Automatically install Python QL pack

Author: sylwia-budzynska

src/seclab_taskflows/mcp_servers/codeql_python/mcp_server.py

@@ -20,6 +20,8 @@
 import json
 from sqlalchemy import create_engine
 from sqlalchemy.orm import Session
+import subprocess
+import importlib.resources
 
 from .codeql_sqlite_models import Base, Source
 from ..utils import process_repo
@@ -211,4 +213,9 @@ def clear_codeql_repo(owner: str, repo: str):
     return f"Cleared {deleted_sources} sources from repo {repo}."
 
 if __name__ == "__main__":
+    # Check if codeql/python-all pack is installed, if not install it
+    if not os.path.isdir('/.codeql/packages/codeql/python-all'):
+        pack_path = importlib.resources.files('seclab_taskflows.mcp_servers.codeql_python.queries').joinpath('mcp-python')
+        print(f"Installing CodeQL pack from {pack_path}")
+        subprocess.run(["codeql", "pack", "install", pack_path])
     mcp.run(show_banner=False, transport="http", host="127.0.0.1", port=9998)

src/seclab_taskflows/taskflows/audit/remote_sources_local.yaml

@@ -33,6 +33,16 @@ taskflow:
       toolboxes:
         - seclab_taskflows.toolboxes.gh_code_scanning
         - seclab_taskflows.toolboxes.codeql_python
+  - task:
+      must_complete: true
+      exclude_from_context: true
+      model: general_tasks
+      agents:
+        - seclab_taskflow_agent.personalities.assistant
+      user_prompt: |
+        Fetch the zipball of the repository {{ GLOBALS_repo }}.
+      toolboxes:
+        - seclab_taskflows.toolboxes.local_gh_resources
   - task:
       must_complete: true
       exclude_from_context: true
@@ -53,7 +63,6 @@ taskflow:
       agents:
         - seclab_taskflows.personalities.auditor
       user_prompt: |
-        Fetch the zipball of the repository {{ GLOBALS_repo }} and use it to analyze the source.
         The source is a {{ RESULT_type }} in {{ RESULT_repo }} in the location {{ RESULT_source_location }} on line {{ RESULT_line }}.
         If the source is in a folder relating to tests or demo code, skip the analysis and update the source entry in the codeql_sqlite database indicating it is not relevant.
         Analyze what the source endpoint is used for.
@@ -75,12 +84,11 @@ taskflow:
         the error you encountered.
       toolboxes:
         - seclab_taskflows.toolboxes.codeql_python
-        - seclab_taskflows.toolboxes.local_gh_resources
         - seclab_taskflows.toolboxes.local_file_viewer
   - task:
       must_complete: true
       agents:
-        - seclab_taskflows.personalities.web_application_security_expert
+        - seclab_taskflows.personalities.auditor
       model: code_analysis
       user_prompt: |
         Fetch the sources of the repo {{ GLOBALS_repo }} and give a summary of the notes.