[Track] Enhancement KCL IaC Security through a CodeQL approach.

[flyinox]

Specifically, it is necessary to describe the AST node information of KCL in the form of a dbschema and to add a query library. In addition, an extractor should be written to extract AST information into a database defined by the dbschema. This would enable the analysis and querying of KCL code using the QL infrastructure.

• [x] KCL DB scheme Description: https://github.com/kcl-lang/codeql-kcl/blob/main/dbscheme/kcl.dbscheme
• [x] Extractor impled in KCL Java SDK: https://github.com/kcl-lang/lib/pull/28
  • [x] KCL Parser API #970
  • [x] KCL Semantic API #996 #989
  • [x] Light KCL Java SDK https://github.com/kcl-lang/kcl-java
  • [x] Extractor: https://github.com/kcl-lang/codeql-kcl
• [ ] CI Integration
• [ ] CodeQL Query Run in KCL IDE Extension
• [ ] Common query libraries

Impl

• https://github.com/kcl-lang/codeql-kcl

Ref

IaC & CodeQL

• https://github.com/github/codeql
• https://github.com/advanced-security/codeql-extractor-iac
• https://github.com/colindembovsky/iac-codeql
• https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/devsecops-infrastructure-as-code

KCL

• Token & AST: https://github.com/kcl-lang/kcl/tree/main/kclvm/ast
• Error: https://github.com/kcl-lang/kcl/tree/main/kclvm/error
• Semantic Model: https://github.com/kcl-lang/kcl/tree/main/kclvm/sema/src/core