add section: install each pack's dependencies
This commit is contained in:
committed by
=Michael Hohn
parent
9a8cc0c6f6
commit
914064e4bd
157
readme.org
157
readme.org
@@ -1,9 +1,9 @@
|
||||
* End-to-end demo of CodeQL command line usage
|
||||
|
||||
1. Want to run analyses (command line use - github)
|
||||
1. Get collection of databases (already handy)
|
||||
1. [X] Get https://github.com/rvermeulen/codeql-workshop-vulnerable-linux-driver
|
||||
#+BEGIN_SRC text
|
||||
** Run analyses
|
||||
*** Get collection of databases (already handy)
|
||||
**** DONE Get https://github.com/rvermeulen/codeql-workshop-vulnerable-linux-driver
|
||||
#+begin_src text
|
||||
cd ~/local
|
||||
git clone git@github.com:rvermeulen/codeql-workshop-vulnerable-linux-driver.git
|
||||
cd codeql-workshop-vulnerable-linux-driver/
|
||||
@@ -18,19 +18,18 @@
|
||||
└── src.zip
|
||||
|
||||
3 directories, 4 files
|
||||
#+END_SRC
|
||||
2. [X] Quick check using VS Code. Same steps will repeat:
|
||||
1. select DB
|
||||
2. select query
|
||||
3. run query
|
||||
4. view results
|
||||
|
||||
3. [ ] Install codeql
|
||||
- Full docs:
|
||||
#+end_src
|
||||
**** DONE Quick check using VS Code. Same steps will repeat:
|
||||
***** select DB
|
||||
***** select query
|
||||
***** run query
|
||||
***** view results
|
||||
**** DONE Install codeql
|
||||
***** Full docs:
|
||||
https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli#getting-started-with-the-codeql-cli
|
||||
https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system#setting-up-the-codeql-cli-in-your-ci-system
|
||||
In short:
|
||||
#+BEGIN_SRC sh
|
||||
***** In short:
|
||||
#+begin_src sh
|
||||
cd ~/local/codeql-cli-end-to-endw
|
||||
# Decide on version / os via browser, then:
|
||||
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.13.4/codeql-bundle-osx64.tar.gz
|
||||
@@ -46,7 +45,6 @@
|
||||
# Check binary
|
||||
pwd
|
||||
# /Users/hohn/local/codeql-cli-end-to-end
|
||||
|
||||
./codeql/codeql --version
|
||||
# CodeQL command-line toolchain release 2.13.4.
|
||||
# Copyright (C) 2019-2023 GitHub, Inc.
|
||||
@@ -73,11 +71,9 @@
|
||||
# java (/Users/hohn/local/codeql-cli-end-to-end/codeql/java)
|
||||
# html (/Users/hohn/local/codeql-cli-end-to-end/codeql/html)
|
||||
# xml (/Users/hohn/local/codeql-cli-end-to-end/codeql/xml)
|
||||
|
||||
#+END_SRC
|
||||
|
||||
A more fancy version:
|
||||
#+BEGIN_SRC sh
|
||||
#+end_src
|
||||
***** A more fancy version
|
||||
#+begin_src sh
|
||||
# Reference urls:
|
||||
# https://github.com/github/codeql-cli-binaries/releases/download/v2.8.0/codeql-linux64.zip
|
||||
# https://github.com/github/codeql/archive/refs/tags/codeql-cli/v2.8.0.zip
|
||||
@@ -117,44 +113,74 @@
|
||||
|
||||
grab v2.6.3 osx64 $HOME/local
|
||||
grab v2.4.6 osx64 $HOME/local
|
||||
#+END_SRC
|
||||
|
||||
- Most flexible in use, but more initial setup: gh, the GitHub
|
||||
#+end_src
|
||||
***** Most flexible in use, but more initial setup: gh, the GitHub
|
||||
command-line tool from https://github.com/cli/cli
|
||||
|
||||
gh api repos/{owner}/{repo}/releases
|
||||
****** gh api repos/{owner}/{repo}/releases
|
||||
https://cli.github.com/manual/gh_api
|
||||
|
||||
gh extension create
|
||||
****** gh extension create
|
||||
https://cli.github.com/manual/gh_extension
|
||||
|
||||
gh codeql extension
|
||||
****** gh codeql extension
|
||||
https://github.com/github/gh-codeql
|
||||
install codeql cli and library?
|
||||
|
||||
gh gist list
|
||||
****** gh gist list
|
||||
https://cli.github.com/manual/gh_gist_list
|
||||
|
||||
#+BEGIN_SRC text
|
||||
#+begin_src text
|
||||
0:$ gh codeql
|
||||
GitHub command-line wrapper for the CodeQL CLI.
|
||||
#+END_SRC
|
||||
|
||||
4. [ ] Install pack dependencies
|
||||
- Full docs
|
||||
#+end_src
|
||||
**** TODO Install pack dependencies
|
||||
***** Full docs
|
||||
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs#about-qlpackyml-files
|
||||
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/pack-install
|
||||
***** View installed docs via =-h= flag, highly recommended
|
||||
#+begin_src sh
|
||||
# Overview
|
||||
codeql -h
|
||||
|
||||
# Sub 1
|
||||
codeql pack -h
|
||||
|
||||
2. Run queries
|
||||
1. Individual: 1 database -> N sarif files
|
||||
2. Use directory of queries: 1 database -> 1 sarif file (least effort)
|
||||
3. Use suite: 1 database -> 1 sarif file (more flexible, more effort)
|
||||
4. Include versioning:
|
||||
1. codeql cli
|
||||
2. query set version
|
||||
# Sub 2
|
||||
codeql pack install -h
|
||||
#+end_src
|
||||
***** In short
|
||||
****** create the qlpack files if not there
|
||||
#+begin_src sh
|
||||
|
||||
#+end_src
|
||||
****** install each pack's dependencies via
|
||||
=codeql pack install=
|
||||
#+begin_src sh
|
||||
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
|
||||
find . -name "qlpack.yml"
|
||||
# ./queries/qlpack.yml
|
||||
# ./solutions/qlpack.yml
|
||||
# ./common/qlpack.yml
|
||||
|
||||
codeql pack install --no-strict-mode queries/
|
||||
# Dependencies resolved. Installing packages...
|
||||
# Install location: /Users/hohn/.codeql/packages
|
||||
# Nothing to install.
|
||||
# Package install location: /Users/hohn/.codeql/packages
|
||||
# Nothing downloaded.
|
||||
|
||||
for sub in `find . -name "qlpack.yml" | sed s@qlpack.yml@@g;`
|
||||
do
|
||||
codeql pack install --no-strict-mode $sub
|
||||
done
|
||||
#+end_src
|
||||
*** Run queries
|
||||
**** Individual: 1 database -> N sarif files
|
||||
**** Use directory of queries: 1 database -> 1 sarif file (least effort)
|
||||
**** Use suite: 1 database -> 1 sarif file (more flexible, more effort)
|
||||
**** Include versioning:
|
||||
***** codeql cli
|
||||
***** query set version
|
||||
Checks:
|
||||
1. Will include e.g.,
|
||||
#+BEGIN_SRC text
|
||||
**** Will include e.g.,
|
||||
#+begin_src text
|
||||
codeql database analyze --format=sarif-latest --rerun \
|
||||
--output $QUERY_RES_SARIF \
|
||||
--search-path $QLGIT \
|
||||
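Review bot: The loop added near the end of this hunk, `for sub in \`find . -name "qlpack.yml" | sed s@qlpack.yml@@g;\``, word-splits the find output and then passes `$sub` unquoted to `codeql pack install`, so any pack directory whose path contains whitespace would be split into several bogus arguments. A NUL-delimited read loop keeps each path intact and drops the backtick/sed round trip: `while IFS= read -r -d '' f; do codeql pack install --no-strict-mode "${f%qlpack.yml}"; done < <(find . -name qlpack.yml -print0)`. The same block runs `codeql pack install --no-strict-mode queries/` just before the loop, which the loop then repeats for `./queries/`; a comment such as `# single-pack example; the loop below covers every pack` would make the duplication intentional. The `pushd` at the top of that block has no matching `popd` within the hunk, so a reader pasting the block is left in the workshop directory.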
@@ -163,29 +189,26 @@
|
||||
-- \
|
||||
$DB \
|
||||
$QLQUERY
|
||||
#+END_SRC
|
||||
2. Will include recommendations, e.g., 32 G ram, 4-6 cores.
|
||||
3. For building DBs: Common case: 15 minutes for || cpp compilation, can
|
||||
#+end_src
|
||||
**** Will include recommendations, e.g., 32 G ram, 4-6 cores.
|
||||
**** For building DBs: Common case: 15 minutes for || cpp compilation, can
|
||||
be 2 h with codeql.
|
||||
|
||||
2. Want to review results
|
||||
1. sarif viewer plugin
|
||||
2. raw sarif with =jq=
|
||||
3. sarif-cli
|
||||
1. dump
|
||||
2. sql conversion
|
||||
|
||||
3. Running sequence
|
||||
1. Smallest query suite (security suite).
|
||||
2. Check results.
|
||||
1. Lots of result (> 5000) -> cli review via compiler-style dump.
|
||||
2. Medium result sets (~ 2000) (sarif review plugin, can only load 5000
|
||||
** Review results
|
||||
*** sarif viewer plugin
|
||||
*** raw sarif with =jq=
|
||||
*** sarif-cli
|
||||
**** dump
|
||||
**** sql conversion
|
||||
** Running sequence
|
||||
*** Smallest query suite (security suite).
|
||||
*** Check results.
|
||||
**** Lots of result (> 5000) -> cli review via compiler-style dump.
|
||||
**** Medium result sets (~ 2000) (sarif review plugin, can only load 5000
|
||||
results)
|
||||
3. Few results (sarif review plugin, can only load 5000 results)
|
||||
3. Expand query
|
||||
|
||||
4. Compare results.
|
||||
1. sarif-cli using compiler-style dump.
|
||||
**** Few results (sarif review plugin, can only load 5000 results)
|
||||
*** Expand query
|
||||
** Compare results.
|
||||
*** sarif-cli using compiler-style dump.
|
||||
|
||||
* Short end-to-end illustration
|
||||
1. Overall procedure
|
||||
|
||||