hohn/codeql

mirror of https://github.com/github/codeql.git synced 2026-02-07 10:41:06 +01:00

Go to file

Erik Krogh Kristensen a0bf13007c remove codeql-ruby sources

2021-11-18 14:15:19 +01:00

More cleanup

2021-05-26 13:25:43 +02:00

.github/workflows

Update bleeding-codeql-analysis.yml

2021-10-18 21:51:56 +02:00

Initial commit

2021-05-26 11:32:30 +02:00

Upgrade the extractor generator

2021-10-15 09:16:34 +00:00

Upgrade the extractor generator

2021-10-15 09:16:34 +00:00

Upgrade the extractor generator

2021-10-15 09:16:34 +00:00

rename "use matches" query, and refactor into Query.qll

2021-11-18 13:05:41 +01:00

remove codeql-ruby sources

2021-11-18 14:15:19 +01:00

Initial commit

2021-05-26 11:32:30 +02:00

Also update qltest.cmd

2021-10-15 09:34:14 +00:00

.codeqlmanifest.json

Initial commit

2021-05-26 11:32:30 +02:00

.gitattributes

Initial commit

2021-05-26 11:32:30 +02:00

.gitignore

Add work folder to gitignore.

2021-10-13 08:28:27 +00:00

Cargo.lock

Upgrade the extractor generator

2021-10-15 09:16:34 +00:00

Cargo.toml

Initial commit

2021-05-26 11:32:30 +02:00

codeql-extractor.yml

fix qlpack version string

2021-10-12 11:01:18 +00:00

create-extractor-pack.ps1

Fix create-extractor-pack.ps1

2021-10-20 13:17:22 +01:00

create-extractor-pack.sh

Upgrade the extractor generator

2021-10-15 09:16:34 +00:00

README.md

Update readme with alerts and actions information

2021-10-19 07:58:22 +02:00

README.md

QL analysis support for CodeQL

Part of the May 2021 code scanning hackathon.
Part of the October 2021 code scanning hackathon.

Under development.

Viewing the alerts from github/codeql and github/codeql-go

TLDR: View https://github.com/github/codeql-ql/security/code-scanning?query=branch%3Anightly-changes-alerts periodically.

The nightly-changes-alerts branch contains nightly snapshots of QL related code from github/codeql and github/codeql-go. The corresponding code-scanning alerts are from the default query suite.

The branch and alerts are updated every night by the nightly-changes.yml workflow.

Ideally, the scans would happen automatically as part of the PRs. That requires more coordination, and is tracked here: https://github.com/github/codeql-coreql-team/issues/1669.

Building the tools from source

Install Rust (if using VSCode, you may also want the rust-analyzer extension), then run:

cargo build --release

Generating the database schema and QL library

The generated ql/src/ql.dbscheme and ql/src/codeql_ql/ast/internal/TreeSitter.qll files are included in the repository, but they can be re-generated as follows:

./create-extractor-pack.sh

Building a CodeQL database for a QL program

First, get an extractor pack:

Run ./create-extractor-pack.sh (Linux/Mac) or .\create-extractor-pack.ps1 (Windows PowerShell) and the pack will be created in the extractor-pack directory.

Then run

codeql database create <database-path> -l ql -s <project-source-path> --search-path <extractor-pack-path>

Running qltests

Run

codeql test run <test-path> --search-path <repository-root-path>

GitHub Actions

In addition to the above nightly scans of the known CodeQL repositories, the following Actions are of particular interest:

bleeding-codeql-analysis.yml
- runs on all PRs, displays how alerts for the known CodeQL repositories change as consequence of the PR
- the code from the known CodeQL repositories should be updated occasionally by running repo-tests/import-repositories.sh locally, and creating a PR.
- produces an artifact built ql database in
build.yml
- produces an artifact with the ql extractor and the ql query pack in

Languages

CodeQL 32.3%

Kotlin 27.5%

C# 17.1%

Java 7.7%

Python 4.6%

Other 10.6%