readme.org is now generated from readme.in

Michael Hohn
2023-06-21 09:59:48 -07:00
committed by Michael Hohn
parent 082b86cea9
commit ae29b58d6c


@@ -1,6 +1,8 @@
# -*- mode: org; org-confirm-babel-evaluate: nil; coding: utf-8 -*-
#+OPTIONS: H:3 num:t \n:nil @:t ::t |:t ^:{} f:t *:t TeX:t LaTeX:t skip:nil p:nil
#+OPTIONS: org-confirm-babel-evaluate:nil
# Created 2023-06-21 Wed 09:58
#+options: H:3 num:t \n:nil @:t ::t |:t ^:{} f:t *:t TeX:t LaTeX:t skip:nil p:nil
#+options: org-confirm-babel-evaluate:nil
#+title:
#+author: Michael Hohn
* End-to-end demo of CodeQL command line usage
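Review bot: the generated header carries a `# Created 2023-06-21 Wed 09:58` timestamp and an empty `#+title:`. The timestamp alone makes readme.org differ on every regeneration even when readme.in is unchanged, so either strip that line in the generation step (Org's `org-export-time-stamp-file` set to nil does this) or accept churn-only commits. The empty `#+title:` drops the document title from exports; give it a value in readme.in, for example the first heading `End-to-end demo of CodeQL command line usage`.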
@@ -161,8 +163,9 @@
#+end_src
For example:
: cat codeql-workshop-vulnerable-linux-driver/queries/qlpack.yml
shows
#+BEGIN_SRC yaml
#+begin_src yaml
---
library: false
name: queries
@@ -170,26 +173,27 @@
dependencies:
codeql/cpp-all: ^0.7.0
common: "*"
#+END_SRC
#+end_src
So the queries directory does not contain a library, but it depends on one,
: cat codeql-workshop-vulnerable-linux-driver/common/qlpack.yml
#+BEGIN_SRC yaml
#+begin_src yaml
---
library: true
name: common
version: 0.0.1
dependencies:
codeql/cpp-all: 0.7.0
#+END_SRC
#+end_src
****** Install each pack's dependencies
The first time you install dependencies, it's a good idea to do this
menually, per =qlpack.yml= file, and deal with any errors that may occur.
#+BEGIN_SRC sh
#+begin_src sh
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
codeql pack install --no-strict-mode queries/
#+END_SRC
#+end_src
After the initial setup and for automation, install each pack's
dependencies via a loop: =codeql pack install=
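Review bot: the typo `menually` in "it's a good idea to do this menually, per =qlpack.yml= file" is carried into the generated file; since readme.org is now generated, the fix (`manually`) belongs in readme.in. Separately, the two qlpack.yml files shown pin `codeql/cpp-all` differently (`^0.7.0` in queries, exact `0.7.0` in common); a sentence saying why would help a reader following the `codeql pack install --no-strict-mode queries/` step understand which version ends up resolved.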
@@ -214,7 +218,7 @@
#+end_src
*** Run queries
**** Individual: 1 database -> N sarif files
#+BEGIN_SRC sh
#+begin_src sh
#* Set environment
PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
DB=$PROJ/vulnerable-linux-driver-db
@@ -237,17 +241,17 @@
# the IMB can access a cache directory at a time. The lock file is located at
# /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/vulnerable-linux-driver-db/db-cpp/default/cache/.lock
# exit vs code and try again
#+END_SRC
#+end_src
And after some time:
#+BEGIN_SRC text
#+begin_src text
BufferOverflow.ql: [1/1 eval 1.8s] Results written to solutions/BufferOverfl
Shutting down query evaluator.
Interpreting results.
#+END_SRC
#+end_src
#+BEGIN_SRC sh
#+begin_src sh
echo The query $QLQUERY
echo run on $DB
echo produced output in $QUERY_RES_SARIF:
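Review bot: the comment about the cache lock embeds the machine-specific absolute path `/Users/hohn/local/codeql-cli-end-to-end/...`, while the `#* Set environment` section above builds everything from `$HOME`; rewriting the comment in terms of `$DB/db-cpp/default/cache/.lock` keeps the block portable. The hint `exit vs code and try again` would also read better as a full sentence explaining that the VS Code CodeQL extension holds the lock.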
@@ -258,12 +262,12 @@
# "runs" : [ {
# "tool" : {
# ...
#+END_SRC
#+end_src
And run another, get another sarif file. Bad idea in general, but good for
debugging timing etc.
#+BEGIN_SRC sh
#+begin_src sh
#* Use prior variable settings
#* Run query
@@ -287,10 +291,10 @@
# "version" : "2.1.0",
# "runs" : [ {
# "tool" : {
#+END_SRC
#+end_src
**** Use directory of queries: 1 database -> 1 sarif file (least effort)
#+BEGIN_SRC sh
#+begin_src sh
#* Set environment
P1_PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
P1_DB=$PROJ/vulnerable-linux-driver-db
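Review bot: `P1_DB=$PROJ/vulnerable-linux-driver-db` refers to `$PROJ`, but this block's `#* Set environment` section defines `P1_PROJ` on the line above. Run on its own, `$PROJ` is unset and `P1_DB` expands to `/vulnerable-linux-driver-db`. It should read `P1_DB=$P1_PROJ/vulnerable-linux-driver-db`.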
@@ -310,19 +314,19 @@
$P1_DB \
$P1_PROJ/solutions/
popd
#+END_SRC
#+end_src
We can compare SARIF result sizes:
#+BEGIN_SRC sh
#+begin_src sh
ls -la "$qo" $P1_QUERY_RES_SARIF $QUERY_RES_SARIF
#+END_SRC
#+end_src
And for these tiny results, it's mostly metadata:
#+BEGIN_SRC text
#+begin_src text
-rw-r--r-- 1 hohn staff 29K Jun 20 10:06 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189-BufferOverflow.sarif
-rw-r--r-- 1 hohn staff 33K Jun 20 10:02 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189.sarif
-rw-r--r-- 1 hohn staff 28K Jun 20 09:51 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/e402cf5-UseAfterFree.sarif
#+END_SRC
#+end_src
**** Use suite: 1 database -> 1 sarif file (more flexible, more effort)
A useful, general purpose template is at
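Review bot: `ls -la "$qo" $P1_QUERY_RES_SARIF $QUERY_RES_SARIF` uses `$qo`, which is not set in any of the visible blocks, so `ls` prints an error for the empty quoted argument; either define it in the preceding `#* Set environment` section or drop it. The listing that follows also mixes files from two different database runs (`d548189-BufferOverflow.sarif`, `d548189.sarif` and `e402cf5-UseAfterFree.sarif`), so the size comparison is not strictly like-for-like; the prose could say so.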
@@ -342,7 +346,7 @@
Also, a suite definition must be /in/ a codeql pack.
***** In short
#+BEGIN_SRC sh
#+begin_src sh
codeql resolve qlpacks | grep cpp
# Copy query suite into the pack
@@ -350,12 +354,42 @@
cp custom-suite-1.qls codeql-workshop-vulnerable-linux-driver/solutions/
codeql resolve queries \
codeql-workshop-vulnerable-linux-driver/solutions/custom-suite-1.qls
#+END_SRC
#+end_src
#+RESULTS:
: /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/solutions/UseAfterFree.ql
#+begin_src yaml
#
# Taken from
# codeql-v2.12.3/codeql/qlpacks/codeql/suite-helpers/0.4.3/code-scanning-selectors.yml
# and modified
#
- description: Security sample queries
- queries: .
# - qlpack: some-pack-cpp
- include:
kind:
# UseAfterFree
- problem
# # BufferOverflow
# - path-problem
# precision:
# - high
# - very-high
# problem.severity:
# - error
# tags contain:
# - security
#+INCLUDE: "./custom-suite-1.qls" src yaml
# - exclude:
# deprecated: //
# - exclude:
# query path:
# - /^experimental\/.*/
# - Metrics/Summaries/FrameworkCoverage.ql
# - /Diagnostics/Internal/.*/
# - exclude:
# tags contain:
# - modelgenerator
#+end_src
**** TODO Include versioning:
***** TODO codeql cli
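Review bot: the suite definition is now inlined into the generated file in place of the `#+INCLUDE: "./custom-suite-1.qls" src yaml` directive, so the copy in readme.org will drift from custom-suite-1.qls unless readme.org is regenerated after every edit to the suite; a remark in readme.in that the block is generated would help. The inlined header says the selector was taken from `codeql-v2.12.3/.../suite-helpers/0.4.3`, while the SARIF inspected later in this commit reports `semanticVersion` 2.13.4, so that comment is already stale. With only `kind: - problem` enabled, `codeql resolve queries` returns just `UseAfterFree.ql` (the `#+RESULTS:` line above the yaml), which is consistent with `path-problem` for BufferOverflow being commented out; stating that in the prose avoids readers taking the single result for an error.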
@@ -379,92 +413,85 @@
(1)
**** Review
#+BEGIN_SRC sh
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
find . -maxdepth 2 -name "*.sarif"
#+END_SRC
#+end_src
Pick one in VS Code. Either
#+BEGIN_SRC sh
#+begin_src sh
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
cd codeql-workshop-vulnerable-linux-driver/
code d548189.sarif
#+END_SRC
#+end_src
or manually.
We need the source.
#+BEGIN_SRC sh
#+begin_src sh
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
git submodule init
git submodule update
#+END_SRC
#+end_src
When we review, VS Code will ask for the path.
#+BEGIN_SRC sh
#+begin_src sh
cd /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/vulnerable_linux_driver
ls src/vuln_driver.c
#+END_SRC
#+RESULTS:
: src/vuln_driver.c
#+end_src
Reviewing looks as follows.
#+ATTR_HTML: :alt sarif viewer :width 90%
[[./img/sarif-view-1.png]]
[[file:./img/sarif-view-1.png]]
*** View raw sarif with =jq=
List the SARIF files again
#+BEGIN_SRC sh
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
find . -maxdepth 2 -name "*.sarif"
#+END_SRC
#+RESULTS:
| ./codeql-workshop-vulnerable-linux-driver/e402cf5.sarif |
| ./codeql-workshop-vulnerable-linux-driver/e402cf5-UseAfterFree.sarif |
| ./codeql-workshop-vulnerable-linux-driver/e402cf5-BufferOverflow.sarif |
#+end_src
The CodeQL version
#+BEGIN_SRC sh :exports both
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
jq '.runs | .[0] | .tool.driver.semanticVersion ' < ./codeql-workshop-vulnerable-linux-driver/e402cf5.sarif
#+END_SRC
#+end_src
#+RESULTS:
#+results:
: 2.13.4
The names of rules processed
#+BEGIN_SRC sh :exports both
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
jq '.runs | .[] | .tool.driver.rules | .[] | .name ' < ./codeql-workshop-vulnerable-linux-driver/d548189.sarif
#+END_SRC
#+end_src
#+RESULTS:
#+results:
| cpp/buffer_overflow |
| cpp/use_after_free |
*** View raw sarif with =jq= and fzf
Install the fuzzy finder
: brew install fzf
or =apt-get=/=yum= on linux
Try working to =.runs[0].tool.driver.rules= and follow the output in real
time.
#+BEGIN_SRC sh
#+begin_src sh
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
res=e402cf5-UseAfterFree.sarif
echo '' | fzf --print-query --preview="jq {q} < $res"
popd
#+END_SRC
#+end_src
*** sarif-cli
**** Setup / local install
Clone https://github.com/hohn/sarif-cli or
https://github.com/knewbury01/sarif-cli
#+BEGIN_SRC sh
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
git clone git@github.com:hohn/sarif-cli.git
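Review bot: in the "Pick one in VS Code" block, `cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver` is immediately followed by `cd codeql-workshop-vulnerable-linux-driver/`, which would enter a directory of the same name nested inside the first; unless that nesting exists, the second `cd` fails and `code d548189.sarif` is resolved against the wrong directory. One of the two lines should go. Also, in this hunk the `#+RESULTS:` for `ls src/vuln_driver.c` and the three-row table for `find . -maxdepth 2 -name "*.sarif"` sit between `#+END_SRC` and `#+end_src`, while the `jq` blocks keep their `#+results:`; the `jq` blocks carry `:exports both` and those two do not, so the generated readme.org is probably dropping their output. Adding `:exports both` to those blocks in readme.in would keep it. Separately, the prose says to clone `https://github.com/hohn/sarif-cli` but the command uses the SSH form `git clone git@github.com:hohn/sarif-cli.git`, which fails for readers without a GitHub SSH key; use the https URL in the command or say SSH access is assumed.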
@@ -476,16 +503,16 @@
# Put bin/ contents into venv PATH
pip install -e .
#+END_SRC
#+end_src
**** Compiler-style textual output from SARIF
The sarif-cli has several script to use from the shell level:
#+BEGIN_SRC sh :exports both :results output
#+begin_src sh
cd ~/local/codeql-cli-end-to-end/sarif-cli
ls -1 bin/
#+END_SRC
#+end_src
#+RESULTS:
#+results:
#+begin_example
json-to-yaml
sarif-aggregate-scans
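Review bot: `The sarif-cli has several script to use from the shell level` should read `several scripts`; since readme.org is generated, fix it in readme.in. The `pip install -e .` step with the comment `# Put bin/ contents into venv PATH` would be clearer if the block showed the venv being created and activated first, as the later blocks assume `.venv/bin/activate` exists.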
@@ -504,27 +531,44 @@
The simplest one just list the source files found during analysis:
#+BEGIN_SRC sh :exports both :results output
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-list-files d548189.sarif
#+END_SRC
#+end_src
#+RESULTS:
#+results:
: src/buffer_overflow.h
: src/use_after_free.h
: src/vuln_driver.c
Much more useful is a compiler-style summary of all results found:
#+BEGIN_SRC sh :exports both :results output
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-results-summary d548189.sarif
#+END_SRC
#+end_src
#+results:
#+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
PATH 0
FLOW STEP 0: src/vuln_driver.c:17:73:17:77: args
FLOW STEP 1: src/vuln_driver.c:28:20:28:33: args
FLOW STEP 2: src/buffer_overflow.h:6:42:6:46: buff
FLOW STEP 3: src/buffer_overflow.h:20:43:20:47: size
RESULT: src/use_after_free.h:28:11:28:25: The dangling pointer is used here: [fn](1)
The dangling pointer is used here: [fn](2)
The dangling pointer is used here: [arg](3)
The dangling pointer is used here: [fn](4)
The dangling pointer is used here: [arg](5)
#+end_example
This sarif file has only two results, so the output is short:
#+RESULTS:
#+results:
#+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
PATH 0
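Review bot: the `sarif-results-summary d548189.sarif` output appears twice in this hunk: once as a `#+results:`/`#+begin_example` block directly after `#+end_src`, and again after the sentence "This sarif file has only two results, so the output is short:". That sentence was evidently meant to introduce a single results block, so in readme.in either move it above the src block or remove the duplicate so the generated file shows one copy. Also `The simplest one just list the source files` should be `lists`.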
@@ -548,12 +592,12 @@
Most of these scripts take options that significantly change their output; to
see them, use the =-h= or =--help= flags. E.g.,
#+BEGIN_SRC sh :exports both :results output
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
sarif-results-summary -h
#+END_SRC
#+end_src
#+RESULTS:
#+results:
#+begin_example
usage: sarif-results-summary [-h] [-s srcroot] [-r] [-e] [-c] sarif-file
@@ -577,13 +621,13 @@
With =-r=:
#+BEGIN_SRC sh :exports both :results output
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-results-summary -r d548189.sarif
#+END_SRC
#+end_src
#+RESULTS:
#+results:
#+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
REFERENCE: src/buffer_overflow.h:20:17:20:23: memcpy
@@ -609,13 +653,13 @@
If the source code is available, we can use =-s= to include snippets in the
output. This effectively converts sarif to the format used by gcc and clang
to report warnings and errors.
#+BEGIN_SRC sh :exports both :results output
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-results-summary -s vulnerable_linux_driver/ d548189.sarif
#+END_SRC
#+end_src
#+RESULTS:
#+results:
#+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
memcpy(kernel_buff, buff, size);