readme.org is now generated from readme.in

Michael Hohn
2023-06-21 09:59:48 -07:00
committed by Michael Hohn
parent 082b86cea9
commit ae29b58d6c


@@ -1,13 +1,15 @@
# -*- mode: org; org-confirm-babel-evaluate: nil; coding: utf-8 -*- # Created 2023-06-21 Wed 09:58
#+OPTIONS: H:3 num:t \n:nil @:t ::t |:t ^:{} f:t *:t TeX:t LaTeX:t skip:nil p:nil #+options: H:3 num:t \n:nil @:t ::t |:t ^:{} f:t *:t TeX:t LaTeX:t skip:nil p:nil
#+OPTIONS: org-confirm-babel-evaluate:nil #+options: org-confirm-babel-evaluate:nil
#+title:
#+author: Michael Hohn
* End-to-end demo of CodeQL command line usage * End-to-end demo of CodeQL command line usage
** Run analyses ** Run analyses
*** Get collection of databases (already handy) *** Get collection of databases (already handy)
**** DONE Get https://github.com/hohn/codeql-workshop-vulnerable-linux-driver **** DONE Get https://github.com/hohn/codeql-workshop-vulnerable-linux-driver
#+begin_src text #+begin_src text
cd ~/local cd ~/local
git clone git@github.com:hohn/codeql-workshop-vulnerable-linux-driver.git git clone git@github.com:hohn/codeql-workshop-vulnerable-linux-driver.git
cd codeql-workshop-vulnerable-linux-driver/ cd codeql-workshop-vulnerable-linux-driver/
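Review bot: the `#+title:` line added in this hunk is empty, so the generated readme.org exports with no title; set it in readme.in (for example `#+title: End-to-end demo of CodeQL command line usage`, matching the top-level heading). Separately, the `# Created 2023-06-21 Wed 09:58` text appended to the mode line is a timestamp that changes on every regeneration, so each future commit of readme.org will show a header diff even when the content is unchanged; if the generated file is meant to stay in the repository, consider suppressing it (`timestamp:nil` in `#+OPTIONS`) or generating readme.org outside version control.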
@@ -22,7 +24,7 @@
└── src.zip └── src.zip
3 directories, 4 files 3 directories, 4 files
#+end_src #+end_src
**** DONE Quick check using VS Code. Same steps will repeat: **** DONE Quick check using VS Code. Same steps will repeat:
***** select DB ***** select DB
***** select query ***** select query
@@ -30,10 +32,10 @@
***** view results ***** view results
**** DONE Install codeql **** DONE Install codeql
***** Full docs: ***** Full docs:
https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli#getting-started-with-the-codeql-cli https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli#getting-started-with-the-codeql-cli
https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system#setting-up-the-codeql-cli-in-your-ci-system https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system#setting-up-the-codeql-cli-in-your-ci-system
***** In short: ***** In short:
#+begin_src sh #+begin_src sh
cd ~/local/codeql-cli-end-to-endw cd ~/local/codeql-cli-end-to-endw
# Decide on version / os via browser, then: # Decide on version / os via browser, then:
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.13.4/codeql-bundle-osx64.tar.gz wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.13.4/codeql-bundle-osx64.tar.gz
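Review bot: `cd ~/local/codeql-cli-end-to-endw` on the first line of this block has a stray `w`; every other block on the page uses `~/local/codeql-cli-end-to-end`, so a reader pasting this step will `cd` into a directory that does not exist and then `wget` the bundle into whatever directory they were already in. Since readme.org is now generated, the fix belongs in readme.in.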
@@ -75,9 +77,9 @@
# java (/Users/hohn/local/codeql-cli-end-to-end/codeql/java) # java (/Users/hohn/local/codeql-cli-end-to-end/codeql/java)
# html (/Users/hohn/local/codeql-cli-end-to-end/codeql/html) # html (/Users/hohn/local/codeql-cli-end-to-end/codeql/html)
# xml (/Users/hohn/local/codeql-cli-end-to-end/codeql/xml) # xml (/Users/hohn/local/codeql-cli-end-to-end/codeql/xml)
#+end_src #+end_src
***** A more fancy version ***** A more fancy version
#+begin_src sh #+begin_src sh
# Reference urls: # Reference urls:
# https://github.com/github/codeql-cli-binaries/releases/download/v2.8.0/codeql-linux64.zip # https://github.com/github/codeql-cli-binaries/releases/download/v2.8.0/codeql-linux64.zip
# https://github.com/github/codeql/archive/refs/tags/codeql-cli/v2.8.0.zip # https://github.com/github/codeql/archive/refs/tags/codeql-cli/v2.8.0.zip
@@ -117,29 +119,29 @@
grab v2.6.3 osx64 $HOME/local grab v2.6.3 osx64 $HOME/local
grab v2.4.6 osx64 $HOME/local grab v2.4.6 osx64 $HOME/local
#+end_src #+end_src
***** Most flexible in use, but more initial setup ***** Most flexible in use, but more initial setup
=gh=, the GitHub command-line tool from https://github.com/cli/cli =gh=, the GitHub command-line tool from https://github.com/cli/cli
****** gh api repos/{owner}/{repo}/releases ****** gh api repos/{owner}/{repo}/releases
https://cli.github.com/manual/gh_api https://cli.github.com/manual/gh_api
****** gh extension create ****** gh extension create
https://cli.github.com/manual/gh_extension https://cli.github.com/manual/gh_extension
****** gh codeql extension ****** gh codeql extension
https://github.com/github/gh-codeql https://github.com/github/gh-codeql
****** gh gist list ****** gh gist list
https://cli.github.com/manual/gh_gist_list https://cli.github.com/manual/gh_gist_list
#+begin_src text #+begin_src text
0:$ gh codeql 0:$ gh codeql
GitHub command-line wrapper for the CodeQL CLI. GitHub command-line wrapper for the CodeQL CLI.
#+end_src #+end_src
**** Install pack dependencies **** Install pack dependencies
***** Full docs ***** Full docs
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs#about-qlpackyml-files https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs#about-qlpackyml-files
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/pack-install https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/pack-install
***** View installed docs via =-h= flag, highly recommended ***** View installed docs via =-h= flag, highly recommended
#+begin_src sh #+begin_src sh
# Overview # Overview
codeql -h codeql -h
@@ -148,21 +150,22 @@
# Sub 2 # Sub 2
codeql pack install -h codeql pack install -h
#+end_src #+end_src
***** In short ***** In short
****** Create the qlpack ****** Create the qlpack
Create the qlpack files if not there, one per directory. In this project, Create the qlpack files if not there, one per directory. In this project,
that's already done: that's already done:
#+begin_src sh #+begin_src sh
0:$ find codeql-workshop-vulnerable-linux-driver -name "qlpack.yml" 0:$ find codeql-workshop-vulnerable-linux-driver -name "qlpack.yml"
codeql-workshop-vulnerable-linux-driver/queries/qlpack.yml codeql-workshop-vulnerable-linux-driver/queries/qlpack.yml
codeql-workshop-vulnerable-linux-driver/solutions/qlpack.yml codeql-workshop-vulnerable-linux-driver/solutions/qlpack.yml
codeql-workshop-vulnerable-linux-driver/common/qlpack.yml codeql-workshop-vulnerable-linux-driver/common/qlpack.yml
#+end_src #+end_src
For example: For example:
: cat codeql-workshop-vulnerable-linux-driver/queries/qlpack.yml : cat codeql-workshop-vulnerable-linux-driver/queries/qlpack.yml
shows
#+BEGIN_SRC yaml shows
#+begin_src yaml
--- ---
library: false library: false
name: queries name: queries
@@ -170,30 +173,31 @@
dependencies: dependencies:
codeql/cpp-all: ^0.7.0 codeql/cpp-all: ^0.7.0
common: "*" common: "*"
#+END_SRC #+end_src
So the queries directory does not contain a library, but it depends on one, So the queries directory does not contain a library, but it depends on one,
: cat codeql-workshop-vulnerable-linux-driver/common/qlpack.yml : cat codeql-workshop-vulnerable-linux-driver/common/qlpack.yml
#+BEGIN_SRC yaml
#+begin_src yaml
--- ---
library: true library: true
name: common name: common
version: 0.0.1 version: 0.0.1
dependencies: dependencies:
codeql/cpp-all: 0.7.0 codeql/cpp-all: 0.7.0
#+END_SRC #+end_src
****** Install each pack's dependencies ****** Install each pack's dependencies
The first time you install dependencies, it's a good idea to do this The first time you install dependencies, it's a good idea to do this
menually, per =qlpack.yml= file, and deal with any errors that may occur. menually, per =qlpack.yml= file, and deal with any errors that may occur.
#+BEGIN_SRC sh #+begin_src sh
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
codeql pack install --no-strict-mode queries/ codeql pack install --no-strict-mode queries/
#+END_SRC #+end_src
After the initial setup and for automation, install each pack's After the initial setup and for automation, install each pack's
dependencies via a loop: =codeql pack install= dependencies via a loop: =codeql pack install=
#+begin_src sh #+begin_src sh
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
find . -name "qlpack.yml" find . -name "qlpack.yml"
# ./queries/qlpack.yml # ./queries/qlpack.yml
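Review bot: the typo `menually` (for `manually`) in the "Install each pack's dependencies" paragraph survives the regeneration, so it needs fixing in readme.in rather than in this file. Also, the two `qlpack.yml` listings in this hunk constrain `codeql/cpp-all` differently: `queries` uses `^0.7.0` while `common` pins `0.7.0`, so `codeql pack install` may resolve the queries pack to a newer 0.7.x patch release while `common` stays on 0.7.0; a sentence explaining why the constraints differ, or aligning them, would help readers who copy this layout.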
@@ -211,10 +215,10 @@
do do
codeql pack install --no-strict-mode $sub codeql pack install --no-strict-mode $sub
done done
#+end_src #+end_src
*** Run queries *** Run queries
**** Individual: 1 database -> N sarif files **** Individual: 1 database -> N sarif files
#+BEGIN_SRC sh #+begin_src sh
#* Set environment #* Set environment
PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
DB=$PROJ/vulnerable-linux-driver-db DB=$PROJ/vulnerable-linux-driver-db
@@ -237,17 +241,17 @@
# the IMB can access a cache directory at a time. The lock file is located at # the IMB can access a cache directory at a time. The lock file is located at
# /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/vulnerable-linux-driver-db/db-cpp/default/cache/.lock # /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/vulnerable-linux-driver-db/db-cpp/default/cache/.lock
# exit vs code and try again # exit vs code and try again
#+END_SRC #+end_src
And after some time: And after some time:
#+BEGIN_SRC text #+begin_src text
BufferOverflow.ql: [1/1 eval 1.8s] Results written to solutions/BufferOverfl BufferOverflow.ql: [1/1 eval 1.8s] Results written to solutions/BufferOverfl
Shutting down query evaluator. Shutting down query evaluator.
Interpreting results. Interpreting results.
#+END_SRC #+end_src
#+BEGIN_SRC sh #+begin_src sh
echo The query $QLQUERY echo The query $QLQUERY
echo run on $DB echo run on $DB
echo produced output in $QUERY_RES_SARIF: echo produced output in $QUERY_RES_SARIF:
@@ -258,12 +262,12 @@
# "runs" : [ { # "runs" : [ {
# "tool" : { # "tool" : {
# ... # ...
#+END_SRC #+end_src
And run another, get another sarif file. Bad idea in general, but good for And run another, get another sarif file. Bad idea in general, but good for
debugging timing etc. debugging timing etc.
#+BEGIN_SRC sh #+begin_src sh
#* Use prior variable settings #* Use prior variable settings
#* Run query #* Run query
@@ -287,10 +291,10 @@
# "version" : "2.1.0", # "version" : "2.1.0",
# "runs" : [ { # "runs" : [ {
# "tool" : { # "tool" : {
#+END_SRC #+end_src
**** Use directory of queries: 1 database -> 1 sarif file (least effort) **** Use directory of queries: 1 database -> 1 sarif file (least effort)
#+BEGIN_SRC sh #+begin_src sh
#* Set environment #* Set environment
P1_PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver P1_PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
P1_DB=$PROJ/vulnerable-linux-driver-db P1_DB=$PROJ/vulnerable-linux-driver-db
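Review bot: `P1_DB=$PROJ/vulnerable-linux-driver-db` uses `$PROJ` from the earlier "Individual" block instead of the `$P1_PROJ` defined on the line directly above it. Run on its own, which the `P1_` prefix suggests is the intent, `$PROJ` is empty and the database path becomes `/vulnerable-linux-driver-db`. Change it to `P1_DB=$P1_PROJ/vulnerable-linux-driver-db` in readme.in.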
@@ -310,27 +314,27 @@
$P1_DB \ $P1_DB \
$P1_PROJ/solutions/ $P1_PROJ/solutions/
popd popd
#+END_SRC #+end_src
We can compare SARIF result sizes: We can compare SARIF result sizes:
#+BEGIN_SRC sh #+begin_src sh
ls -la "$qo" $P1_QUERY_RES_SARIF $QUERY_RES_SARIF ls -la "$qo" $P1_QUERY_RES_SARIF $QUERY_RES_SARIF
#+END_SRC #+end_src
And for these tiny results, it's mostly metadata: And for these tiny results, it's mostly metadata:
#+BEGIN_SRC text #+begin_src text
-rw-r--r-- 1 hohn staff 29K Jun 20 10:06 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189-BufferOverflow.sarif -rw-r--r-- 1 hohn staff 29K Jun 20 10:06 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189-BufferOverflow.sarif
-rw-r--r-- 1 hohn staff 33K Jun 20 10:02 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189.sarif -rw-r--r-- 1 hohn staff 33K Jun 20 10:02 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189.sarif
-rw-r--r-- 1 hohn staff 28K Jun 20 09:51 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/e402cf5-UseAfterFree.sarif -rw-r--r-- 1 hohn staff 28K Jun 20 09:51 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/e402cf5-UseAfterFree.sarif
#+END_SRC #+end_src
**** Use suite: 1 database -> 1 sarif file (more flexible, more effort) **** Use suite: 1 database -> 1 sarif file (more flexible, more effort)
A useful, general purpose template is at A useful, general purpose template is at
https://github.com/rvermeulen/codeql-example-project-layout. https://github.com/rvermeulen/codeql-example-project-layout.
***** Documentation ***** Documentation
- [[https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites][built-in-codeql-query-suites]] - [[https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites][built-in-codeql-query-suites]]
- [[https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-query-suites][creating-codeql-query-suites]] - [[https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-query-suites][creating-codeql-query-suites]]
Important: Important:
You must add at least one query, queries, or qlpack instruction to your You must add at least one query, queries, or qlpack instruction to your
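Review bot: `$qo` in `ls -la "$qo" $P1_QUERY_RES_SARIF $QUERY_RES_SARIF` is not assigned anywhere in this hunk, and it is the only one of the three variables that is quoted. If `qo` is set in an elided part of the "Use directory of queries" block, a comment naming it here would help; otherwise the empty argument makes `ls` print an error before listing the other two files.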
@@ -342,7 +346,7 @@
Also, a suite definition must be /in/ a codeql pack. Also, a suite definition must be /in/ a codeql pack.
***** In short ***** In short
#+BEGIN_SRC sh #+begin_src sh
codeql resolve qlpacks | grep cpp codeql resolve qlpacks | grep cpp
# Copy query suite into the pack # Copy query suite into the pack
@@ -350,121 +354,144 @@
cp custom-suite-1.qls codeql-workshop-vulnerable-linux-driver/solutions/ cp custom-suite-1.qls codeql-workshop-vulnerable-linux-driver/solutions/
codeql resolve queries \ codeql resolve queries \
codeql-workshop-vulnerable-linux-driver/solutions/custom-suite-1.qls codeql-workshop-vulnerable-linux-driver/solutions/custom-suite-1.qls
#+END_SRC #+end_src
#+RESULTS: #+begin_src yaml
: /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/solutions/UseAfterFree.ql #
# Taken from
# codeql-v2.12.3/codeql/qlpacks/codeql/suite-helpers/0.4.3/code-scanning-selectors.yml
# and modified
#
- description: Security sample queries
- queries: .
# - qlpack: some-pack-cpp
- include:
kind:
# UseAfterFree
- problem
# # BufferOverflow
# - path-problem
# precision:
# - high
# - very-high
# problem.severity:
# - error
# tags contain:
# - security
#+INCLUDE: "./custom-suite-1.qls" src yaml # - exclude:
# deprecated: //
# - exclude:
# query path:
# - /^experimental\/.*/
# - Metrics/Summaries/FrameworkCoverage.ql
# - /Diagnostics/Internal/.*/
# - exclude:
# tags contain:
# - modelgenerator
#+end_src
**** TODO Include versioning: **** TODO Include versioning:
***** TODO codeql cli ***** TODO codeql cli
***** TODO query set version ***** TODO query set version
Checks: Checks:
**** For building DBs: Common case: 15 minutes for || cpp compilation, can **** For building DBs: Common case: 15 minutes for || cpp compilation, can
be 2 h with codeql. be 2 h with codeql.
** Review results ** Review results
*** SARIF Documentation *** SARIF Documentation
The standard is defined at The standard is defined at
https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html
*** SARIF viewer plugin *** SARIF viewer plugin
**** Install plugin in VS Code **** Install plugin in VS Code
https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
Sarif Viewer Sarif Viewer
v3.3.7 v3.3.7
Microsoft DevLabs Microsoft DevLabs
microsoft.com microsoft.com
53,335 53,335
(1) (1)
**** Review **** Review
#+BEGIN_SRC sh #+begin_src sh
cd ~/local/codeql-cli-end-to-end cd ~/local/codeql-cli-end-to-end
find . -maxdepth 2 -name "*.sarif" find . -maxdepth 2 -name "*.sarif"
#+END_SRC #+end_src
Pick one in VS Code. Either Pick one in VS Code. Either
#+BEGIN_SRC sh #+begin_src sh
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
cd codeql-workshop-vulnerable-linux-driver/ cd codeql-workshop-vulnerable-linux-driver/
code d548189.sarif code d548189.sarif
#+END_SRC #+end_src
or manually. or manually.
We need the source. We need the source.
#+BEGIN_SRC sh #+begin_src sh
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
git submodule init git submodule init
git submodule update git submodule update
#+END_SRC #+end_src
When we review, VS Code will ask for the path. When we review, VS Code will ask for the path.
#+BEGIN_SRC sh #+begin_src sh
cd /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/vulnerable_linux_driver cd /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/vulnerable_linux_driver
ls src/vuln_driver.c ls src/vuln_driver.c
#+END_SRC #+end_src
#+RESULTS: Reviewing looks as follows.
: src/vuln_driver.c [[file:./img/sarif-view-1.png]]
Reviewing looks as follows.
#+ATTR_HTML: :alt sarif viewer :width 90%
[[./img/sarif-view-1.png]]
*** View raw sarif with =jq= *** View raw sarif with =jq=
List the SARIF files again List the SARIF files again
#+BEGIN_SRC sh #+begin_src sh
cd ~/local/codeql-cli-end-to-end cd ~/local/codeql-cli-end-to-end
find . -maxdepth 2 -name "*.sarif" find . -maxdepth 2 -name "*.sarif"
#+END_SRC #+end_src
#+RESULTS: The CodeQL version
| ./codeql-workshop-vulnerable-linux-driver/e402cf5.sarif | #+begin_src sh
| ./codeql-workshop-vulnerable-linux-driver/e402cf5-UseAfterFree.sarif |
| ./codeql-workshop-vulnerable-linux-driver/e402cf5-BufferOverflow.sarif |
The CodeQL version
#+BEGIN_SRC sh :exports both
cd ~/local/codeql-cli-end-to-end cd ~/local/codeql-cli-end-to-end
jq '.runs | .[0] | .tool.driver.semanticVersion ' < ./codeql-workshop-vulnerable-linux-driver/e402cf5.sarif jq '.runs | .[0] | .tool.driver.semanticVersion ' < ./codeql-workshop-vulnerable-linux-driver/e402cf5.sarif
#+END_SRC #+end_src
#+RESULTS: #+results:
: 2.13.4 : 2.13.4
The names of rules processed
#+BEGIN_SRC sh :exports both The names of rules processed
#+begin_src sh
cd ~/local/codeql-cli-end-to-end cd ~/local/codeql-cli-end-to-end
jq '.runs | .[] | .tool.driver.rules | .[] | .name ' < ./codeql-workshop-vulnerable-linux-driver/d548189.sarif jq '.runs | .[] | .tool.driver.rules | .[] | .name ' < ./codeql-workshop-vulnerable-linux-driver/d548189.sarif
#+END_SRC #+end_src
#+RESULTS: #+results:
| cpp/buffer_overflow | | cpp/buffer_overflow |
| cpp/use_after_free | | cpp/use_after_free |
*** View raw sarif with =jq= and fzf *** View raw sarif with =jq= and fzf
Install the fuzzy finder Install the fuzzy finder
: brew install fzf : brew install fzf
or =apt-get=/=yum= on linux
Try working to =.runs[0].tool.driver.rules= and follow the output in real or =apt-get=/=yum= on linux
time.
#+BEGIN_SRC sh Try working to =.runs[0].tool.driver.rules= and follow the output in real
time.
#+begin_src sh
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
res=e402cf5-UseAfterFree.sarif res=e402cf5-UseAfterFree.sarif
echo '' | fzf --print-query --preview="jq {q} < $res" echo '' | fzf --print-query --preview="jq {q} < $res"
popd popd
#+END_SRC #+end_src
*** sarif-cli *** sarif-cli
**** Setup / local install **** Setup / local install
Clone https://github.com/hohn/sarif-cli or Clone https://github.com/hohn/sarif-cli or
https://github.com/knewbury01/sarif-cli https://github.com/knewbury01/sarif-cli
#+BEGIN_SRC sh #+begin_src sh
cd ~/local/codeql-cli-end-to-end cd ~/local/codeql-cli-end-to-end
git clone git@github.com:hohn/sarif-cli.git git clone git@github.com:hohn/sarif-cli.git
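Review bot: dropping the `#+RESULTS:` block after `codeql resolve queries` loses the one line (`solutions/UseAfterFree.ql`) that shows what the inlined suite actually selects: with `kind: - problem` and `path-problem` commented out, the `BufferOverflow` path-problem query is excluded, and that output was the evidence. Keep that result (or state the consequence in prose) in readme.in. Three smaller points in the same hunk: the inlined YAML says it was taken from `codeql-v2.12.3/...` while the bundle installed earlier on the page is v2.13.4, so the comment should name the version actually used; the removed `#+ATTR_HTML: :alt sarif viewer :width 90%` line takes the image's alt text and width with it; and under "Pick one in VS Code", `cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver` followed by `cd codeql-workshop-vulnerable-linux-driver/` descends into a directory that does not exist at that level (the checked-out source lives in `vulnerable_linux_driver`, per the later `cd` in this hunk), so `code d548189.sarif` would not be run from the project directory.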
@@ -476,17 +503,17 @@
# Put bin/ contents into venv PATH # Put bin/ contents into venv PATH
pip install -e . pip install -e .
#+END_SRC #+end_src
**** Compiler-style textual output from SARIF **** Compiler-style textual output from SARIF
The sarif-cli has several script to use from the shell level: The sarif-cli has several script to use from the shell level:
#+BEGIN_SRC sh :exports both :results output #+begin_src sh
cd ~/local/codeql-cli-end-to-end/sarif-cli cd ~/local/codeql-cli-end-to-end/sarif-cli
ls -1 bin/ ls -1 bin/
#+END_SRC #+end_src
#+RESULTS: #+results:
#+begin_example #+begin_example
json-to-yaml json-to-yaml
sarif-aggregate-scans sarif-aggregate-scans
sarif-create-aggregate-report sarif-create-aggregate-report
@@ -500,32 +527,31 @@
sarif-pad-aggregate sarif-pad-aggregate
sarif-results-summary sarif-results-summary
sarif-to-dot sarif-to-dot
#+end_example #+end_example
The simplest one just list the source files found during analysis: The simplest one just list the source files found during analysis:
#+BEGIN_SRC sh :exports both :results output #+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate . ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-list-files d548189.sarif sarif-list-files d548189.sarif
#+END_SRC #+end_src
#+RESULTS: #+results:
: src/buffer_overflow.h : src/buffer_overflow.h
: src/use_after_free.h : src/use_after_free.h
: src/vuln_driver.c : src/vuln_driver.c
Much more useful is a compiler-style summary of all results found:
#+BEGIN_SRC sh :exports both :results output Much more useful is a compiler-style summary of all results found:
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate . ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-results-summary d548189.sarif sarif-results-summary d548189.sarif
#+END_SRC #+end_src
This sarif file has only two results, so the output is short: #+results:
#+begin_example
#+RESULTS:
#+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2) RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
PATH 0 PATH 0
FLOW STEP 0: src/vuln_driver.c:17:73:17:77: args FLOW STEP 0: src/vuln_driver.c:17:73:17:77: args
@@ -538,23 +564,41 @@
The dangling pointer is used here: [arg](3) The dangling pointer is used here: [arg](3)
The dangling pointer is used here: [fn](4) The dangling pointer is used here: [fn](4)
The dangling pointer is used here: [arg](5) The dangling pointer is used here: [arg](5)
#+end_example #+end_example
This illustrates the differences in the output between the two result =@kind= This sarif file has only two results, so the output is short:
s:
- =@kind problem= is a single list of results found #+results:
- =@kind path-problem= is a list of flow paths. Each path in turn is a list #+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
PATH 0
FLOW STEP 0: src/vuln_driver.c:17:73:17:77: args
FLOW STEP 1: src/vuln_driver.c:28:20:28:33: args
FLOW STEP 2: src/buffer_overflow.h:6:42:6:46: buff
FLOW STEP 3: src/buffer_overflow.h:20:43:20:47: size
RESULT: src/use_after_free.h:28:11:28:25: The dangling pointer is used here: [fn](1)
The dangling pointer is used here: [fn](2)
The dangling pointer is used here: [arg](3)
The dangling pointer is used here: [fn](4)
The dangling pointer is used here: [arg](5)
#+end_example
This illustrates the differences in the output between the two result =@kind=
s:
- =@kind problem= is a single list of results found
- =@kind path-problem= is a list of flow paths. Each path in turn is a list
of locations. of locations.
Most of these scripts take options that significantly change their output; to Most of these scripts take options that significantly change their output; to
see them, use the =-h= or =--help= flags. E.g., see them, use the =-h= or =--help= flags. E.g.,
#+BEGIN_SRC sh :exports both :results output #+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate . ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
sarif-results-summary -h sarif-results-summary -h
#+END_SRC #+end_src
#+RESULTS: #+results:
#+begin_example #+begin_example
usage: sarif-results-summary [-h] [-s srcroot] [-r] [-e] [-c] sarif-file usage: sarif-results-summary [-h] [-s srcroot] [-r] [-e] [-c] sarif-file
summary of results summary of results
@@ -571,20 +615,20 @@
-e, --endpoints-only only list source and sink, dropping the path. -e, --endpoints-only only list source and sink, dropping the path.
Identical, successive source/sink pairs are combined Identical, successive source/sink pairs are combined
-c, --csv output csv instead of human-readable summary -c, --csv output csv instead of human-readable summary
#+end_example #+end_example
Some of these make output much more informative, like =-r= and =-s=: Some of these make output much more informative, like =-r= and =-s=:
With =-r=: With =-r=:
#+BEGIN_SRC sh :exports both :results output #+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate . ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-results-summary -r d548189.sarif sarif-results-summary -r d548189.sarif
#+END_SRC #+end_src
#+RESULTS: #+results:
#+begin_example #+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2) RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
REFERENCE: src/buffer_overflow.h:20:17:20:23: memcpy REFERENCE: src/buffer_overflow.h:20:17:20:23: memcpy
REFERENCE: src/buffer_overflow.h:8:22:8:33: stack buffer REFERENCE: src/buffer_overflow.h:8:22:8:33: stack buffer
@@ -604,19 +648,19 @@
REFERENCE: src/use_after_free.h:87:90:87:93: arg REFERENCE: src/use_after_free.h:87:90:87:93: arg
REFERENCE: src/use_after_free.h:89:20:89:22: fn REFERENCE: src/use_after_free.h:89:20:89:22: fn
REFERENCE: src/use_after_free.h:89:39:89:42: arg REFERENCE: src/use_after_free.h:89:39:89:42: arg
#+end_example #+end_example
If the source code is available, we can use =-s= to include snippets in the If the source code is available, we can use =-s= to include snippets in the
output. This effectively converts sarif to the format used by gcc and clang output. This effectively converts sarif to the format used by gcc and clang
to report warnings and errors. to report warnings and errors.
#+BEGIN_SRC sh :exports both :results output #+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate . ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-results-summary -s vulnerable_linux_driver/ d548189.sarif sarif-results-summary -s vulnerable_linux_driver/ d548189.sarif
#+END_SRC #+end_src
#+RESULTS: #+results:
#+begin_example #+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2) RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
memcpy(kernel_buff, buff, size); memcpy(kernel_buff, buff, size);
^^^^ ^^^^
@@ -641,7 +685,7 @@
The dangling pointer is used here: [arg](5) The dangling pointer is used here: [arg](5)
uaf_obj *global_uaf_obj = NULL; uaf_obj *global_uaf_obj = NULL;
^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^
#+end_example #+end_example
**** TODO SQL conversion **** TODO SQL conversion
** Running sequence ** Running sequence
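Review bot: the generated file now contains the `sarif-results-summary d548189.sarif` output twice: once directly under the `#+begin_src sh` block (with the left column's introductory sentence gone) and again, as a second `#+results:` / `#+begin_example` block, after the sentence "This sarif file has only two results, so the output is short:". The left column had a single copy preceded by that sentence, which is the intended layout. Check how readme.in produces this block (a stale `#+RESULTS:` left in readme.in next to an evaluated block is the usual cause) and regenerate, so the sentence precedes exactly one copy of the example.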
@@ -649,7 +693,7 @@
*** Check results. *** Check results.
**** Lots of result (> 5000) -> cli review via compiler-style dump. **** Lots of result (> 5000) -> cli review via compiler-style dump.
**** Medium result sets (~ 2000) (sarif review plugin, can only load 5000 **** Medium result sets (~ 2000) (sarif review plugin, can only load 5000
results) results)
**** Few results (sarif review plugin, can only load 5000 results) **** Few results (sarif review plugin, can only load 5000 results)
*** Expand query *** Expand query
** Compare results. ** Compare results.
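Review bot: under "Check results", the "Few results" heading repeats the parenthetical "(sarif review plugin, can only load 5000 results)" from the "Medium result sets" heading, where the 5000-result cap is actually relevant; for few results the cap is moot and the remark can be dropped. Also "Lots of result (> 5000)" should read "Lots of results (> 5000)". Both are in readme.in.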