mirror of
https://github.com/github/codeql.git
synced 2026-05-05 21:55:19 +02:00
038bc832a7
As part of adding support for threat-models to Python/JS (see https://github.com/github/codeql/pull/17203), we ran into some trouble with name clashes. Naming in existing languages supporting threat-models: - `SourceNode` (for QL only modeling) - `ThreatModelFlowSource` (for active sources from QL or data-extensions) However, since we use `LocalSourceNode` in Python, and `SourceNode` in JS (for local source nodes), it seems a bit confusing to follow the same naming convention as other languages, and we had to come up with new names. Initially I used `ThreatModelSource` for the "QL only modeling", but that meant that we needed a new name to represent the active sources coming from either QL or data-extensions... for this I came up with `ActiveThreatModelSource`, and I really liked it. To me, it's much clearer that this class only contains the currently active threat model sources. So to align languages, I got approval from @michaelnebel to rename the existing classes.
Go analysis support for CodeQL
This sub-folder contains the extractor, CodeQL libraries, and queries that power Go support for CodeQL.
It contains two major components:
- an extractor, itself written in Go, that parses Go source code and converts it into a database that can be queried using CodeQL.
- static analysis libraries and queries written in CodeQL that can be used to analyze such a database to find coding mistakes or security vulnerabilities.
Usage
To analyze a Go codebase, either use the CodeQL command-line interface to create a database yourself, or download a pre-built database from GitHub.com. You can then run any of the queries contained in this repository either on the command line or using the VS Code extension.
Contributions
Contributions are welcome! Please see our contribution guidelines and our code of conduct for details on how to participate in our community.
Licensing
The code in this repository is licensed under the MIT license.