Analysis on CodeQL
CodeQL basically an analysis engine used by developers to automate security checks and security researchers for various analysis on vulnerabilities. This tool is developed by GitHub to automate security checks.
Identify the tool capabilities in details and test these features with proper test codebases to validate these in a experimental approach. Observe is there any deviation from what documented with the test result. Identify other tools with similar features.
CodeQL treats code like data, allowing the security developer to find potential vulnerabilities in the code with greater confidence than traditional static analyzers.
CodeQL supports both compiled and interpreted languages, and can find vulnerabilities and errors in code that's written in the supported languages. C/C++ , C#, GO, Java, JavaScript/TypeScript, Python
Easy for a person with OOP ideas to implement searches/scanning with the application codebase.
CodeQL ships with extensive libraries to empower variant analysis
- Static analysis
- Data Flow Analysis
- Taint Analysis
- CFG Analysis with ample of supported languages, including C/C++, C#, Java, Javascript, Python
1. https://github.com/github/codeql-cli-binaries/releases/download/v2.7.1/codeql-linux64.zip
2. unzip codeql-linux64.zip
./codeql --version
git clone https://github.com/github/codeql
Note: rename the codeql repo as unzipped file also having the same name.
- CodeQL analysis relies on extracting relational data from code and using it to build a CodeQL database.
- CodeQL databases contain all of the important information about a codebase
- This can be analyzed by executing CodeQL queries against it.
syntax
codeql database create <path> --language=<select language>
currently available language includes,
C/C++
C#
Go
Java
JavaScript/TypeScript
Python
Ruby
../codeql/codeql database create /home/vagrant/js-db3 --language=javascript
in the above example, /home/vagrant/js-db3 is the database path and --language is language selection flag.
With help of the a query statement either from the query repo we cloned or with any custom query one can scan the code base.
codeql database analyze <db_path> <query_path> --format=<which format we needed> --output=<where to get the data>
default format will be csv
example
vagrant@node:~/codeql_home/codeql$ ./codeql database analyze /home/vagrant/js-db3 codeql-repo/javascript/ql/src/Declarations/UnusedVariable.ql --format=csv --output=/home/vagrant/codeql_home/codeql/js-csv-result
+ ./codeql database analyze /home/vagrant/js-db3 codeql-repo/javascript/ql/src/Declarations/UnusedVariable.ql --format=csv --output=/home/vagrant/codeql_home/codeql/js-csv-result
Running queries.
Compiling query plan for /home/vagrant/codeql_home/codeql/codeql-repo/javascript/ql/src/Declarations/UnusedVariable.ql.
Compiling upgrade for /home/vagrant/codeql_home/codeql/codeql-repo/javascript/ql/src/Declarations/UnusedVariable.ql
[1/1 comp 1m5s] Compiled /home/vagrant/codeql_home/codeql/codeql-repo/javascript/ql/src/Declarations/UnusedVariable.ql.
Starting evaluation of codeql/javascript-queries/Declarations/UnusedVariable.ql.
[1/1 eval 22.8s] Evaluation done; writing results to codeql/javascript-queries/Declarations/UnusedVariable.bqrs.
Shutting down query evaluator.
Result will be loaded under the file which we mentioned in output path while executing the command
eg. output=/home/vagrant/codeql_home/codeql/js-csv-result
vagrant@node:~/codeql_home/codeql$ cat js-csv-result.csv
"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","recommendation","Unused variable module.","/bes_theme/assets/javascripts/lunr/wordcut.js","1","370","1","375"
"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","recommendation","Unused variable exports.","/bes_theme/assets/javascripts/lunr/wordcut.js","1","377","1","383"
"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","recommendation","Unused variable glob.","/bes_theme/assets/javascripts/lunr/wordcut.js","64","5","64","8"
"Unused variable, import, function or class","Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully.","recommendation","Unused variable WordcutCore.","/bes_theme/assets/javascripts/lunr/wordcut.js","308","5","308","15"
Return the all code patterns based on analysis criteria.
eg.
import java (import javascript)
from IfStmt ifStmt, Block block
where
block = ifStmt.getThen() and
block.getNjumStmt() = 0
select ifStmt
above code is expected to pull out all the empty else block.
import python
from If ifstmt, Stmt pass
where pass = ifstmt.getStmt(0) and
pass instanceof Pass
select ifstmt, "This 'if' statement is redundant."
import ruby
from IfExpr ifexpr
where
not exists(ifexpr.getThen())
select ifexpr, "This 'if' expression is redundant."
above code is expected to pull out all the empty else block
import go
from Method m, Variable recv, Write w, Field f
where
recv = m.getReceiver() and
w.writesField(recv.getARead(), f, _) and
not recv.getType() instanceof PointerType
select w, "This update to " + f + " has no effect, because " + recv + " is not a pointer."
import cpp
from IfStmt ifstmt, Block block
where ifstmt.getThen() = block and
block.getNumStmt() = 0
select ifstmt, "This 'if' statement is redundant."
1. Use single block of code with complex data flow and test codeql against this script.
2. Use vulnerable set up code (eg. code with hardcoded password), check whether codeql able to detect it.
3. Prepare and test complex/nested queries and apply the same to test scripts.
4. Repeat the test against multiple languages.
Run codeql for multiple analysis with pre-defined data to ensure it is able to bring all the result.
this analysis includes, static, dataflow, taint and cfg analysis.
Used VScode-codeql-starter repository for getting multiple custom quires to be tested against vulnerable code.
Initial test codebase, https://github.com/jobyko/BesRepoViz/tree/main/mockscreens/js.
The query returning the matched pattern mentioned in the codeQL. Currently supported language include,
C/C++
C#
Go
Java
JavaScript/TypeScript
Python
Ruby
import javascript
import DataFlow
import DataFlow::PathGraph
class EvalTaint extends TaintTracking::Configuration {
EvalTaint() { this = "EvalTaint" }
override predicate isSource(Node node) { node instanceof RemoteFlowSource }
override predicate isSink(Node node) { node = globalVarRef("eval").getACall().getArgument(0) }
}
from EvalTaint cfg, PathNode source, PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Eval with user-controlled input from $@.", source.getNode(),
"here"
Combining the Be-Secure platform with CodeQL, the major benefits for the stakeholders within the open source supply chain are –
-
Visibility on the latest security stature of the open source project – both upstream and downstream
-
Access to customized playbooks to perform specific security assessment and verification activities at every stage of the supply chain. This helps to save time and effort to perform these activities
-
Access to a collaborative platform for engaging the security experts and community developers to work on addressing the security needs of open source projects
-
Leverage customized security environments from Be-Secure to enhance security competency among the community developers