Add minimal working Nix env

Create a shell environment with a CodeQL CLI that includes the Ql
extractor to create CodeQL databases of QL files.

Author: rvermeulen

scripts/codeql/codeql-cli/2.16.0.nix

@@ -0,0 +1,42 @@
+{ lib, stdenv, fetchzip, withQlExtractor ? null}:
+
+stdenv.mkDerivation rec {
+  pname = "codeql-cli";
+  version = "2.16.0";
+  platform = if stdenv.isDarwin then "osx64" else "linux64";
+
+  dontConfigure = true;
+  dontBuild = true;
+  dontStrip = true;
+
+  src = fetchzip {
+    url = "https://github.com/github/codeql-cli-binaries/releases/download/v${version}/codeql-${platform}.zip";
+    hash = "sha256-trWUSMOT7h7J5ejjp9PzhGgBS3DYsJxzcv6aYKuk8TI="; 
+  };
+  
+  buildInputs = if isNull withQlExtractor then [ ] else [ withQlExtractor ];
+  inherit withQlExtractor;
+
+  installPhase = ''
+    # codeql directory should not be top-level, otherwise,
+    # it'll include /nix/store to resolve extractors.
+    env
+    mkdir -p $out/{codeql,bin}
+    cp -R * $out/codeql/
+
+    ln -s $out/codeql/codeql $out/bin/
+
+    if [ -n "$withQlExtractor" ]; then
+      # Copy the extractor, because CodeQL doesn't follow symlinks.
+      cp -R $withQlExtractor $out/codeql/ql
+    fi
+  '';
+
+
+  meta = with lib; {
+    description = "Semantic code analysis engine";
+    homepage = "https://codeql.github.com";
+    platforms = lib.platforms.linux ++ lib.platforms.darwin;
+    license = licenses.unfree;
+  };
+}

scripts/codeql/default.nix

@@ -0,0 +1,9 @@
+let
+    pkgs = import <nixpkgs> {};
+in
+rec {
+    ql-extractor_0_0_1 = pkgs.callPackage ./ql-extractor/0.0.1.nix {inherit codeql-cli_2_16_0;};
+    codeql-cli_2_16_0 = pkgs.callPackage ./codeql-cli/2.16.0.nix {};
+    codeql-cli_2_16_0_with_ql_extractor = pkgs.callPackage ./codeql-cli/2.16.0.nix { withQlExtractor = ql-extractor_0_0_1; };
+
+}

scripts/codeql/ql-extractor/0.0.1.nix

@@ -0,0 +1,43 @@
+{ stdenv, lib, fetchFromGitHub, rustPlatform, gh, libiconv, which, jq, codeql-cli_2_16_0}:
+
+rustPlatform.buildRustPackage rec { 
+    pname = "codeql-ql-extractor";
+    version = "0.0.1";
+  
+    dontConfigure = true;
+    dontStrip = true;
+
+    src = fetchFromGitHub {
+        owner = "github";
+        repo = "codeql";
+        rev = "codeql-cli/v2.16.0";
+        sha256 = "x2EFoOt1MZRXxIZt6hF86Z1Qu/hVUoOVla562TApVwo=";
+    };
+
+    sourceRoot = "${src.name}/ql";
+
+    cargoLock = {
+        lockFile = "${src.outPath}/ql/Cargo.lock";
+        outputHashes = {
+            "tree-sitter-json-0.20.0" = "sha256-fIh/bKxHMnok8D+xQlyyp5GaO2Ra/U2Y/5IjQ+t4+xY=";
+            "tree-sitter-ql-0.19.0" = "sha256-2QOtNguYAIhIhGuVqyx/33gFu3OqcxAPBZOk85Q226M=";
+            "tree-sitter-ql-dbscheme-0.0.1" = "sha256-wp0LtcbkP2lxbmE9rppO9cK+RATTjZxOb0EWfdKT884=";
+        };
+    };
+
+    nativeBuildInputs = [ gh libiconv which codeql-cli_2_16_0 jq]; 
+
+    platform = if stdenv.isLinux then "linux64" else "osx64";
+
+    installPhase = ''
+        runHook preInstall
+        mkdir -p $out/tools/$platform
+        cargo run --profile release --bin codeql-extractor-ql -- generate --dbscheme ql/src/ql.dbscheme --library ql/src/codeql_ql/ast/internal/TreeSitter.qll
+        codeql query format -i ql/src/codeql_ql/ast/internal/TreeSitter.qll
+        # For some reason the fixupPhase isn't working, so we do it manually
+        patchShebangs tools/
+        cp -r codeql-extractor.yml tools ql/src/ql.dbscheme ql/src/ql.dbscheme.stats $out/
+        cp $(cargo metadata --format-version 1 | jq -r '.target_directory')/release/codeql-extractor-ql $out/tools/$platform/extractor
+        runHook postInstall
+        '';
+}

scripts/codeql/ql-extractor/default.nix

@@ -0,0 +1,6 @@
+let
+    pkgs = import <nixpkgs> {};
+in
+{
+    ql-extractor_0_0_1 = pkgs.callPackage ./0.0.1.nix {};
+}

shell.nix

@@ -0,0 +1,15 @@
+let
+  nixpkgs = fetchTarball "https://github.com/NixOS/nixpkgs/archive/0e148322b344eab7c8d52f6e59b0d95ba73fb62e.tar.gz";
+  pkgs = (import nixpkgs { config = {}; overlays = []; }) // (import ./scripts/codeql/default.nix);
+in
+
+pkgs.mkShell {
+  packages = with pkgs; [
+    clang-tools_14
+    python39
+    git
+    gh 
+    jq
+    codeql-cli_2_16_0_with_ql_extractor
+  ];
+}