diff --git a/docs/codeql/_templates/layout.html b/docs/codeql/_templates/layout.html index 46ce61398f9..e9edb6a3164 100644 --- a/docs/codeql/_templates/layout.html +++ b/docs/codeql/_templates/layout.html @@ -38,7 +38,7 @@ {%- block content %}
- + - {{ project }} + CodeQL documentation
- - - -
+
@@ -69,20 +61,30 @@
+
+
+ +

CodeQL documentation

+

Discover vulnerabilities across a codebase with CodeQL, our industry-leading semantic code + analysis + engine. CodeQL lets you query code as though it were data. Write a query to find all variants of a + vulnerability, eradicating it forever. Then share your query to help others do the same.

+
+
+
+ +
+

+ CodeQL overview +

+
+
+
+ Learn more about how CodeQL works, the languages and libraries supported by CodeQL analysis, and the tools you can use to run CodeQL on open source projects. +
+
+
+ +
+ GitHub provides the CodeQL command-line interface and CodeQL for Visual Studio Code for performing + CodeQL analysis on open source codebases. +
+
+
+ +
+ You can use code scanning with CodeQL to analyze the code in a GitHub repository to find security + vulnerabilities and coding errors. Any problems identified by the analysis are shown in GitHub +
+
+
+
+
+
+ +

+ CodeQL guides +

+ +
+
+ Learn more about CodeQL queries in Writing CodeQL queries and find information about writing queries to analyze specific languages in the CodeQL language guides. +
+
+
+
+

+ CodeQL reference documentation +

+
+ +
+ Finds details of the predicates, modules, and classes included with CodeQL in the CodeQL standard libraries and explore the documentation for the CodeQL queries in the CodeQL query help. +
+
+
+ +
+

+ QL language reference +

+
+
+
+ Learn all about QL, the powerful query language that underlies the code scanning tool CodeQL. +
+
+
+
+ + + diff --git a/docs/codeql/ql-language-reference/expressions.rst b/docs/codeql/ql-language-reference/expressions.rst index 5b9e67f415f..2bd89d8ab8d 100644 --- a/docs/codeql/ql-language-reference/expressions.rst +++ b/docs/codeql/ql-language-reference/expressions.rst @@ -636,7 +636,7 @@ is exactly equivalent to ``((Foo)x)``. Casts are useful if you want to call a :ref:`member predicate ` that is only defined for a more specific type. For example, the following query selects Java -`classes `_ +`classes `_ that have a direct supertype called "List":: import java diff --git a/docs/codeql/ql-training/cpp/bad-overflow-guard.rst b/docs/codeql/ql-training/cpp/bad-overflow-guard.rst index 0630bdcb039..b0d892a3a48 100644 --- a/docs/codeql/ql-training/cpp/bad-overflow-guard.rst +++ b/docs/codeql/ql-training/cpp/bad-overflow-guard.rst @@ -149,7 +149,7 @@ Let’s look for overflow guards of the form ``v + b < v``, using the classes - a ``RelationalOperation``: the overflow comparison check. - a ``Variable``: used as an argument to both the addition and comparison. - - The ``where`` part of the query ties these three variables together using `predicates `__ defined in the `standard CodeQL for C/C++ library `__. + - The ``where`` part of the query ties these three variables together using `predicates `__ defined in the `standard CodeQL for C/C++ library `__. CodeQL query: bad overflow guards ================================= diff --git a/docs/codeql/ql-training/cpp/control-flow-cpp.rst b/docs/codeql/ql-training/cpp/control-flow-cpp.rst index 64c34b46328..fe478bd4edc 100644 --- a/docs/codeql/ql-training/cpp/control-flow-cpp.rst +++ b/docs/codeql/ql-training/cpp/control-flow-cpp.rst @@ -223,7 +223,7 @@ Further materials ================= - CodeQL for C/C++: https://help.semmle.com/QL/learn-ql/ql/cpp/ql-for-cpp.html -- API reference: https://help.semmle.com/qldoc/cpp +- API reference: https://codeql.github.com/codeql-standard-libraries/cpp .. rst-class:: end-slide 
diff --git a/docs/codeql/ql-training/cpp/data-flow-cpp.rst b/docs/codeql/ql-training/cpp/data-flow-cpp.rst index 9d2f29863c9..855ccb40ccb 100644 --- a/docs/codeql/ql-training/cpp/data-flow-cpp.rst +++ b/docs/codeql/ql-training/cpp/data-flow-cpp.rst @@ -84,7 +84,7 @@ Write a query that flags ``printf`` calls where the format argument is not a ``S This first query is about finding places where the format specifier is not a constant string. In the CodeQL libraries for C/C++, constant strings are modeled as ``StringLiteral`` nodes, so we are looking for calls to format functions where the format specifier argument is not a string literal. - The `C/C++ standard libraries `__ include many different formatting functions that may be vulnerable to this particular attack–including ``printf``, ``snprintf``, and others. Furthermore, each of these different formatting functions may include the format string in a different position in the argument list. Instead of laboriously listing all these different variants, we can make use of the standard CodeQL class ``FormattingFunction``, which provides an interface that models common formatting functions in C/C++. + The `C/C++ standard libraries `__ include many different formatting functions that may be vulnerable to this particular attack–including ``printf``, ``snprintf``, and others. Furthermore, each of these different formatting functions may include the format string in a different position in the argument list. Instead of laboriously listing all these different variants, we can make use of the standard CodeQL class ``FormattingFunction``, which provides an interface that models common formatting functions in C/C++. Meh... ====== diff --git a/docs/codeql/ql-training/cpp/intro-ql-cpp.rst b/docs/codeql/ql-training/cpp/intro-ql-cpp.rst index aa8e8cfa72b..4753aa4a493 100644 --- a/docs/codeql/ql-training/cpp/intro-ql-cpp.rst +++ b/docs/codeql/ql-training/cpp/intro-ql-cpp.rst 
@@ -70,7 +70,7 @@ A simple CodeQL query A `query `__ consists of a “select” clause that indicates what results should be returned. Typically it will also provide a “from” clause to declare some variables, and a “where” clause to state conditions over those variables. For more information on the structure of query files (including links to useful topics in the `QL language reference `__), see `About CodeQL queries `__. - In our example here, the first line of the query imports the `CodeQL library for C/C++ `__, which defines concepts like ``IfStmt`` and ``Block``. + In our example here, the first line of the query imports the `CodeQL library for C/C++ `__, which defines concepts like ``IfStmt`` and ``Block``. The query proper starts by declaring two variables–ifStmt and block. These variables represent sets of values in the database, according to the type of each of the variables. For example, ifStmt has the type IfStmt, which means it represents the set of all if statements in the program. If we simply selected these two variables:: diff --git a/docs/codeql/ql-training/java/intro-ql-java.rst b/docs/codeql/ql-training/java/intro-ql-java.rst index 0398ffe205d..fb415d078bc 100644 --- a/docs/codeql/ql-training/java/intro-ql-java.rst +++ b/docs/codeql/ql-training/java/intro-ql-java.rst 
@@ -70,7 +70,7 @@ A simple CodeQL query A `query `__ consists of a “select” clause that indicates what results should be returned. Typically it will also provide a “from” clause to declare some variables, and a “where” clause to state conditions over those variables. For more information on the structure of query files (including links to useful topics in the `QL language reference `__), see `About CodeQL queries `__. - In our example here, the first line of the query imports the `CodeQL library for Java `__, which defines concepts like ``IfStmt`` and ``Block``. + In our example here, the first line of the query imports the `CodeQL library for Java `__, which defines concepts like ``IfStmt`` and ``Block``. The query proper starts by declaring two variables–ifStmt and block. These variables represent sets of values in the database, according to the type of each of the variables. For example, ``ifStmt`` has the type ``IfStmt``, which means it represents the set of all if statements in the program. If we simply selected these two variables:: diff --git a/docs/codeql/ql-training/java/query-injection-java.rst b/docs/codeql/ql-training/java/query-injection-java.rst index ce215069b8d..92e0930d9bf 100644 --- a/docs/codeql/ql-training/java/query-injection-java.rst +++ b/docs/codeql/ql-training/java/query-injection-java.rst @@ -84,7 +84,7 @@ Let’s start by looking for calls to methods with names of the form ``sparql*Qu - a ``MethodAccess``: the call to a SPARQL query method - a ``Method``: the SPARQL query method. - - The ``where`` part of the query ties these variables together using `predicates `__ defined in the `standard CodeQL library for Java `__. + - The ``where`` part of the query ties these variables together using `predicates `__ defined in the `standard CodeQL library for Java `__. CodeQL query: find string concatenation ======================================= 
diff --git a/docs/codeql/ql-training/slide-snippets/local-data-flow.rst b/docs/codeql/ql-training/slide-snippets/local-data-flow.rst index c660d83d21a..f0d1dfa546f 100644 --- a/docs/codeql/ql-training/slide-snippets/local-data-flow.rst +++ b/docs/codeql/ql-training/slide-snippets/local-data-flow.rst @@ -105,9 +105,9 @@ So all references will need to be qualified (that is, ``DataFlow::Node``) A **query library** is file with the extension ``.qll``. Query libraries do not contain a query clause, but may contain modules, classes, and predicates. For further information on the data flow libraries, see the following links: - - `Java data flow library `__ - - `C/C++ data flow library `__ - - `C# data flow library `__ + - `Java data flow library `__ + - `C/C++ data flow library `__ + - `C# data flow library `__ A **module** is a way of organizing QL code by grouping together related predicates, classes, and (sub-)modules. They can be either explicitly declared or implicit. A query library implicitly declares a module with the same name as the QLL file. @@ -155,6 +155,6 @@ Taint tracking The taint-tracking API is almost identical to that of the local data flow. All we need to do to switch to taint tracking is ``import semmle.code..dataflow.TaintTracking`` instead of ``semmle.code..dataflow.DataFlow``, and instead of using ``localFlow``, we use ``localTaint``. - - `Java taint-tracking library `__ - - `C/C++ taint-tracking library `__ - - `C# taint-tracking library `__ + - `Java taint-tracking library `__ + - `C/C++ taint-tracking library `__ + - `C# taint-tracking library `__ diff --git a/docs/codeql/reusables/advanced-query-execution.rst b/docs/codeql/reusables/advanced-query-execution.rst index 0519939f0d9..7162b2042e6 100644 --- a/docs/codeql/reusables/advanced-query-execution.rst +++ b/docs/codeql/reusables/advanced-query-execution.rst 
@@ -4,15 +4,15 @@ `. You can also execute queries using the following plumbing-level subcommands: - - `database run-queries <../codeql-cli-manual/database-run-queries.html>`__, which + - `database run-queries <../manual/database-run-queries>`__, which outputs non-interpreted results in an intermediate binary format called :ref:`BQRS `. - - `query run <../codeql-cli-manual/query-run.html>`__, which will output BQRS files, or print + - `query run <../manual/query-run>`__, which will output BQRS files, or print results tables directly to the command line. Viewing results directly in the command line may be useful for iterative query development using the CLI. Queries run with these commands don't have the same metadata requirements. However, to save human-readable data you have to process each BQRS results - file using the `bqrs decode <../codeql-cli-manual/bqrs-decode.html>`__ plumbing + file using the `bqrs decode <../manual/bqrs-decode>`__ plumbing subcommand. Therefore, for most use cases it's easiest to use ``database analyze`` to directly generate interpreted results. \ No newline at end of file diff --git a/docs/codeql/reusables/cpp-further-reading.rst b/docs/codeql/reusables/cpp-further-reading.rst index 5cd69858578..a288bc710cf 100644 --- a/docs/codeql/reusables/cpp-further-reading.rst +++ b/docs/codeql/reusables/cpp-further-reading.rst @@ -1,4 +1,4 @@ - `CodeQL queries for C and C++ `__ - `Example queries for C and C++ `__ -- `CodeQL library reference for C and C++ `__ +- `CodeQL library reference for C and C++ `__ diff --git a/docs/codeql/reusables/csharp-further-reading.rst b/docs/codeql/reusables/csharp-further-reading.rst index 1b5cb7754c0..40c1bced4c7 100644 --- a/docs/codeql/reusables/csharp-further-reading.rst +++ b/docs/codeql/reusables/csharp-further-reading.rst @@ -1,4 +1,4 @@ - `CodeQL queries for C# `__ - `Example queries for C# `__ -- `CodeQL library reference for C# `__ +- `CodeQL library reference for C# `__ 
diff --git a/docs/codeql/reusables/go-further-reading.rst b/docs/codeql/reusables/go-further-reading.rst index 59f3625bc42..275d3c85c3e 100644 --- a/docs/codeql/reusables/go-further-reading.rst +++ b/docs/codeql/reusables/go-further-reading.rst @@ -1,3 +1,3 @@ - `CodeQL queries for Go `__ - `Example queries for Go `__ -- `CodeQL library reference for Go `__ +- `CodeQL library reference for Go `__ diff --git a/docs/codeql/reusables/java-further-reading.rst b/docs/codeql/reusables/java-further-reading.rst index 4f94a78099b..cde17dbfa1c 100644 --- a/docs/codeql/reusables/java-further-reading.rst +++ b/docs/codeql/reusables/java-further-reading.rst @@ -1,4 +1,4 @@ - `CodeQL queries for Java `__ - `Example queries for Java `__ -- `CodeQL library reference for Java `__ +- `CodeQL library reference for Java `__ diff --git a/docs/codeql/reusables/javascript-further-reading.rst b/docs/codeql/reusables/javascript-further-reading.rst index bda3e058a1b..1e09d193648 100644 --- a/docs/codeql/reusables/javascript-further-reading.rst +++ b/docs/codeql/reusables/javascript-further-reading.rst @@ -1,3 +1,3 @@ - `CodeQL queries for JavaScript `__ - `Example queries for JavaScript `__ -- `CodeQL library reference for JavaScript `__ +- `CodeQL library reference for JavaScript `__ diff --git a/docs/codeql/reusables/python-further-reading.rst b/docs/codeql/reusables/python-further-reading.rst index 7ff521c4abf..eab9644d555 100644 --- a/docs/codeql/reusables/python-further-reading.rst +++ b/docs/codeql/reusables/python-further-reading.rst @@ -1,4 +1,4 @@ - `CodeQL queries for Python `__ - `Example queries for Python `__ -- `CodeQL library reference for Python `__ +- `CodeQL library reference for Python `__ diff --git a/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst b/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst index 2b349c9adf6..7bd3251dd06 100644 --- a/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst 
+++ b/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst @@ -67,7 +67,7 @@ To overcome these potential problems, two kinds of data flow are modeled in the - Global data flow, effectively considers the data flow within an entire program, by calculating data flow between functions and through object properties. Computing global data flow is typically more time and energy intensive than local data flow, therefore queries should be refined to look for more specific sources and sinks. -Many CodeQL queries contain examples of both local and global data flow analysis. See `the built-in queries `__ for details. +Many CodeQL queries contain examples of both local and global data flow analysis. For more information, see `CodeQL query help `__. Normal data flow vs taint tracking ********************************** diff --git a/docs/codeql/writing-codeql-queries/creating-path-queries.rst b/docs/codeql/writing-codeql-queries/creating-path-queries.rst index 74e512d43c1..943fd1275ba 100644 --- a/docs/codeql/writing-codeql-queries/creating-path-queries.rst +++ b/docs/codeql/writing-codeql-queries/creating-path-queries.rst 
@@ -34,13 +34,7 @@ For more language-specific information on analyzing data flow, see: Path query examples ******************* -The easiest way to get started writing your own path query is to modify one of the existing queries. Visit the links below to see all the built-in path queries: - -- `C/C++ path queries `__ -- `C# path queries `__ -- `Java path queries `__ -- `JavaScript path queries `__ -- `Python path queries `__ +The easiest way to get started writing your own path query is to modify one of the existing queries. For more information, see the `CodeQL query help `__. The Security Lab researchers have used path queries to find security vulnerabilities in various open source projects. To see articles describing how these queries were written, as well as other posts describing other aspects of security research such as exploiting vulnerabilities, see the `GitHub Security Lab website `__. 
@@ -120,7 +114,7 @@ For Python, the ``Paths`` module contains the ``edges`` predicate:: import semmle.python.security.Paths -You can also import libraries specifically designed to implement data flow analysis in various common frameworks and environments, and many additional libraries are included with CodeQL. To see examples of the different libraries used in data flow analysis, see the links to the built-in queries above or browse the `standard libraries `__. +You can also import libraries specifically designed to implement data flow analysis in various common frameworks and environments, and many additional libraries are included with CodeQL. To see examples of the different libraries used in data flow analysis, see the links to the built-in queries above or browse the `standard libraries `__. For all languages, you can also optionally define a ``nodes`` query predicate, which specifies the nodes of the path graph that you are interested in. If ``nodes`` is defined, only edges with endpoints defined by these nodes are selected. If ``nodes`` is not defined, you select all possible endpoints of ``edges``. @@ -133,7 +127,7 @@ You can also define your own ``edges`` predicate in the body of your query. It s /** Logical conditions which hold if `(a,b)` is an edge in the data flow graph */ } -For more examples of how to define an ``edges`` predicate, visit the `standard CodeQL libraries `__ and search for ``edges``. +For more examples of how to define an ``edges`` predicate, visit the `standard CodeQL libraries `__ and search for ``edges``. Declaring sources and sinks *************************** 
@@ -159,7 +153,7 @@ If you are querying Python code (and you have used ``import semmle.python.securi from TaintedPathSource source, TaintedPathSink sink -You can extend your query by adding different sources and sinks by either defining them in the query, or by importing predefined sources and sinks for specific frameworks and libraries. See the `Python path queries `__ for further details. +You can extend your query by adding different sources and sinks by either defining them in the query, or by importing predefined sources and sinks for specific frameworks and libraries. For more information, see the `CodeQL query help for Python `__. Defining flow conditions ************************ diff --git a/docs/codeql/writing-codeql-queries/query-help-files.rst b/docs/codeql/writing-codeql-queries/query-help-files.rst index fd0dd7bea4f..093915d050b 100644 --- a/docs/codeql/writing-codeql-queries/query-help-files.rst +++ b/docs/codeql/writing-codeql-queries/query-help-files.rst @@ -13,7 +13,7 @@ For more information about how to write useful query help in a style that is con Note - You can access the query help for CodeQL queries by visiting the `Built-in query pages `__. + You can access the query help for CodeQL queries by visiting `CodeQL query help `__. You can also access the raw query help files in the `GitHub repository `__. For example, see the `JavaScript security queries `__ and `C/C++ critical queries `__.
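Review bot: in the layout.html hunk at @@ -38,7 +38,7 @@, the page title is changed from the Sphinx template variable `{{ project }}` to the literal string `CodeQL documentation`, so the template no longer follows the `project` value from `conf.py` and will show the wrong title if the docs build is reused for another project or the name changes. If the intent is only to pick a nicer display name, set `project = "CodeQL documentation"` in the Sphinx configuration and keep `{{ project }}` in the template; if the hardcoded string is deliberate, add a short template comment saying so.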
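Review bot: the landing-page copy added in the layout.html hunk at @@ -69,20 +61,30 @@ has a sentence cut off mid-thought: "Any problems identified by the analysis are shown in GitHub" ends without a period or a destination (the sentence presumably continues, for example with where in the repository the alerts appear). In the same hunk, "Finds details of the predicates, modules, and classes included with CodeQL" should read "Find details ..." to match the imperative style of the neighbouring blurbs ("Learn more ...", "Discover ..."). Finally, "Write a query to find all variants of a vulnerability, eradicating it forever" overstates what a static-analysis query delivers; a query finds the variants its model covers and the fix is still up to the maintainers, so something like "Write a query to find all variants of a vulnerability and share it so others can find them too" would be more defensible on a documentation page.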
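Review bot: the control-flow-cpp.rst hunk at @@ -223,7 +223,7 @@ moves the API reference link to `https://codeql.github.com/codeql-standard-libraries/cpp` but leaves the line directly above it, `- CodeQL for C/C++: https://help.semmle.com/QL/learn-ql/ql/cpp/ql-for-cpp.html`, on the old host. If this PR is the migration away from help.semmle.com, that link should be updated in the same change (or the commit should state that help.semmle.com will keep serving that page), otherwise the "Further materials" slide will point at one live and one retired site.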
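Review bot: the replacement line in the data-flow-cpp.rst hunk at @@ -84,7 +84,7 @@ keeps the unspaced en dash in "vulnerable to this particular attack–including ``printf``", which renders as a single run-together word in most fonts. Since the line is being rewritten anyway, change it to "this particular attack, including ``printf``" (or use a spaced dash consistently with the rest of the training material).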
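Review bot: the advanced-query-execution.rst hunk at @@ -4,15 +4,15 @@ changes the three CLI links from `<../codeql-cli-manual/database-run-queries.html>` style targets to `<../manual/database-run-queries>`, dropping both the directory name and the `.html` suffix. Extensionless targets only resolve if the publishing site rewrites them; a plain Sphinx HTML build (and a local preview) will emit a 404 for `../manual/bqrs-decode` unless `html_file_suffix` is set or the links are written as `:doc:` / `:ref:` roles instead of raw relative URLs. Please confirm the new paths resolve in a local build, and while touching this file, add the missing trailing newline flagged by "\ No newline at end of file".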
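Review bot: the creating-path-queries.rst hunk at @@ -34,13 +34,7 @@ collapses the five per-language lists of built-in path queries (C/C++, C#, Java, JavaScript, Python) into one generic "CodeQL query help" link, so readers lose the direct jump to path queries for their language and now have to find them on the query help site themselves. If the new site has per-language sections, keep a short list with one link per language; otherwise say how to filter to path queries there.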
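Review bot: the creating-path-queries.rst hunk at @@ -120,7 +114,7 @@ still says "see the links to the built-in queries above or browse the `standard libraries`", but the earlier hunk in the same file (@@ -34,13 +34,7 @@) deletes those per-language links, so "the links to the built-in queries above" now refers to nothing. Reword to point at the query help link that replaced them, for example "see the CodeQL query help or browse the standard libraries".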