Cover a missing @tag security when @security-severity is used

Author: atorralba

ql/ql/src/queries/style/MissingSecurityMetadata.ql

@@ -0,0 +1,51 @@
+/**
+ * @name Missing security metadata
+ * @description Security queries should have both a `@tag security` and a `@security-severity` tag.
+ * @kind problem
+ * @problem.severity warning
+ * @precision very-high
+ * @id ql/missing-security-metadata
+ * @tags correctness
+ */
+
+import ql
+
+predicate missingSecuritySeverity(QLDoc doc) {
+  exists(string s | s = doc.getContents() |
+    exists(string securityTag | securityTag = s.splitAt("@") |
+      securityTag.matches("tags%security%")
+    ) and
+    exists(string precisionTag | precisionTag = s.splitAt("@") |
+      precisionTag.matches("precision %")
+    ) and
+    not exists(string securitySeverity | securitySeverity = s.splitAt("@") |
+      securitySeverity.matches("security-severity %")
+    )
+  )
+}
+
+predicate missingSecurityTag(QLDoc doc) {
+  exists(string s | s = doc.getContents() |
+    exists(string securitySeverity | securitySeverity = s.splitAt("@") |
+      securitySeverity.matches("security-severity %")
+    ) and
+    exists(string precisionTag | precisionTag = s.splitAt("@") |
+      precisionTag.matches("precision %")
+    ) and
+    not exists(string securityTag | securityTag = s.splitAt("@") |
+      securityTag.matches("tags%security%")
+    )
+  )
+}
+
+from TopLevel t, string msg
+where
+  t.getLocation().getFile().getBaseName().matches("%.ql") and
+  not t.getLocation().getFile().getRelativePath().matches(["%/experimental/%", "%/examples/%"]) and
+  (
+    missingSecuritySeverity(t.getQLDoc()) and
+    msg = "This query file is missing a `@security-severity` tag."
+    or
+    missingSecurityTag(t.getQLDoc()) and msg = "This query file is missing a `@tag security`."
+  )
+select t, msg

ql/ql/src/queries/style/MissingSecuritySeverity.ql

@@ -0,0 +1,2 @@
+| testcases/BadNoSecurity.ql:1:1:15:9 | TopLevel | This query file is missing a `@tag security`. |
+| testcases/BadNoSeverity.ql:1:1:15:9 | TopLevel | This query file is missing a `@security-severity` tag. |

ql/ql/test/queries/style/MissingSecurityMetadata/MissingSecurityMetadata.expected

@@ -0,0 +1 @@
+queries/style/MissingSecurityMetadata.ql

ql/ql/test/queries/style/MissingSecurityMetadata/MissingSecurityMetadata.qlref

@@ -0,0 +1,15 @@
+/**
+ * @name Some query
+ * @description Some description
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 10.0
+ * @precision very-high
+ * @id ql/some-query
+ * @tags quality
+ */
+
+import ql
+
+from Class c
+select c