Use directory of queries: 1 database -> 1 sarif file (least effort)

2025-12-16 13:13:03 +01:00 · 2023-06-20 10:09:58 -07:00
parent 5225d9eeff
commit 3cfff08896
1 changed files with 35 additions and 15 deletions
--- a/readme.org
+++ b/readme.org
@@ -215,7 +215,7 @@
       PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
       DB=$PROJ/vulnerable-linux-driver-db
       QLQUERY=$PROJ/solutions/BufferOverflow.ql
-       QUERY_RES_SARIF=$PROJ/$(cd $PROJ && git rev-parse --short HEAD).sarif
+       QUERY_RES_SARIF=$PROJ/$(cd $PROJ && git rev-parse --short HEAD)-BufferOverflow.sarif
       #* Run query
       pushd $PROJ
@@ -286,25 +286,45 @@
     #+END_SRC
-**** NEXT Use directory of queries: 1 database -> 1 sarif file (least effort)
+**** Use directory of queries: 1 database -> 1 sarif file (least effort)
     #+BEGIN_SRC sh
       #* Set environment
       P1_PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
       P1_DB=$PROJ/vulnerable-linux-driver-db
       P1_QLQUERYDIR=$PROJ/solutions/
       P1_QUERY_RES_SARIF=$PROJ/$(cd $PROJ && git rev-parse --short HEAD).sarif
-**** Use suite: 1 database -> 1 sarif file (more flexible, more effort)
+       #* check variables
       set | grep P1_
       #* Run query
       pushd $PROJ
       codeql database analyze --format=sarif-latest --rerun   \
              --output $P1_QUERY_RES_SARIF                     \
              -j6                                              \
              --ram=24000                                      \
              --                                               \
              $P1_DB                                           \
              $P1_PROJ/solutions/
     #+END_SRC
     We can compare SARIF result sizes:
     #+BEGIN_SRC sh
       ls -la "$qo" $P1_QUERY_RES_SARIF $QUERY_RES_SARIF
     #+END_SRC
     And for these tiny results, it's mostly metadata:
     #+BEGIN_SRC text
       -rw-r--r-- 1 hohn staff 29K Jun 20 10:06 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189-BufferOverflow.sarif
       -rw-r--r-- 1 hohn staff 33K Jun 20 10:02 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189.sarif
       -rw-r--r-- 1 hohn staff 28K Jun 20 09:51 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/e402cf5-UseAfterFree.sarif
     #+END_SRC
 **** TODO Use suite: 1 database -> 1 sarif file (more flexible, more effort)
 **** Include versioning:
 ***** codeql cli
 ***** query set version
      Checks:
 **** Will include e.g.,
     #+begin_src text
       codeql database analyze --format=sarif-latest --rerun   \
       --output $QUERY_RES_SARIF                        \
       --search-path $QLGIT                             \
       -j6                                              \
       --ram=24000                                      \
       --                                               \
       $DB                                              \
       $QLQUERY
     #+end_src
 **** Will include recommendations, e.g., 32 G ram, 4-6 cores.
 **** For building DBs: Common case: 15 minutes for || cpp compilation, can
     be 2 h with codeql.
 ** Review results