Configuring CodeQL with Github actions using well known weaknesses

I am new to CodeQL, so I apologise if my question is obvious, but I have not been able to understand some simple concepts.

First, I can easily configure a public repository with GitHub Actions using a yml file configured as follows:

on:
  push:
    branches: [ master ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ master ]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          queries: +security-extended
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.

          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality


      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      # ℹ️ Command-line programs to run using the OS shell.
      #  See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

      #   If the Autobuild step above fails, remove it and uncomment the following three lines.
      #   Modify them (or add more) so that they build your project; the run block below is the example to follow.

      # - run: |
      #   echo "Run, Build Application using script"
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

As shown in the yaml file, I am using Java as the language. What I then want to do is trigger a failure/alert using the following simple Java code:
public class Main {
    public static void main(String[] args) {

        // Example code for https://cwe.mitre.org/data/definitions/476.html
        // (NULL Pointer Dereference): System.getProperty returns null when the
        // JVM was not started with -Dcmd=..., so trim() then throws a
        // NullPointerException.
        String cmd = System.getProperty("cmd");
        cmd = cmd.trim();
    }
}

This simple code is an example from Common Weakness Enumeration (CWE) 416, in which I try to dereference a variable that has not been defined.

If I go to Security -> Code scanning alerts, it shows that a scan was performed but no alerts were found.

Basically, I want to know whether I need to initialise CodeQL with a specific CWE under the Initialize CodeQL step in the yaml file.

CodeQL only has a specific set of queries, which do not cover all possible CWEs. This list shows the CWEs currently covered for Java.

As far as I can tell, there is currently no query which detects the specific issue shown in your question (but there are queries which detect dereferencing null). The reason for this is most likely that it is difficult to prevent false positives. For example, if your application is started with -Dcmd, then the system property will not be null. Similarly, System.setProperty could be called in a different part of the application, setting the system property to a non-null value.

Additionally, you have configured queries: +security-extended, but the type of query you are looking for (assuming it exists) would most likely be in the query suite security-and-quality, because it is not directly related to security.

You could also try to write your own queries and then include them in the code scanning workflow. Some of CodeQL's concepts may feel a bit foreign at first, but they provide good getting-started examples and tutorials. However, you should probably first check whether the provided queries already cover your use case.
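The two changes the answer suggests (selecting the security-and-quality suite, and including queries of your own) are both done through a CodeQL config file referenced from the init step. Below is an added example of that setup; it is not code from the question or the answer. The config file path, its name and the custom-query directory ./codeql/custom-queries are assumptions chosen for illustration.

```yaml
# Added example, not from the question or the answer.
# Two files: the CodeQL config file and the "Initialize CodeQL" step that
# points the action at it. The config path, the config name and the
# custom-query directory ./codeql/custom-queries are assumptions.

# File 1: .github/codeql/codeql-config.yml
name: "CodeQL config: security-and-quality plus repository queries"

queries:
  # Built-in suite. security-and-quality is a superset of security-extended,
  # which is itself a superset of the default suite, so listing it alone is
  # enough to get every built-in Java query.
  - name: Security and quality suite
    uses: security-and-quality
  # Queries kept in this repository (hypothetical directory). The directory
  # must contain a qlpack.yml so the CodeQL CLI can resolve the queries in it.
  - name: Repository-specific queries
    uses: ./codeql/custom-queries

# Keep test sources out of the alert list so real findings are not buried.
paths-ignore:
  - src/test

---
# File 2: the init step in .github/workflows/codeql.yml, replacing the
# "queries: +security-extended" form from the question. With config-file set,
# query selection comes from the config file. A "queries:" input on the step
# would be added on top of the config only if it carries the "+" prefix;
# without the prefix it replaces the config file's list.
- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}
    config-file: ./.github/codeql/codeql-config.yml
```

After this change, the "Code scanning alerts" page will list results from the maintainability and reliability queries as well as the security ones, and any query placed in the custom directory runs alongside them on every push and pull request the workflow already triggers on.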