results + - name: Check for analysis results + run: | + if [ ! -f code-analysis-results.mat ]; then + echo "Results file not found!" + exit 1 + fi - - name: Upload SARIF results - uses: github/codeql-action/upload-sarif@v1 + # Step 7: Upload the SARIF report + - name: Upload SARIF report + uses: actions/upload-artifact@v3 with: - sarif_file: '.github/custom-queries/matlab/code-analysis-results.sarif' + name: sarif-report + path: sarif_report.json From ca35a5b7a79b1696a8d0420468cca5eb75028773 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:39:37 +0530 Subject: [PATCH 62/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 56662e3a..195af6b7 100644 
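Review bot: Step 4 rewrites `.github/custom-queries/matlab/analyze_code.m` with a generated script whose loop sets `issues = {};` and never appends to it, so the committed analyzer and all of its checks are overwritten on every run and `results` is always empty; delete the step and let Step 5 run the file from the checkout. The rewritten workflow also carries no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although it writes nothing — add `permissions: contents: read` at the job level. `actions/checkout@v3` and `actions/upload-artifact@v3` are pinned by mutable tag; for a security workflow prefer a commit SHA. Uploading as an artifact instead of through `github/codeql-action/upload-sarif` keeps findings out of code scanning, and the `sarif_report.json` path does not exist in this version because the generated script only writes the `.mat` file.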
--- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -62,17 +62,20 @@ jobs: run: | octave --no-gui .github/custom-queries/matlab/analyze_code.m - # Step 6: Verify the analysis results - - name: Check for analysis results + # Step 6: Convert JSON to CSV + - name: Convert JSON to CSV run: | - if [ ! -f code-analysis-results.mat ]; then - echo "Results file not found!" - exit 1 - fi + json2csv code-analysis-results.json code-analysis-results.csv + + # Step 7: Convert CSV to SARIF (using a third-party tool) + - name: Convert CSV to SARIF + run: | + # Replace with the command to run your chosen SARIF conversion tool + sarif-converter code-analysis-results.csv sarif-report.sarif - # Step 7: Upload the SARIF report + # Step 8: Upload the SARIF report - name: Upload SARIF report uses: actions/upload-artifact@v3 with: name: sarif-report - path: sarif_report.json + path: sarif-report.sarif From 8041d31dc3a82bc34a6e2a9f697e0f472cadc21c Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:41:57 +0530 Subject: [PATCH 63/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 40 +++++++------------------------ 1 file changed, 8 insertions(+), 32 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 195af6b7..3b441fb8 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
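Review bot: Both new steps invoke tools that are not installed on `ubuntu-latest` (`json2csv`, `sarif-converter`) against an input, `code-analysis-results.json`, that nothing in the workflow produces — the analyzer only calls `save('code-analysis-results.mat', ...)` — so the job fails at Step 6. The `# Replace with the command to run your chosen SARIF conversion tool` placeholder should not land on `master`, and a CSV hop is lossy for SARIF's nested `locations` and `message.text`, so convert straight from the analyzer's output. Removing the results-file existence check also means a missing input is no longer caught before the conversion step.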
@@ -37,45 +37,21 @@ jobs: - name: Create MATLAB analysis script run: | echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m - echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m - echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m - echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m - echo "% Initialize analysis results" >> .github/custom-queries/matlab/analyze_code.m - echo "results = {};" >> .github/custom-queries/matlab/analyze_code.m - echo "% Analyze each file" >> .github/custom-queries/matlab/analyze_code.m - echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m - echo " filePath = fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m - echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m - echo " code = fread(fid, '*char')';" >> .github/custom-queries/matlab/analyze_code.m - echo " fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m - echo " % Add any custom analysis logic here" >> .github/custom-queries/matlab/analyze_code.m - echo " issues = {};" >> .github/custom-queries/matlab/analyze_code.m - echo " if ~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m - echo " results{end+1} = {filePath, issues};" >> .github/custom-queries/matlab/analyze_code.m - echo " end" >> .github/custom-queries/matlab/analyze_code.m - echo "end" >> .github/custom-queries/matlab/analyze_code.m - echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m - echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m + # ... 
(rest of the code) # Step 5: Run the static code analysis using Octave - name: Run MATLAB code analysis with Octave run: | octave --no-gui .github/custom-queries/matlab/analyze_code.m - # Step 6: Convert JSON to CSV - - name: Convert JSON to CSV + # Step 6: Install json2csv (if not already installed) + - name: Install json2csv package run: | - json2csv code-analysis-results.json code-analysis-results.csv + npm install -g json2csv - # Step 7: Convert CSV to SARIF (using a third-party tool) - - name: Convert CSV to SARIF + # Step 7: Convert JSON to CSV + - name: Convert JSON to CSV run: | - # Replace with the command to run your chosen SARIF conversion tool - sarif-converter code-analysis-results.csv sarif-report.sarif + json2csv code-analysis-results.json code-analysis-results.csv - # Step 8: Upload the SARIF report - - name: Upload SARIF report - uses: actions/upload-artifact@v3 - with: - name: sarif-report - path: sarif-report.sarif + # ... (rest of your steps for SARIF conversion and upload) From 6e65a00c1c3366a13dce6ea3528182e638669ad4 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:50:37 +0530 Subject: [PATCH 64/72] Create convert_to_sarif.py --- .../custom-queries/matlab/convert_to_sarif.py | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/custom-queries/matlab/convert_to_sarif.py diff --git a/.github/custom-queries/matlab/convert_to_sarif.py b/.github/custom-queries/matlab/convert_to_sarif.py new file mode 100644 index 00000000..fc1ea0d2 --- /dev/null +++ b/.github/custom-queries/matlab/convert_to_sarif.py 
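Review bot: Step 4 now consists of a single `echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m` followed by the shell comment `# ... (rest of the code)`, so the committed analyzer is truncated to one comment line before Step 5 runs it and the analysis does nothing. `npm install -g json2csv` pulls an unpinned package from the registry on every run; pin it (`npm install -g json2csv@<version>`) or, better, drop the CSV detour entirely. The upload steps were removed as well, so even a successful run publishes nothing; the `# ... (rest of your steps ...)` placeholder suggests this was committed mid-edit.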
@@ -0,0 +1,53 @@ +import scipy.io +import json + +# Load the .mat file +data = scipy.io.loadmat('code-analysis-results.mat') +results = data.get('results', []) + +# SARIF template +sarif = { + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "MATLAB Code Analysis", + "informationUri": "https://github.com/username/repo", + "rules": [ + { + "id": "MATLAB001", + "name": "MATLAB Code Issue", + "shortDescription": {"text": "Identified MATLAB Code Issue"}, + "fullDescription": {"text": "This issue was identified in the MATLAB code."}, + "defaultConfiguration": {"level": "warning"} + } + ] + } + }, + "results": [] + } + ] +} + +# Convert each entry in the results to SARIF format +for item in results: + file_path = item[0][0] + issues = item[1][0] + for issue in issues: + sarif_issue = { + "ruleId": "MATLAB001", + "message": {"text": issue[0]}, + "locations": [ + { + "physicalLocation": { + "artifactLocation": {"uri": file_path}, + } + } + ] + } + sarif["runs"][0]["results"].append(sarif_issue) + +# Write to SARIF file +with open('code-analysis-results.sarif', 'w') as f: + json.dump(sarif, f, indent=2) From 1931f4f3614e9861956b888b02f2f41c61bb1203 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:56:19 +0530 Subject: [PATCH 65/72] Update analyze_code.m --- .github/custom-queries/matlab/analyze_code.m | 40 +++----------------- 1 file changed, 5 insertions(+), 35 deletions(-) diff --git a/.github/custom-queries/matlab/analyze_code.m b/.github/custom-queries/matlab/analyze_code.m index 6ac3a595..b96fe4fe 100644 --- a/.github/custom-queries/matlab/analyze_code.m +++ b/.github/custom-queries/matlab/analyze_code.m 
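Review bot: `scipy.io.loadmat('code-analysis-results.mat')` will reject the file the analyzer writes, because Octave's `save(file, var)` with no format flag emits Octave's own text format regardless of the `.mat` extension; the analyzer needs `save('-v7', 'code-analysis-results.mat', 'results')`, which lives outside this file. The `item[0][0]` / `item[1][0]` / `issue[0]` indexing assumes a particular object-array nesting of the saved cell; `scipy.io.loadmat(path, squeeze_me=True, simplify_cells=True)` turns cells into plain lists and strings, and an empty `results` should be handled explicitly since `data.get('results', [])` yields a numpy object array, not a list, when the key is present. `"informationUri": "https://github.com/username/repo"` is a template placeholder — replace it with the repository URL or drop the field. The workflow never installs `scipy`, so the step fails before any of this runs.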
@@ -11,21 +11,21 @@ for k = 1:length(files) filePath = fullfile(files(k).folder, files(k).name); fid = fopen(filePath, 'r'); - + if fid == -1 disp(['Could not open file: ', filePath]); continue; end - + code = fread(fid, '*char')'; % Read file contents fclose(fid); - + % Initialize issues for the current file issues = {}; % Check for improper input handling in mathematical operations if contains(code, '+') || contains(code, '-') || contains(code, '*') || contains(code, '/') || ... - contains(code, '^') || contains(code, 'sqrt') || contains(code, 'log') + contains(code, '^') || contains(code, 'sqrt') || contains(code, 'log') if ~contains(code, 'validate') && ~contains(code, 'sanitize') issues{end+1} = 'Improper input handling in mathematical operations detected.'; end @@ -54,7 +54,7 @@ % 1. Check for hard-coded credentials if contains(code, 'password') || contains(code, 'passwd') || contains(code, 'apiKey') || ... - contains(code, 'secret') || contains(code, 'token') + contains(code, 'secret') || contains(code, 'token') if ~contains(code, 'validate') && ~contains(code, 'sanitize') issues{end+1} = 'Hard-coded credentials detected. Avoid hard-coding sensitive information.'; end 
@@ -148,33 +148,3 @@ % Save results to .mat file save('code-analysis-results.mat', 'results'); - -% Convert results to SARIF format using jsonlab -addpath('jsonlab'); % Assuming jsonlab is in the same directory or on the path - -% Create SARIF report structure -sarif_report = struct('version', '2.1.0', 'runs', {}); - -% Populate SARIF report with analysis results -for i = 1:length(results) - filePath = results{i}{1}; - issues = results{i}{2}; - - % Create SARIF result object - sarif_result = struct('toolName', 'MATLAB Code Analyzer', 'toolVersion', '1.0', 'results', {}); - - % Create SARIF location object - sarif_location = struct('path', filePath, 'startLine', 1, 'endLine', 1); % Adjust startLine and endLine as needed - - % Create SARIF message object - for j = 1:length(issues) - sarif_message = struct('text', issues{j}, 'kind', 'issue', 'level', 'warning'); % Adjust level as needed - sarif_message.locations = {sarif_location}; % Add more locations if necessary - sarif_result.results = [sarif_result.results, sarif_message]; - end - - sarif_report.runs = [sarif_report.runs, sarif_result]; -end - -% Save SARIF report to a JSON file -savejson('sarif_report.json', sarif_report); From 2000737bb507c36e44eb18d292e8cd5bb9f63f17 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:56:24 +0530 Subject: [PATCH 66/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 48 ++++++++++++++++++++++--------- 1 file changed, 35 insertions(+), 13 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 3b441fb8..ed6ac90f 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -1,4 +1,5 @@ name: "Octave Static Code Analysis for MATLAB" + on: push: branches: [ "master" ] 
@@ -10,6 +11,7 @@ jobs: analyze: name: Analyze MATLAB Code with Octave runs-on: ubuntu-latest + steps: # Step 1: Checkout repository - name: Checkout repository @@ -20,7 +22,6 @@ jobs: run: | sudo apt-get update sudo apt-get install -y octave - # Step 3: Check for .m files in the repository - name: Find .m files id: find_files 
@@ -32,26 +33,47 @@ jobs: else echo "$m_files" fi - # Step 4: Create MATLAB analysis script in the correct location - name: Create MATLAB analysis script run: | echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m - # ... (rest of the code) - + echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m + echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m + echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m + echo "% Initialize analysis results" >> .github/custom-queries/matlab/analyze_code.m + echo "results = {};" >> .github/custom-queries/matlab/analyze_code.m + echo "% Analyze each file" >> .github/custom-queries/matlab/analyze_code.m + echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m + echo " filePath = fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m + echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m + echo " code = fread(fid, '*char')';" >> .github/custom-queries/matlab/analyze_code.m + echo " fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m + echo " % Add any custom analysis logic here" >> .github/custom-queries/matlab/analyze_code.m + echo " issues = {};" >> .github/custom-queries/matlab/analyze_code.m + echo " if ~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m + echo " results{end+1} = {filePath, issues};" >> .github/custom-queries/matlab/analyze_code.m + echo " end" >> .github/custom-queries/matlab/analyze_code.m + echo "end" >> .github/custom-queries/matlab/analyze_code.m + echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m + echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m # Step 5: Run the static code analysis using Octave - name: Run MATLAB code analysis with Octave run: | octave --no-gui 
.github/custom-queries/matlab/analyze_code.m - - # Step 6: Install json2csv (if not already installed) - - name: Install json2csv package + # Step 6: Verify the analysis results + - name: Check for analysis results run: | - npm install -g json2csv + if [ ! -f code-analysis-results.mat ]; then + echo "Results file not found!" + exit 1 + fi + # Step 7: Upload the results for review + - name: Upload results + uses: actions/upload-artifact@v3 + with: + name: code-analysis-results + path: code-analysis-results.mat - # Step 7: Convert JSON to CSV - - name: Convert JSON to CSV + - name: Convert .mat results to SARIF run: | - json2csv code-analysis-results.json code-analysis-results.csv - - # ... (rest of your steps for SARIF conversion and upload) + python .github/custom-queries/matlab/convert_to_sarif.py From 0e0320c2bb5fc78589a7ff85da57f63bb8dfca8e Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:59:16 +0530 Subject: [PATCH 67/72] Create convert_to_sarif.m --- .../custom-queries/matlab/convert_to_sarif.m | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/custom-queries/matlab/convert_to_sarif.m diff --git a/.github/custom-queries/matlab/convert_to_sarif.m b/.github/custom-queries/matlab/convert_to_sarif.m new file mode 100644 index 00000000..b2618616 --- /dev/null +++ b/.github/custom-queries/matlab/convert_to_sarif.m 
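Review bot: The restored Step 4 again overwrites the committed `.github/custom-queries/matlab/analyze_code.m` with a generated stub whose `issues = {};` is never appended to, so every run analyzes nothing; drop the step and run the checked-in analyzer. The ordering after it is also backwards: `Upload results` publishes the raw `.mat`, and `python .github/custom-queries/matlab/convert_to_sarif.py` runs afterwards with no `pip install scipy` beforehand and no upload of the `.sarif` it writes. Move the conversion before the upload, install its dependency, and upload the `.sarif` (ideally via `github/codeql-action/upload-sarif@v3`) rather than the `.mat`.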
@@ -0,0 +1,46 @@ +% Load the results from the .mat file +load('code-analysis-results.mat', 'results'); + +% Initialize SARIF structure +sarif.version = "2.1.0"; +sarif.runs = struct([]); + +% Initialize run object +run.tool.driver.name = "Octave Static Code Analysis for MATLAB"; +run.tool.driver.version = "1.0"; +run.results = []; + +% Populate SARIF results +for i = 1:length(results) + filePath = results{i}{1}; + issues = results{i}{2}; + + % Loop over each issue found in the file + for j = 1:length(issues) + % Create SARIF result entry for each issue + sarifResult = struct(); + sarifResult.ruleId = "MATLABIssue"; % Identifier for the issue type + sarifResult.level = "warning"; + sarifResult.message = struct('text', issues{j}); + + % Specify the location + sarifResult.locations = struct([]); + sarifResult.locations(1).physicalLocation.artifactLocation.uri = filePath; + sarifResult.locations(1).physicalLocation.region.startLine = 1; % Set startLine if available + + % Add result to the SARIF run + run.results = [run.results, sarifResult]; + end +end + +% Add the populated run to SARIF +sarif.runs = [sarif.runs, run]; + +% Save SARIF output to a JSON file +jsonText = jsonencode(sarif); +fid = fopen('code-analysis-results.sarif', 'w'); +if fid == -1 + error('Could not create SARIF file'); +end +fwrite(fid, jsonText, 'char'); +fclose(fid); From 8c03c5e0ebb50a1448fc1c79fcf16df0f9b2ddf4 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:59:19 +0530 Subject: [PATCH 68/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index ed6ac90f..c6aba9c9 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
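Review bot: `jsonencode` emits a 1x1 struct array as a JSON object, so with a single run, a single issue in a file, or the single location built here, `runs`, `results` and `locations` come out as objects where SARIF 2.1.0 requires arrays; the `struct([])` initialisations only encode as `[]` while they stay empty. Build those members as cell arrays so they always serialise as arrays: `sarif.runs = {run};`, `run.results{end+1} = sarifResult;` (with `run.results = {};`) and `sarifResult.locations = {loc};`. The `uri` copied from `results{i}{1}` is an absolute runner path produced by `fullfile(files(k).folder, ...)` in the analyzer; SARIF consumers expect a repository-relative URI, so strip `pwd` from it. `jsonencode` is only available in Octave 7 and later as far as I know, so the apt-installed Octave on older runner images may lack it.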
@@ -22,6 +22,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y octave + # Step 3: Check for .m files in the repository - name: Find .m files id: find_files @@ -33,6 +34,7 @@ jobs: else echo "$m_files" fi + # Step 4: Create MATLAB analysis script in the correct location - name: Create MATLAB analysis script run: | @@ -56,10 +58,12 @@ jobs: echo "end" >> .github/custom-queries/matlab/analyze_code.m echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m + # Step 5: Run the static code analysis using Octave - name: Run MATLAB code analysis with Octave run: | octave --no-gui .github/custom-queries/matlab/analyze_code.m + # Step 6: Verify the analysis results - name: Check for analysis results run: | @@ -67,13 +71,15 @@ jobs: echo "Results file not found!" exit 1 fi - # Step 7: Upload the results for review - - name: Upload results - uses: actions/upload-artifact@v3 - with: - name: code-analysis-results - path: code-analysis-results.mat - - name: Convert .mat results to SARIF + # Step 7: Convert .mat results to SARIF format + - name: Convert results to SARIF run: | - python .github/custom-queries/matlab/convert_to_sarif.py + octave --no-gui --eval "run('.github/custom-queries/matlab/convert_to_sarif.m')" + + # Step 8: Upload the SARIF results for review + - name: Upload SARIF results + uses: actions/upload-artifact@v3 + with: + name: code-analysis-results-sarif + path: code-analysis-results.sarif From f983aa7224e383d85e419a141fb3fc02488d1895 Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:02:46 +0530 Subject: [PATCH 69/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 54 +++++++++++++++---------------- 1 file changed, 27 insertions(+), 27 deletions(-) 
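Review bot: `octave --no-gui --eval "run('.github/custom-queries/matlab/convert_to_sarif.m')"` changes into the script's directory while it executes — documented behaviour for MATLAB's `run`, and Octave's `run` does the same as far as I know — so `load('code-analysis-results.mat', 'results')` looks in `.github/custom-queries/matlab/` rather than the repository root where Step 5 saved it, and the `.sarif` is written there too while the upload step expects `code-analysis-results.sarif` at the root. Invoke it the same way as Step 5, `octave --no-gui .github/custom-queries/matlab/convert_to_sarif.m`, or anchor the paths at `$GITHUB_WORKSPACE`. Uploading through `actions/upload-artifact` also keeps the findings out of code scanning; `github/codeql-action/upload-sarif@v3` with `sarif_file: code-analysis-results.sarif` and `permissions: security-events: write` would surface them on the pull request.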
diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index c6aba9c9..750191c7 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
@@ -38,46 +38,46 @@ jobs: # Step 4: Create MATLAB analysis script in the correct location - name: Create MATLAB analysis script run: | - echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m - echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m - echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m - echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m - echo "% Initialize analysis results" >> .github/custom-queries/matlab/analyze_code.m - echo "results = {};" >> .github/custom-queries/matlab/analyze_code.m - echo "% Analyze each file" >> .github/custom-queries/matlab/analyze_code.m - echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m - echo " filePath = fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m - echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m - echo " code = fread(fid, '*char')';" >> .github/custom-queries/matlab/analyze_code.m - echo " fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m - echo " % Add any custom analysis logic here" >> .github/custom-queries/matlab/analyze_code.m - echo " issues = {};" >> .github/custom-queries/matlab/analyze_code.m - echo " if ~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m - echo " results{end+1} = {filePath, issues};" >> .github/custom-queries/matlab/analyze_code.m - echo " end" >> .github/custom-queries/matlab/analyze_code.m - echo "end" >> .github/custom-queries/matlab/analyze_code.m - echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m - echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m + echo "% Add current directory and subdirectories to path" > analyze_code.m + echo "addpath(genpath(pwd));" >> analyze_code.m + echo "% Find all .m files" >> analyze_code.m + echo 
"files = dir('**/*.m');" >> analyze_code.m + echo "% Initialize analysis results" >> analyze_code.m + echo "results = {};" >> analyze_code.m + echo "% Analyze each file" >> analyze_code.m + echo "for k = 1:length(files)" >> analyze_code.m + echo " filePath = fullfile(files(k).folder, files(k).name);" >> analyze_code.m + echo " fid = fopen(filePath, 'r');" >> analyze_code.m + echo " code = fread(fid, '*char')';" >> analyze_code.m + echo " fclose(fid);" >> analyze_code.m + echo " % Add any custom analysis logic here" >> analyze_code.m + echo " issues = {};" >> analyze_code.m + echo " if ~isempty(issues)" >> analyze_code.m + echo " results{end+1} = {filePath, issues};" >> analyze_code.m + echo " end" >> analyze_code.m + echo "end" >> analyze_code.m + echo "% Save the analysis results to a .mat file" >> analyze_code.m + echo "save('code-analysis-results.mat', 'results');" >> analyze_code.m # Step 5: Run the static code analysis using Octave - name: Run MATLAB code analysis with Octave run: | - octave --no-gui .github/custom-queries/matlab/analyze_code.m + octave --no-gui analyze_code.m - # Step 6: Verify the analysis results - - name: Check for analysis results + # Verify the .mat file was created successfully + - name: Confirm .mat file creation run: | if [ ! -f code-analysis-results.mat ]; then - echo "Results file not found!" + echo "Analysis results (.mat file) were not generated." exit 1 fi - # Step 7: Convert .mat results to SARIF format + # Step 6: Convert .mat results to SARIF format - name: Convert results to SARIF run: | - octave --no-gui --eval "run('.github/custom-queries/matlab/convert_to_sarif.m')" + octave --no-gui --eval "run('convert_to_sarif.m')" - # Step 8: Upload the SARIF results for review + # Step 7: Upload the SARIF results for review - name: Upload SARIF results uses: actions/upload-artifact@v3 with: From 05bb42cc91fb14d9e191557e690780f11c5d537a Mon Sep 17 00:00:00 2001 
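Review bot: The generated `analyze_code.m` now lives in the checkout root, and its own `dir('**/*.m')` glob will match `analyze_code.m` (and any other generated `.m` helper placed there), so the analyzer scans its own scaffolding; write the helpers outside the scanned tree or skip them in the loop. The generated script opens each file with `fopen(filePath, 'r')` and never checks for a `-1` handle, so an unreadable file becomes an `fread` error instead of a reported issue — `echo "  if fid == -1, continue; end" >> analyze_code.m` after the `fopen` line would let it skip cleanly; the same lines reappear in the `@@ -35,52 +35,62 @@` hunk of PATCH 72. The Convert step is changed to `run('convert_to_sarif.m')` at the root, but nothing in this hunk moves or creates that file, so unless it already exists at the repository root the step will fail — confirm against the tree. The upload step's `with:` block runs past the end of the hunk.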
From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:15:57 +0530 Subject: [PATCH 70/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index 750191c7..a979b353 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -72,14 +72,11 @@ jobs: exit 1 fi - # Step 6: Convert .mat results to SARIF format - - name: Convert results to SARIF + # Step 6: Display .mat file results + - name: Display analysis results run: | - octave --no-gui --eval "run('convert_to_sarif.m')" - - # Step 7: Upload the SARIF results for review - - name: Upload SARIF results - uses: actions/upload-artifact@v3 - with: - name: code-analysis-results-sarif - path: code-analysis-results.sarif + echo "% Load and display .mat file contents" > display_results.m + echo "load('code-analysis-results.mat');" >> display_results.m + echo "disp('Analysis Results:');" >> display_results.m + echo "disp(results);" >> display_results.m + octave --no-gui display_results.m From dc5f166b1ac9e3529638298ae7adb9290c4b46ff Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:19:03 +0530 Subject: [PATCH 71/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index a979b353..d3215340 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml 
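Review bot: Dropping the SARIF conversion and the artifact upload in `@@ -72,14 +72,11 @@` leaves the analysis output only in the job log: `disp(results)` neither persists findings nor affects the exit status, so a non-empty `results` still yields a green run and nothing reaches a downloadable artifact or the Security tab. If the scan is meant to gate anything, keep an upload step for `code-analysis-results.mat` and have the display script call `exit(1)` when `results` is non-empty. Building `display_results.m` from four `echo` redirections also reads less clearly than a single `cat > display_results.m <<'EOF'` heredoc, which would avoid the nested-quote escaping as the script grows. The preceding `if [ ! -f ... ]` check starts outside the hunk.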
@@ -77,6 +77,10 @@ jobs: run: | echo "% Load and display .mat file contents" > display_results.m echo "load('code-analysis-results.mat');" >> display_results.m - echo "disp('Analysis Results:');" >> display_results.m - echo "disp(results);" >> display_results.m - octave --no-gui display_results.m + echo "if isempty(results)" >> display_results.m + echo " disp('Code analysis completed: No vulnerabilities or issues found.')" >> display_results.m + echo "else" >> display_results.m + echo " disp('Analysis Results:');" >> display_results.m + echo " disp(results);" >> display_results.m + echo "end" >> display_results.m + From b5bae1d18238f62bcf8aaffcef6638795dd2775a Mon Sep 17 00:00:00 2001 From: Kiran Spikewell <166605621+kiran-spikewell@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:22:26 +0530 Subject: [PATCH 72/72] Update matlab-scan.yml --- .github/workflows/matlab-scan.yml | 84 +++++++++++++++++-------------- 1 file changed, 47 insertions(+), 37 deletions(-) diff --git a/.github/workflows/matlab-scan.yml b/.github/workflows/matlab-scan.yml index d3215340..4f351ff7 100644 --- a/.github/workflows/matlab-scan.yml +++ b/.github/workflows/matlab-scan.yml @@ -5,7 +5,7 @@ on: branches: [ "master" ] pull_request: branches: [ "master" ] - workflow_dispatch: # Allows manual trigger from the Actions tab + workflow_dispatch: jobs: analyze: 
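Review bot: The removed `octave --no-gui display_results.m` line is not re-added in `@@ -77,6 +77,10 @@`, so after this change the step only writes `display_results.m` and never runs it — the new `if isempty(results)` branch is never executed and the trailing added line is blank. Re-append `octave --no-gui display_results.m` as the last line of the `run:` block (PATCH 72 later in this series restores it as a separate step). The message `'Code analysis completed: No vulnerabilities or issues found.'` is printed whenever `results` is empty, and the analyzer built in the earlier Step 4 hunk only ever fills `results` from an `issues = {};` placeholder, so this text currently reports a clean result without any rule having run — wording such as `'No issues recorded (analysis rules not yet implemented).'` would be more honest until real checks exist. That `disp(...)` line also lacks the trailing `;` its sibling lines use.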
@@ -35,52 +35,62 @@ jobs: echo "$m_files" fi - # Step 4: Create MATLAB analysis script in the correct location + # Step 4: Create MATLAB analysis script - name: Create MATLAB analysis script run: | - echo "% Add current directory and subdirectories to path" > analyze_code.m - echo "addpath(genpath(pwd));" >> analyze_code.m - echo "% Find all .m files" >> analyze_code.m - echo "files = dir('**/*.m');" >> analyze_code.m - echo "% Initialize analysis results" >> analyze_code.m - echo "results = {};" >> analyze_code.m - echo "% Analyze each file" >> analyze_code.m - echo "for k = 1:length(files)" >> analyze_code.m - echo " filePath = fullfile(files(k).folder, files(k).name);" >> analyze_code.m - echo " fid = fopen(filePath, 'r');" >> analyze_code.m - echo " code = fread(fid, '*char')';" >> analyze_code.m - echo " fclose(fid);" >> analyze_code.m - echo " % Add any custom analysis logic here" >> analyze_code.m - echo " issues = {};" >> analyze_code.m - echo " if ~isempty(issues)" >> analyze_code.m - echo " results{end+1} = {filePath, issues};" >> analyze_code.m - echo " end" >> analyze_code.m - echo "end" >> analyze_code.m - echo "% Save the analysis results to a .mat file" >> analyze_code.m - echo "save('code-analysis-results.mat', 'results');" >> analyze_code.m + mkdir -p .github/custom-queries/matlab + echo "% Add current directory and subdirectories to path" > .github/custom-queries/matlab/analyze_code.m + echo "addpath(genpath(pwd));" >> .github/custom-queries/matlab/analyze_code.m + echo "% Find all .m files" >> .github/custom-queries/matlab/analyze_code.m + echo "files = dir('**/*.m');" >> .github/custom-queries/matlab/analyze_code.m + echo "% Initialize analysis results" >> .github/custom-queries/matlab/analyze_code.m + echo "results = {};" >> .github/custom-queries/matlab/analyze_code.m + echo "% Analyze each file" >> .github/custom-queries/matlab/analyze_code.m + echo "for k = 1:length(files)" >> .github/custom-queries/matlab/analyze_code.m + echo " filePath = 
fullfile(files(k).folder, files(k).name);" >> .github/custom-queries/matlab/analyze_code.m + echo " fid = fopen(filePath, 'r');" >> .github/custom-queries/matlab/analyze_code.m + echo " code = fread(fid, '*char')';" >> .github/custom-queries/matlab/analyze_code.m + echo " fclose(fid);" >> .github/custom-queries/matlab/analyze_code.m + echo " % Add any custom analysis logic here" >> .github/custom-queries/matlab/analyze_code.m + echo " issues = {};" >> .github/custom-queries/matlab/analyze_code.m + echo " if ~isempty(issues)" >> .github/custom-queries/matlab/analyze_code.m + echo " results{end+1} = {filePath, issues};" >> .github/custom-queries/matlab/analyze_code.m + echo " end" >> .github/custom-queries/matlab/analyze_code.m + echo "end" >> .github/custom-queries/matlab/analyze_code.m + echo "% Save the analysis results to a .mat file" >> .github/custom-queries/matlab/analyze_code.m + echo "save('code-analysis-results.mat', 'results');" >> .github/custom-queries/matlab/analyze_code.m # Step 5: Run the static code analysis using Octave - name: Run MATLAB code analysis with Octave run: | - octave --no-gui analyze_code.m + octave --no-gui .github/custom-queries/matlab/analyze_code.m - # Verify the .mat file was created successfully - - name: Confirm .mat file creation + # Step 6: Verify the contents of the .mat file + - name: Verify .mat file contents run: | - if [ ! -f code-analysis-results.mat ]; then - echo "Analysis results (.mat file) were not generated." 
- exit 1 - fi + octave --eval "load('code-analysis-results.mat'); whos" - # Step 6: Display .mat file results - - name: Display analysis results + # Step 7: Create display results script to show output + - name: Create display results script run: | echo "% Load and display .mat file contents" > display_results.m - echo "load('code-analysis-results.mat');" >> display_results.m - echo "if isempty(results)" >> display_results.m - echo " disp('Code analysis completed: No vulnerabilities or issues found.')" >> display_results.m - echo "else" >> display_results.m - echo " disp('Analysis Results:');" >> display_results.m - echo " disp(results);" >> display_results.m + echo "try" >> display_results.m + echo " load('code-analysis-results.mat');" >> display_results.m + echo " if exist('results', 'var')" >> display_results.m + echo " if isempty(results)" >> display_results.m + echo " disp('Code analysis completed: No vulnerabilities or issues found.');" >> display_results.m + echo " else" >> display_results.m + echo " disp('Analysis Results:');" >> display_results.m + echo " disp(results);" >> display_results.m + echo " end" >> display_results.m + echo " else" >> display_results.m + echo " disp('Error: Variable ''results'' not found in the .mat file.');" >> display_results.m + echo " end" >> display_results.m + echo "catch" >> display_results.m + echo " disp('Error loading the .mat file or executing the script.');" >> display_results.m echo "end" >> display_results.m + # Step 8: Run display results script + - name: Run display results script + run: | + octave --no-gui display_results.m
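Review bot: The `try/catch` in the new `display_results.m` turns a missing or unreadable `code-analysis-results.mat` into a printed message and a zero exit code, so the Step 8 run can no longer fail the job; add `echo "  exit(1);" >> display_results.m` inside the `catch` branch and in the `Variable ''results'' not found` else-branch so a broken results file is reported as a failure. The removed `if [ ! -f code-analysis-results.mat ]; then … exit 1; fi` guard is replaced by `octave --eval "load('code-analysis-results.mat'); whos"`, which presumably exits non-zero when `load` errors, but that is now the only existence check and the exit status Octave returns for `--eval` failures is worth confirming. Because `mkdir -p .github/custom-queries/matlab` places the generated analyzer inside the checkout, the `dir('**/*.m')` glob will again pick up `analyze_code.m` and `display_results.m` themselves. The hunk ends at `octave --no-gui display_results.m`; any further steps of the job are outside the view.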