add section: install each pack's dependencies

Michael Hohn
2023-06-16 15:06:30 -07:00
committed by =Michael Hohn
parent 9a8cc0c6f6
commit 914064e4bd


@@ -1,206 +1,229 @@
* End-to-end demo of CodeQL command line usage * End-to-end demo of CodeQL command line usage
1. Want to run analyses (command line use - github) ** Run analyses
1. Get collection of databases (already handy) *** Get collection of databases (already handy)
1. [X] Get https://github.com/rvermeulen/codeql-workshop-vulnerable-linux-driver **** DONE Get https://github.com/rvermeulen/codeql-workshop-vulnerable-linux-driver
#+BEGIN_SRC text #+begin_src text
cd ~/local cd ~/local
git clone git@github.com:rvermeulen/codeql-workshop-vulnerable-linux-driver.git git clone git@github.com:rvermeulen/codeql-workshop-vulnerable-linux-driver.git
cd codeql-workshop-vulnerable-linux-driver/ cd codeql-workshop-vulnerable-linux-driver/
unzip vulnerable-linux-driver.zip unzip vulnerable-linux-driver.zip
tree -L 2 vulnerable-linux-driver-db/ tree -L 2 vulnerable-linux-driver-db/
vulnerable-linux-driver-db/ vulnerable-linux-driver-db/
├── codeql-database.yml ├── codeql-database.yml
├── db-cpp ├── db-cpp
│   ├── default │   ├── default
│   ├── semmlecode.cpp.dbscheme │   ├── semmlecode.cpp.dbscheme
│   └── semmlecode.cpp.dbscheme.stats │   └── semmlecode.cpp.dbscheme.stats
└── src.zip └── src.zip
3 directories, 4 files 3 directories, 4 files
#+END_SRC #+end_src
2. [X] Quick check using VS Code. Same steps will repeat: **** DONE Quick check using VS Code. Same steps will repeat:
1. select DB ***** select DB
2. select query ***** select query
3. run query ***** run query
4. view results ***** view results
**** DONE Install codeql
***** Full docs:
https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli#getting-started-with-the-codeql-cli
https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system#setting-up-the-codeql-cli-in-your-ci-system
***** In short:
#+begin_src sh
cd ~/local/codeql-cli-end-to-endw
# Decide on version / os via browser, then:
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.13.4/codeql-bundle-osx64.tar.gz
3. [ ] Install codeql # Fix attributes on mac
- Full docs: if [ `uname` = Darwin ] ; then
https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli#getting-started-with-the-codeql-cli xattr -c *.tar.gz
https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system#setting-up-the-codeql-cli-in-your-ci-system fi
In short:
#+BEGIN_SRC sh
cd ~/local/codeql-cli-end-to-endw
# Decide on version / os via browser, then:
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.13.4/codeql-bundle-osx64.tar.gz
# Fix attributes on mac # Extract
if [ `uname` = Darwin ] ; then tar zxf ./codeql-bundle-osx64.tar.gz
xattr -c *.tar.gz
fi
# Extract # Check binary
tar zxf ./codeql-bundle-osx64.tar.gz pwd
# /Users/hohn/local/codeql-cli-end-to-end
./codeql/codeql --version
# CodeQL command-line toolchain release 2.13.4.
# Copyright (C) 2019-2023 GitHub, Inc.
# Unpacked in: /Users/hohn/local/codeql-cli-end-to-end/codeql
# Analysis results depend critically on separately distributed query and
# extractor modules. To list modules that are visible to the toolchain,
# use 'codeql resolve qlpacks' and 'codeql resolve languages'.
# Check binary # Check packs
pwd 0:$ ./codeql/codeql resolve qlpacks |head -5
# /Users/hohn/local/codeql-cli-end-to-end # codeql/cpp-all (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/cpp-all/0.7.3)
# codeql/cpp-examples (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/cpp-examples/0.0.0)
# codeql/cpp-queries (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/cpp-queries/0.6.3)
# codeql/csharp-all (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/csharp-all/0.6.3)
# codeql/csharp-examples (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/csharp-examples/0.0.0)
./codeql/codeql --version # Fix the path
# CodeQL command-line toolchain release 2.13.4. export PATH=$(pwd -P)/codeql:"$PATH"
# Copyright (C) 2019-2023 GitHub, Inc.
# Unpacked in: /Users/hohn/local/codeql-cli-end-to-end/codeql
# Analysis results depend critically on separately distributed query and
# extractor modules. To list modules that are visible to the toolchain,
# use 'codeql resolve qlpacks' and 'codeql resolve languages'.
# Check packs # Check languages
0:$ ./codeql/codeql resolve qlpacks |head -5 codeql resolve languages | head -5
# codeql/cpp-all (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/cpp-all/0.7.3) # go (/Users/hohn/local/codeql-cli-end-to-end/codeql/go)
# codeql/cpp-examples (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/cpp-examples/0.0.0) # python (/Users/hohn/local/codeql-cli-end-to-end/codeql/python)
# codeql/cpp-queries (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/cpp-queries/0.6.3) # java (/Users/hohn/local/codeql-cli-end-to-end/codeql/java)
# codeql/csharp-all (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/csharp-all/0.6.3) # html (/Users/hohn/local/codeql-cli-end-to-end/codeql/html)
# codeql/csharp-examples (/Users/hohn/local/codeql-cli-end-to-end/codeql/qlpacks/codeql/csharp-examples/0.0.0) # xml (/Users/hohn/local/codeql-cli-end-to-end/codeql/xml)
#+end_src
***** A more fancy version
#+begin_src sh
# Reference urls:
# https://github.com/github/codeql-cli-binaries/releases/download/v2.8.0/codeql-linux64.zip
# https://github.com/github/codeql/archive/refs/tags/codeql-cli/v2.8.0.zip
#
# grab -- retrieve and extract codeql cli and library
# Usage: grab version url prefix
grab() {
version=$1; shift
platform=$1; shift
prefix=$1; shift
mkdir -p $prefix/codeql-$version &&
cd $prefix/codeql-$version || return
# Fix the path # Get cli
export PATH=$(pwd -P)/codeql:"$PATH" wget "https://github.com/github/codeql-cli-binaries/releases/download/$version/codeql-$platform.zip"
# Get lib
wget "https://github.com/github/codeql/archive/refs/tags/codeql-cli/$version.zip"
# Fix attributes
if [ `uname` = Darwin ] ; then
xattr -c *.zip
fi
# Extract
unzip -q codeql-$platform.zip
unzip -q $version.zip
# Rename library directory for VS Code
mv codeql-codeql-cli-$version/ ql
# remove archives?
# rm codeql-$platform.zip
# rm $version.zip
}
# Check languages grab v2.7.6 osx64 $HOME/local
codeql resolve languages | head -5 grab v2.8.3 osx64 $HOME/local
# go (/Users/hohn/local/codeql-cli-end-to-end/codeql/go) grab v2.8.4 osx64 $HOME/local
# python (/Users/hohn/local/codeql-cli-end-to-end/codeql/python)
# java (/Users/hohn/local/codeql-cli-end-to-end/codeql/java)
# html (/Users/hohn/local/codeql-cli-end-to-end/codeql/html)
# xml (/Users/hohn/local/codeql-cli-end-to-end/codeql/xml)
#+END_SRC grab v2.6.3 linux64 /opt
A more fancy version: grab v2.6.3 osx64 $HOME/local
#+BEGIN_SRC sh grab v2.4.6 osx64 $HOME/local
# Reference urls: #+end_src
# https://github.com/github/codeql-cli-binaries/releases/download/v2.8.0/codeql-linux64.zip ***** Most flexible in use, but more initial setup: gh, the GitHub
# https://github.com/github/codeql/archive/refs/tags/codeql-cli/v2.8.0.zip command-line tool from https://github.com/cli/cli
#
# grab -- retrieve and extract codeql cli and library
# Usage: grab version url prefix
grab() {
version=$1; shift
platform=$1; shift
prefix=$1; shift
mkdir -p $prefix/codeql-$version &&
cd $prefix/codeql-$version || return
# Get cli ****** gh api repos/{owner}/{repo}/releases
wget "https://github.com/github/codeql-cli-binaries/releases/download/$version/codeql-$platform.zip" https://cli.github.com/manual/gh_api
# Get lib ****** gh extension create
wget "https://github.com/github/codeql/archive/refs/tags/codeql-cli/$version.zip" https://cli.github.com/manual/gh_extension
# Fix attributes ****** gh codeql extension
if [ `uname` = Darwin ] ; then https://github.com/github/gh-codeql
xattr -c *.zip ****** gh gist list
fi https://cli.github.com/manual/gh_gist_list
# Extract
unzip -q codeql-$platform.zip
unzip -q $version.zip
# Rename library directory for VS Code
mv codeql-codeql-cli-$version/ ql
# remove archives?
# rm codeql-$platform.zip
# rm $version.zip
}
grab v2.7.6 osx64 $HOME/local #+begin_src text
grab v2.8.3 osx64 $HOME/local 0:$ gh codeql
grab v2.8.4 osx64 $HOME/local GitHub command-line wrapper for the CodeQL CLI.
#+end_src
**** TODO Install pack dependencies
***** Full docs
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs#about-qlpackyml-files
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/pack-install
***** View installed docs via =-h= flag, highly recommended
#+begin_src sh
# Overview
codeql -h
grab v2.6.3 linux64 /opt # Sub 1
codeql pack -h
grab v2.6.3 osx64 $HOME/local # Sub 2
grab v2.4.6 osx64 $HOME/local codeql pack install -h
#+END_SRC #+end_src
***** In short
****** create the qlpack files if not there
#+begin_src sh
- Most flexible in use, but more initial setup: gh, the GitHub #+end_src
command-line tool from https://github.com/cli/cli ****** install each pack's dependencies via
=codeql pack install=
#+begin_src sh
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
find . -name "qlpack.yml"
# ./queries/qlpack.yml
# ./solutions/qlpack.yml
# ./common/qlpack.yml
gh api repos/{owner}/{repo}/releases codeql pack install --no-strict-mode queries/
https://cli.github.com/manual/gh_api # Dependencies resolved. Installing packages...
# Install location: /Users/hohn/.codeql/packages
# Nothing to install.
# Package install location: /Users/hohn/.codeql/packages
# Nothing downloaded.
gh extension create for sub in `find . -name "qlpack.yml" | sed s@qlpack.yml@@g;`
https://cli.github.com/manual/gh_extension do
codeql pack install --no-strict-mode $sub
gh codeql extension done
https://github.com/github/gh-codeql #+end_src
install codeql cli and library? *** Run queries
**** Individual: 1 database -> N sarif files
gh gist list **** Use directory of queries: 1 database -> 1 sarif file (least effort)
https://cli.github.com/manual/gh_gist_list **** Use suite: 1 database -> 1 sarif file (more flexible, more effort)
**** Include versioning:
#+BEGIN_SRC text ***** codeql cli
0:$ gh codeql ***** query set version
GitHub command-line wrapper for the CodeQL CLI. Checks:
#+END_SRC **** Will include e.g.,
#+begin_src text
4. [ ] Install pack dependencies codeql database analyze --format=sarif-latest --rerun \
- Full docs --output $QUERY_RES_SARIF \
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs#about-qlpackyml-files --search-path $QLGIT \
-j6 \
--ram=24000 \
2. Run queries -- \
1. Individual: 1 database -> N sarif files $DB \
2. Use directory of queries: 1 database -> 1 sarif file (least effort) $QLQUERY
3. Use suite: 1 database -> 1 sarif file (more flexible, more effort) #+end_src
4. Include versioning: **** Will include recommendations, e.g., 32 G ram, 4-6 cores.
1. codeql cli **** For building DBs: Common case: 15 minutes for || cpp compilation, can
2. query set version be 2 h with codeql.
Checks: ** Review results
1. Will include e.g., *** sarif viewer plugin
#+BEGIN_SRC text *** raw sarif with =jq=
codeql database analyze --format=sarif-latest --rerun \ *** sarif-cli
--output $QUERY_RES_SARIF \ **** dump
--search-path $QLGIT \ **** sql conversion
-j6 \ ** Running sequence
--ram=24000 \ *** Smallest query suite (security suite).
-- \ *** Check results.
$DB \ **** Lots of result (> 5000) -> cli review via compiler-style dump.
$QLQUERY **** Medium result sets (~ 2000) (sarif review plugin, can only load 5000
#+END_SRC results)
2. Will include recommendations, e.g., 32 G ram, 4-6 cores. **** Few results (sarif review plugin, can only load 5000 results)
3. For building DBs: Common case: 15 minutes for || cpp compilation, can *** Expand query
be 2 h with codeql. ** Compare results.
*** sarif-cli using compiler-style dump.
2. Want to review results
1. sarif viewer plugin
2. raw sarif with =jq=
3. sarif-cli
1. dump
2. sql conversion
3. Running sequence
1. Smallest query suite (security suite).
2. Check results.
1. Lots of result (> 5000) -> cli review via compiler-style dump.
2. Medium result sets (~ 2000) (sarif review plugin, can only load 5000
results)
3. Few results (sarif review plugin, can only load 5000 results)
3. Expand query
4. Compare results.
1. sarif-cli using compiler-style dump.
* Short end-to-end illustration * Short end-to-end illustration
1. Overall procedure 1. Overall procedure
2. Command-line use 2. Command-line use
1. For 3.2 also using sarif-cli 1. For 3.2 also using sarif-cli
3. sarif viewer plugin 3. sarif viewer plugin
https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
Sarif Viewer Sarif Viewer
v3.3.7 v3.3.7
Microsoft DevLabs Microsoft DevLabs
microsoft.com microsoft.com
53,335 53,335
(1) (1)
4. Details on query suite use (3. Use suite: 1 database -> 1 sarif file (more 4. Details on query suite use (3. Use suite: 1 database -> 1 sarif file (more
flexible, more effort)) flexible, more effort))
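Review bot: the Install codeql block (`wget` of `codeql-bundle-osx64.tar.gz`, then `xattr -c *.tar.gz` and `tar zxf`) extracts and runs a toolchain that is never verified: `xattr -c` clears every extended attribute including the macOS quarantine flag, and nothing checks the archive before `./codeql/codeql --version` executes it. Keep the version pinned as it is (`codeql-bundle-v2.13.4`) and add a checksum step between the download and the extract, e.g. `shasum -a 256 codeql-bundle-osx64.tar.gz` compared against a value recorded in this document, or fetch the asset with `gh release download -R github/codeql-action codeql-bundle-v2.13.4 -p codeql-bundle-osx64.tar.gz` so the download is tied to the tag rather than a hand-typed URL; the `grab` function has the same gap, since it unzips both `codeql-$platform.zip` and `$version.zip` unchecked. Smaller points in the same hunk: `cd ~/local/codeql-cli-end-to-endw` has a stray `w` (the `pwd` output just below shows `.../codeql-cli-end-to-end`); the new pack-install section does `pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver` while the clone step earlier put the workshop at `~/local/codeql-workshop-vulnerable-linux-driver`, so one of the two paths is wrong; the `#+begin_src sh` block under "create the qlpack files if not there" is empty and should either show a minimal `qlpack.yml` (the three found by `find . -name "qlpack.yml"` are the reference) or keep that heading marked TODO; in the install loop `for sub in \`find . -name "qlpack.yml" | sed s@qlpack.yml@@g;\`` the result is word-split, `$sub` is unquoted, the `pushd` has no matching `popd`, and `--no-strict-mode` is passed without saying why it is needed, so quote `"$sub"`, close with `popd`, and add a one-line comment on the flag or drop it. Finally, the `0:$ ` prompt prefix on `./codeql/codeql resolve qlpacks |head -5` and `gh codeql` is shell residue that the other command lines in these blocks do not carry.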