From d82a957df0927e3e239e43e3c4d6290013d96b73 Mon Sep 17 00:00:00 2001 From: Michael Hohn Date: Wed, 6 Aug 2025 18:11:44 -0700 Subject: [PATCH] wip: many revisions --- README.org | 49 ++----------------- ...incoming.codeql-customizations-workshop.md | 0 2 files changed, 4 insertions(+), 45 deletions(-) rename {codeql-dataflow-sql-injection-c => codeql-sqlite-java}/incoming.codeql-customizations-workshop.md (100%) diff --git a/README.org b/README.org index fb8b2ff..ca1e2e1 100644 --- a/README.org +++ b/README.org 
@@ -219,50 +219,13 @@ To customize CodeQL for Java, we identify and extend base classes to add custom flow sources and sinks. A general explanation of this approach is available in the file [[./codeql-dataflow-sql-injection-c/README.org][README.org]], particularly - the section [[file:codeql-dataflow-sql-injection-c/README.org::*supplement codeql: Add to FlowSource or a subclass][supplement codeql: Add to FlowSource or a subclass]]. For Java, - [[./ql/java/ql/lib/java.qll][java.qll]] includes [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which provides extension points for + the section + [[file:codeql-sqlite-java/README.org::*Supplement CodeQL: Add to FlowSource or a Subclass][Supplement CodeQL: Add to FlowSource or a Subclass]] + . For Java, [[./ql/java/ql/lib/java.qll][java.qll]] includes [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which provides extension points for custom flow modeling -- this structure is common across most CodeQL-supported languages, with the notable exception of C. Further details on this customization process can be found in - [[./codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md][incoming.codeql-customizations-workshop.md]]. - - - illustrate what source, sink find using QueryInjectionFlowConfig in - SqlInjectionQuery.qll - - sink ok - - no source - - - find the base class of source, so we know what to extend - - - import gotcha - I used - - import semmle.code.java.dataflow.FlowSources as Sources - - class ReadLine extends Sources::RemoteFlowSource { - - Does this work too or is private better? - - - Q: how to run all the CWE* queries against some file? - - - packs at https://github.com/advanced-security/codeql-bundle - - - how to run all the CWE* queries against some file? 
- -- the codeql database analyze command can take several arguments, including a directory or query spec - To get the full options, run - 0:$ codeql database analyze -vvvv -h - Usage: codeql database analyze [OPTIONS] -- [...] - Analyze a database, producing meaningful results in the context of the source code. - - Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as - alerts or paths, in SARIF or another interpreted format. - - This command combines the effect of the codeql database run-queries and codeql database interpret-result - - - How do you install/include the CodeQL bundles with the modified Customizations.qll? - - That part we have not deciphered in detail. the CLI tool at - https://github.com/advanced-security/codeql-bundle does this -- but it's a - black box + [[./codeql-sqlite-java/incoming.codeql-customizations-workshop.md][incoming.codeql-customizations-workshop.md]]. *** Customizations via Model Editor: Jedis Example (Java Redis client) The Jedis example is a straightforward case with no unexpected @@ -270,12 +233,9 @@ and repetitive pattern, making it ideal for large-scale modeling. The CodeQL model editor can be used to efficiently define sources and sinks for such cases. A detailed explanation is provided - OK in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Modeling Jedis as a Dependency in Model Editor][Modeling Jedis as a Dependency in Model Editor]], while validation of - OK the modeled sink is discussed in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Verifying the Modeled Sink][Verifying the Modeled Sink]]. Finally, the query-level usage of these models can be seen - OK in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Identify usage of injection-related models in existing queries][Identify usage of injection-related models in existing queries]]. *** Customizations via Model Editor: Single-function case (Java SQLite sample) 
@@ -288,7 +248,6 @@ [[./.github/codeql/extensions/sqlite-db/codeql-pack.yml]], and the extension data is provided in [[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml]]. A detailed - *OK* explanation is available in [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]]. To support this, we explain how the "models-as-data" system works diff --git a/codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md b/codeql-sqlite-java/incoming.codeql-customizations-workshop.md similarity index 100% rename from codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md rename to codeql-sqlite-java/incoming.codeql-customizations-workshop.md
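Review bot: In the first README.org hunk (@@ -219,50 +219,13 @@) the section link now points at `codeql-sqlite-java/README.org`, but the unchanged sentence just above it still says the general explanation is in `[[./codeql-dataflow-sql-injection-c/README.org][README.org]]`; confirm which README actually contains the "Supplement CodeQL: Add to FlowSource or a Subclass" section and make both references agree. The same hunk also deletes the open items rather than resolving them ("Q: how to run all the CWE* queries against some file?" and "How do you install/include the CodeQL bundles with the modified Customizations.qll?", answered only with "That part we have not deciphered in detail"), together with the `codeql database analyze -vvvv -h` note that was the partial answer to the first; if those are still open, move them to an issue or a TODO section instead of dropping them silently. Minor: the added line `+ . For Java, [[./ql/java/ql/lib/java.qll][java.qll]] ...` leaves the sentence-ending period on its own line, so Org renders "…a Subclass]] ." with a space before the period; join it to the preceding link line.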
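Review bot: In the Jedis hunk (@@ -270,12 +233,9 @@) removing the "OK" markers is fine, but the three links that remain still use `file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*...`, an absolute home-directory path that only resolves on the author's machine and will be dead for anyone who clones the repository. The rest of README.org uses repository-relative links (e.g. `[[./ql/java/ql/lib/java.qll][java.qll]]`), so these should become `[[./codeql-jedis-java/README.org::*Modeling Jedis as a Dependency in Model Editor][...]]` and likewise for the "Verifying the Modeled Sink" and "Identify usage of injection-related models in existing queries" targets.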
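Review bot: In the sqlite hunk (@@ -288,7 +248,6 @@) the surviving link `[[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][...]]` has the same absolute `~/work-gh/` path problem as the Jedis section; with the rename in this patch moving `incoming.codeql-customizations-workshop.md` into `codeql-sqlite-java/`, that directory is clearly part of this repository, so the link should be the relative `[[./codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]]`, matching the relative form used for the two `./.github/codeql/extensions/sqlite-db/...` links in the same paragraph. The rename region itself (100% similarity, link updated in the first hunk) needs no further change.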