CodeQL for Golang Practice (1)

Today’s Menu

  • Set Up CodeQL for Golang on macOS 🍷
  • Run basic CodeQL query against the gojenkins project 🍖

CodeQL

According to the official website, CodeQL is a semantic code analysis engine that discovers vulnerabilities across a codebase by treating code as data and querying it.

If you are new to CodeQL, let me help you with the setup 😆

Environment Setup - macOS

  1. Create a new CodeQL directory at $HOME/codeql-home/
  2. Set up the CodeQL CLI:
  • Download the zip archive
  • Move the zip archive into codeql-home and unzip it, naming the extracted directory codeql
  • Steps for macOS ‘Catalina’ (here ${install_loc} stands for the codeql-home directory):

$ mv ~/Downloads/codeql*.zip ${install_loc}
$ cd ${install_loc}
$ xattr -c codeql*.zip   # clear the quarantine attribute so macOS allows the extracted binaries to run
$ unzip codeql*.zip

  3. Clone the repo of standard CodeQL libraries and queries into codeql-home and rename it codeql-repo

  4. The CodeQL libraries and queries for Go analysis live in a separate repo; clone it into codeql-home as codeql-go

  5. Finally, the structure of the CodeQL directory will be:


codeql-home/
 |
 |-- codeql-repo/      # the cloned standard libraries repo; do not name it `codeql`
 |-- codeql/           # the CodeQL CLI extracted from the zip archive
 |-- codeql-go/        # the cloned CodeQL for Go repository

  6. Add the CLI directory to the PATH to enable a global codeql command:
  • sudo vim /etc/paths and add the absolute path of codeql-home/codeql (/etc/paths does not expand $HOME, so write your home directory out in full)
  7. Try the codeql command on the command line:

[screenshot 2020_12_14_1]

  8. Check the full list of CodeQL commands if you have time

Guidelines - Create the Database

Before you analyze your code using CodeQL, you need to create a CodeQL database containing all the data required to run queries on your code.

Steps:

  1. Clone the repo to analyze and install all of its dependencies.
  • Install the Go toolchain (version > 1.11)
  • If the project manages dependencies with dep or Glide, install that tool as well
  • No --command parameter is needed; the Go extractor builds the project on its own
  2. Create the CodeQL database for Go: codeql database create <database> --language=go
  3. Databases for open-source GitHub projects can also be downloaded from LGTM.

Run Query against Database

Experiment and learn how to write effective and efficient queries for CodeQL databases generated from Go codebases.

1. Clone the repo

$ git clone https://github.com/bndr/gojenkins.git
$ cd gojenkins

Gojenkins is a Jenkins API client for Go, allowing Go developers to programmatically interact with the popular continuous-integration system Jenkins.

2. Build the database

$ codeql database create codeql_database --language=go

[screenshot 2020_12_14_2]

Notice that some sample query files are saved in $HOME/codeql-home/codeql-go/ql/src:

localReferences.ql
AlertSuppression.ql
printAst.ql
definitions.ql
localDefinitions.ql

For example, the definitions.ql source code:

/**
 * @name Jump-to-definition links
 * @description Generates use-definition pairs that provide the data
 *              for jump-to-definition in the code viewer.
 * @kind definitions
 * @id go/jump-to-definition
 */

import go

from Ident def, Ident use, Entity e
where
  use.uses(e) and
  def.declares(e)
select use, def, "V"

We can now run one of the sample queries to confirm that the setup works.

3. Run a query in VS Code

Steps:

a. Add the CodeQL extension to VS Code.

[screenshot 2020_12_14_3]

b. Select the database by choosing its folder.

[screenshot 2020_12_14_4]

c. Right-click the query file and click Run Query (see the screenshot below); the results appear on the right-hand side.

[screenshot 2020_12_14_5]

d. Clicking a result link jumps directly to the definition.

[screenshot 2020_12_14_6]

4. (Alternative) Analyze the database from the command line

If you prefer not to use VS Code, you can run the analysis from the command line instead:

$ codeql database analyze <database> <queries> --format=<format> --output=<output>

Run a sample query against the database:

$ mkdir codeql-analysis
$ touch go-results.csv
$ codeql database analyze codeql_database ../codeql-go/ql/src/localReferences.ql --format=csv --output=codeql-analysis/go-results.csv

[screenshot 2020_12_14_7]

However, there may be some problems… The CSV file is empty, but the definitions.bqrs file has content. I'm not sure about the reason; if you know, please email me. Thanks in advance. Haha.
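As an added example (not from the original post and not a query shipped in the codeql-go repository), here is an alert query to try next. Unlike definitions.ql it has @kind problem, the kind whose results `codeql database analyze` renders as alert rows in CSV or SARIF output. It flags tls.Config literals that set InsecureSkipVerify to true, which turns off server certificate checking for that client. It assumes the file is saved beside the sample queries in codeql-go/ql/src so that `import go` resolves; the @id, the predicate name and the message text are my own.

```ql
/**
 * @name TLS certificate verification disabled (added example)
 * @description Finds crypto/tls Config literals that set
 *              InsecureSkipVerify to true, disabling server
 *              certificate checking for that TLS client.
 * @kind problem
 * @problem.severity warning
 * @id go/example/insecure-skip-verify
 */

import go

/**
 * Holds if `kv` is the `InsecureSkipVerify: true` element of the
 * `tls.Config` composite literal `lit`. Name chosen for this example.
 */
predicate disablesVerification(CompositeLit lit, KeyValueExpr kv) {
  // the literal builds a value of the named struct type crypto/tls.Config
  lit.getType().hasQualifiedName("crypto/tls", "Config") and
  // one keyed element of that literal ...
  kv = lit.getAnElement() and
  // ... sets the InsecureSkipVerify field ...
  kv.getKey().(Ident).getName() = "InsecureSkipVerify" and
  // ... to the constant true (getBoolValue only holds for constant expressions)
  kv.getValue().getBoolValue() = true
}

from CompositeLit lit, KeyValueExpr kv
where disablesVerification(lit, kv)
select kv, "TLS certificate verification is disabled in this tls.Config literal."
```

Run it with `codeql database analyze codeql_database <path-to-this-file> --format=csv --output=codeql-analysis/tls-results.csv`; on a codebase that never disables verification the CSV simply contains no rows.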

CodeQL Helpsheet

$ codeql [command] [subcommand]
$ codeql database create <database> --language=<language-identifier>
$ codeql database analyze <database> <queries> --format=<format> --output=<output>
$ codeql database upgrade <database>   # upgrade an existing database
$ codeql test run <test|dir>           # run QL query tests
$ codeql generate query-help <qhelp|query|dir|suite> --format=<format> [--output=<dir|file>]

Shout out to Tri for the tutorial 🥂 thx

Reference