hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-01 07:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10105 from github/aeisenberg/about-codeql-packs

Browse Source 
Merge and update `about-ql-packs` with `about-codeql-packs`
This commit is contained in:
Andrew Eisenberg
2022-09-07 08:05:09 -07:00
committed by GitHub
parent e174123c43 9e6e37a223
commit bc17d061e7
19 changed files with 531 additions and 522 deletions
Download Patch File Download Diff File Expand all files Collapse all files

310
docs/codeql/codeql-cli/about-codeql-packs.rst
View File

@@ -14,11 +14,18 @@ There are two types of CodeQL packs: query packs and library packs.
You can use the package management commands in the CodeQL CLI to create CodeQL packs, add dependencies to packs, and install or update dependencies. For more information, see ":ref:`Creating and working with CodeQL packs <creating-and-working-with-codeql-packs>`." You can also publish and download CodeQL packs using the CodeQL CLI. For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
The standard CodeQL packages for all supported languages are published in the `GitHub Container registry <https://github.com/orgs/codeql/packages>`__.
The `CodeQL repository <https://github.com/github/codeql>`__ contains source files for the standard CodeQL packs for all supported languages.
.. _codeql-pack-structure:
CodeQL pack structure
---------------------
A CodeQL pack must contain a file called ``qlpack.yml`` in its root directory. In the ``qlpack.yml`` file, the ``name:`` field must have a value that follows the format of ``<scope>/<pack>``, where ``<scope>`` is the GitHub organization or user account that the pack will be published to and ``<pack>`` is the name of the pack. The other
files and directories within the pack should be logically organized. For example, typically:
A CodeQL pack must contain a file called ``qlpack.yml`` in its root directory. In the ``qlpack.yml`` file, the ``name:`` field must have a value that follows the format of ``<scope>/<pack>``, where ``<scope>`` is the GitHub organization or user account that the pack will be published to and ``<pack>`` is the name of the pack. Additionally, query packs and library packs with CodeQL tests contain a ``codeql-pack.lock.yml`` file that contains the resolved dependencies of the pack. This file is generated during a call to the ``codeql pack install`` command, is not meant to be edited by hand, and should be added to your version control system.
The other files and directories within the pack should be logically organized. For example, typically:
- Queries are organized into directories for specific categories.
- Queries for specific products, libraries, and frameworks are organized into
@@ -27,21 +34,17 @@ files and directories within the pack should be logically organized. For example
About ``qlpack.yml`` files
--------------------------
When executing query-related commands, CodeQL first looks in siblings of the installation directory (and their subdirectories) for ``qlpack.yml`` files.
Then it checks the package cache for CodeQL packs which have been downloaded. This means that when you are developing queries locally, the local packages
When executing query-related commands, CodeQL first looks in siblings of the installation directory (and their subdirectories) for ``qlpack.yml`` files.
Then it checks the package cache for CodeQL packs which have been downloaded. This means that when you are developing queries locally, the local packages
in the installation directory override packages of the same name in the package cache, so that you can test your local changes.
The metadata in each `qlpack.yml`` file tells
The metadata in each ``qlpack.yml`` file tells
CodeQL how to compile any queries in the pack, what libraries the pack depends on, and where to
find query suite definitions.
The contents of the CodeQL pack (queries or libraries used in CodeQL analysis) is
included in the same directory as ``qlpack.yml``, or its subdirectories.
The contents of the CodeQL pack (queries or libraries used in CodeQL analysis) is included in the same directory as ``qlpack.yml``, or its subdirectories.
The location of ``qlpack.yml`` defines the library path for the content
of the CodeQL pack. That is, for all ``.ql`` and ``.qll`` files in the pack,
CodeQL will resolve all import statements relative to the ``qlpack.yml`` at the
pack's root.
The directory containing the ``qlpack.yml`` file serves as the root directory for the content of the CodeQL pack. That is, for all ``.ql`` and ``.qll`` files in the pack, CodeQL will resolve all import statements relative to the directory containing the ``qlpack.yml`` file at the pack's root.
.. _codeqlpack-yml-properties:
@@ -56,49 +59,286 @@ The following properties are supported in ``qlpack.yml`` files.
* - Property
- Example
- Required
- Required by
- Purpose
* - ``name``
- ``octo-org/security-queries``
- .. code-block:: yaml
name: octo-org/security-queries
- All packs
- The scope, where the CodeQL pack is published, and the name of the pack defined using alphanumeric characters and hyphens. It must be unique as CodeQL cannot differentiate between CodeQL packs with identical names. Name components cannot start or end with a hyphen. Additionally, a period is not allowed in pack names at all. Use the pack name to specify queries to run using ``database analyze`` and to define dependencies between QL packs (see examples below).
- The scope, where the CodeQL pack is published, and the name of the pack defined using alphanumeric characters and hyphens. It must be unique as CodeQL cannot differentiate between CodeQL packs with identical names. Use the pack name to specify queries to run using ``database analyze`` and to define dependencies between CodeQL packs (see examples below).
* - ``version``
- ``0.0.0``
- .. code-block:: yaml
version: 0.0.0
- All packs
- A version range for this CodeQL pack. This must be a valid semantic version that meets the `SemVer v2.0.0 specification <https://semver.org/spec/v2.0.0.html>`__.
- A semantic version for this CodeQL pack that must adhere to the `SemVer v2.0.0 specification <https://semver.org/spec/v2.0.0.html>`__.
* - ``dependencies``
- ``codeql/javascript-all: ^1.2.3``
- Optional
- The names and version ranges of any CodeQL packs that this pack depends on, as a mapping. This gives the pack access to any libraries, database schema, and query suites defined in the dependency. For more information, see `SemVer ranges <https://docs.npmjs.com/cli/v6/using-npm/semver#ranges>`__ in the NPM documentation.
- .. code-block:: yaml
dependencies:
codeql/cpp-all: ^0.0.2
- Packs that define CodeQL package dependencies on other packs
- A map from pack references to the semantic version range that is compatible with this pack. Supported for CLI versions v2.6.0 and later.
* - ``defaultSuiteFile``
- .. code-block:: yaml
defaultSuiteFile: cpp-code-scanning.qls
- Packs that export a set of default queries to run
- The path to a query suite file relative to the package root, containing all of the queries that are run by default when this pack is passed to the ``codeql database analyze`` command. Supported from CLI version v2.6.0 and onwards. Only one of ``defaultSuiteFile`` or ``defaultSuite`` can be defined.
* - ``defaultSuite``
- .. code-block:: yaml
defaultSuite:
queries: .
exclude:
precision: medium
- Packs that export a set of default queries to run
- An inlined query suite containing all of the queries that are run by default when this pack is passed to the ``codeql database analyze`` command. Supported from CLI version v2.6.0 and onwards. Only one of ``defaultSuiteFile`` or ``defaultSuite`` can be defined.
* - ``library``
- .. code-block:: yaml
library: true
- Library packs
- A boolean value that indicates whether this pack is a library pack. Library packs do not contain queries and are not compiled. Query packs can ignore this field or explicitly set it to ``false``.
* - ``suites``
- ``octo-org-query-suites``
- .. code-block:: yaml
suites: octo-org-query-suites
- Optional
- The path to a directory in the pack that contains the query suites you want to make known to the CLI, defined relative to the pack directory. QL pack users can run "well-known" suites stored in this directory by specifying the pack name, without providing their full path. This is not supported for CodeQL packs downloaded from a package registry. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
- The path to a directory in the pack that contains the query suites you want to make known to the CLI, defined relative to the pack directory. CodeQL pack users can run "well-known" suites stored in this directory by specifying the pack name, without providing their full path. This is not supported for CodeQL packs downloaded from the Container registry. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
* - ``extractor``
- ``javascript``
- All test packs
- The CodeQL language extractor to use when the CLI creates a database in the pack. For more information about testing queries, see ":doc:`Testing custom queries <testing-custom-queries>`."
- .. code-block:: yaml
extractor: javascript
- All packs containing CodeQL tests
- The CodeQL language extractor to use when running the CodeQL tests in the pack. For more information about testing queries, see ":doc:`Testing custom queries <testing-custom-queries>`."
* - ``tests``
- ``.``
- Optional for test packs
- The path to a directory within the pack that contains tests, defined relative to the pack directory. Use ``.`` to specify the whole pack. Any queries in this directory are run as tests when ``test run`` is run with the ``--strict-test-discovery`` option. These queries are ignored by query suite definitions that use ``queries`` or ``qlpack`` instructions to ask for all queries in a particular pack.
- .. code-block:: yaml
tests: .
- Optional for packs containing CodeQL tests. Ignored for packs without tests.
- The path to a directory within the pack that contains tests, defined relative to the pack directory. Use ``.`` to specify the whole pack. Any queries in this directory are run as tests when ``test run`` is run with the ``--strict-test-discovery`` option. These queries are ignored by query suite definitions that use ``queries`` or ``qlpack`` instructions to ask for all queries in a particular pack. If this property is missing, then ``.`` is assumed.
* - ``dbscheme``
- ``semmlecode.python.dbscheme``
- .. code-block:: yaml
dbscheme: semmlecode.python.dbscheme
- Core language packs only
- The path to the :ref:`database schema <codeql-database-schema>` for all libraries and queries written for this CodeQL language (see example below).
* - ``upgrades``
- ``.``
- .. code-block:: yaml
upgrades: .
- Core language packs only
- The path to a directory within the pack that contains upgrade scripts, defined relative to the pack directory. The ``database upgrade`` action uses these scripts to update databases that were created by an older version of an extractor so they're compatible with the current extractor (see `Upgrade scripts for a language <#upgrade-scripts-for-a-language>`__ below.)
- The path to a directory within the pack that contains database upgrade scripts, defined relative to the pack directory. Database upgrades are used internally to ensure that a database created with a different version of the CodeQL CLI is compatible with the current version of the CLI.
* - ``authors``
- ``example@github.com``
- .. code-block:: yaml
authors: author1@github.com,author2@github.com
- All packs
- Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to.
* - ``licenses``
- ``(LGPL-2.1 AND MIT)``
* - ``license``
- .. code-block:: yaml
license: MIT
- All packs
- Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to. For a list of allowed licenses, see `SPDX License List <https://spdx.org/licenses/>`__ in the SPDX Specification.
- Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to. For a list of allowed licenses, see `SPDX License List <https://spdx.org/licenses/>`__ in the SPDX Specification.
* - ``description``
- ``Human-readable description of the contents of the CodeQL pack.``
- .. code-block:: yaml
description: Human-readable description of the contents of the CodeQL pack.
- All packs
- Metadata that will be displayed on the packaging search page in the packages section of the account that the CodeQL pack is published to.
* - ``libraryPathDependencies``
- .. code-block:: yaml
libraryPathDependencies: codeql/javascript-all
- Optional, deprecated
- Use the ``dependencies`` property instead. The names of any CodeQL packs that this CodeQL pack depends on, as an array. This gives the pack access to any libraries, database schema, and query suites defined in the dependency.
.. _about-codeql-pack-lock:
About ``codeql-pack.lock.yml`` files
------------------------------------
``codeql-pack.lock.yml`` files store the versions of the resolved transitive dependencies of a CodeQL pack. This file is created by the ``codeql pack install`` command if it does not already exist and should be added to your version control system. The ``dependencies`` section of the ``qlpack.yml`` file contains version ranges that are compatible with the pack. The ``codeql-pack.lock.yml`` file locks the versions to precise dependencies. This ensures that running ``codeql pack install`` on this the pack will always retrieve the same versions of dependencies even if newer compatible versions exist.
For example, if a ``qlpack.yml`` file contains the following dependencies:
.. code-block:: yaml
dependencies:
codeql/cpp-all: ^0.1.2
my-user/my-lib: ^0.2.3
other-dependency/from-source: "*"
The ``codeql-pack.lock.yml`` file will contain something like the following:
.. code-block:: yaml
dependencies:
codeql/cpp-all:
version: 0.1.4
my-user/my-lib:
version: 0.2.4
my-user/transitive-dependency:
version: 1.2.4
..
TODO: Add a link to the CodeQL CLI documentation for query resolution, specifically in regards to resolving from source
The ``codeql/cpp-all`` dependency is locked to version 0.1.4. The ``my-user/my-lib`` dependency is locked to version 0.2.4. The ``my-user/transitive-dependency``, which is a transitive dependency and is not specified in the ``qlpack.yml`` file, is locked to version 1.2.4. The ``other-dependency/from-source`` is absent from the lock file since it is resolved from source. This dependency must be available in the same CodeQL workspace as the pack.
In most cases, the ``codeql-pack.lock.yml`` file is only relevant for query packs since library packs are non-executable and usually do not need their transitive dependencies to be fixed. The exception to this is for library packs that contain tests. In this case, the ``codeql-pack.lock.yml`` file is used to ensure that the tests are always run with the same versions of dependencies to avoid spurious failures when there are mismatched dependencies.
.. _custom-codeql-packs:
Examples of custom CodeQL packs
-------------------------------
When you write custom queries or tests, you should save them in custom CodeQL packs. For simplicity, try to organize each pack logically. For more information, see "`CodeQL pack structure <#codeql-pack-structure>`__." Save files for queries and tests in separate packs and, where possible, organize custom packs into specific folders for each target language. This is particuarly useful if you intend to publish your CodeQL packs so they can be shared with others or used in GitHub `Code scanning <https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning>`__.
CodeQL packs for custom libraries
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A custom CodeQL pack containing custom C++ libraries, with no queries or tests, may have a ``qlpack.yml`` file containing:
.. code-block:: yaml
name: my-github-user/my-custom-libraries
version: 1.2.3
library: true
dependencies:
codeql/cpp-all: ^0.1.2
where ``codeql/cpp-all`` is the name of the CodeQL pack for C/C++ analysis included in the CodeQL repository. The version range ``^0.1.2`` indicates that this pack is compatible with all versions of ``codeql/cpp-all`` that are greater than or equal to ``0.1.2`` and less than ``0.2.0``. Any CodeQL library file (a file with a ``.qll`` extension) defined in this pack will be available to queries defined in any query pack that includes this pack in its dependencies block.
The ``library`` property indicates that this pack is a library pack and does not contain any queries.
CodeQL packs for custom queries
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A custom CodeQL pack containing custom C++ queries and libraries may have a ``qlpack.yml`` file containing:
.. code-block:: yaml
name: my-github-user/my-custom-queries
version: 1.2.3
dependencies:
codeql/cpp-all: ^0.1.2
my-github-user/my-custom-libraries: ^1.2.3
suites: my-custom-suites
where ``codeql/cpp-all`` is the name of the CodeQL pack for C/C++ analysis included in the CodeQL repository. The version range ``^0.1.2`` indicates that this pack is compatible with all versions of ``codeql/cpp-all`` that are greater than or equal to ``0.1.2`` and less than ``0.2.0``. ``my-github-user/my-custom-libraries`` is the name of a CodeQL pack containing custom CodeQL libraries for C++. Any CodeQL library file (a file with a ``.qll`` extension) defined in this pack will be available to queries in the ``my-github-user/my-custom-queries`` pack.
The ``suites`` property indicates a directory where "well-known" query suites can be found. These suites can be used on the command line by referring to their name only, rather than their full path. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
CodeQL packs for custom tests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For custom CodeQL packs containing test files, you also need to include an
``extractor`` property so that the ``test run`` command knows how to create test
databases. You may also wish to specify the ``tests`` property.
.. include:: ../reusables/test-qlpack.rst
For more information about running tests, see ":doc:`Testing custom queries
<testing-custom-queries>`."
.. _standard-codeql-packs:
Examples of CodeQL packs in the CodeQL repository
-------------------------------------------------
Each of the languages in the CodeQL repository has four main CodeQL packs:
- Core library pack for the language, with the :ref:`database schema <codeql-database-schema>`
used by the language, and CodeQL libraries, and queries at ``<language>/ql/lib``
- Core query pack for the language that includes the default queries for the language, along
with their query suites at ``<language>/ql/src``
- Tests for the core language libraries and queries at ``<language>/ql/test``
- Example queries for the language at ``<language>/ql/examples``
Core library pack
~~~~~~~~~~~~~~~~~
Here is an example ``qlpack.yml`` file for the `C/C++ analysis libraries
<https://github.com/github/codeql/blob/main/cpp/ql/lib/qlpack.yml>`__
core language pack:
.. code-block:: yaml
name: codeql/cpp-all
version: x.y.z-dev
dbscheme: semmlecode.cpp.dbscheme
library: true
upgrades: upgrades
Some extra notes on the following properties:
- ``library``: Indicates that this is a library pack with no executable queries. It is only meant to be used as a dependency for other packs.
- ``dbscheme`` and ``upgrades``: These properties are internal to the CodeQL CLI and should only be defined in the core QL pack for a language.
.. _standard-codeql-query-packs:
Core query pack
~~~~~~~~~~~~~~~
Here is an example ``qlpack.yml`` file for `C/C++ analysis queries
<https://github.com/github/codeql/blob/main/cpp/ql/src/qlpack.yml>`__
core query pack:
.. code-block:: yaml
name: codeql/cpp-queries
version: x.y.z-dev
dependencies:
codeql/cpp-all: "*"
codeql/suite-helpers: "*"
suites: codeql-suites
defaultSuiteFile: codeql-suites/cpp-code-scanning.qls
Some extra notes on the following properties:
- ``dependencies``: This query pack depends on ``codeql/cpp-all`` and ``codeql/suite-helpers``. Since these dependencies are resolved from source, it does not matter what version of the CodeQL pack they are compatible with.
- ``suites``: Indicates the directory containing "well-known" query suites.
- ``defaultSuiteFile``: The name of the default query suite file that is used when no query suite is specified.
Tests for the core CodeQL pack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is an example ``qlpack.yml`` file for `C/C++ analysis tests
<https://github.com/github/codeql/blob/main/cpp/ql/src/qlpack.yml>`__
core test pack:
.. code-block:: yaml
name: codeql/cpp-tests
dependencies:
codeql/cpp-all: "*"
codeql/cpp-queries: "*"
extractor: cpp
tests: .
Some extra notes on the following properties:
- ``dependencies``: This pack depends on the core CodeQL query and library packs for C++.
- ``extractor``: This specifies that all the tests will use the same C++ extractor to create the database for the tests.
- ``tests``: This specifies the location of the tests. In this case, the tests are in the root folder (and all sub-folders) of the pack.
- ``version``: There is no ``version`` property for the tests pack. This prevents test packs from accidentally being published.

245
docs/codeql/codeql-cli/about-ql-packs.rst
View File

@@ -1,245 +0,0 @@
.. _about-ql-packs:
About QL packs
==============
QL packs are used to organize the files used in CodeQL analysis. They
contain queries, library files, query suites, and important metadata.
The `CodeQL repository <https://github.com/github/codeql>`__ contains standard QL packs for all supported languages.
You can also make custom QL packs to contain your own queries and libraries.
QL pack structure
-----------------
A QL pack must contain a file called ``qlpack.yml`` in its root directory. The other
files and directories within the pack should be logically organized. For example, typically:
- Queries are organized into directories for specific categories.
- Queries for specific products, libraries, and frameworks are organized into
their own top-level directories.
- There is a top-level directory named ``<owner>/<language>`` for query library
(``.qll``) files. Within this directory, ``.qll`` files should be organized into
subdirectories for specific categories.
About ``qlpack.yml`` files
--------------------------
When executing commands, CodeQL scans siblings of the installation directory (and
their subdirectories) for ``qlpack.yml`` files. The metadata in the file tells
CodeQL how to compile queries, what libraries the pack depends on, and where to
find query suite definitions.
The content of the QL pack (queries and libraries used in CodeQL analysis) is
included in the same directory as ``qlpack.yml``, or its subdirectories.
The location of ``qlpack.yml`` defines the library path for the content
of the QL pack. That is, for all ``.ql`` and ``.qll`` files in the QL pack,
CodeQL will resolve all import statements relative to the ``qlpack.yml`` at the
pack's root.
For example, in a QL pack with the following contents, you can import ``CustomSinks.qll``
from any location in the pack by declaring ``import mycompany.java.CustomSinks``.
.. code-block:: none
qlpack.yml
mycompany/
java/
security/
CustomSinks.qll
Security/
CustomQuery.ql
For more information, see ":ref:`Importing modules <importing-modules>`"
in the QL language reference.
.. _qlpack-yml-properties:
``qlpack.yml`` properties
~~~~~~~~~~~~~~~~~~~~~~~~~
The following properties are supported in ``qlpack.yml`` files.
.. list-table::
:header-rows: 1
:widths: auto
* - Property
- Example
- Required
- Purpose
* - ``name``
- ``org-queries``
- All packs
- The name of the QL pack defined using alphanumeric characters, hyphens, and periods. It must be unique as CodeQL cannot differentiate between QL packs with identical names. If you intend to distribute the pack, prefix the name with your (or your organization's) name followed by a hyphen. Use the pack name to specify queries to run using ``database analyze`` and to define dependencies between QL packs (see examples below).
* - ``version``
- ``0.0.0``
- All packs
- A version number for this QL pack. This must be a valid semantic version that meets the `SemVer v2.0.0 specification <https://semver.org/spec/v2.0.0.html>`__.
* - ``libraryPathDependencies``
- ``codeql/javascript-all``
- Optional
- The names of any QL packs that this QL pack depends on, as a sequence. This gives the pack access to any libraries, database schema, and query suites defined in the dependency.
* - ``suites``
- ``suites``
- Optional
- The path to a directory in the pack that contains the query suites you want to make known to the CLI, defined relative to the pack directory. QL pack users can run "well-known" suites stored in this directory by specifying the pack name, without providing their full path. For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
* - ``extractor``
- ``javascript``
- All test packs
- The CodeQL language extractor to use when the CLI creates a database from test files in the pack. For more information about testing queries, see ":doc:`Testing custom queries <testing-custom-queries>`."
* - ``tests``
- ``.``
- Optional for test packs
- Supported from release 2.1.0 onwards. The path to a directory within the pack that contains tests, defined relative to the pack directory. Use ``.`` to specify the whole pack. Any queries in this directory are run as tests when ``test run`` is run with the ``--strict-test-discovery`` option. These queries are ignored by query suite definitions that use ``queries`` or ``qlpack`` instructions to ask for all queries in a particular pack.
* - ``dbscheme``
- ``semmlecode.python.dbscheme``
- Core language pack only
- The path to the :ref:`database schema <codeql-database-schema>` for all libraries and queries written for this CodeQL language (see example below).
* - ``upgrades``
- ``.``
- Packs with upgrades
- The path to a directory within the pack that contains upgrade scripts, defined relative to the pack directory. The ``database upgrade`` action uses these scripts to update databases that were created by an older version of an extractor so they're compatible with the current extractor (see `Upgrade scripts for a language <#upgrade-scripts-for-a-language>`__ below.)
* - ``dependencies``
- .. code-block:: yaml
dependencies:
codeql/cpp-all: ^0.0.2
- Packs that define CodeQL package dependencies on other packs
- A map from pack references to the semantic version range that is compatible with this pack. Supported from CLI version v2.6.0 and onwards.
* - ``defaultSuiteFile``
- ``defaultSuiteFile: cpp-code-scanning.qls``
- Packs that export a set of default queries to run
- The path to a query suite file containing all of the queries that are run by default when this pack is passed to the ``codeql database analyze`` command. Supported from CLI version v2.6.0 and onwards.
.. _custom-ql-packs:
Examples of custom QL packs
---------------------------
When you write custom queries or tests, you should save them in
custom QL packs. For simplicity, try to organize each pack logically. For more
information, see `QL pack structure <#ql-pack-structure>`__. Save files for queries
and tests in separate packs and, where possible, organize custom packs into specific
folders for each target language.
QL packs for custom queries
~~~~~~~~~~~~~~~~~~~~~~~~~~~
A custom QL pack for queries must include a ``qlpack.yml`` file at
the pack root, containing ``name``, ``version``,
and ``libraryPathDependencies`` properties. If the pack contains query suites, you can
use the ``suites`` property to define their location. Query suites defined
here are called "well-known" suites, and can be used on the command line by referring to
their name only, rather than their full path.
For more information about query suites, see ":doc:`Creating CodeQL query suites <creating-codeql-query-suites>`."
For example, a ``qlpack.yml`` file for a QL pack featuring custom C++ queries
and libraries may contain:
.. code-block:: yaml
name: my-custom-queries
version: 0.0.0
libraryPathDependencies: codeql/cpp-all
suites: my-custom-suites
where ``codeql/cpp-all`` is the name of the QL pack for C/C++ analysis included in
the CodeQL repository.
.. pull-quote::
Note
When you create a custom QL pack, it's usually a good idea to add it to the search path in your CodeQL configuration.
This will ensure that any libraries the pack contains are available to the CodeQL CLI.
For more information, see ":ref:`Specifying command options in a CodeQL configuration file <specifying-command-options-in-a-codeql-configuration-file>`."
QL packs for custom test files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For custom QL packs containing test files, you also need to include an
``extractor`` property so that the ``test run`` command knows how to create test
databases. You may also wish to specify the ``tests`` property.
.. include:: ../reusables/test-qlpack.rst
For more information about running tests, see ":doc:`Testing custom queries
<testing-custom-queries>`."
.. _standard-ql-packs:
Examples of QL packs in the CodeQL repository
---------------------------------------------
Each of the languages in the CodeQL repository has four main QL packs:
- Core library pack for the language, with the :ref:`database schema <codeql-database-schema>`
used by the language, and CodeQL libraries, and queries at ``ql/<language>/ql/lib``
- Core query pack for the language that includes the default queries for the language, along
with their query suites at ``ql/<language>/ql/src``
- Tests for the core language libraries and queries at ``ql/<language>/ql/test``
- Upgrade scripts for the language at ``ql/<language>/upgrades``
Core library pack
~~~~~~~~~~~~~~~~~
The ``qlpack.yml`` file for a core library pack uses the following properties:
``name``, ``version``, ``dbscheme``.
The ``dbscheme`` property should only be defined in the core QL
pack for a language.
For example, the ``qlpack.yml`` file for `C/C++ analysis libraries
<https://github.com/github/codeql/blob/main/cpp/ql/lib/qlpack.yml>`__
contains:
.. code-block:: yaml
name: codeql/cpp-all
version: 0.0.0
dbscheme: semmlecode.cpp.dbscheme
upgrades: upgrades
Core query pack
~~~~~~~~~~~~~~~
The ``qlpack.yml`` file for a core query pack uses the following properties:
``name``, ``version``, ``suites``, ``defaultSuiteFile``, ``dependencies`` .
For example, the ``qlpack.yml`` file for `C/C++ analysis queries
<https://github.com/github/codeql/blob/main/cpp/ql/lib/qlpack.yml>`__
contains:
.. code-block:: yaml
name: codeql/cpp-queries
version: 0.0.0
suites: codeql-suites
defaultSuiteFile: codeql-suites/cpp-code-scanning.qls
dependencies:
codeql/cpp-all: "*"
codeql/suite-helpers: "*"
Tests for the core QL pack
~~~~~~~~~~~~~~~~~~~~~~~~~~
The ``qlpack.yml`` file for the tests for the core QL packs use the following
properties: ``name``, ``version``, and ``dependencies``.
The ``dependencies`` always specifies the core QL pack.
For example, the ``qlpack.yml`` file for `C/C++ analysis tests
<https://github.com/github/codeql/blob/main/cpp/ql/test/qlpack.yml>`__
contains:
.. code-block:: yaml
name: codeql/cpp-tests
version: 0.0.0
dependencies:
codeql/cpp-all: "*"
codeql/cpp-queries: "*"
.. _upgrade-ql-packs:

76
docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
View File

@@ -58,9 +58,10 @@ You can also specify:
- a path to a directory containing query files
- a path to a query suite file
- the name of a CodeQL query pack
If omitted, the default query suite for the language
of the database being analyzed will be used. For more information, see the
:ref:`examples <database-analyze-examples>` below.
- with an optional version range
- with an optional path to a query, directory, or query suite inside the pack
If omitted, the default query suite for the language of the database being analyzed will be used. For more information, see the :ref:`examples <database-analyze-examples>` below.
- ``--sarif-category``: an identifying category for the results. Used when
you want to upload more than one set of results for a commit.
@@ -122,6 +123,14 @@ You can also run your own custom queries with the ``database analyze`` command.
For more information about preparing your queries to use with the CodeQL CLI,
see ":doc:`Using custom queries with the CodeQL CLI <using-custom-queries-with-the-codeql-cli>`."
If you do not have the CodeQL repository checked out, you can execute the same queries by specifying the query pack name and the path to the queries::
codeql database analyze --download <javascript-database> codeql/javascript-queries:Declarations/UnusedVariable.ql --format=csv --output=js-analysis/js-results.csv
Use the ``--download`` flag to download the query pack if it isn't yet available locally.
.. _run-query-pack:
Running a CodeQL pack
~~~~~~~~~~~~~~~~~~~~~
@@ -135,6 +144,34 @@ pack names and use the ``--download`` flag::
The ``analyze`` command above runs the default suite from ``microsoft/coding-standards v1.0.0`` and the latest version of ``github/security-queries`` on the specified database.
For further information about default suites, see ":ref:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`".
Running all queries in a directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can run all the queries located in a directory by providing the directory
path, rather than listing all the individual query files. Paths are searched
recursively, so any queries contained in subfolders will also be executed.
.. pull-quote::
Important
You should avoid specifying the root of a :ref:`core CodeQL query pack
<standard-codeql-query-packs>` when executing ``database analyze``
as it might contain some special queries that aren't designed to be used with
the command. Rather, :ref:`run the query pack <run-query-pack>` to include the
pack's default queries in the analysis, or run one of the
code scanning query suites.
For example, to execute all Python queries contained in the ``Functions`` directory you would run::
codeql database analyze <python-database> ../ql/python/ql/src/Functions/ --format=sarif-latest --output=python-analysis/python-results.sarif
When the analysis has finished, a SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures
that the results are formatted according to the most recent SARIF specification
supported by CodeQL.
.. _including-query-help-for-custom-codeql-queries-in-sarif-files:
Running a subset of queries in a CodeQL pack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -192,10 +229,10 @@ For more information, see `Analyzing a CodeQL database <https://docs.github.com/
or `Code scanning API <https://docs.github.com/en/rest/reference/code-scanning>`__ in the GitHub documentation.
CodeQL query suites are ``.qls`` files that use directives to select queries to run
based on certain metadata properties. The standard QL packs have metadata that specify
based on certain metadata properties. The standard CodeQL packs have metadata that specify
the location of the query suites used by code scanning, so the CodeQL CLI knows where to find these
suite files automatically, and you don't have to specify the full path on the command line.
For more information, see ":ref:`About QL packs <standard-ql-packs>`."
For more information, see ":ref:`About CodeQL packs <standard-codeql-packs>`."
The standard query suites are stored at the following paths in
the CodeQL repository::
@@ -227,35 +264,6 @@ Integrating a CodeQL pack into a code scanning workflow in GitHub
You can use CodeQL query packs in your code scanning setup. This allows you to select query packs published by various sources and use them to analyze your code.
For more information, see "`Using CodeQL query packs in the CodeQL action <https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-codeql-query-packs/>`_" or "`Downloading and using CodeQL query packs in your CI system <https://docs.github.com/en/code-security/secure-coding/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#downloading-and-using-codeql-query-packs>`_."
Running all queries in a directory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can run all the queries located in a directory by providing the directory
path, rather than listing all the individual query files. Paths are searched
recursively, so any queries contained in subfolders will also be executed.
.. pull-quote::
Important
You shouldn't specify the root of a :doc:`QL pack
<about-ql-packs>` when executing ``database analyze``
as it contains some special queries that aren't designed to be used with
the command. Rather, to run a wide range of useful queries, run one of the
LGTM.com query suites.
For example, to execute all Python queries contained in the ``Functions``
directory you would run::
codeql database analyze <python-database> ../ql/python/ql/src/Functions/ --format=sarif-latest --output=python-analysis/python-results.sarif
A SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures
that the results are formatted according to the most recent SARIF specification
supported by CodeQL.
.. _including-query-help-for-custom-codeql-queries-in-sarif-files:
Including query help for custom CodeQL queries in SARIF files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

7
docs/codeql/codeql-cli/codeql-cli-reference.rst
View File

@@ -3,22 +3,19 @@
CodeQL CLI reference
====================
Learn more about the files you can use when running CodeQL processes and the results format and exit codes that CodeQL generates.
Learn more about the files you can use when running CodeQL processes and the results format and exit codes that CodeQL generates.
.. toctree::
:titlesonly:
:hidden:
about-codeql-packs
about-ql-packs
query-reference-files
sarif-output
exit-codes
extractor-options
- :doc:`About CodeQL packs <about-codeql-packs>`: CodeQL packs are created with the CodeQL CLI and are used to create, depend on, publish, and run CodeQL queries and libraries.
- :doc:`About QL packs <about-ql-packs>`: QL packs are used to organize the files used in CodeQL analysis. They
contain queries, library files, query suites, and important metadata.
- :doc:`About CodeQL packs <about-codeql-packs>`: CodeQL packs are created with the CodeQL CLI and are used to create, depend on, publish, and run CodeQL queries, libraries, and query suites.
- :doc:`Query reference files <query-reference-files>`: A query reference file is text file that defines the location of one query to test.
- :doc:`SARIF output <sarif-output>`: CodeQL supports SARIF as an output format for sharing static analysis results.
- :doc:`Exit codes <exit-codes>`: The CodeQL CLI reports the status of each command it runs as an exit code.

13
docs/codeql/codeql-cli/creating-and-working-with-codeql-packs.rst
View File

@@ -34,24 +34,26 @@ You must specify:
The ``codeql pack init`` command creates the directory structure and configuration files for a CodeQL pack. By default, the command creates a query pack. If you want to create a library pack, you must edit the ``qlpack.yml`` file to explicitly declare the file as a library pack by including the ``library:true`` property.
Modifying an existing QL pack to create a CodeQL pack
-----------------------------------------------------
Modifying an existing legacy QL pack to create a CodeQL pack
------------------------------------------------------------
If you already have a ``qlpack.yml`` file, you can edit it manually to convert it into a CodeQL pack.
#. Edit the ``name`` property so that it matches the format ``<scope>/<name>``, where ``<scope>`` is the name of the GitHub organization or user account that you will publish to.
#. In the ``qlpack.yml`` file, include a ``version`` property with a semver identifier, as well as an optional ``dependencies`` block.
#. Migrate the list of dependencies in ``libraryPathDependencies`` to the ``dependencies`` block. Specify the version range for each dependency. If the range is unimportant, or you are unsure of compatibility, you can specify ``"*"``, which indicates that any version is acceptable and will default to the latest version when you run ``codeql pack install``.
For more information about the properties, see ":ref:`About CodeQL packs <about-codeql-packs>`."
Adding and installing dependencies to a CodeQL pack
---------------------------------------------------
You can add dependencies on CodeQL packs using the command ``codeql pack add``. You must specify the scope, name, and version range.
You can add dependencies on CodeQL packs using the command ``codeql pack add``. You must specify the scope, name, and (optionally) a compatible version range.
::
codeql pack add <scope>/<name>@x.x.x <scope>/<other-name>
The version range is optional. If you leave off the version range, the latest version will be added. Otherwise, the latest version that satisfies the requested range will be added.
If you don't specify a version range, the latest version will be added. Otherwise, the latest version that satisfies the requested range will be added.
This command updates the ``qlpack.yml`` file with the requested dependencies and downloads them into the package cache. Please note that this command will reformat the file and remove all comments.
@@ -67,7 +69,8 @@ This command downloads all dependencies to the shared cache on the local disk.
Note
Running the ``codeql pack add`` and ``codeql pack install`` commands will generate or update the ``qlpack.lock.yml`` file. This file should be checked-in to version control. The ``qlpack.lock.yml`` file contains the precise version numbers used by the pack.
Running the ``codeql pack add`` and ``codeql pack install`` commands will generate or update the ``codeql-pack.lock.yml`` file. This file should be checked-in to version control. The ``codeql-pack.lock.yml`` file contains the precise version numbers used by the pack.
For more information, see ":ref:`About codeql-pack.lock.yml files <about-codeql-pack-lock>`."
.. pull-quote::

77
docs/codeql/codeql-cli/creating-codeql-query-suites.rst
View File

@@ -4,7 +4,7 @@ Creating CodeQL query suites
============================
CodeQL query suites provide a way of selecting queries, based on their
filename, location on disk or in a QL pack, or metadata properties.
filename, location on disk or in a CodeQL pack, or metadata properties.
Create query suites for the queries that you want to frequently use in
your CodeQL analyses.
@@ -18,8 +18,8 @@ suite definition have been executed, the result is a set of selected queries.
.. pull-quote:: Note
Any custom queries that you want to add to a query suite must be in a :doc:`QL
pack <about-ql-packs>` and contain the correct query metadata.
Any custom queries that you want to add to a query suite must be in a :doc:`CodeQL
pack <about-codeql-packs>` and contain the correct query metadata.
For more information, see
":doc:`Using custom queries with the CodeQL CLI <using-custom-queries-with-the-codeql-cli>`."
@@ -35,7 +35,7 @@ queries using:
- query: <path-to-query>
The argument must be one or more file paths, relative to the QL pack containing
The argument must be one or more file paths, relative to the CodeQL pack containing
the suite definition.
- A ``queries`` instruction---tells CodeQL to recursively scan a directory
@@ -43,22 +43,30 @@ queries using:
- queries: <path-to-subdirectory>
The path of the directory must be relative to the root of the QL pack that
The path of the directory must be relative to the root of the CodeQL pack that
contains the suite definition file. To find the queries relative to a
different QL pack, add a ``from`` field::
different CodeQL pack, add a ``from`` field::
- queries: <path-to-subdirectory>
from: <ql-pack-name>
version: ^x.y.z
The ``version`` field is optional and specifies a range of compatible versions of this CodeQL pack.
If you don't specify a version, then the most recent version of the pack is used.
- A ``qlpack`` instruction---tells CodeQL to resolve queries in the default suite of the
named QL pack::
named CodeQL pack::
- qlpack: <qlpack-name>
version: ^x.y.z
The default suite of a query pack includes a recommended set of queries
inside of that query pack. Not all query packs have a default suite. If the given query pack does not
define a default suite, the `qlpack` instruction will resolve to all of the queries within the pack.
The ``version`` field is optional and specifies a range of compatible versions of this CodeQL pack.
If you don't specify a version, then the most recent version of the pack is used.
.. pull-quote:: Note
When pathnames appear in query suite definitions, they must always
@@ -68,7 +76,7 @@ queries using:
You must add at least one ``query``, ``queries``, or ``qlpack`` instruction to
your suite definition, otherwise no queries will be selected. If the suite
contains no further instructions, all the queries found from the list of files,
in the given directory, or in the named QL pack are selected. If there are further
in the given directory, or in the named CodeQL pack are selected. If there are further
filtering instructions, only queries that match the constraints imposed by those
instructions will be selected.
@@ -117,7 +125,7 @@ In addition to metadata tags, the keys in the constraint block can also be:
- ``query filename``---matches on the last path component of the query file name.
- ``query path``---matches on the path to the query file relative to its
enclosing QL pack.
enclosing CodeQL pack.
- ``tags contain``---one of the given match strings must match
one of the space-separated components of the value of the ``@tags`` metadata property.
- ``tags contain all``---each of the given match strings must match one of the
@@ -127,7 +135,7 @@ Examples
~~~~~~~~
To define a suite that selects all queries in the default suite of the
``codeql/cpp-queries`` QL pack, and then refines them to only include
``codeql/cpp-queries`` CodeQL pack, and then refines them to only include
security queries, use::
- qlpack: codeql/cpp-queries
@@ -153,7 +161,7 @@ recommendation``, use::
problem.severity: recommendation
To create a suite that selects all queries with ``@tag security`` and
``@problem.severity high`` or ``very-high`` from the ``codeql/cpp-queries`` QL pack,
``@problem.severity high`` or ``very-high`` from the ``codeql/cpp-queries`` CodeQL pack,
use::
- queries: .
@@ -174,12 +182,16 @@ Existing query suite definitions can be reused by specifying:
- import: <path-to-query-suite>
The path to the imported suite must be relative to the QL pack containing the
The path to the imported suite must be relative to the CodeQL pack containing the
current suite definition. If the imported query suite is in a different QL
pack you can use::
- import: <path-to-query-suite>
from: <ql-pack>
version: ^x.y.z
The ``version`` field is optional and specifies a range of compatible versions of this CodeQL pack.
If you don't specify a version, then the most recent version of the pack is used.
Queries added using an ``import`` instruction can be filtered using subsequent
``exclude`` instructions.
@@ -200,6 +212,8 @@ Existing query suite definitions can be reused by specifying:
instruction, but takes a full suite definition as the argument, rather than the
path to a ``.qls`` file on disk.
To see what queries are included in a query suite, you can run the ``codeql resolve queries my-suite.qls`` command.
Example
~~~~~~~
@@ -216,28 +230,27 @@ following in a file called ``reusable-instructions.yml``::
- high
- very-high
Add ``reusable-instructions.yml`` to the same QL pack as your current query
suite (for example, ``my-custom-queries``). Apply the reusable instructions
to the queries in your current suite using::
- qlpack: my-custom-queries
- apply: reusable-instructions.yml
To apply the same conditions to a different suite or directory within the same
QL pack, create a new definition and change (or replace) the ``qlpack``
instruction. For example::
Add ``reusable-instructions.yml`` to the same CodeQL pack as your current query
suite. Then, in one or more query suites, use the ``apply`` instruction to apply
the reusable instructions to the current suite. For example::
- queries: queries/cpp/custom
- apply: reusable-instructions.yml
This will filter the queries in ``queries/cpp/custom`` to only include those that match the reusable conditions.
You can also create a suite definition using ``reusable-instructions.yml`` on
queries in a different QL pack. If the ``.qls`` file is in the same QL pack as
queries in a different CodeQL pack. If the ``.qls`` file is in the same CodeQL pack as
the queries, you can add a ``from`` field immediately after the ``apply``
instruction::
- qlpack: my-other-custom-queries
# load queries from the default suite of my-org/my-other-custom-queries
- qlpack: my-org/my-other-custom-queries
# apply the reusable instructions from the my-org/my-custom-instructions CodeQL pack
- apply: reusable-instructions.yml
from: <name-of-ql-pack>
from: my-org/my-custom-instructions
version: ^1.2.3 # optional
Naming a query suite
--------------------
@@ -255,20 +268,20 @@ directory. For more information, see "`Specifying well-known query suites
Saving a query suite
--------------------
Save your query suite in a file with a ``.qls`` extension and add it to a QL
pack. For more information, see ":ref:`About QL packs <custom-ql-packs>`."
Save your query suite in a file with a ``.qls`` extension and add it to a CodeQL
pack. For more information, see ":ref:`About CodeQL packs <custom-codeql-packs>`."
Specifying well-known query suites
----------------------------------
You can use QL packs to declare directories that contain "well-known" query
You can use CodeQL packs to declare directories that contain "well-known" query
suites. You can use "well-known" query suites on the command line by referring
to their file name,
without providing their full path. This gives you a simple way of specifying a
set of queries, without needing to search inside QL packs and distributions.
set of queries, without needing to search inside CodeQL packs and distributions.
To declare a directory that contains "well-known" query suites, add the directory
to the ``suites`` property in the ``qlpack.yml`` file at the root of your QL pack.
For more information, see ":ref:`About QL packs <qlpack-yml-properties>`."
to the ``suites`` property in the ``qlpack.yml`` file at the root of your CodeQL pack.
For more information, see ":ref:`About CodeQL packs <codeqlpack-yml-properties>`."
Using query suites with CodeQL
------------------------------
@@ -288,7 +301,7 @@ JavaScript, visit
https://github.com/github/codeql/tree/main/javascript/ql/src/codeql-suites.
These suite definitions apply reusable filter patterns to the queries
located in the standard QL packs for each supported language. For more
located in the standard CodeQL packs for each supported language. For more
information, see the `suite-helpers
<https://github.com/github/codeql/tree/main/misc/suite-helpers>`__ in the CodeQL
repository.

18
docs/codeql/codeql-cli/getting-started-with-the-codeql-cli.rst
View File

@@ -23,11 +23,11 @@ and 4 are slightly different---for further details, see the sections labeled
**Information for macOS "Catalina" (or newer) users**. If you are using macOS
on Apple Silicon (e.g. Apple M1), ensure that the `Xcode command-line developer
tools <https://developer.apple.com/downloads/index.action>`__ and `Rosetta 2
<https://support.apple.com/en-us/HT211861>`__ are installed.
<https://support.apple.com/en-us/HT211861>`__ are installed.
.. pull-quote:: Note
The CodeQL CLI is currently not compatible with non-glibc Linux
The CodeQL CLI is currently not compatible with non-glibc Linux
distributions such as (muslc-based) Alpine Linux.
For information about installing the CodeQL CLI in a CI system to create results
@@ -47,7 +47,7 @@ Conditions <https://securitylab.github.com/tools/codeql/license>`__.
.. pull-quote:: Important
There are several different versions of the CLI available to download, depending
There are different versions of the CLI available to download, depending
on your use case:
- If you want to use the most up to date CodeQL tools and features, download the
@@ -202,8 +202,6 @@ CLI that you will extract in step 4. If you use git on the command line, you can
clone and rename the repository in a single step by running
``git clone git@github.com:github/codeql.git codeql-repo`` in the ``codeql-home`` folder.
For Go analysis, run ``codeql-repo/go/scripts/install-deps.sh`` to install its dependencies.
.. pull-quote:: Note
The CodeQL libraries and queries for Go analysis used to live in a
@@ -213,10 +211,10 @@ For Go analysis, run ``codeql-repo/go/scripts/install-deps.sh`` to install its d
For more information, see the `Relocation announcement <https://github.com/github/codeql-go/issues/741>`__.
Within this repository, the queries and libraries are organized into QL
packs. Along with the queries themselves, QL packs contain important metadata
Within this repository, the queries and libraries are organized into CodeQL
packs. Along with the queries themselves, CodeQL packs contain important metadata
that tells the CodeQL CLI how to process the query files. For more information,
see ":doc:`About QL packs <about-ql-packs>`."
see ":doc:`About CodeQL packs <about-codeql-packs>`."
.. pull-quote:: Important
@@ -271,8 +269,8 @@ up to create and analyze databases:
- Run ``codeql resolve languages`` to show which languages are
available for database creation. This will list the languages supported by
default in your CodeQL CLI package.
- Run ``codeql resolve qlpacks`` to show which QL packs the CLI can find. This
will display the names of all the QL packs directly available to the CodeQL CLI.
- Run ``codeql resolve qlpacks`` to show which CodeQL packs the CLI can find. This
will display the names of all the CodeQL packs directly available to the CodeQL CLI.
This should include:
- Query packs for each supported language, for example, ``codeql/{language}-queries``.

3
docs/codeql/codeql-cli/publishing-and-using-codeql-packs.rst
View File

@@ -60,12 +60,13 @@ To analyze a CodeQL database with a CodeQL pack, run the following command:
::
codeql database analyze <database> <scope>/<pack>@x.x.x
codeql database analyze <database> <scope>/<pack>@x.x.x:<path>
- ``<database>``: the CodeQL database to be analyzed.
- ``<scope>``: the name of the GitHub organization that the pack is published to.
- ``<pack>``: the name for the pack that you are using.
- ``@x.x.x``: an optional version number. If omitted, the latest version will be used.
- ``:<path>``: an optional path to a query, directory, or query suite. If omitted, the pack's default query suite will be used.
The ``analyze`` command will run the default suite of any specified CodeQL packs. You can specify multiple CodeQL packs to be used for analyzing a CodeQL database. For example:

22
docs/codeql/codeql-cli/query-reference-files.rst
View File

@@ -10,10 +10,10 @@ to run a query that's not part of a test directory.
There are two ways to specify queries that you want to run as tests:
#. Use a query reference file to specify the location of a query to test.
This is useful when you create tests for alert and path queries that
are intended to identify problems in real codebases. You might create
This is useful when you create tests for alert and path queries that
are intended to identify problems in real codebases. You might create
several directories of test code, each focusing on different
aspects of the query. Then you would add a query reference file to
aspects of the query. Then you would add a query reference file to
each directory of test code, to specify the query to test.
#. Add the query directly to a directory of tests.
These is typically useful when you're writing queries explicitly to test the behavior
@@ -25,22 +25,24 @@ Defining a query reference file
Each query reference file, ``.qlref``, contains a single line that defines
where to find one query. The location must be defined relative
to the root of the QL pack that contains the query.
Usually, this is a QL pack specified by the ``libraryPathDependencies`` for the test pack.
to the root of the CodeQL pack that contains the query.
Usually, this is either the CodeQL pack that contains the ``.qlref``, a CodeQL pack
specified in the ``dependencies`` block for the test pack, or a transitive dependency of
the CodeQL pack.
You should use forward slashes in the path on all operating
systems to ensure compatibility between systems.
systems to ensure compatibility between systems.
Example
^^^^^^^^
^^^^^^^
A query reference file to test a JavaScript alert query:
`DeadAngularJSEventListener.qlref <https://github.com/github/codeql/blob/main/javascript/ql/test/query-tests/AngularJS/DeadAngularJSEventListener/DeadAngularJSEventListener.qlref>`__
The `QL pack <https://github.com/github/codeql/blob/main/javascript/ql/test/qlpack.yml>`__
for the ``javascript/ql/test`` directory defines the ``codeql-javascript`` queries as
The ```qlpack.yml`` file <https://github.com/github/codeql/blob/main/javascript/ql/test/qlpack.yml>`__
for the CodeQL pack at ``javascript/ql/test`` defines ``codeql/javascript-queries`` as
a dependency. So the query reference file defines the location of the query relative
to the ``codeql-javascript`` QL pack::
to the ``codeql/javascript-queries`` CodeQL pack::
AngularJS/DeadAngularJSEventListener.ql

10
docs/codeql/codeql-cli/specifying-command-options-in-a-codeql-configuration-file.rst
View File

@@ -8,15 +8,15 @@ configuration file.
You can specify CodeQL CLI command options in two ways:
- Directly in the command line, using the appropriate flag.
- Directly in the command line, using the appropriate flag.
- In a configuration (or ``config``) file that CodeQL scans for relevant
options each time a command is executed.
For options that are likely to change each time you execute a command,
specifying the value on the command line is the most convenient way of passing
the information to CodeQL. Saving options in a ``config`` file is a good way to
specify options you use frequently.
It's also a good way to add custom QL packs that you use regularly to your search path.
specify options you use frequently.
It's also a good way to add custom CodeQL packs that you use regularly to your search path.
Using a CodeQL configuration file
---------------------------------
@@ -39,7 +39,7 @@ To apply the same options to more than one command you can:
.. pull-quote::
Note
- ``config`` files only accept spaces between between option flags and
values---CodeQL will throw an error if you use ``=`` to specify an option value.
- If you specify an option in the command line, this overrides the ``config``
@@ -66,7 +66,7 @@ Examples
--ram 4096
--threads 4
- To globally specify a directory for CodeQL to scan for QL packs (which is not a
- To globally specify a directory for CodeQL to scan for CodeQL packs (which is not a
sibling of the installation directory), use::
--search-path <path-to-directory>

111
docs/codeql/codeql-cli/testing-custom-queries.rst
View File

@@ -13,10 +13,10 @@ on the query and the expected results until the actual results and the expected
results exactly match. This topic shows you how to create test files and execute
tests on them using the ``test run`` subcommand.
Setting up a test QL pack for custom queries
--------------------------------------------
Setting up a test CodeQL pack for custom queries
------------------------------------------------
All CodeQL tests must be stored in a special "test" QL pack.
All CodeQL tests must be stored in a special "test" CodeQL pack.
That is, a directory for test files with a ``qlpack.yml``
file that defines:
@@ -24,22 +24,25 @@ file that defines:
name: <name-of-test-pack>
version: 0.0.0
libraryPathDependencies: <codeql-libraries-and-queries-to-test>
dependencies:
<codeql-libraries-and-queries-to-test>: "*"
extractor: <language-of-code-to-test>
The ``libraryPathDependencies`` value specifies the CodeQL queries to test.
The ``extractor`` defines which language the CLI will use
to create test databases from the code files stored in this QL pack.
For more information, see ":doc:`About QL packs <about-ql-packs>`."
The ``dependencies`` value specifies the CodeQL packs containing queries to test.
Typically, these packs will be resolved from source, and so it is not necessary
to specify a fixed version of the pack.
The ``extractor`` defines which language the CLI will use
to create test databases from the code files stored in this CodeQL pack.
For more information, see ":doc:`About CodeQL packs <about-codeql-packs>`."
You may find it useful to look at the way query tests are organized in the
`CodeQL repository <https://github.com/github/codeql>`__.
Each language has a ``src`` directory, ``ql/<language>/ql/src``,
that contains libraries and queries for analyzing codebases.
Alongside the ``src`` directory,
there's a ``test`` directory with tests for these libraries and queries.
You may find it useful to look at the way query tests are organized in the
`CodeQL repository <https://github.com/github/codeql>`__.
Each language has a ``src`` directory, ``ql/<language>/ql/src``,
that contains libraries and queries for analyzing codebases.
Alongside the ``src`` directory, there is a ``test`` directory with tests for
these libraries and queries.
Each ``test`` directory is configured as a test QL pack with two subdirectories:
Each ``test`` directory is configured as a test CodeQL pack with two subdirectories:
- ``query-tests`` a series of subdirectories with tests for queries stored in the ``src`` directory.
Each subdirectory contains test code and a QL reference file that specifies the query to test.
@@ -49,18 +52,18 @@ Each ``test`` directory is configured as a test QL pack with two subdirectories:
Setting up the test files for a query
-------------------------------------
For each query you want to test, you should create a sub-directory in the test QL pack.
For each query you want to test, you should create a sub-directory in the test CodeQL pack.
Then add the following files to the subdirectory before you run the test command:
- A query reference file (``.qlref`` file) defining the location of the query to test.
The location is defined relative to the root of the QL pack that contains the
query. Usually, this is a QL pack specified by the
``libraryPathDependencies`` for the test pack.
The location is defined relative to the root of the CodeQL pack that contains the
query. Usually, this is a CodeQL pack specified in the
``dependencies`` block of the test pack.
For more information, see ":doc:`Query reference files <query-reference-files>`."
You don't need to add a query reference file if the query you want to
You do not need to add a query reference file if the query you want to
test is stored in the test directory,
but it's generally good practice to store queries separately from tests.
but it is generally good practice to store queries separately from tests.
The only exception is unit tests for QL libraries, which tend to be
stored in test packs, separate from queries that generate alerts or paths.
@@ -68,15 +71,13 @@ Then add the following files to the subdirectory before you run the test command
should consist of one or more files containing examples of the code the
query is designed to identify.
You can also define the results you expect to see when you run the query against
You can also define the results you expect to see when you run the query against
the example code, by creating a file with the extension ``.expected``.
Alternatively, you can leave the test command to create the ``.expected`` file
for you. (If you're using CodeQL CLI 2.0.2--2.0.6, you need to create an
``.expected`` file otherwise the command will fail to find your test query.
You can create an empty ``.expected`` file to workaround this limitation.)
for you.
For an example showing how to create and test a query, see the `example
<#example>`__ below.
<#example>`__ below.
.. pull-quote:: Important
@@ -86,14 +87,14 @@ For an example showing how to create and test a query, see the `example
it must have the same base name as the corresponding ``.expected`` file. For
example, if the query is ``MyJavaQuery.ql``, the expected results file must
be ``MyJavaQuery.expected``.
If you want to specify a ``.qlref`` file in the command, it must have the same base
name as the corresponding ``.expected`` file, but the query itself
may have a different name.
may have a different name.
The names of the example code files don't have to be consistent with the
other test files. All example code files found next to the ``.qlref`` (or ``.ql``)
file and in any subdirectories will be used to create a test database.
file and in any subdirectories will be used to create a test database.
Therefore, for simplicity, we recommend you don't save test files in
directories that are ancestors of each other.
@@ -108,10 +109,10 @@ The ``<test|dir>`` argument can be one or more of the following:
- Path to a ``.ql`` file.
- Path to a ``.qlref`` file that references a ``.ql`` file.
- Path to a directory that will be searched recursively for ``.ql`` and
- Path to a directory that will be searched recursively for ``.ql`` and
``.qlref`` files.
You can also specify:
You can also specify:
- .. include:: ../reusables/threads-query-execution.rst
@@ -123,7 +124,7 @@ Example
The following example shows you how to set up a test for a query that searches
Java code for ``if`` statements that have empty ``then`` blocks. It includes
steps to add the custom query and corresponding test files to separate QL packs
steps to add the custom query and corresponding test files to separate CodeQL packs
outside your checkout of the CodeQL repository. This ensures when you update the
CodeQL libraries, or check out a different branch, you won't overwrite your
custom queries and tests.
@@ -144,36 +145,36 @@ Prepare a query and test files
#. Save the query to a file named ``EmptyThen.ql`` in a directory with your
other custom queries. For example,
``custom-queries/java/queries/EmptyThen.ql``.
#. If you haven't already added your custom queries to a QL pack,
create a QL pack now. For example, if your custom Java queries
``custom-queries/java/queries/EmptyThen.ql``.
#. If you haven't already added your custom queries to a CodeQL pack,
create a CodeQL pack now. For example, if your custom Java queries
are stored in ``custom-queries/java/queries``, add a ``qlpack.yml`` file with the
following contents to ``custom-queries/java/queries``:
.. code-block:: yaml
name: my-custom-queries
version: 0.0.0
libraryPathDependencies: codeql-java
dependencies:
codeql/java-queries: "*"
For more information about QL packs, see ":doc:`About QL packs
<about-ql-packs>`."
For more information about CodeQL packs, see ":doc:`About CodeQL packs
<about-codeql-packs>`."
#. Create a QL pack for your Java tests by adding a ``qlpack.yml`` file
#. Create a CodeQL pack for your Java tests by adding a ``qlpack.yml`` file
with the following contents to ``custom-queries/java/tests``,
updating ``libraryPathDependencies`` to match the name of your QL pack of custom queries:
updating the ``dependencies`` to match the name of your CodeQL pack of custom queries:
.. include:: ../reusables/test-qlpack.rst
#. Within the Java test pack, create a directory to contain the test files
associated with ``EmptyThen.ql``.
For example, ``custom-queries/java/tests/EmptyThen``.
For example, ``custom-queries/java/tests/EmptyThen``.
#. In the new directory, create ``EmptyThen.qlref`` to define the location of ``EmptyThen.ql``.
#. In the new directory, create ``EmptyThen.qlref`` to define the location of ``EmptyThen.ql``.
The path to the query must be specified relative to the root of
the QL pack that contains the query. In this case, the query is in the
top level directory of the QL pack named ``my-custom-queries``,
the CodeQL pack that contains the query. In this case, the query is in the
top level directory of the CodeQL pack named ``my-custom-queries``,
which is declared as a dependency for ``my-query-tests``.
Therefore, ``EmptyThen.qlref`` should simply contain ``EmptyThen.ql``.
@@ -191,7 +192,7 @@ Prepare a query and test files
System.out.println("Empty argument");
}
}
public void good(String arg) {
if (arg.isEmpty()) {
System.out.println("Empty argument");
@@ -211,8 +212,8 @@ When the test runs it:
#. Extracts a CodeQL database from the ``.java`` files stored in the ``EmptyThen`` directory.
#. Compiles the query referenced by the ``EmptyThen.qlref`` file.
If this step fails, it's because the CLI can't find your custom QL pack.
Re-run the command and specify the location of your custom QL pack, for example:
If this step fails, it's because the CLI can't find your custom CodeQL pack.
Re-run the command and specify the location of your custom CodeQL pack, for example:
``codeql test run --search-path=java java/tests/EmptyThen``
@@ -234,14 +235,14 @@ CodeQL generates the following files in the ``EmptyThen`` directory:
When tests complete successfully, this database is deleted in a housekeeping step.
You can override this step by running ``test run`` with the ``--keep-databases`` option.
In this case, the failure was expected and is easy to fix.
In this case, the failure was expected and is easy to fix.
If you open the ``EmptyThen.actual`` file, you can see the results of the test:
.. code-block:: none
| Test.java:3:5:3:22 | stmt | This if statement has an empty then. |
This file contains a table, with a column for the location of the result,
This file contains a table, with a column for the location of the result,
along with separate columns for each part of the ``select`` clause the query outputs.
Since the results are what we expected, we can update the file extension to define
this as the expected result for this test (``EmptyThen.expected``).
@@ -252,17 +253,17 @@ If you rerun the test now, the output will be similar but it will finish by repo
If the results of the query change, for example, if you revise the ``select`` statement for the query,
the test will fail. For failed results, the CLI output includes a unified diff of the
``EmptyThen.expected`` and ``EmptyThen.actual`` files.
This information may be sufficient to debug trivial test failures.
This information may be sufficient to debug trivial test failures.
For failures that are harder to debug, you can import ``EmptyThen.testproj``
into CodeQL for VS Code, execute ``EmptyThen.ql``, and view the results in the
``Test.java`` example code. For more information, see ":ref:`Analyzing your projects
<analyzing-your-projects>`" in the CodeQL for VS Code
help.
help.
Further reading
---------------
- ":ref:`CodeQL queries
<codeql-queries>`"
- ":ref:`Testing CodeQL queries in Visual Studio Code <testing-codeql-queries-in-visual-studio-code>`"
- ":ref:`Testing CodeQL queries in Visual Studio Code <testing-codeql-queries-in-visual-studio-code>`"

42
docs/codeql/codeql-cli/testing-query-help-files.rst
View File

@@ -3,7 +3,7 @@
Testing query help files
========================
Test query help files by rendering them as markdown to ensure they are valid
Test query help files by rendering them as markdown to ensure they are valid
before uploading them to the CodeQL repository or using them in code scanning.
Query help is documentation that accompanies a query to explain how the query works,
@@ -12,46 +12,46 @@ It is good practice to write query help for all new queries. For more informatio
see `Contributing to CodeQL <https://github.com/github/codeql/blob/main/CONTRIBUTING.md>`__
in the CodeQL repository.
The CodeQL CLI includes a command to test query help and render the content as
markdown, so that you can easily preview the content in your IDE. Use the command to validate
query help files before uploading them to the CodeQL repository or sharing them with other users.
From CodeQL CLI 2.7.1 onwards, you can also include the markdown-rendered query help in SARIF files
generated during CodeQL analyses so that the query help can be displayed in the code scanning UI.
For more information, see
The CodeQL CLI includes a command to test query help and render the content as
markdown, so that you can easily preview the content in your IDE. Use the command to validate
query help files before uploading them to the CodeQL repository or sharing them with other users.
From CodeQL CLI 2.7.1 onwards, you can also include the markdown-rendered query help in SARIF files
generated during CodeQL analyses so that the query help can be displayed in the code scanning UI.
For more information, see
":ref:`Analyzing databases with the CodeQL CLI <including-query-help-for-custom-codeql-queries-in-sarif-files>`."
Prerequisites
-------------
- The query help (``.qhelp``) file must have an accompanying query (``.ql``) file with
- The query help (``.qhelp``) file must have an accompanying query (``.ql``) file with
an identical base name.
- The query help file should follow the standard structure and style for query help documentation.
For more information, see the `Query help style guide <https://github.com/github/codeql/blob/main/docs/query-help-style-guide.md>`__
in the CodeQL repository.
For more information, see the `Query help style guide <https://github.com/github/codeql/blob/main/docs/query-help-style-guide.md>`__
in the CodeQL repository.
Running ``codeql generate query-help``
--------------------------------------
You can test query help files by running the following command::
codeql generate query-help <qhelp|query|dir|suite> --format=<format> [--output=<dir|file>]
codeql generate query-help <qhelp|query|dir|suite> --format=<format> [--output=<dir|file>]
where ``<qhelp|query|dir|suite>`` is one of:
- the path to a ``.qhelp`` file.
- the path to a ``.ql`` file.
- the path to a directory containing queries and query help files.
- the path to a query suite, or the name of a well-known query suite for a QL pack.
- the path to a query suite, or the name of a well-known query suite for a CodeQL pack.
For more information, see "`Creating CodeQL query suites <https://codeql.github.com/docs/codeql-cli/creating-codeql-query-suites#specifying-well-known-query-suites>`__."
You must specify a ``--format`` option, which defines how the query help is rendered.
Currently, you must specify ``markdown`` to render the query help as markdown.
You must specify a ``--format`` option, which defines how the query help is rendered.
Currently, you must specify ``markdown`` to render the query help as markdown.
The ``--output`` option defines a file path where the rendered query help will be saved.
- For directories containing ``.qhelp`` files or a query suites
defining one or more ``.qhelp`` files, you must specify an ``--output`` directory.
Filenames within the output directory will be derived from the ``.qhelp`` file names.
- For directories containing ``.qhelp`` files or a query suites
defining one or more ``.qhelp`` files, you must specify an ``--output`` directory.
Filenames within the output directory will be derived from the ``.qhelp`` file names.
- For single ``.qhelp`` or ``.ql`` files, you may specify an ``--output`` option.
If you don't specify an output path, the rendered query help is written to ``stdout``.
@@ -63,15 +63,15 @@ see the `generate query-help reference documentation
Results
-------
When you run the command, CodeQL attempts to render
When you run the command, CodeQL attempts to render
each ``.qhelp`` file that has an accompanying ``.ql`` file. For single files, the rendered
content will be printed to ``stdout`` if you don't specify an ``--output`` option. For all other
use cases, the rendered content is saved to the specified output path.
content will be printed to ``stdout`` if you don't specify an ``--output`` option. For all other
use cases, the rendered content is saved to the specified output path.
By default, the CodeQL CLI will print a warning message if:
- Any of the query help is invalid, along with a description of the invalid query help elements
- Any ``.qhelp`` files specified in the command don't have the same base name
- Any ``.qhelp`` files specified in the command don't have the same base name
as an accompanying ``.ql`` file
- Any ``.ql`` files specified in the command don't have the same base name
as an accompanying ``.qhelp`` file

19
docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst
View File

@@ -54,23 +54,20 @@ Packaging custom QL queries
.. include:: ../reusables/beta-note-package-management.rst
When you write your own queries, you should save them in a custom QL pack
directory. When you are ready to share your queries with other users, you can publish the pack as a CodeQL pack to GitHub Packages - the GitHub Container registry.
When you write your own queries with the intention to share them with others, you should
save them in a custom CodeQL pack. You can publish the pack as a CodeQL pack to GitHub
Packages - the GitHub Container registry. For further information see
":ref:`About CodeQL packs <about-codeql-packs>`."
QL packs organize the files used in CodeQL analysis and can store queries,
CodeQL packs organize the files used in CodeQL analysis and can store queries,
library files, query suites, and important metadata. Their root directory must
contain a file named ``qlpack.yml``. Your custom queries should be saved in the
QL pack root, or its subdirectories.
CodeQL pack root, or its subdirectories.
For each QL pack, the ``qlpack.yml`` file includes information that tells CodeQL
For each CodeQL pack, the ``qlpack.yml`` file includes information that tells the CodeQL CLI
how to compile the queries, which other CodeQL packs and libraries the pack
depends on, and where to find query suite definitions. For more information
about what to include in this file, see ":ref:`About QL packs <about-ql-packs>`."
CodeQL packages are used to create, share, depend on, and run CodeQL queries and
libraries. You can publish your own CodeQL packages and download ones created by
others via the the Container registry. For further information see
":ref:`About CodeQL packs <about-codeql-packs>`."
about what to include in this file, see ":ref:`About CodeQL packs <codeqlpack-yml-properties>`."
Contributing to the CodeQL repository
-------------------------------------