《深入理解CodeQL》

本项目收集CodeQL相关内容，包括CodeQL的设计原理实现方法或使用CodeQL进行的漏洞挖掘案例等。其优点在于可以利用已知的漏洞信息来挖掘类似的漏洞，就像处理数据一样寻找漏洞。基于语义的代码分析思想在SAST领域更将会是一把利剑，这种思想更是下一代代码审计工具的发展方向。但CodeQL往往更适合开发人员对自己项目的漏洞自检，在某些环节处理上还存在较大问题，技术瓶颈有待提高。作者：0e0w

本项目创建于2021年12月13日，最近的一次更新时间为2023年11月21日。

• 01-CodeQL资源
• 02-CodeQL基础
• 03-CodeQL语言
• 04-CodeQL进阶
• 05-CodeQL案例
• 06-CodeQL参考

01-CodeQL资源

本章节收集整理CodeQL的相关资源内容，文章内容质量参差不齐，建议深入学习官方资源！

一、官方资源

• [ ] https://codeql.github.com/docs
• [ ] https://github.com/github/codeql
• [ ] https://github.com/github/codeql-go
• [ ] https://github.com/github/codeql-cli-binaries
• [ ] https://github.com/github/vscode-codeql-starter
• [ ] https://github.com/github/codeql-learninglab-actions
• [ ] https://github.com/github/securitylab/issues
• [ ] https://github.com/github/securitylab

二、优秀资源

• [ ] 《深入理解CodeQL》@0e0w
• [x] 《CodeQL 学习笔记》@楼兰
• [x] 《Codeql学习笔记》@safe6Sec
• [x] 《记录学习codeql的过程》@Firebasky
• [x] 《CodeQL Java 全网最全的中文学习资料》@SummerSec
• [x] 《代码分析平台CodeQL学习手记》@fanyeee
• [ ] 《静态分析☞CodeQL/Soot/SAST》@pen4uin
• [x] 《Finding security vulnerabilities with CodeQL》@GitHub Satellite Workshops
• [ ] 《CodeQL 寻找 JNDI利用 Lookup接口》@SummerSec
• [ ] ~~《CodeQL中文入门教程》@Cl0udG0d~~
• [ ] https://github.com/haby0/mark
• [ ] https://github.com/johnjohncom/webinar-2021sep-codeql2
• [ ] https://github.com/githubsatelliteworkshops/codeql-cpp
• [ ] https://github.com/pwntester/codeql_grehack_workshop
• [ ] https://github.com/haby0/sec-note

三、视频资源

• [ ] 《CodeQL合集》
• [ ] 《使用 CodeQL 挖掘 Java 应用漏洞》
• [ ] 《Discover vulnerabilities with CodeQL》@admin4571
• [ ] https://www.youtube.com/watch?v=y_-pIbsr7jc
• [ ] https://www.youtube.com/watch?v=G_yDbouY0tM

四、学术刊物

• https://codeql.github.com/publications

五、其他资源

• 先知
• [x] https://xz.aliyun.com/search?keyword=Codeql
• [ ] CodeQL 提升篇@Ironf4
• [ ] https://xz.aliyun.com/t/7789
• [ ] https://xz.aliyun.com/t/10829
• [ ] https://xz.aliyun.com/t/10756
• [ ] https://xz.aliyun.com/t/10755
• [ ] https://xz.aliyun.com/t/10707
• [ ] https://xz.aliyun.com/t/10046
• [ ] https://xz.aliyun.com/t/9275
• [ ] https://xz.aliyun.com/t/7979
• [ ] https://xz.aliyun.com/t/7657
• 跳跳糖
• [x] https://tttang.com/?keyword=codeql
• [ ] https://tttang.com/archive/1511
• [ ] https://tttang.com/archive/1512
• [ ] https://tttang.com/archive/1322
• [ ] https://tttang.com/archive/1353
• [ ] https://tttang.com/archive/1415
• [ ] https://tttang.com/archive/1378
• [ ] https://tttang.com/archive/1314
• [ ] https://tttang.com/archive/1497
• [ ] https://tttang.com/archive/1570
• [ ] https://tttang.com/archive/1660
• [ ] https://tttang.com/archive/1704
• 安全客
• [x] https://www.anquanke.com/search?s=codeql
• [ ] https://www.anquanke.com/post/id/266823
• [ ] https://www.anquanke.com/post/id/157583
• [ ] https://www.anquanke.com/post/id/212305
• [ ] https://www.anquanke.com/post/id/193171
• [ ] https://www.anquanke.com/post/id/266824
• 知乎
• [ ] https://www.zhihu.com/search?type=content&q=codeql
• [ ] https://zhuanlan.zhihu.com/p/354275826
• [ ] https://zhuanlan.zhihu.com/p/137569940
• [ ] https://zhuanlan.zhihu.com/p/479431942
• [ ] https://zhuanlan.zhihu.com/p/451369565
• [ ] https://zhuanlan.zhihu.com/p/92769710
• [ ] https://zhuanlan.zhihu.com/p/463665699
• [ ] https://zhuanlan.zhihu.com/p/451364774
• [ ] https://zhuanlan.zhihu.com/p/466504018
• [ ] https://zhuanlan.zhihu.com/p/448538180
• [ ] https://zhuanlan.zhihu.com/p/475499290
• [ ] https://zhuanlan.zhihu.com/p/466932373
• 微信
• [ ] https://mp.weixin.qq.com/s/jVZ3Op8FYBmiFAV3p0li3w
• [ ] https://mp.weixin.qq.com/s/KQso2nvWx737smunUHwXag
• [ ] https://mp.weixin.qq.com/s/sAUSgRAohFlmzwSkkWjp9Q
• [ ] https://mp.weixin.qq.com/s/3mlRedFwPz31Rwe7VDBAuA
• [ ] https://mp.weixin.qq.com/s/zSI157qJXYivSvyxHzXALQ
• [ ] https://mp.weixin.qq.com/s/Rqo12z9mapwlj6wGHZ1zZA
• [ ] https://mp.weixin.qq.com/s/DW0PJfRC0LtMOYx1CQPWpA
• [ ] https://mp.weixin.qq.com/s/mDWqyw5aRxBnW4Sewt9sLQ
• Freebuf
• [x] https://search.freebuf.com/search/?search=codeql#article
• [ ] https://www.freebuf.com/articles/web/283795.html
• [ ] https://www.freebuf.com/articles/network/316551.html
• [ ] https://www.freebuf.com/sectool/291916.html
• [ ] https://wiki.freebuf.com/detail?wiki=106&post=319285
• Github
• [ ] https://github.com/l3yx/Choccy
• [ ] https://github.com/Semmle/SecurityQueries
• [ ] https://github.com/artem-smotrakov/ql-fun
• [ ] https://github.com/s0/language-ql
• [ ] https://github.com/pwntester/codeql-cs-template
• [ ] https://github.com/ghas-bootcamp/ghas-bootcamp
• [ ] https://github.com/zbazztian/codeql-inject
• [ ] https://github.com/zbazztian/codeql-tools
• [ ] https://github.com/JLLeitschuh/lgtm_hack_scripts
• [ ] https://github.com/silentsignal/jms-codeql
• [ ] https://github.com/Marcono1234/codeql-jdk-docker
• [ ] https://github.com/j3ssie/codeql-docker
• [ ] https://github.com/microsoft/codeql-container
• [ ] https://github.com/zbazztian/codeql-debug
• [ ] https://github.com/dsp-testing/codeql-action
• [ ] https://github.com/uainc/codeql-example-01
• [ ] https://github.com/advanced-security/custom-codeql-bundle
• [ ] https://github.com/iflody/codeql-workshop
• [ ] https://github.com/dassencio/parallel-code-scanning
• [ ] https://github.com/advanced-security/codeql-basics
• [ ] https://github.com/vchekan/CodeQL
• [ ] https://github.com/ThibaudLopez/GHAS
• [ ] https://github.com/synacktiv/QLinspector
• [ ] https://github.com/advanced-security/codeql-workshop-2021-learning-journey
• Medium
• [ ] 《The journey of CodeQL》 @Boik Su
• [ ] 《CodeQL thần chưởng》@Jang
• [ ] Hunting for XSS with CodeQL@Daniel Santos
• [ ] Detect dangerous RMI objects with CodeQL@Artem Smotrakov
• [ ] About the CodeQL for research@Lalida Aramrueng
• [ ] Detecting Jackson deserialization vulnerabilities with CodeQL@Artem Smotrakov
• [ ] Using CodeQL to detect client-side vulnerabilities in web applications@Arseny Reutov
• 其他博客
• [ ] https://bestwing.me/codeql.html
• [ ] https://lfysec.top/2020/06/03/CodeQL%E7%AC%94%E8%AE%B0/
• [ ] https://docs.microsoft.com/zh-cn/windows-hardware/drivers/devtest/static-tools-and-codeql
• [ ] https://codeantenna.com/a/fnmZS3Qg4F
• [ ] https://www.cnblogs.com/goodhacker/p/
• [ ] https://geekmasher.dev/posts/sast/codeql-introduction
• [ ] http://blog.gamous.cn/post/codeql
• [ ] https://www.cnblogs.com/goodhacker/p/13583650.html
• [ ] https://yourbutterfly.github.io/note-site/module/semmle-ql/codeql
• [ ] https://fynch3r.github.io/tags/CodeQL
• [ ] https://blog.ycdxsb.cn/categories/research/codeql
• [ ] https://cloud.tencent.com/developer/article/1645870
• [ ] https://jorgectf.github.io/blog/post/practical-codeql-introduction
• [ ] https://www.slideshare.net/shabgrd/semmle-codeql
• [ ] https://blog.szfszf.top/article/59
• [ ] https://firebasky.github.io/2022/03/22/Codeql-excavate-Java-quadratic-deserialization
• [ ] https://www.synacktiv.com/en/publications/finding-gadgets-like-its-2022.html
• [ ] https://github.com/waderwu/extractor-java
• [ ] https://github.com/zbazztian/codeql-tools
• [ ] https://paper.seebug.org/1921
• [ ] https://github.com/webraybtl/codeQlpy

02-CodeQL基础

本章节介绍CodeQL的基础用法及设计思路实现原理等！

• AST、source、sink、
• CodeQL的处理对象并不是源码本身，而是中间生成的AST结构数据库，所以我们先需要把我们的项目源码转换成CodeQL能够识别的CodeDatabase。
• 1、创建数据库。2、对数据库进行查找。3、分析查询结果发现漏洞
• Engine、Database、Queries
• AutoBuilder、extractor、trap、逻辑谓词、连接词、逻辑连接词、predicate
• CodeQL的缺点？不能直接通过打包好的程序进行代码审计。

一、CodeQL安装

二、CodeQL语法

• https://github.com/semmle/ql

三、CodeQL数据库

• https://github.com/waderwu/extractor-java
• https://lgtm.com/help/lgtm/generate-database
• 生成数据库之前，需要先保证被分析程序可以正常跑起来。
• 创建数据库
  • codeql database create java-db --language=java
  • codeql database create java-db --language=java --command='mvn clean install'
  • codeql database create cpp-database --language=cpp --command=make
  • codeql database create csharp-database --language=csharp --command='dotnet build /t:rebuild
  • codeql database create csharp-database --language=csharp --command='dotnet build /p:UseSharedCompilation=false /t:rebuild'
  • codeql database create java-database --language=java --command='gradle clean test'
  • codeql database create java-database --language=java --command='mvn clean install'
  • codeql database create java-database --language=ja