hohn/codeql-lab
1
0
Fork 0
mirror of https://github.com/hohn/codeql-lab.git synced 2025-12-16 09:53:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

wip: many revisions

Browse Source
This commit is contained in:
Michael Hohn
2025-08-06 18:11:44 -07:00
committed by =Michael Hohn
parent 269be51b58
commit d82a957df0
2 changed files with 4 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
README.org
View File

@@ -219,50 +219,13 @@
To customize CodeQL for Java, we identify and extend base classes to add To customize CodeQL for Java, we identify and extend base classes to add
custom flow sources and sinks. A general explanation of this approach is custom flow sources and sinks. A general explanation of this approach is
available in the file [[./codeql-dataflow-sql-injection-c/README.org][README.org]], particularly available in the file [[./codeql-dataflow-sql-injection-c/README.org][README.org]], particularly
the section [[file:codeql-dataflow-sql-injection-c/README.org::*supplement codeql: Add to FlowSource or a subclass][supplement codeql: Add to FlowSource or a subclass]]. For Java, the section
[[./ql/java/ql/lib/java.qll][java.qll]] includes [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which provides extension points for [[file:codeql-sqlite-java/README.org::*Supplement CodeQL: Add to FlowSource or a Subclass][Supplement CodeQL: Add to FlowSource or a Subclass]]
. For Java, [[./ql/java/ql/lib/java.qll][java.qll]] includes [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which provides extension points for
custom flow modeling -- this structure is common across most CodeQL-supported custom flow modeling -- this structure is common across most CodeQL-supported
languages, with the notable exception of C. Further details on this languages, with the notable exception of C. Further details on this
customization process can be found in customization process can be found in
[[./codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md][incoming.codeql-customizations-workshop.md]]. [[./codeql-sqlite-java/incoming.codeql-customizations-workshop.md][incoming.codeql-customizations-workshop.md]].
- illustrate what source, sink find using QueryInjectionFlowConfig in
SqlInjectionQuery.qll
- sink ok
- no source
- find the base class of source, so we know what to extend
- import gotcha
I used
import semmle.code.java.dataflow.FlowSources as Sources
class ReadLine extends Sources::RemoteFlowSource {
Does this work too or is private better?
- Q: how to run all the CWE* queries against some file?
- packs at https://github.com/advanced-security/codeql-bundle
- how to run all the CWE* queries against some file?
-- the codeql database analyze command can take several arguments, including a directory or query spec
To get the full options, run
0:$ codeql database analyze -vvvv -h
Usage: codeql database analyze [OPTIONS] -- <database> [<query|dir|suite|pack>...]
Analyze a database, producing meaningful results in the context of the source code.
Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as
alerts or paths, in SARIF or another interpreted format.
This command combines the effect of the codeql database run-queries and codeql database interpret-result
- How do you install/include the CodeQL bundles with the modified Customizations.qll?
That part we have not deciphered in detail. the CLI tool at
https://github.com/advanced-security/codeql-bundle does this -- but it's a
black box
*** Customizations via Model Editor: Jedis Example (Java Redis client) *** Customizations via Model Editor: Jedis Example (Java Redis client)
The Jedis example is a straightforward case with no unexpected The Jedis example is a straightforward case with no unexpected
@@ -270,12 +233,9 @@
and repetitive pattern, making it ideal for large-scale modeling. The CodeQL and repetitive pattern, making it ideal for large-scale modeling. The CodeQL
model editor can be used to efficiently define sources and sinks for such model editor can be used to efficiently define sources and sinks for such
cases. A detailed explanation is provided cases. A detailed explanation is provided
OK
in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Modeling Jedis as a Dependency in Model Editor][Modeling Jedis as a Dependency in Model Editor]], while validation of in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Modeling Jedis as a Dependency in Model Editor][Modeling Jedis as a Dependency in Model Editor]], while validation of
OK
the modeled sink is discussed in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Verifying the Modeled Sink][Verifying the Modeled Sink]]. the modeled sink is discussed in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Verifying the Modeled Sink][Verifying the Modeled Sink]].
Finally, the query-level usage of these models can be seen Finally, the query-level usage of these models can be seen
OK
in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Identify usage of injection-related models in existing queries][Identify usage of injection-related models in existing queries]]. in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Identify usage of injection-related models in existing queries][Identify usage of injection-related models in existing queries]].
*** Customizations via Model Editor: Single-function case (Java SQLite sample) *** Customizations via Model Editor: Single-function case (Java SQLite sample)
@@ -288,7 +248,6 @@
[[./.github/codeql/extensions/sqlite-db/codeql-pack.yml]], and the extension data [[./.github/codeql/extensions/sqlite-db/codeql-pack.yml]], and the extension data
is provided in is provided in
[[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml]]. A detailed [[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml]]. A detailed
*OK*
explanation is available in [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]]. explanation is available in [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]].
To support this, we explain how the "models-as-data" system works To support this, we explain how the "models-as-data" system works

0
codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md → codeql-sqlite-java/incoming.codeql-customizations-workshop.md
View File