* SQL injection example This directory contains the codeql session snapshots as well as the full query [[./full-query-old-style.ql]] The rest of this README contains a description of the query's development. ** Develop the query bottom-up 1. Identify the /source/ part of the : System.console().readLine(); expression, the =buf= argument. Start from a =from..where..select=, then convert to a predicate. 2. Identify the /sink/ part of the : conn.createStatement().executeUpdate(query); expression, the =query= argument. Again start from =from..where..select=, then convert to a predicate. 3. Fill in the /taintflow configuration/ boilerplate. The final query is in [[./full-query.ql]] ** (optional) Review of the results via SARIF file Query results are available in several output formats using the cli. The following produces the sarif format, a json-based result description. Requires [[file:~/local/codeql-workshop-sql-injection-java/src/README.org::*Build the codeql database][Build the codeql database]] #+BEGIN_SRC sh # The setup information from before SRCDIR=$HOME/local/codeql-workshop-sql-injection-java DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD) # The directory containing the query SESSIONDIR=$(pwd -P) # Check paths echo $DB echo $SRCDIR # To see the help codeql database analyze -h # Run a query \ codeql database analyze \ -v \ --ram=14000 \ -j12 \ --rerun \ --format=sarif-latest \ --output java-sqli.sarif \ --sarif-include-query-help=always \ -- \ $DB \ $SESSIONDIR/full-query.ql # Examine the file in an editor edit java-sqli.sarif #+END_SRC An example of using the sarif data is in the the jq script [[./sarif-summary.jq]]. When run against the sarif input via #+BEGIN_SRC sh jq --raw-output --join-output -f sarif-summary.jq < java-sqli.sarif > java-sqli.txt #+END_SRC it produces output in a form close to that of compiler error messages: #+BEGIN_SRC text query-id: message line Path ... Path ... #+END_SRC