Configuring CodeQL with GitHub Actions using well-known weaknesses

Published 2025-02-01 11:47:32 | Words: 1904 | Views: 3 | Comments: 0


I am new to CodeQL and therefore my apologies if my question is an obvious one, however, I've been unable to understand a few simple concepts.

Firstly, I can easily configure a public repo with a github action using a yml file configured as follows:

on:
  push:
    branches: [ master ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ master ]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          queries: +security-extended
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.

          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality


      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

      #   If the Autobuild fails above, remove it and uncomment the following three lines.
      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

      # - run: |
      #   echo "Run, Build Application using script"
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

As indicated in the yaml file, I'm using Java as the language. What I'm trying to do then is trigger a failure / alert with simple code such as this in Java.

public class Main {
    public static void main(String[] args) {

        // Example code for https://cwe.mitre.org/data/definitions/476.html
        String cmd = System.getProperty("cmd");
        cmd = cmd.trim();
    }
}

This simple code is an example from Common Weakness Enumeration (CWE) 416 where I'm trying to dereference a variable that hasn't been defined.

If I go to Security -> Code scanning alerts it will show that the scanning was performed but no alerts were found.

Basically, I'm wondering if I need to initialize the CodeQL with a specific CWE under the Initialize CodeQL step in the yaml file.

[Screenshot: code scanning completed with no alerts]

Comments (2)

幸福不弃 2025-02-08 11:47:32


CodeQL only has a specific set of queries, which do not cover all possible CWEs. This list shows the currently covered CWEs for Java.

As far as I know there exists no query at the moment which detects the specific issue you are showing in your question (there are however queries which detect dereferencing null). The reason for this is most likely that it would be difficult to prevent false positives. For example if your application is started with -Dcmd, then the system property would not be null. Similarly there could be a call to System.setProperty in a different part of the application which sets the system property to a non-null value.

Besides that you have configured queries: +security-extended but the type of the query you are looking for (assuming it existed) would most likely be in the query suite security-and-quality because it is not directly security related.

You could also try to write your own queries and then include them in the code scanning workflow. Some concepts of CodeQL might feel a bit unfamiliar at first, but they provide great examples and tutorials for getting started. However, you should probably first check if the provided queries already suffice for your use case.
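To make the "write your own query" suggestion concrete for the Java snippet in the question, here is an added example of a custom CodeQL query (not part of the answer above and not one of GitHub's shipped queries). It flags a method call on a variable that was assigned the result of the one-argument System.getProperty(String), unless that variable is compared against null somewhere in the code. The null-guard check is deliberately crude and is an assumption of this example: it does not model control flow, so it will still produce the kind of false positives the answer describes (a property set with -Dcmd or via System.setProperty elsewhere). The class name MethodCall is the current one in the CodeQL Java library; older releases call it MethodAccess.

```ql
/**
 * @name Method call on a System.getProperty result that is never null-checked
 * @description System.getProperty(String) returns null when the property is
 *              unset; calling a method on that value without a null check
 *              throws a NullPointerException at runtime.
 * @kind problem
 * @problem.severity warning
 * @id java/example/getproperty-null-deref
 * @tags reliability
 */

import java

/** A call to the one-argument `System.getProperty(String)`, which may return null. */
class GetPropertyCall extends MethodCall {
  GetPropertyCall() {
    this.getMethod().hasQualifiedName("java.lang", "System", "getProperty") and
    this.getMethod().getNumberOfParameters() = 1
  }
}

/**
 * Holds if `v` is compared against `null` anywhere in the program.
 * This is a crude stand-in for a real null-guard analysis (assumption of
 * this example): any `v == null` / `v != null` test suppresses the alert.
 */
predicate isNullChecked(Variable v) {
  exists(EqualityTest eq |
    eq.getAnOperand() = v.getAnAccess() and
    eq.getAnOperand() instanceof NullLiteral
  )
}

// `cmd = cmd.trim();` in the question: `deref` is the `trim()` call, its
// qualifier is an access of `cmd`, and `cmd` was assigned a getProperty result.
from MethodCall deref, Variable v, GetPropertyCall gp
where
  v.getAnAssignedValue() = gp and
  deref.getQualifier() = v.getAnAccess() and
  not isNullChecked(v)
select deref, "Method call on $@, which is null when the system property is unset.", v, v.getName()
```

To run it from the workflow in the question, put the .ql file in a directory of the repository together with a qlpack.yml that depends on codeql/java-all, and point the init step's `queries:` input at that directory (keeping the leading `+` so the built-in suite still runs, as the workflow's own comments describe). The query is a reliability check rather than a security one, which is why a result of this kind would belong in security-and-quality rather than security-extended.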

心意如水 2025-02-08 11:47:32


Since May 2022:

Code scanning can be set up more easily without committing a workflow file to the repository (Jan. 2023)

Code scanning's new default setup feature automatically finds and sets up the best CodeQL configuration for your repository.
This will detect the languages in the repository and enable CodeQL analysis for every pull request and every push to the default branch and any protected branches.
Default setup currently supports analysis of JavaScript (including TypeScript), Python, and Ruby code.
More languages will be supported soon, and all other languages supported by CodeQL continue to work using a GitHub Actions workflow file.

The new default setup feature is available for CodeQL on repositories that use GitHub Actions.
You can use default setup on your repository's "Settings" tab under "Code security and analysis" (accessible by repository admins and security managers).

https://i0.wp.com/user-images.githubusercontent.com/19343236/210406786-60bfdf35-2022-4e0e-823a-24e7553497d3.png?ssl=1 -- Screenshot of code scanning's new default setup

The options to set up code scanning using an Actions workflow file or through API upload from 3rd party CI/CD systems remain supported and are unchanged.
This more advanced setup method can be useful if you need to alter the default configuration, for example to include custom query packs.
Default setup configurations can also be converted to advanced setups if your analysis requirements change.

Default setup is currently available at the repository level.
We are actively working on future features at the organization level so you can easily set up code scanning at scale across large numbers of repositories.

This has shipped to GitHub.com and will be available in GitHub Enterprise Server 3.9.
To learn more, read the documentation on setting up code scanning for a repository.

In your case, you would still need an Actions workflow file, to specify a query pack.
