WIP: Create Action to generate CSV #84

Merged: 4 commits merged into main from csv, Mar 8, 2024

Conversation

lindluni
Member

Work in progress to propose replacing the existing CSV with an updated format

@lindluni
Member Author

lindluni commented Sep 22, 2023

With this change, this is what the updated CSV file will look like, which now includes headers as well as severities (Critical, High, etc...):

codeql-results-javascript.csv

id,severity,short_description,full_description,file,startLine,startColumn,endLine,endColumn
js/trivial-conditional,Critical,"Useless conditional","If a conditional expression always evaluates to true or always evaluates to false, this suggests incomplete code or a logic error.","public/js/jquery.js",2,14223,2,14395
js/trivial-conditional,Critical,"Useless conditional","If a conditional expression always evaluates to true or always evaluates to false, this suggests incomplete code or a logic error.","public/js/jquery.js",2,15259,2,15263
js/trivial-conditional,Critical,"Useless conditional","If a conditional expression always evaluates to true or always evaluates to false, this suggests incomplete code or a logic error.","public/js/jquery.js",2,15407,2,15411
js/trivial-conditional,Critical,"Useless conditional","If a conditional expression always evaluates to true or always evaluates to false, this suggests incomplete code or a logic error.","public/js/jquery.js",4,4905,4,4906
js/automatic-semicolon-insertion,Critical,"Semicolon insertion","Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.","app.ts",2,1,2,40
js/automatic-semicolon-insertion,Critical,"Semicolon insertion","Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.","app.ts",26,1,26,78
js/automatic-semicolon-insertion,Critical,"Semicolon insertion","Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.","app.ts",91,1,91,35
js/automatic-semicolon-insertion,Critical,"Semicolon insertion","Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.","public/js/bootstrap.js",8,3,8,60
js/automatic-semicolon-insertion,Critical,"Semicolon insertion","Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.","routes/login.js",7,1,7,38
js/automatic-semicolon-insertion,Critical,"Semicolon insertion","Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.","public/js/jquery.js",2,11976,2,12022
js/automatic-semicolon-insertion,Critical,"Semicolon insertion","Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.","public/js/jquery.js",4,16531,4,16546
js/automatic-semicolon-insertion,Critical,"Semicolon insertion","Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.","public/js/jquery.js",4,16558,4,16602
js/automatic-semicolon-insertion,Critical,"Semicolon insertion","Code that uses automatic semicolon insertion inconsistently is hard to read and maintain.","public/js/jquery.js",4,31424,4,31546
js/polynomial-redos,High,"Polynomial regular expression used on uncontrolled data","A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks.","routes/products.js",121,14,121,31
js/redos,High,"Inefficient regular expression","A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks.","routes/products.js",120,48,120,59
js/missing-rate-limiting,High,"Missing rate limiting","An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to denial-of-service attacks.","routes/login.js",19,28,42,1
js/sql-injection,High,"Database query built from user-controlled sources","Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.","model/auth.js",9,19,9,19
js/sql-injection,High,"Database query built from user-controlled sources","Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.","model/products.js",16,19,16,19
js/sql-injection,High,"Database query built from user-controlled sources","Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.","model/products.js",23,20,23,20
js/sql-injection,High,"Database query built from user-controlled sources","Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.","model/products.js",40,19,40,19
js/clear-text-cookie,Medium,"Clear text transmission of sensitive cookie","Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker.","app.ts",43,9,49,2
js/missing-token-validation,High,"Missing CSRF middleware","Using cookies without CSRF protection may allow malicious websites to submit requests on behalf of the user.","app.ts",41,9,41,22
js/hardcoded-credentials,Critical,"Hard-coded credentials","Hard-coding credentials in source code may enable an attacker to gain unauthorized access.","app.ts",44,11,44,65
js/unsafe-html-expansion,Medium,"Unsafe expansion of self-closing HTML tag","Using regular expressions to expand self-closing HTML tags may lead to cross-site scripting vulnerabilities.","public/js/jquery.js",3,19206,3,19230
js/unsafe-html-expansion,Medium,"Unsafe expansion of self-closing HTML tag","Using regular expressions to expand self-closing HTML tags may lead to cross-site scripting vulnerabilities.","public/js/jquery.js",3,21896,3,21920
js/unsafe-jquery-plugin,Medium,"Unsafe jQuery plugin","A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","public/js/bootstrap.js",671,14,671,32
js/unsafe-jquery-plugin,Medium,"Unsafe jQuery plugin","A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","public/js/bootstrap.js",1302,49,1302,193
js/unsafe-jquery-plugin,Medium,"Unsafe jQuery plugin","A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","public/js/bootstrap.js",1455,46,1455,67
js/unsafe-jquery-plugin,Medium,"Unsafe jQuery plugin","A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","public/js/bootstrap.js",1985,20,1985,27
js/unsafe-jquery-plugin,Medium,"Unsafe jQuery plugin","A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","public/js/bootstrap.js",1999,7,1999,19
js/unsafe-jquery-plugin,Medium,"Unsafe jQuery plugin","A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","public/js/bootstrap.js",2220,22,2220,40
js/xss,Medium,"Client-side cross-site scripting","Writing user input directly to the DOM allows for a cross-site scripting vulnerability.","views/login.ejs",17,94,17,107
js/xss,Medium,"Client-side cross-site scripting","Writing user input directly to the DOM allows for a cross-site scripting vulnerability.","views/login.ejs",22,46,22,60
js/xss,Medium,"Client-side cross-site scripting","Writing user input directly to the DOM allows for a cross-site scripting vulnerability.","views/search.ejs",3,18,3,32
js/xss-through-dom,Medium,"DOM text reinterpreted as HTML","Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability.","public/js/bootstrap.js",112,21,112,28
js/xss-through-dom,Medium,"DOM text reinterpreted as HTML","Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability.","public/js/bootstrap.js",505,21,505,114
js/xss-through-dom,Medium,"DOM text reinterpreted as HTML","Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability.","public/js/bootstrap.js",694,14,694,19
js/xss-through-dom,Medium,"DOM text reinterpreted as HTML","Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability.","public/js/bootstrap.js",776,33,776,40
js/xss-through-dom,Medium,"DOM text reinterpreted as HTML","Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability.","public/js/bootstrap.js",1233,21,1233,93
js/xss-through-dom,Medium,"DOM text reinterpreted as HTML","Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability.","public/js/bootstrap.js",1557,70,1557,74
js/server-side-unvalidated-url-redirection,Medium,"Server-side URL redirect","Server-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.","routes/login.js",36,26,36,34
js/useless-expression,Critical,"Expression has no effect","An expression that has no effect and is used in a void context is most likely redundant and may indicate a bug.","views/layout.ejs",62,25,62,25
js/useless-expression,Critical,"Expression has no effect","An expression that has no effect and is used in a void context is most likely redundant and may indicate a bug.","public/js/jquery.js",2,17025,2,17064
js/useless-expression,Critical,"Expression has no effect","An expression that has no effect and is used in a void context is most likely redundant and may indicate a bug.","public/js/jquery.js",4,12983,4,13043
js/useless-expression,Critical,"Expression has no effect","An expression that has no effect and is used in a void context is most likely redundant and may indicate a bug.","public/js/jquery.js",4,12986,4,13043
js/comparison-between-incompatible-types,Critical,"Comparison between inconvertible types","An equality comparison between two values that cannot be meaningfully converted to the same type will always yield 'false', and an inequality comparison will always yield 'true'.","public/js/jquery.js",4,5740,4,5740
js/missing-variable-declaration,Critical,"Missing variable declaration","If a variable is not declared as a local variable, it becomes a global variable by default, which may be unintentional and could lead to unexpected behavior.","public/js/freewall.js",974,21,974,25
js/unused-local-variable,Critical,"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","app.ts",5,5,5,11
js/unused-local-variable,Critical,"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","public/js/freewall.js",815,17,815,23
js/unused-local-variable,Critical,"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","public/js/freewall.js",816,17,816,23
js/unused-local-variable,Critical,"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","public/js/freewall.js",970,21,970,25
js/unused-local-variable,Critical,"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","public/js/freewall.js",971,21,971,31
js/session-fixation,Medium,"Failure to abandon session","Reusing an existing session as a different user could allow an attacker to access someone else's account by using their session.","routes/login.js",19,1,42,2
js/log-injection,High,"Log injection","Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user.","routes/login.js",25,18,25,61
js/ml-powered/path-injection,High,"Uncontrolled data used in path expression (experimental)","Accessing paths influenced by users can allow an attacker to access unexpected resources.","routes/login.js",14,37,14,56
js/ml-powered/path-injection,High,"Uncontrolled data used in path expression (experimental)","Accessing paths influenced by users can allow an attacker to access unexpected resources.","routes/login.js",14,71,14,86
js/ml-powered/path-injection,High,"Uncontrolled data used in path expression (experimental)","Accessing paths influenced by users can allow an attacker to access unexpected resources.","routes/products.js",83,46,83,50
js/ml-powered/sql-injection,High,"SQL database query built from user-controlled sources (experimental)","Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.","model/products.js",21,13,21,103
js/ml-powered/sql-injection,High,"SQL database query built from user-controlled sources (experimental)","Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.","model/products.js",21,13,21,64
js/ml-powered/sql-injection,High,"SQL database query built from user-controlled sources (experimental)","Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.","routes/products.js",77,46,77,50
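An added example, not part of this PR or the generate-csv Action's code: a small Python consumer for the CSV layout shown above. It checks the header and row shape, converts the location columns to integers, and summarises findings by severity and rule id so the file can be triaged or used as a CI gate. The three-row sample is constructed from the format above, and the `Low` severity label is an assumption (only Critical, High and Medium appear in the sample).

```python
import csv
import io
from collections import Counter

# Column layout taken from the sample CSV in the PR comment.
EXPECTED_HEADER = ["id", "severity", "short_description", "full_description",
                   "file", "startLine", "startColumn", "endLine", "endColumn"]
# Critical/High/Medium appear in the PR sample; "Low" is an assumed label.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample in the PR's format (not the real scan output).
SAMPLE_CSV = """id,severity,short_description,full_description,file,startLine,startColumn,endLine,endColumn
js/sql-injection,High,"Database query built from user-controlled sources","Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user.","model/auth.js",9,19,9,19
js/xss,Medium,"Client-side cross-site scripting","Writing user input directly to the DOM allows for a cross-site scripting vulnerability.","views/login.ejs",17,94,17,107
js/unused-local-variable,Critical,"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","app.ts",5,5,5,11
"""

def parse_results(text):
    """Parse the CSV, rejecting an unexpected header, a wrong field count,
    an unknown severity or a non-numeric location. Returns a list of dicts."""
    reader = csv.reader(io.StringIO(text))  # csv module handles quoted commas
    header = next(reader, None)
    if header != EXPECTED_HEADER:
        raise ValueError(f"unexpected header: {header}")
    rows = []
    for lineno, fields in enumerate(reader, start=2):
        if len(fields) != len(EXPECTED_HEADER):
            raise ValueError(f"line {lineno}: expected {len(EXPECTED_HEADER)} fields, got {len(fields)}")
        row = dict(zip(EXPECTED_HEADER, fields))
        if row["severity"] not in SEVERITY_RANK:
            raise ValueError(f"line {lineno}: unknown severity {row['severity']!r}")
        for key in ("startLine", "startColumn", "endLine", "endColumn"):
            row[key] = int(row[key])  # raises ValueError if not numeric
        rows.append(row)
    return rows

def summarise(rows):
    """Count findings per severity (ordered worst first) and per rule id."""
    by_sev = Counter(r["severity"] for r in rows)
    by_rule = Counter(r["id"] for r in rows)
    ordered = sorted(by_sev.items(), key=lambda kv: SEVERITY_RANK[kv[0]])
    return {"by_severity": ordered, "by_rule": dict(by_rule)}

def worst_severity(rows):
    """Highest-ranked severity present, e.g. to fail a CI gate on Critical/High."""
    return min((r["severity"] for r in rows), key=SEVERITY_RANK.__getitem__, default=None)
```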

speakmin
speakmin previously approved these changes Sep 22, 2023
@Boberski

Boberski commented Sep 22, 2023

Revised:

It all looks fine, going through this in more detail with the team.

Minor comment: perhaps rename column id to rule-id.

And it would be nice if you can get the CWE-IDs in there.

arilivigni
arilivigni previously approved these changes Sep 22, 2023
Contributor

@arilivigni arilivigni left a comment

LGTM

lindluni added 3 commits March 7, 2024 23:06
Signed-off-by: Brett Logan <lindluni@github.com>
Signed-off-by: Brett Logan <lindluni@github.com>
Signed-off-by: Brett Logan <lindluni@github.com>
@arilivigni arilivigni requested review from arilivigni and removed request for arilivigni March 8, 2024 04:21
Signed-off-by: Brett Logan <lindluni@github.com>
@lindluni lindluni marked this pull request as ready for review March 8, 2024 04:29
@lindluni lindluni merged commit f143a02 into main Mar 8, 2024
2 of 14 checks passed
@lindluni lindluni deleted the csv branch March 8, 2024 04:29
4 participants