gh-mrva/README.org
2025-07-28 19:58:39 -07:00

Using MRVA

This repository has several additions to illustrate a full MRVA workflow.

Set up controller repo

Following the instructions, start by manually creating the controller repository:

  gh repo create mirva-controller --public -d 'Controller for MRVA'

This avoids the error

  An error occurred while setting up the controller repository: Controller
  repository "hohn/mirva-controller" not found.

Populate the controller repository

  mkdir -p ~/local/mirva-controller && cd ~/local/mirva-controller
  echo "* mirva-controller" >> README.org
  git init
  git add README.org
  git commit -m "first commit"
  git branch -M master
  git remote add origin git@github.com:hohn/mirva-controller.git
  git push -u origin master

This avoids the error

  Variant analysis failed because the controller repository hohn/mirva-controller
  does not have a branch 'master'. Please create a 'master' branch by clicking here
  and re-run the variant analysis query.

Use the codeql extension to run MRVA

Following the instructions and running ./FlatBuffersFunc.ql, the entries

  1. google/flatbuffers
  2. psycopg/psycopg2

each have one result. The other repositories have none.

Use custom list with target repos in VS Code

The JSON file is here:

/Users/hohn/Library/Application Support/Code/User/workspaceStorage/bced2e4aa1a5f78ca07cf9e09151b1af/GitHub.vscode-codeql/databases.json

It can be edited in VS Code using the {} button.

It's saved in the workspace, but not in the current git repository.

Here are two snapshots for reference and copy/paste:

  {
      "version": 1,
      "databases": {
          "variantAnalysis": {
              "repositoryLists": [
                  {
                      "name": "mirva-list",
                      "repositories": [
                          "google/flatbuffers",
                          "psycopg/psycopg2"
                      ]
                  }
              ],
              "owners": [],
              "repositories": []
          }
      },
      "selected": {
          "kind": "variantAnalysisUserDefinedList",
          "listName": "mirva-list"
      }
  }

or

  {
      "version": 1,
      "databases": {
          "variantAnalysis": {
              "repositoryLists": [
                  {
                      "name": "mirva-list",
                      "repositories": [
                          "google/flatbuffers"
                      ]
                  }
              ],
              "owners": [],
              "repositories": []
          }
      },
      "selected": {
          "kind": "variantAnalysisUserDefinedList",
          "listName": "mirva-list"
      }
  }

Select the custom list in the variant analysis repositories tab, then in FlatBuffersFunc.ql, right click > run variant analysis.
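An added example, not part of gh-mrva or this repository: a small Python check that resolves the list name passed to `--list` against the databases.json format shown above, so that a missing list name or an entry that is not in `owner/name` form is caught before a job is submitted. The sample JSON inside is constructed from the first snapshot above; the function names are my own.

```python
import json
import re
from typing import List, Optional

# GitHub "owner/name" (NWO) form, which is what the repository lists must contain.
NWO_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?/[A-Za-z0-9._-]+$")

# Constructed sample in the databases.json format shown above (first snapshot).
SAMPLE_DATABASES_JSON = """
{
  "version": 1,
  "databases": {
    "variantAnalysis": {
      "repositoryLists": [
        {"name": "mirva-list",
         "repositories": ["google/flatbuffers", "psycopg/psycopg2"]}
      ],
      "owners": [],
      "repositories": []
    }
  },
  "selected": {"kind": "variantAnalysisUserDefinedList", "listName": "mirva-list"}
}
"""


def repos_for_list(databases_json: str, list_name: str) -> List[str]:
    """Resolve the list named with --list; fail early on a missing list or a bad entry."""
    doc = json.loads(databases_json)
    lists = doc["databases"]["variantAnalysis"]["repositoryLists"]
    by_name = {entry["name"]: entry["repositories"] for entry in lists}
    if list_name not in by_name:
        raise KeyError(f"list {list_name!r} not found; available: {sorted(by_name)}")
    bad = [r for r in by_name[list_name] if not NWO_RE.match(r)]
    if bad:
        raise ValueError(f"entries not in owner/name form: {bad}")
    # A repository listed twice would be analysed twice; keep the first occurrence only.
    return list(dict.fromkeys(by_name[list_name]))


def selected_list(databases_json: str) -> Optional[str]:
    """Name of the list currently selected in VS Code, if it is a user-defined list."""
    sel = json.loads(databases_json).get("selected", {})
    if sel.get("kind") != "variantAnalysisUserDefinedList":
        return None
    return sel.get("listName")


if __name__ == "__main__":
    print(selected_list(SAMPLE_DATABASES_JSON), repos_for_list(SAMPLE_DATABASES_JSON, "mirva-list"))
```

To check the real file, read the path given in the `list_file` config option and pass its contents to `repos_for_list` with the same name you give to `--list`.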

Run MRVA from command line

  1. Install the mrva CLI

      cd ~/local/gh-mrva
      # Build it
      go mod edit -replace="github.com/GitHubSecurityLab/gh-mrva=/Users/hohn/local/gh-mrva"
    
      go build .
    
      # Install 
      gh extension remove mrva
      gh extension install .
    
      # Sanity check
      gh mrva -h
  2. Set up the configuration

      cd ~/local/gh-mrva
    
      cat > ~/.config/gh-mrva/config.yml <<eof
      # The following options are supported
      # codeql_path: Path to CodeQL distribution (checkout of codeql repo)
      # controller: NWO of the MRVA controller to use
      # list_file: Path to the JSON file containing the target repos
    
      # git checkout codeql-cli/v2.15.5
      codeql_path: /Users/hohn/local/codeql-lib
      controller: hohn/mirva-controller
      list_file: /Users/hohn/work-gh/mrva/gh-mrva/mirva-list-databases.json
    
      eof
  3. Submit the MRVA job

      cd ~/work-gh/mrva/gh-mrva/
      ./gh-mrva submit --language cpp --session mirva-session-200 \
         --list mirva-list                                       \
         --query ~/work-gh/mrva/gh-mrva/FlatBuffersFunc.ql
  4. Check the status and download the sarif files

      cd ~/local/gh-mrva
    
      # Check the status
      ./gh-mrva status --session mirva-session-73
    
      # Download the sarif files when finished
      ./gh-mrva download --session mirva-session-73 \
         --output-dir mirva-session-73
    
      # Download the sarif files and CodeQL dbs when finished
      ./gh-mrva download --session mirva-session-73 \
         --download-dbs \
         --output-dir mirva-session-73

curl checks for mrva server

Miscellaneous Notes

Action logs on Controller Repository

The action logs are on the controller repository at https://github.com/hohn/mirva-controller/actions.

The log of the "google flatbuffers" job in that action run references

github/codeql-variant-analysis-action
  Run actions/checkout@v4
  with:
      repository: github/codeql-variant-analysis-action
      ref: main
      token: ***
      ssh-strict: true
      persist-credentials: true
      clean: true
      sparse-checkout-cone-mode: true
      fetch-depth: 1
      fetch-tags: false
      show-progress: true
      lfs: false
      submodules: false
      set-safe-directory: true
      env:
          CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true

This is https://github.com/github/codeql-variant-analysis-action

The workflow producing the logs: https://github.com/github/codeql-variant-analysis-action/blob/main/variant-analysis-workflow.yml

Compacted Edit-Run-Debug Cycle

With a full Using MRVA cycle done, only these steps are needed in an edit-run-debug cycle. Note that paths must be updated for your system.

  # Build the client
  cd ~/work-gh/mrva/gh-mrva

  go clean
  go build . # go build -gcflags="all=-N -l" . 

  ./gh-mrva -h

  # Set up the configuration -- check your paths
  cat > ~/.config/gh-mrva/config.yml <<eof
         # The following options are supported
         # codeql_path: Path to CodeQL distribution (checkout of codeql repo)
         # controller: NWO of the MRVA controller to use
         # list_file: Path to the JSON file containing the target repos

         # git checkout codeql-cli/v2.15.5
         codeql_path: /Users/hohn/local/codeql-lib
         controller: hohn/mirva-controller
         list_file: /Users/hohn/work-gh/mrva/gh-mrva/mirva-list-databases.json

  eof
  
  # Define utility functions
  # em: assumed here to be an editor shortcut; substitute your own editor command
  submit (){
      SN=$1
      cd ~/work-gh/mrva/gh-mrva
      ./gh-mrva submit --language cpp --session mirva-session-$SN     \
                --list mirva-list                                     \
                --query /Users/hohn/work-gh/mrva/gh-mrva/FlatBuffersFunc.ql >& log-submit-$SN.log &
      sleep 1 && em log-submit-$SN.log
  }

  sessstatus (){
      SN=$1
      cd ~/work-gh/mrva/gh-mrva
      ./gh-mrva status --session mirva-session-$SN >& log-$SN-status.log &
      sleep 1 && em log-$SN-status.log
  }

  # Download the sarif files and CodeQL dbs when finished
  # (named dldbs so it is not overwritten by the sarif-only dl below)
  dldbs (){
      SN=$1
      cd ~/work-gh/mrva/gh-mrva
      ./gh-mrva download --session mirva-session-$SN \
                --download-dbs \
                --output-dir mirva-session-$SN-sarif \
                >& log-download-$SN.log &
      sleep 1 && em log-download-$SN.log
  }

  # Just download sarif / bqrs zip file
  dl (){
      SN=$1
      cd ~/work-gh/mrva/gh-mrva
      ./gh-mrva download --session mirva-session-$SN \
                --output-dir mirva-session-$SN-sarif \
                >& log-download-$SN.log &
      sleep 1 && em log-download-$SN.log
  }

  submit      211
  sessstatus  211
  dl          211    # or: dldbs 211 to also fetch the CodeQL dbs

Use the delve debugger to find a SIGSEGV

https://github.com/go-delve/delve/blob/master/Documentation/usage/dlv.md

  # Use the delve debugger to find a SIGSEGV
  # SN is the session number used by the functions above

  # compile debugging binaries with -gcflags="all=-N -l" on Go 1.10 or later
  go build -gcflags="all=-N -l" .

  # Check the status
  dlv debug -- status --session mirva-session-$SN
  # Type 'help' for list of commands.
  # (dlv) c

  # dlv debug builds, so the above build may be redundant
  dlv debug -- download --session mirva-session-$SN \
      --download-dbs \
      --output-dir mirva-session-$SN-sarif

  # At the (dlv) prompt: dlv may say 'no sources', but this works anyway
  b main.main
  l

  # This inline use of dlv may fail; attaching to a process is more reliable

VS Code Debugger Configuration

launch.json for download

  {
      "version": "0.2.0",
      "configurations": [
          {
              "name": "Launch Package",
              "type": "go",
              "request": "launch",
              "mode": "auto",
              "program": "${workspaceFolder}",
              "buildFlags": [],
              "args": ["download", "--session", "mirva-session-11", "--download-dbs", "--output-dir","mirva-session-11-sarif"]
          }
      ]
  }

launch.json for submission

Matching the command line

  ./gh-mrva submit --language cpp --session mirva-session-$SN     \
            --list mirva-list                                     \
            --query /Users/hohn/local/gh-mrva/FlatBuffersFunc.ql >& log-$SN.out &

  {
      "version": "0.2.0",
      "configurations": [
          {
              "name": "Launch Package",
              "type": "go",
              "request": "launch",
              "mode": "auto",
              "program": "${workspaceFolder}",
              "buildFlags": [],
              "args": ["submit",
                       "--language", "cpp",
                       "--session", "mirva-session-29",
                       "--list", "mirva-list",
                       "--query", "/Users/hohn/local/gh-mrva/FlatBuffersFunc.ql"]
          }
      ]
  }