advanced-security · knewbury01 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.github/codeql/codeql-config.yaml b/.github/codeql/codeql-config.yaml
@@ -6,5 +6,11 @@ queries:
   - uses: ./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls
   - uses: ./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls
 
+packs:
+  javascript:
+    - advanced-security/javascript-sap-ui5-models
+    - advanced-security/javascript-sap-cap-models
+    - advanced-security/javascript-sap-xsjs-models
+
 paths-ignore:
   - "**/frameworks/*/test/models"
diff --git a/.github/workflows/code_scanning.yml b/.github/workflows/code_scanning.yml
@@ -2,12 +2,12 @@ name: "Code Scanning"
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [ "main" ]
+    branches: ["main"]
   schedule:
-    - cron: '39 12 * * 2'
+    - cron: "39 12 * * 2"
   workflow_dispatch:
 
 permissions:
@@ -19,88 +19,80 @@ env:
 jobs:
   analyze-javascript:
     name: Analyze
-    runs-on: 'ubuntu-latest'
+    runs-on: "ubuntu-latest"
     permissions:
       actions: read
       contents: read
       security-events: write
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v6
+      - name: Checkout repository
+        uses: actions/checkout@v6
 
-    - name: Prepare local CodeQL model packs
-      run: |
-        mkdir -p .github/codeql/extensions
-        for ext in $(find . -name 'qlpack.yml' -exec fgrep -l dataExtensions {} \;); do
-          dir=$(dirname $ext)
-          echo "Moving $ext to .github/codeql/extensions/$dir"
-          mkdir -p .github/codeql/extensions/$dir
-          mv $dir .github/codeql/extensions/$dir
-        done
+      - name: Extract CodeQL bundle version from qlt.conf.json
+        run: |
+          echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
 
-    - name: Extract CodeQL bundle version from qlt.conf.json
-      run: |
-        echo "BUNDLE_VERSION=$(jq .CodeQLCLIBundle qlt.conf.json -r)" >> $GITHUB_ENV
+      - name: Initialize CodeQL
+        id: initialize-codeql
+        uses: github/codeql-action/init@v4
+        env:
+          # Add our custom extractor to the CodeQL search path
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"init":["--search-path","${{ github.workspace }}/extractors:${{ github.workspace }}"]}}'
+        with:
+          languages: javascript
+          config-file: ./.github/codeql/codeql-config.yaml
+          db-location: ${{ runner.temp }}/codeql-database
+          tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
+          debug: true
 
-    - name: Initialize CodeQL
-      id: initialize-codeql
-      uses: github/codeql-action/init@v4
-      env:
-        # Add our custom extractor to the CodeQL search path
-        CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"init":["--search-path","${{ github.workspace }}/extractors"]}}'
-      with:
-        languages: javascript
-        config-file: ./.github/codeql/codeql-config.yaml
-        db-location: ${{ runner.temp }}/codeql-database
-        tools: https://github.com/github/codeql-action/releases/download/${{env.BUNDLE_VERSION}}/codeql-bundle-linux64.tar.gz
-        debug: true
+      - name: Run CDS extractor
+        shell: bash
+        run: |
+          export CODEQL_DIST="$(dirname "${{ steps.initialize-codeql.outputs.codeql-path }}")"
+          export CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${{ runner.temp }}/codeql-database/javascript"
+          ${{ github.workspace }}/scripts/compile-cds.sh
 
-    - name: Run CDS extractor
-      shell: bash
-      run: |
-        export CODEQL_DIST="$(dirname "${{ steps.initialize-codeql.outputs.codeql-path }}")"
-        export CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${{ runner.temp }}/codeql-database/javascript"
-        ${{ github.workspace }}/scripts/compile-cds.sh
+      - name: Perform CodeQL Analysis
+        id: analyze
+        uses: github/codeql-action/analyze@v4
+        env:
+          LGTM_INDEX_XML_MODE: all
+          LGTM_INDEX_FILETYPES: ".json:JSON"
+          # Add our CodeQL workspace to the path to search for packs to then resolve the MaD locally
+          CODEQL_ACTION_EXTRA_OPTIONS: '{"database":{"run-queries":["--additional-packs","${{ github.workspace }}/javascript/frameworks/xsjs/ext:${{ github.workspace }}/javascript/frameworks/cap/ext:${{ github.workspace }}/javascript/frameworks/ui5/ext"],"interpret-results":["--additional-packs","${{ github.workspace }}/javascript/frameworks/xsjs/ext:${{ github.workspace }}/javascript/frameworks/cap/ext:${{ github.workspace }}/javascript/frameworks/ui5/ext"]}}'
 
-    - name: Perform CodeQL Analysis
-      id: analyze
-      uses: github/codeql-action/analyze@v4
-      env:
-        LGTM_INDEX_XML_MODE: all
-        LGTM_INDEX_FILETYPES: ".json:JSON"
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
 
-    - name: Setup Python
-      uses: actions/setup-python@v5
-      with:
-        python-version: '3.10'
+      - uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip
 
-    - uses: actions/cache@v4
-      with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pip
+      - name: Validate results
+        continue-on-error: true
+        id: validate
+        run: |
+          pip install sarif-tools
+          sarif --version
+          sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
+          cat sarif-diff.json
+          ! grep -q "[1-9]" sarif-diff.json
 
-    - name: Validate results
-      continue-on-error: true
-      id: validate
-      run: |
-        pip install sarif-tools
-        sarif --version
-        sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
-        cat sarif-diff.json
-        ! grep -q "[1-9]" sarif-diff.json
+      - name: Upload sarif change
+        if: steps.validate.outcome != 'success'
+        uses: actions/upload-artifact@v6
+        with:
+          name: sarif
+          path: |
+            sarif-diff.json
+            ${{ steps.analyze.outputs.sarif-output }}
 
-    - name: Upload sarif change
-      if: steps.validate.outcome != 'success'
-      uses: actions/upload-artifact@v6
-      with:
-        name: sarif
-        path: |
-          sarif-diff.json
-          ${{ steps.analyze.outputs.sarif-output }}
-
-    - name: Unexpected Code Scanning results
-      if: steps.validate.outcome != 'success'
-      run: |
-        cat sarif-diff.json
-        echo "::error::Unexpected Code Scanning results!" && exit 1
+      - name: Unexpected Code Scanning results
+        if: steps.validate.outcome != 'success'
+        run: |
+          cat sarif-diff.json
+          echo "::error::Unexpected Code Scanning results!" && exit 1
diff --git a/.github/workflows/javascript.sarif.expected b/.github/workflows/javascript.sarif.expected