readme.org is now generated from readme.in

Michael Hohn
2023-06-21 09:59:48 -07:00
committed by Michael Hohn
parent 082b86cea9
commit ae29b58d6c


@@ -1,13 +1,15 @@
# -*- mode: org; org-confirm-babel-evaluate: nil; coding: utf-8 -*-
#+OPTIONS: H:3 num:t \n:nil @:t ::t |:t ^:{} f:t *:t TeX:t LaTeX:t skip:nil p:nil
#+OPTIONS: org-confirm-babel-evaluate:nil
# Created 2023-06-21 Wed 09:58
#+options: H:3 num:t \n:nil @:t ::t |:t ^:{} f:t *:t TeX:t LaTeX:t skip:nil p:nil
#+options: org-confirm-babel-evaluate:nil
#+title:
#+author: Michael Hohn
* End-to-end demo of CodeQL command line usage
** Run analyses
*** Get collection of databases (already handy)
**** DONE Get https://github.com/hohn/codeql-workshop-vulnerable-linux-driver
#+begin_src text
#+begin_src text
cd ~/local
git clone git@github.com:hohn/codeql-workshop-vulnerable-linux-driver.git
cd codeql-workshop-vulnerable-linux-driver/
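Review bot: the generated header now carries the export options twice, once from the hand-written `#+OPTIONS:` lines and once from the exporter-emitted `#+options:` lines, and `#+title:` is left empty. Set a title in readme.in (the top heading, End-to-end demo of CodeQL command line usage, is the obvious choice) and let the generator emit a single copy of the options so the two sets cannot drift apart.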
@@ -22,7 +24,7 @@
└── src.zip
3 directories, 4 files
#+end_src
#+end_src
**** DONE Quick check using VS Code. Same steps will repeat:
***** select DB
***** select query
@@ -30,10 +32,10 @@
***** view results
**** DONE Install codeql
***** Full docs:
https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli#getting-started-with-the-codeql-cli
https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system#setting-up-the-codeql-cli-in-your-ci-system
https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/getting-started-with-the-codeql-cli#getting-started-with-the-codeql-cli
https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/installing-codeql-cli-in-your-ci-system#setting-up-the-codeql-cli-in-your-ci-system
***** In short:
#+begin_src sh
#+begin_src sh
cd ~/local/codeql-cli-end-to-endw
# Decide on version / os via browser, then:
wget https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.13.4/codeql-bundle-osx64.tar.gz
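Review bot: `cd ~/local/codeql-cli-end-to-endw` has a stray trailing `w`; every other command in this file uses `~/local/codeql-cli-end-to-end`, so the wget of codeql-bundle-osx64.tar.gz would land in a different directory (or fail if it does not exist). Since readme.org is now generated, the fix belongs in readme.in.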
@@ -75,9 +77,9 @@
# java (/Users/hohn/local/codeql-cli-end-to-end/codeql/java)
# html (/Users/hohn/local/codeql-cli-end-to-end/codeql/html)
# xml (/Users/hohn/local/codeql-cli-end-to-end/codeql/xml)
#+end_src
#+end_src
***** A more fancy version
#+begin_src sh
#+begin_src sh
# Reference urls:
# https://github.com/github/codeql-cli-binaries/releases/download/v2.8.0/codeql-linux64.zip
# https://github.com/github/codeql/archive/refs/tags/codeql-cli/v2.8.0.zip
@@ -117,29 +119,29 @@
grab v2.6.3 osx64 $HOME/local
grab v2.4.6 osx64 $HOME/local
#+end_src
#+end_src
***** Most flexible in use, but more initial setup
=gh=, the GitHub command-line tool from https://github.com/cli/cli
=gh=, the GitHub command-line tool from https://github.com/cli/cli
****** gh api repos/{owner}/{repo}/releases
https://cli.github.com/manual/gh_api
https://cli.github.com/manual/gh_api
****** gh extension create
https://cli.github.com/manual/gh_extension
https://cli.github.com/manual/gh_extension
****** gh codeql extension
https://github.com/github/gh-codeql
https://github.com/github/gh-codeql
****** gh gist list
https://cli.github.com/manual/gh_gist_list
https://cli.github.com/manual/gh_gist_list
#+begin_src text
#+begin_src text
0:$ gh codeql
GitHub command-line wrapper for the CodeQL CLI.
#+end_src
#+end_src
**** Install pack dependencies
***** Full docs
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs#about-qlpackyml-files
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/pack-install
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs#about-qlpackyml-files
https://docs.github.com/en/code-security/codeql-cli/codeql-cli-manual/pack-install
***** View installed docs via =-h= flag, highly recommended
#+begin_src sh
#+begin_src sh
# Overview
codeql -h
@@ -148,21 +150,22 @@
# Sub 2
codeql pack install -h
#+end_src
#+end_src
***** In short
****** Create the qlpack
Create the qlpack files if not there, one per directory. In this project,
that's already done:
#+begin_src sh
Create the qlpack files if not there, one per directory. In this project,
that's already done:
#+begin_src sh
0:$ find codeql-workshop-vulnerable-linux-driver -name "qlpack.yml"
codeql-workshop-vulnerable-linux-driver/queries/qlpack.yml
codeql-workshop-vulnerable-linux-driver/solutions/qlpack.yml
codeql-workshop-vulnerable-linux-driver/common/qlpack.yml
#+end_src
For example:
: cat codeql-workshop-vulnerable-linux-driver/queries/qlpack.yml
shows
#+BEGIN_SRC yaml
#+end_src
For example:
: cat codeql-workshop-vulnerable-linux-driver/queries/qlpack.yml
shows
#+begin_src yaml
---
library: false
name: queries
@@ -170,30 +173,31 @@
dependencies:
codeql/cpp-all: ^0.7.0
common: "*"
#+END_SRC
So the queries directory does not contain a library, but it depends on one,
: cat codeql-workshop-vulnerable-linux-driver/common/qlpack.yml
#+BEGIN_SRC yaml
#+end_src
So the queries directory does not contain a library, but it depends on one,
: cat codeql-workshop-vulnerable-linux-driver/common/qlpack.yml
#+begin_src yaml
---
library: true
name: common
version: 0.0.1
dependencies:
codeql/cpp-all: 0.7.0
#+END_SRC
#+end_src
****** Install each pack's dependencies
The first time you install dependencies, it's a good idea to do this
menually, per =qlpack.yml= file, and deal with any errors that may occur.
The first time you install dependencies, it's a good idea to do this
menually, per =qlpack.yml= file, and deal with any errors that may occur.
#+BEGIN_SRC sh
#+begin_src sh
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
codeql pack install --no-strict-mode queries/
#+END_SRC
#+end_src
After the initial setup and for automation, install each pack's
dependencies via a loop: =codeql pack install=
#+begin_src sh
After the initial setup and for automation, install each pack's
dependencies via a loop: =codeql pack install=
#+begin_src sh
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
find . -name "qlpack.yml"
# ./queries/qlpack.yml
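Review bot: the typo `menually` (for manually) survives into the generated text, so it needs fixing in readme.in rather than in readme.org. A sentence of explanation would also help here: queries/qlpack.yml depends on `codeql/cpp-all: ^0.7.0` while common/qlpack.yml pins `codeql/cpp-all: 0.7.0`, and the caret range can resolve to a different cpp-all version than the exact pin. Either align the two constraints or say why they differ, since this is exactly the kind of dependency issue the recommended first manual `codeql pack install` run is meant to surface.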
@@ -211,10 +215,10 @@
do
codeql pack install --no-strict-mode $sub
done
#+end_src
#+end_src
*** Run queries
**** Individual: 1 database -> N sarif files
#+BEGIN_SRC sh
#+begin_src sh
#* Set environment
PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
DB=$PROJ/vulnerable-linux-driver-db
@@ -237,17 +241,17 @@
# the IMB can access a cache directory at a time. The lock file is located at
# /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/vulnerable-linux-driver-db/db-cpp/default/cache/.lock
# exit vs code and try again
#+END_SRC
#+end_src
And after some time:
And after some time:
#+BEGIN_SRC text
#+begin_src text
BufferOverflow.ql: [1/1 eval 1.8s] Results written to solutions/BufferOverfl
Shutting down query evaluator.
Interpreting results.
#+END_SRC
#+end_src
#+BEGIN_SRC sh
#+begin_src sh
echo The query $QLQUERY
echo run on $DB
echo produced output in $QUERY_RES_SARIF:
@@ -258,12 +262,12 @@
# "runs" : [ {
# "tool" : {
# ...
#+END_SRC
#+end_src
And run another, get another sarif file. Bad idea in general, but good for
debugging timing etc.
And run another, get another sarif file. Bad idea in general, but good for
debugging timing etc.
#+BEGIN_SRC sh
#+begin_src sh
#* Use prior variable settings
#* Run query
@@ -287,10 +291,10 @@
# "version" : "2.1.0",
# "runs" : [ {
# "tool" : {
#+END_SRC
#+end_src
**** Use directory of queries: 1 database -> 1 sarif file (least effort)
#+BEGIN_SRC sh
#+begin_src sh
#* Set environment
P1_PROJ=$HOME/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
P1_DB=$PROJ/vulnerable-linux-driver-db
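Review bot: `P1_DB=$PROJ/vulnerable-linux-driver-db` references `$PROJ` from the earlier per-query block instead of the `P1_PROJ` set on the line above, so this "least effort" block only works if the previous block was run in the same shell; with `$PROJ` unset it expands to `/vulnerable-linux-driver-db`. Use `P1_DB=$P1_PROJ/vulnerable-linux-driver-db` so the block is self-contained.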
@@ -310,27 +314,27 @@
$P1_DB \
$P1_PROJ/solutions/
popd
#+END_SRC
#+end_src
We can compare SARIF result sizes:
#+BEGIN_SRC sh
We can compare SARIF result sizes:
#+begin_src sh
ls -la "$qo" $P1_QUERY_RES_SARIF $QUERY_RES_SARIF
#+END_SRC
#+end_src
And for these tiny results, it's mostly metadata:
#+BEGIN_SRC text
And for these tiny results, it's mostly metadata:
#+begin_src text
-rw-r--r-- 1 hohn staff 29K Jun 20 10:06 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189-BufferOverflow.sarif
-rw-r--r-- 1 hohn staff 33K Jun 20 10:02 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/d548189.sarif
-rw-r--r-- 1 hohn staff 28K Jun 20 09:51 /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/e402cf5-UseAfterFree.sarif
#+END_SRC
#+end_src
**** Use suite: 1 database -> 1 sarif file (more flexible, more effort)
A useful, general purpose template is at
https://github.com/rvermeulen/codeql-example-project-layout.
A useful, general purpose template is at
https://github.com/rvermeulen/codeql-example-project-layout.
***** Documentation
- [[https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites][built-in-codeql-query-suites]]
- [[https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-query-suites][creating-codeql-query-suites]]
- [[https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/built-in-codeql-query-suites][built-in-codeql-query-suites]]
- [[https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-codeql-query-suites][creating-codeql-query-suites]]
Important:
You must add at least one query, queries, or qlpack instruction to your
@@ -342,7 +346,7 @@
Also, a suite definition must be /in/ a codeql pack.
***** In short
#+BEGIN_SRC sh
#+begin_src sh
codeql resolve qlpacks | grep cpp
# Copy query suite into the pack
@@ -350,121 +354,144 @@
cp custom-suite-1.qls codeql-workshop-vulnerable-linux-driver/solutions/
codeql resolve queries \
codeql-workshop-vulnerable-linux-driver/solutions/custom-suite-1.qls
#+END_SRC
#+end_src
#+RESULTS:
: /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/solutions/UseAfterFree.ql
#+begin_src yaml
#
# Taken from
# codeql-v2.12.3/codeql/qlpacks/codeql/suite-helpers/0.4.3/code-scanning-selectors.yml
# and modified
#
- description: Security sample queries
- queries: .
# - qlpack: some-pack-cpp
- include:
kind:
# UseAfterFree
- problem
# # BufferOverflow
# - path-problem
# precision:
# - high
# - very-high
# problem.severity:
# - error
# tags contain:
# - security
#+INCLUDE: "./custom-suite-1.qls" src yaml
# - exclude:
# deprecated: //
# - exclude:
# query path:
# - /^experimental\/.*/
# - Metrics/Summaries/FrameworkCoverage.ql
# - /Diagnostics/Internal/.*/
# - exclude:
# tags contain:
# - modelgenerator
#+end_src
**** TODO Include versioning:
***** TODO codeql cli
***** TODO query set version
Checks:
Checks:
**** For building DBs: Common case: 15 minutes for || cpp compilation, can
be 2 h with codeql.
be 2 h with codeql.
** Review results
*** SARIF Documentation
The standard is defined at
https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html
The standard is defined at
https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html
*** SARIF viewer plugin
**** Install plugin in VS Code
https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
Sarif Viewer
v3.3.7
Microsoft DevLabs
microsoft.com
53,335
(1)
Sarif Viewer
v3.3.7
Microsoft DevLabs
microsoft.com
53,335
(1)
**** Review
#+BEGIN_SRC sh
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
find . -maxdepth 2 -name "*.sarif"
#+END_SRC
Pick one in VS Code. Either
#+BEGIN_SRC sh
#+end_src
Pick one in VS Code. Either
#+begin_src sh
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
cd codeql-workshop-vulnerable-linux-driver/
code d548189.sarif
#+END_SRC
or manually.
#+end_src
or manually.
We need the source.
We need the source.
#+BEGIN_SRC sh
#+begin_src sh
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
git submodule init
git submodule update
#+END_SRC
#+end_src
When we review, VS Code will ask for the path.
When we review, VS Code will ask for the path.
#+BEGIN_SRC sh
#+begin_src sh
cd /Users/hohn/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver/vulnerable_linux_driver
ls src/vuln_driver.c
#+END_SRC
#+end_src
#+RESULTS:
: src/vuln_driver.c
Reviewing looks as follows.
#+ATTR_HTML: :alt sarif viewer :width 90%
[[./img/sarif-view-1.png]]
Reviewing looks as follows.
[[file:./img/sarif-view-1.png]]
*** View raw sarif with =jq=
List the SARIF files again
#+BEGIN_SRC sh
List the SARIF files again
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
find . -maxdepth 2 -name "*.sarif"
#+END_SRC
#+end_src
#+RESULTS:
| ./codeql-workshop-vulnerable-linux-driver/e402cf5.sarif |
| ./codeql-workshop-vulnerable-linux-driver/e402cf5-UseAfterFree.sarif |
| ./codeql-workshop-vulnerable-linux-driver/e402cf5-BufferOverflow.sarif |
The CodeQL version
#+BEGIN_SRC sh :exports both
The CodeQL version
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
jq '.runs | .[0] | .tool.driver.semanticVersion ' < ./codeql-workshop-vulnerable-linux-driver/e402cf5.sarif
#+END_SRC
#+end_src
#+RESULTS:
: 2.13.4
#+results:
: 2.13.4
The names of rules processed
#+BEGIN_SRC sh :exports both
The names of rules processed
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
jq '.runs | .[] | .tool.driver.rules | .[] | .name ' < ./codeql-workshop-vulnerable-linux-driver/d548189.sarif
#+END_SRC
#+end_src
#+RESULTS:
| cpp/buffer_overflow |
| cpp/use_after_free |
#+results:
| cpp/buffer_overflow |
| cpp/use_after_free |
*** View raw sarif with =jq= and fzf
Install the fuzzy finder
: brew install fzf
or =apt-get=/=yum= on linux
Install the fuzzy finder
: brew install fzf
Try working to =.runs[0].tool.driver.rules= and follow the output in real
time.
or =apt-get=/=yum= on linux
#+BEGIN_SRC sh
Try working to =.runs[0].tool.driver.rules= and follow the output in real
time.
#+begin_src sh
pushd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
res=e402cf5-UseAfterFree.sarif
echo '' | fzf --print-query --preview="jq {q} < $res"
popd
#+END_SRC
#+end_src
*** sarif-cli
**** Setup / local install
Clone https://github.com/hohn/sarif-cli or
https://github.com/knewbury01/sarif-cli
Clone https://github.com/hohn/sarif-cli or
https://github.com/knewbury01/sarif-cli
#+BEGIN_SRC sh
#+begin_src sh
cd ~/local/codeql-cli-end-to-end
git clone git@github.com:hohn/sarif-cli.git
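Review bot: the generated readme.org drops Babel header arguments and export attributes that readme.in carries: `#+BEGIN_SRC sh :exports both` becomes a bare `#+begin_src sh`, and the `#+ATTR_HTML: :alt sarif viewer :width 90%` line before `[[file:./img/sarif-view-1.png]]` is gone. If readme.org is meant to be re-evaluated or rendered, results and image sizing will differ from the source; either preserve the header args in the generator output or state in readme.in that readme.org is a frozen export. Two smaller points in the same hunk: the `#+INCLUDE: "./custom-suite-1.qls" src yaml` directive sits inside the `#+begin_src yaml` block of the generated file, where Org will not expand it, so check that the generator inlines the suite file and removes the directive; and the review block `cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver` followed by `cd codeql-workshop-vulnerable-linux-driver/` descends into the project twice, so the second `cd` should go. The lines after the marketplace URL (`v3.3.7`, `Microsoft DevLabs`, `microsoft.com`, `53,335`, `(1)`) are pasted marketplace page chrome and could be trimmed to the plugin name and version.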
@@ -476,17 +503,17 @@
# Put bin/ contents into venv PATH
pip install -e .
#+END_SRC
#+end_src
**** Compiler-style textual output from SARIF
The sarif-cli has several script to use from the shell level:
#+BEGIN_SRC sh :exports both :results output
The sarif-cli has several script to use from the shell level:
#+begin_src sh
cd ~/local/codeql-cli-end-to-end/sarif-cli
ls -1 bin/
#+END_SRC
#+end_src
#+RESULTS:
#+begin_example
#+results:
#+begin_example
json-to-yaml
sarif-aggregate-scans
sarif-create-aggregate-report
@@ -500,32 +527,31 @@
sarif-pad-aggregate
sarif-results-summary
sarif-to-dot
#+end_example
#+end_example
The simplest one just list the source files found during analysis:
#+BEGIN_SRC sh :exports both :results output
The simplest one just list the source files found during analysis:
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-list-files d548189.sarif
#+END_SRC
#+end_src
#+RESULTS:
: src/buffer_overflow.h
: src/use_after_free.h
: src/vuln_driver.c
#+results:
: src/buffer_overflow.h
: src/use_after_free.h
: src/vuln_driver.c
Much more useful is a compiler-style summary of all results found:
#+BEGIN_SRC sh :exports both :results output
Much more useful is a compiler-style summary of all results found:
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-results-summary d548189.sarif
#+END_SRC
#+end_src
This sarif file has only two results, so the output is short:
#+RESULTS:
#+begin_example
#+results:
#+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
PATH 0
FLOW STEP 0: src/vuln_driver.c:17:73:17:77: args
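Review bot: two grammar slips survive into the generated text: `The sarif-cli has several script` should read `scripts`, and `The simplest one just list the source files` should read `lists`; fix both in readme.in since readme.org is derived from it.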
@@ -538,23 +564,41 @@
The dangling pointer is used here: [arg](3)
The dangling pointer is used here: [fn](4)
The dangling pointer is used here: [arg](5)
#+end_example
#+end_example
This illustrates the differences in the output between the two result =@kind=
s:
- =@kind problem= is a single list of results found
- =@kind path-problem= is a list of flow paths. Each path in turn is a list
This sarif file has only two results, so the output is short:
#+results:
#+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
PATH 0
FLOW STEP 0: src/vuln_driver.c:17:73:17:77: args
FLOW STEP 1: src/vuln_driver.c:28:20:28:33: args
FLOW STEP 2: src/buffer_overflow.h:6:42:6:46: buff
FLOW STEP 3: src/buffer_overflow.h:20:43:20:47: size
RESULT: src/use_after_free.h:28:11:28:25: The dangling pointer is used here: [fn](1)
The dangling pointer is used here: [fn](2)
The dangling pointer is used here: [arg](3)
The dangling pointer is used here: [fn](4)
The dangling pointer is used here: [arg](5)
#+end_example
This illustrates the differences in the output between the two result =@kind=
s:
- =@kind problem= is a single list of results found
- =@kind path-problem= is a list of flow paths. Each path in turn is a list
of locations.
Most of these scripts take options that significantly change their output; to
see them, use the =-h= or =--help= flags. E.g.,
#+BEGIN_SRC sh :exports both :results output
Most of these scripts take options that significantly change their output; to
see them, use the =-h= or =--help= flags. E.g.,
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
sarif-results-summary -h
#+END_SRC
#+end_src
#+RESULTS:
#+begin_example
#+results:
#+begin_example
usage: sarif-results-summary [-h] [-s srcroot] [-r] [-e] [-c] sarif-file
summary of results
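Review bot: `the differences in the output between the two result =@kind=` wraps so that the plural `s:` sits on its own line after the verbatim marker, which exports as a stray `s`. Rewrite the sentence in readme.in as `the two result kinds (=@kind=):` or `the two =@kind= values:` so the line break cannot split the word.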
@@ -571,20 +615,20 @@
-e, --endpoints-only only list source and sink, dropping the path.
Identical, successive source/sink pairs are combined
-c, --csv output csv instead of human-readable summary
#+end_example
#+end_example
Some of these make output much more informative, like =-r= and =-s=:
Some of these make output much more informative, like =-r= and =-s=:
With =-r=:
With =-r=:
#+BEGIN_SRC sh :exports both :results output
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-results-summary -r d548189.sarif
#+END_SRC
#+end_src
#+RESULTS:
#+begin_example
#+results:
#+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
REFERENCE: src/buffer_overflow.h:20:17:20:23: memcpy
REFERENCE: src/buffer_overflow.h:8:22:8:33: stack buffer
@@ -604,19 +648,19 @@
REFERENCE: src/use_after_free.h:87:90:87:93: arg
REFERENCE: src/use_after_free.h:89:20:89:22: fn
REFERENCE: src/use_after_free.h:89:39:89:42: arg
#+end_example
#+end_example
If the source code is available, we can use =-s= to include snippets in the
output. This effectively converts sarif to the format used by gcc and clang
to report warnings and errors.
#+BEGIN_SRC sh :exports both :results output
If the source code is available, we can use =-s= to include snippets in the
output. This effectively converts sarif to the format used by gcc and clang
to report warnings and errors.
#+begin_src sh
. ~/local/codeql-cli-end-to-end/sarif-cli/.venv/bin/activate
cd ~/local/codeql-cli-end-to-end/codeql-workshop-vulnerable-linux-driver
sarif-results-summary -s vulnerable_linux_driver/ d548189.sarif
#+END_SRC
#+end_src
#+RESULTS:
#+begin_example
#+results:
#+begin_example
RESULT: src/buffer_overflow.h:20:43:20:47: User-controlled size argument in call to [memcpy](1) copying to a [stack buffer](2)
memcpy(kernel_buff, buff, size);
^^^^
@@ -641,7 +685,7 @@
The dangling pointer is used here: [arg](5)
uaf_obj *global_uaf_obj = NULL;
^^^^^^^^^^^^^^
#+end_example
#+end_example
**** TODO SQL conversion
** Running sequence
@@ -649,7 +693,7 @@
*** Check results.
**** Lots of result (> 5000) -> cli review via compiler-style dump.
**** Medium result sets (~ 2000) (sarif review plugin, can only load 5000
results)
results)
**** Few results (sarif review plugin, can only load 5000 results)
*** Expand query
** Compare results.
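Review bot: `Lots of result (> 5000)` should read `results`, and the three tiers overlap: both `Medium result sets (~ 2000)` and `Few results` repeat that the sarif review plugin can only load 5000 results, which is the same limit that motivates the compiler-style dump for the >5000 case. State the 5000-result plugin cap once and then give each tier its recommended review route.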