
DISM Final Year Project, Security Software Tool Development, CodeQL Scanner


ISnackable/G8-CodeQL




DISMFYP2021GRP8

FYP Project utilizing CodeQL for code analysis
Explore the docs »

CodeQL · View Demo · Neo4J

Welcome

DISMFYP2021GRP8, also known as G8, is a static code scanning security tool built with ReactJS and ExpressJS. It uses the CodeQL semantic code analysis engine to find all variants of a vulnerability across a code base. Some of G8's features are listed below; the list is not exhaustive.

Features

  • Project upload from folders, (zipped) files and Git repositories
  • Alert results presented on a concise CodeFlow page
  • Alert results visualization through Neo4J integration
  • Interpret custom CodeQL queries
  • Report generation for researchers
  • Viewing custom SARIF files with sarif-web-components
  • Documentation of CodeQL queries

G8 Pages

Dependencies

The following tools should be installed before starting:

Installation

Use the provided docker configuration to deploy the project:

$ docker-compose up -d

Then open http://127.0.0.1:3000, go to the dashboard page and upload the project you wish to analyze. Click Analyze to start the analysis and watch the magic unfold.

You can optionally edit the configuration file depending on your needs:

Backend Configuration File

Usage

To start trying out the project, follow the steps below.

  1. Visit http://127.0.0.1:3000/#/dashboard/
  2. Click on the Git Repo button and paste in https://github.com/ISnackable/DISMFYP2021GRP8.git
  3. Click Submit to upload the project
  4. Under the Existing Project table, click on Start Analysis and wait for the analysis to be done
  5. Click Load Project and navigate to CodeQL Alert to view the results

Development

Getting Started

To get a local copy up and running follow these simple example steps.

Prerequisites

Clone the latest version of this repository with git, including all submodules:

$ git clone https://github.com/ISnackable/DISMFYP2021GRP8/ --recursive --depth 1

Install CodeQL CLI

  1. Download the CodeQL CLI zip package.

  2. Create a new CodeQL directory where you can place the CLI and any queries and libraries you want to use. For example, D:/programs/codeql-home or /opt/codeql.

  3. Extract the zip archive into the CodeQL directory, e.g. D:/programs/codeql-home/codeql

  4. Add CodeQL to Path.

    • Windows

      1. Go to Control Panel\System and Security\System
      2. Click on Advanced System Settings
      3. Click on Environment Variables
      4. Edit Path under both User variables and System variables
      5. Click on New and add the CodeQL directory, e.g. D:/programs/codeql-home/codeql
    • Linux

      $ export PATH=/opt/codeql:$PATH

      This only affects the current shell; add the same line to your shell profile (for example ~/.profile or ~/.bashrc) to make it permanent.
  5. Verify your CodeQL CLI setup.

    $ codeql --help
  6. Download & Install the CodeQL VSCode Extension. (Optional)

Install MariaDB & Neo4J

Installation with Docker (Recommended)
$ docker run -p 3306:3306 -d -v "$PWD/G8/backend/init.sql:/docker-entrypoint-initdb.d/init.sql" --env MYSQL_ROOT_PASSWORD=secret docker.io/library/mariadb:10
$ docker run -p 7474:7474 -p 7687:7687 -d -v $HOME/neo4j/data:/data --env NEO4J_AUTH=neo4j/s3cr3t neo4j:4.2.7

Run these from the directory that contains G8/: a bind mount needs an absolute host path, and init.sql must be mounted as a file inside /docker-entrypoint-initdb.d/, because the MariaDB entrypoint runs the *.sql files it finds in that directory on the container's first start (mounting the file onto the directory itself fails). The passwords secret and s3cr3t are placeholders: choose your own, use the same values in the backend configuration file, and on a shared host prefix the published ports with 127.0.0.1: so the databases are not reachable from other machines.

Install Manually
  1. Download & Install the latest version of MariaDB
  2. Verify MariaDB is installed by running the following command
$ sudo service mysql status
  3. Download & Install the latest version of Neo4J Community Server
  4. Verify Neo4J is installed by visiting http://localhost:7474.

Configuration

You can optionally edit the configuration file depending on your needs:

Backend Configuration File

Setup and start the frontend

$ cd G8/frontend
$ yarn install
$ yarn start

Setup and start the backend

$ cd G8/backend
$ yarn install
$ yarn start

License

The version of CodeQL used by G8 is subject to the CodeQL Research Terms & Conditions.

By using G8, you agree to GitHub CodeQL Terms and Conditions. If you do not accept these Terms, do not download, install, use, or copy the Software.

Acknowledgements