hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

QL: update the readme

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2021-12-14 17:39:52 +01:00
parent dc9187778b
commit d89c41bae4
1 changed files with 10 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
ql/README.md
View File

@@ -1,19 +1,10 @@
# QL analysis support for CodeQL # CodeQL for CodeQL
- *Part of the May 2021 [code scanning hackathon](https://github.com/github/code-scanning-hackathon/issues/3).* CodeQL for CodeQL analyses QL code to find some common bug patterns.
- *Part of the October 2021 [code scanning hackathon](https://github.com/github/code-scanning-hackathon/issues/61).* This analysis is mostly used as a PR check in [`github/codeql`](https://github.com/github/codeql).
CodeQL for CodeQL is experimental technology and not a supported product
Under development. Some setup is required to use CodeQL for CodeQL (see the below sections).
## Viewing the alerts from github/codeql and github/codeql-go
**TLDR: View https://github.com/github/codeql-ql/security/code-scanning?query=branch%3Anightly-changes-alerts periodically.**
The [`nightly-changes-alerts` branch](https://github.com/github/codeql-ql/tree/nightly-changes-alerts) contains nightly snapshots of QL related code from [github/codeql](https://github.com/github/codeql) and [github/codeql-go](https://github.com/github/codeql-go). The corresponding [code-scanning alerts](https://github.com/github/codeql-ql/security/code-scanning?query=branch%3Anightly-changes-alerts) are from the [default query suite](https://github.com/github/codeql-ql/blob/main/ql/src/codeql-suites/ql-code-scanning.qls).
The branch and alerts are updated every night by the [`nightly-changes.yml` workflow](https://github.com/github/codeql-ql/actions/workflows/nightly-changes.yml).
Ideally, the scans would happen automatically as part of the PRs. That requires more coordination, and is tracked here: https://github.com/github/codeql-coreql-team/issues/1669.
## Building the tools from source ## Building the tools from source
@@ -43,6 +34,11 @@ Then run
codeql database create <database-path> -l ql -s <project-source-path> --search-path <extractor-pack-path> codeql database create <database-path> -l ql -s <project-source-path> --search-path <extractor-pack-path>
``` ```
CodeQL can be configured to remember the extractor by setting the config file `~/.config/codeql/config` to:
```bash
--search-path /full/path/to/extractor-pack
```
## Running qltests ## Running qltests
Run Run
@@ -50,15 +46,3 @@ Run
```bash ```bash
codeql test run <test-path> --search-path <repository-root-path> codeql test run <test-path> --search-path <repository-root-path>
``` ```
## GitHub Actions
In addition to the above nightly scans of the known CodeQL repositories, the following Actions are of particular interest:
- [`bleeding-codeql-analysis.yml`](https://github.com/github/codeql-ql/actions/workflows/bleeding-codeql-analysis.yml)
- runs on all PRs, displays how alerts for the known CodeQL repositories change as consequence of the PR
- the code from the known CodeQL repositories should be updated occasionally by running [`repo-tests/import-repositories.sh`](https://github.com/github/codeql-ql/blob/main/repo-tests/import-repositories.sh) locally, and creating a PR.
- produces an artifact built `ql` database in
- [`build.yml`](https://github.com/github/codeql-ql/actions/workflows/build.yml)
- produces an artifact with the `ql` extractor and the `ql` query pack in