本项目收集CodeQL相关内容,包括CodeQL的设计原理实现方法或使用CodeQL进行的漏洞挖掘案例等。其优点在于可以利用已知的漏洞信息来挖掘类似的漏洞,就像处理数据一样寻找漏洞。基于语义的代码分析思想在SAST领域更将会是一把利剑,这种思想更是下一代代码审计工具的发展方向。但CodeQL往往更适合开发人员对自己项目的漏洞自检,在某些环节处理上还存在较大问题,技术瓶颈有待提高。作者:0e0w
本项目创建于2021年12月13日,最近的一次更新时间为2023年11月21日。
本章节收集整理CodeQL的相关资源内容,文章内容质量参差不齐,建议深入学习官方资源!
一、官方资源
- https://codeql.github.com/docs
- https://github.com/github/codeql
- https://github.com/github/codeql-go
- https://github.com/github/codeql-cli-binaries
- https://github.com/github/vscode-codeql-starter
- https://github.com/github/codeql-learninglab-actions
- https://github.com/github/securitylab/issues
- https://github.com/github/securitylab
二、优秀资源
- 《深入理解CodeQL》@0e0w
- 《CodeQL 学习笔记》@楼兰
- 《Codeql学习笔记》@safe6Sec
- 《记录学习codeql的过程》@Firebasky
- 《CodeQL Java 全网最全的中文学习资料》@SummerSec
- 《代码分析平台CodeQL学习手记》@fanyeee
- 《静态分析☞CodeQL/Soot/SAST》@pen4uin
- 《Finding security vulnerabilities with CodeQL》@GitHub Satellite Workshops
- 《CodeQL 寻找 JNDI利用 Lookup接口》@SummerSec
-
《CodeQL中文入门教程》@Cl0udG0d - https://github.com/haby0/mark
- https://github.com/johnjohncom/webinar-2021sep-codeql2
- https://github.com/githubsatelliteworkshops/codeql-cpp
- https://github.com/pwntester/codeql_grehack_workshop
- https://github.com/haby0/sec-note
三、视频资源
- 《CodeQL合集》
- 《使用 CodeQL 挖掘 Java 应用漏洞》
- 《Discover vulnerabilities with CodeQL》@admin4571
- https://www.youtube.com/watch?v=y_-pIbsr7jc
- https://www.youtube.com/watch?v=G_yDbouY0tM
四、学术刊物
五、其他资源
- 先知
- https://xz.aliyun.com/search?keyword=Codeql
- CodeQL 提升篇@Ironf4
- https://xz.aliyun.com/t/7789
- https://xz.aliyun.com/t/10829
- https://xz.aliyun.com/t/10756
- https://xz.aliyun.com/t/10755
- https://xz.aliyun.com/t/10707
- https://xz.aliyun.com/t/10046
- https://xz.aliyun.com/t/9275
- https://xz.aliyun.com/t/7979
- https://xz.aliyun.com/t/7657
- 跳跳糖
- https://tttang.com/?keyword=codeql
- https://tttang.com/archive/1511
- https://tttang.com/archive/1512
- https://tttang.com/archive/1322
- https://tttang.com/archive/1353
- https://tttang.com/archive/1415
- https://tttang.com/archive/1378
- https://tttang.com/archive/1314
- https://tttang.com/archive/1497
- https://tttang.com/archive/1570
- https://tttang.com/archive/1660
- https://tttang.com/archive/1704
- 安全客
- https://www.anquanke.com/search?s=codeql
- https://www.anquanke.com/post/id/266823
- https://www.anquanke.com/post/id/157583
- https://www.anquanke.com/post/id/212305
- https://www.anquanke.com/post/id/193171
- https://www.anquanke.com/post/id/266824
- 知乎
- https://www.zhihu.com/search?type=content&q=codeql
- https://zhuanlan.zhihu.com/p/354275826
- https://zhuanlan.zhihu.com/p/137569940
- https://zhuanlan.zhihu.com/p/479431942
- https://zhuanlan.zhihu.com/p/451369565
- https://zhuanlan.zhihu.com/p/92769710
- https://zhuanlan.zhihu.com/p/463665699
- https://zhuanlan.zhihu.com/p/451364774
- https://zhuanlan.zhihu.com/p/466504018
- https://zhuanlan.zhihu.com/p/448538180
- https://zhuanlan.zhihu.com/p/475499290
- https://zhuanlan.zhihu.com/p/466932373
- 微信
- https://mp.weixin.qq.com/s/jVZ3Op8FYBmiFAV3p0li3w
- https://mp.weixin.qq.com/s/KQso2nvWx737smunUHwXag
- https://mp.weixin.qq.com/s/sAUSgRAohFlmzwSkkWjp9Q
- https://mp.weixin.qq.com/s/3mlRedFwPz31Rwe7VDBAuA
- https://mp.weixin.qq.com/s/zSI157qJXYivSvyxHzXALQ
- https://mp.weixin.qq.com/s/Rqo12z9mapwlj6wGHZ1zZA
- https://mp.weixin.qq.com/s/DW0PJfRC0LtMOYx1CQPWpA
- https://mp.weixin.qq.com/s/mDWqyw5aRxBnW4Sewt9sLQ
- Freebuf
- https://search.freebuf.com/search/?search=codeql#article
- https://www.freebuf.com/articles/web/283795.html
- https://www.freebuf.com/articles/network/316551.html
- https://www.freebuf.com/sectool/291916.html
- https://wiki.freebuf.com/detail?wiki=106&post=319285
- Github
- https://github.com/l3yx/Choccy
- https://github.com/Semmle/SecurityQueries
- https://github.com/artem-smotrakov/ql-fun
- https://github.com/s0/language-ql
- https://github.com/pwntester/codeql-cs-template
- https://github.com/ghas-bootcamp/ghas-bootcamp
- https://github.com/zbazztian/codeql-inject
- https://github.com/zbazztian/codeql-tools
- https://github.com/JLLeitschuh/lgtm_hack_scripts
- https://github.com/silentsignal/jms-codeql
- https://github.com/Marcono1234/codeql-jdk-docker
- https://github.com/j3ssie/codeql-docker
- https://github.com/microsoft/codeql-container
- https://github.com/zbazztian/codeql-debug
- https://github.com/dsp-testing/codeql-action
- https://github.com/uainc/codeql-example-01
- https://github.com/advanced-security/custom-codeql-bundle
- https://github.com/iflody/codeql-workshop
- https://github.com/dassencio/parallel-code-scanning
- https://github.com/advanced-security/codeql-basics
- https://github.com/vchekan/CodeQL
- https://github.com/ThibaudLopez/GHAS
- https://github.com/synacktiv/QLinspector
- https://github.com/advanced-security/codeql-workshop-2021-learning-journey
- Medium
- 《The journey of CodeQL》 @Boik Su
- 《CodeQL thần chưởng》@Jang
- Hunting for XSS with CodeQL@Daniel Santos
- Detect dangerous RMI objects with CodeQL@Artem Smotrakov
- About the CodeQL for research@Lalida Aramrueng
- Detecting Jackson deserialization vulnerabilities with CodeQL@Artem Smotrakov
- Using CodeQL to detect client-side vulnerabilities in web applications@Arseny Reutov
- 其他博客
- https://bestwing.me/codeql.html
- https://lfysec.top/2020/06/03/CodeQL%E7%AC%94%E8%AE%B0/
- https://docs.microsoft.com/zh-cn/windows-hardware/drivers/devtest/static-tools-and-codeql
- https://codeantenna.com/a/fnmZS3Qg4F
- https://www.cnblogs.com/goodhacker/p/
- https://geekmasher.dev/posts/sast/codeql-introduction
- http://blog.gamous.cn/post/codeql
- https://www.cnblogs.com/goodhacker/p/13583650.html
- https://yourbutterfly.github.io/note-site/module/semmle-ql/codeql
- https://fynch3r.github.io/tags/CodeQL
- https://blog.ycdxsb.cn/categories/research/codeql
- https://cloud.tencent.com/developer/article/1645870
- https://jorgectf.github.io/blog/post/practical-codeql-introduction
- https://www.slideshare.net/shabgrd/semmle-codeql
- https://blog.szfszf.top/article/59
- https://firebasky.github.io/2022/03/22/Codeql-excavate-Java-quadratic-deserialization
- https://www.synacktiv.com/en/publications/finding-gadgets-like-its-2022.html
- https://github.com/waderwu/extractor-java
- https://github.com/zbazztian/codeql-tools
- https://paper.seebug.org/1921
- https://github.com/webraybtl/codeQlpy
本章节介绍CodeQL的基础用法及设计思路实现原理等!
- AST、source、sink、
- CodeQL的处理对象并不是源码本身,而是中间生成的AST结构数据库,所以我们先需要把我们的项目源码转换成CodeQL能够识别的CodeDatabase。
- 1、创建数据库。2、对数据库进行查找。3、分析查询结果发现漏洞
- Engine、Database、Queries
- AutoBuilder、extractor、trap、逻辑谓词、连接词、逻辑连接词、predicate
- CodeQL的缺点?不能直接通过打包好的程序进行代码审计。
一、CodeQL安装
二、CodeQL语法
三、CodeQL数据库
- https://github.com/waderwu/extractor-java
- https://lgtm.com/help/lgtm/generate-database
- 生成数据库之前,需要先保证被分析程序可以正常跑起来。
- 创建数据库
- codeql database create java-db --language=java
- codeql database create java-db --language=java --command='mvn clean install'
- codeql database create cpp-database --language=cpp --command=make
- codeql database create csharp-database --language=csharp --command='dotnet build /t:rebuild
- codeql database create csharp-database --language=csharp --command='dotnet build /p:UseSharedCompilation=false /t:rebuild'
- codeql database create java-database --language=java --command='gradle clean test'
- codeql database create java-database --language=java --command='mvn clean install'
- codeql database create java-database --language=java --command='ant -f build.xml'
- codeql database create new-database --language=java --command='./scripts/build.sh'
- 分析数据库
- codeql database analyze java-db CWE-020.ql --format=csv --output=result.csv
本章节介绍QL语言的语法规则,包括优秀规则等内容。CodeQL为王,规则为先!
一、基础语法
二、规则编写
- Java
- C#
- Go
三、官方规则
四、优秀规则
- 《My CodeQL queries collection》@cldrn
- https://github.com/cor0ps/codeql
- https://github.com/GeekMasher/security-queries
- https://github.com/Marcono1234/codeql-java-queries
- https://github.com/imagemlt/myQLrules
- https://github.com/advanced-security/codeql-queries
- https://github.com/jenkins-infra/jenkins-codeql
- https://github.com/ice-doom/CodeQLRule
- https://github.com/zbazztian/codeql-queries
本章节是针对不同的开发语言进行CodeQL扫描的例子,本章节待整理。
一、Java安全分析
- https://codeql.github.com/codeql-query-help/java
- https://codeql.github.com/codeql-standard-libraries/java
- https://lgtm.com/search?q=language%3Ajava&t=rules
- https://github.com/msrkp/codeql_for_gadgets
- https://github.com/chaimu100/java-test-for-codeql
- https://github.com/synacktiv/QLinspector
二、C#安全分析
- https://codeql.github.com/codeql-query-help/csharp/
- https://lgtm.com/search?q=language%3Acsharp&t=projects
三、Golang安全分析
- https://codeql.github.com/codeql-query-help/go/
- https://lgtm.com/search?q=language%3Ago&t=rules
- https://lgtm.com/search?q=language%3Ago&t=projects
- https://codeql.github.com/codeql-standard-libraries/go
- https://github.com/github/codeql-ctf-go-return
- https://github.com/gagliardetto/codemill
- http://f4bb1t.com/post/2020/12/16/codeql-for-golang-practise3
- https://www.freebuf.com/articles/web/253491.html
四、Python
- https://codeql.github.com/codeql-query-help/python/
- https://github.com/10thmagnitude/custom-codeql-python
- https://github.com/AlexAltea/codeql-python
五、C++安全分析
- https://github.com/trailofbits/itergator
- https://github.com/0xcpu/codeql-uboot
- https://github.com/RadCet/CodeQL
六、Ruby
七、CodeQL工具
- https://github.com/ZhuriLab/Yi
- https://github.com/ice-doom/codeql_compile
- https://github.com/hudangwei/codemillx
- https://github.com/gagliardetto/codemill
- https://github.com/pwntester/codeql.nvim
- https://github.com/gagliardetto/codebox
本章节介绍CodeQL的具体使用案例,包括自己通过CodeQL挖掘的漏洞等内容。
一、大型应用分析
- 分析Shiro
- 分析Fastjson
- 分析Log4j
- 分析Dubbo
- 分析kylin
- 分析grafana
- 分析Hadoop
- 分析Struts2
二、代码审计案例
- https://www.anquanke.com/post/id/203674
- https://www.jianshu.com/p/99942852a3aa
- https://www.anquanke.com/post/id/202987
- https://mp.weixin.qq.com/s/LmOFGAhqAKiO8VDQW4vvLg
- https://github.com/hac425xxx/codeql-snippets
- https://github.com/elManto/StaticAnalysisQueries