CodeQL is GitHub's expressive language and engine for code analysis, which allows you to explore source code to find bugs and security vulnerabilities. During these beginner-friendly workshops, you will learn to write queries in CodeQL and find known security vulnerabilities in open-source Java and JavaScript projects.
There are two workshops on this topic. Both will cover the basics of writing queries in CodeQL. The first will focus on Java, and the second will focus on JavaScript.
Please complete the Prerequisites section (below) before the workshop. The following links contain the content that will be covered during the workshop:
- Thursday May 7 / 7:00am PDT: Finding security vulnerabilities in Java with CodeQL
- Thursday May 7 / 9:30am PDT: Finding security vulnerabilities in JavaScript with CodeQL
- Install Visual Studio Code.
- Install the CodeQL extension for Visual Studio Code.
- You do not need to install the CodeQL CLI: the extension will handle this for you.
- Set up the CodeQL starter workspace.
- Important: Don't forget to use
git clone --recursive
orgit submodule update --init --remote
to update the submodules when you clone this repository. This allows you to obtain the standard CodeQL query libraries. - Open the starter workspace in Visual Studio Code: File > Open Workspace > Browse to
vscode-codeql-starter/vscode-codeql-starter.code-workspace
in your checkout of the starter workspace.
- Important: Don't forget to use
- Download and add the CodeQL database to be used in the workshop:
- If you are attending Finding security vulnerabilities in Java with CodeQL, please download this CodeQL database.
- If you are attending Finding security vulnerabilities in JavaScript with CodeQL, please download this CodeQL database
- Unzip the database.
- Import the unzipped database into Visual Studio Code:
- Click the CodeQL icon in the left sidebar.
- Place your mouse over Databases, and click the
+
sign that appears on the right. - Choose the unzipped database directory on your filesystem.