wip: set up codeql-sqlite/ sample

2025-12-16 01:53:03 +01:00 · 2025-07-09 14:00:54 -07:00
parent 0e06b153cc
commit e2e555c44c
8 changed files with 1 additions and 2 deletions
--- a/codeql-jedis/README.org
+++ b/codeql-jedis/README.org
@@ -252,7 +252,6 @@
    | 14 | "return {}"                      | code-injection |

 * Identify usage of injection-related models in existing queries
-
  To verify whether existing CodeQL queries make use of the injection-related
  models, we can search for files in the =ql/java= and =ql/cpp= directories that
  contain the string =-injection=. This string often appears in taint-tracking
@@ -290,7 +289,6 @@
   These files include both top-level queries (under =src/Security/...=) and reusable model libraries (under =lib/semmle/...=). Experimental and framework-specific queries are also included.

 ** C++ Queries
-
   Likewise, to check for C++ queries that reference =-injection=, use:

   #+BEGIN_SRC sh
@@ -309,6 +307,7 @@
   These files indicate active use of injection-related taint tracking in the C++ suite as well.

 * TODO for java, the sqltainted query will find the sink, not the source yet.
+  [[../ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql]]
 * TODO vulnerable sample, jedis
  Running the model editor a jedis db models jedis dependencies; we need jedis
  /as/ dependency to model it.
--- a/codeql-jedis/src-sqlite/AddUser.java
+++ b/codeql-jedis/src-sqlite/AddUser.java
--- a/codeql-jedis/src-sqlite/README.org
+++ b/codeql-jedis/src-sqlite/README.org
--- a/codeql-jedis/src-sqlite/add-user
+++ b/codeql-jedis/src-sqlite/add-user
--- a/codeql-jedis/src-sqlite/admin
+++ b/codeql-jedis/src-sqlite/admin
--- a/codeql-jedis/src-sqlite/build.sh
+++ b/codeql-jedis/src-sqlite/build.sh
--- a/codeql-jedis/src-sqlite/sarif-summary.jq
+++ b/codeql-jedis/src-sqlite/sarif-summary.jq
--- a/codeql-jedis/src-sqlite/sqlite-jdbc-3.36.0.1.jar
+++ b/codeql-jedis/src-sqlite/sqlite-jdbc-3.36.0.1.jar