|
1 |
| -# QL analysis support for CodeQL |
| 1 | +# CodeQL for CodeQL |
2 | 2 |
|
3 |
| -- *Part of the May 2021 [code scanning hackathon](https://github.com/github/code-scanning-hackathon/issues/3).* |
4 |
| -- *Part of the October 2021 [code scanning hackathon](https://github.com/github/code-scanning-hackathon/issues/61).* |
| 3 | +CodeQL for CodeQL analyses QL code to find some common bug patterns. |
| 4 | +This analysis is mostly used as a PR check in [`github/codeql`](https://github.com/github/codeql). |
| 5 | +CodeQL for CodeQL is experimental technology and not a supported product |
5 | 6 |
|
6 |
| -Under development. |
7 |
| - |
8 |
| -## Viewing the alerts from github/codeql and github/codeql-go |
9 |
| - |
10 |
| -**TLDR: View https://github.com/github/codeql-ql/security/code-scanning?query=branch%3Anightly-changes-alerts periodically.** |
11 |
| - |
12 |
| -The [`nightly-changes-alerts` branch](https://github.com/github/codeql-ql/tree/nightly-changes-alerts) contains nightly snapshots of QL related code from [github/codeql](https://github.com/github/codeql) and [github/codeql-go](https://github.com/github/codeql-go). The corresponding [code-scanning alerts](https://github.com/github/codeql-ql/security/code-scanning?query=branch%3Anightly-changes-alerts) are from the [default query suite](https://github.com/github/codeql-ql/blob/main/ql/src/codeql-suites/ql-code-scanning.qls). |
13 |
| - |
14 |
| -The branch and alerts are updated every night by the [`nightly-changes.yml` workflow](https://github.com/github/codeql-ql/actions/workflows/nightly-changes.yml). |
15 |
| - |
16 |
| -Ideally, the scans would happen automatically as part of the PRs. That requires more coordination, and is tracked here: https://github.com/github/codeql-coreql-team/issues/1669. |
| 7 | +Some setup is required to use CodeQL for CodeQL (see the below sections). |
17 | 8 |
|
18 | 9 | ## Building the tools from source
|
19 | 10 |
|
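Review bot: the new line 5 ("CodeQL for CodeQL is experimental technology and not a supported product") is missing its terminating period, and line 7 reads more naturally as "Some setup is required to use CodeQL for CodeQL (see the sections below)." More substantively, this hunk removes the whole "Viewing the alerts" section, and with it the only links to the `nightly-changes-alerts` branch, the `nightly-changes.yml` workflow and the default query suite `ql/src/codeql-suites/ql-code-scanning.qls`, while the replacement text only says the analysis is "mostly used as a PR check in github/codeql" without linking to that check or saying where its alerts can be viewed. Suggest either keeping a one-line pointer to the query suite and the PR check, or stating explicitly that the nightly scan has been retired, so readers of the new README are not left without any way to find the results.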
@@ -43,22 +34,15 @@ Then run
|
43 | 34 | codeql database create <database-path> -l ql -s <project-source-path> --search-path <extractor-pack-path>
|
44 | 35 | ```
|
45 | 36 |
|
| 37 | +CodeQL can be configured to remember the extractor by setting the config file `~/.config/codeql/config` to: |
| 38 | +```bash |
| 39 | +--search-path /full/path/to/extractor-pack |
| 40 | +``` |
| 41 | + |
46 | 42 | ## Running qltests
|
47 | 43 |
|
48 | 44 | Run
|
49 | 45 |
|
50 | 46 | ```bash
|
51 | 47 | codeql test run <test-path> --search-path <repository-root-path>
|
52 | 48 | ```
|
53 |
| - |
54 |
| -## GitHub Actions |
55 |
| - |
56 |
| -In addition to the above nightly scans of the known CodeQL repositories, the following Actions are of particular interest: |
57 |
| - |
58 |
| -- [`bleeding-codeql-analysis.yml`](https://github.com/github/codeql-ql/actions/workflows/bleeding-codeql-analysis.yml) |
59 |
| - - runs on all PRs, displays how alerts for the known CodeQL repositories change as consequence of the PR |
60 |
| - - the code from the known CodeQL repositories should be updated occasionally by running [`repo-tests/import-repositories.sh`](https://github.com/github/codeql-ql/blob/main/repo-tests/import-repositories.sh) locally, and creating a PR. |
61 |
| - - produces an artifact built `ql` database in |
62 |
| -- [`build.yml`](https://github.com/github/codeql-ql/actions/workflows/build.yml) |
63 |
| - - produces an artifact with the `ql` extractor and the `ql` query pack in |
64 |
| - |
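Review bot: the added config snippet is fenced as ```bash, but `~/.config/codeql/config` is a CodeQL CLI options file rather than a shell script, so a plain or `text` fence would be less misleading. The sentence "CodeQL can be configured to remember the extractor" should say what is actually remembered, i.e. the `--search-path` to the extractor pack, and it is worth adding that options placed in this file are applied to every `codeql` command, including the `codeql test run <test-path> --search-path <repository-root-path>` invocation documented immediately below, so the reader knows the two search paths interact. Separately, dropping the "GitHub Actions" section removes the only note that `repo-tests/import-repositories.sh` has to be re-run occasionally to refresh the imported repositories, and that `build.yml` publishes the `ql` extractor and query pack as an artifact; if those workflows still exist, that maintenance instruction should be kept somewhere in the README.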