|
| 1 | +# Custom CodeQL Bundle |
| 2 | + |
| 3 | +The Custom CodeQL Bundle repository can be used in combination with GitHub |
| 4 | +Actions to automate customizing the behavior of the queries in the CodeQL |
| 5 | +standard library for a variety of target languages. It is currently considered |
| 6 | +the best practice for customizing the built-in CodeQL queries. |
| 7 | + |
| 8 | +At current this repository will work with the following languages: |
| 9 | + |
| 10 | +- Java |
| 11 | +- Javascript |
| 12 | +- Python |
| 13 | +- C# |
| 14 | +- Go |
| 15 | + |
| 16 | +Support for Ruby is being added. |
| 17 | + |
| 18 | +# Using the Custom CodeQL Bundle |
| 19 | + |
| 20 | +Using the Custom CodeQL bundle involves two main steps: |
| 21 | + |
| 22 | +1. Creating a copy of the `custom-codeql-bundle` repository within your |
| 23 | + organization. |
| 24 | +2. Modifying your CodeQL action to retrieve your custom bundle during query |
| 25 | + execution. |
| 26 | + |
| 27 | +The tooling within this repository takes care of combining your customizations |
| 28 | +here with the main codeql-bundle distribution. It uses the `Customizations.qll` |
| 29 | +mechanism which ensures that upstream changes are never made, thus making it |
| 30 | +possible to rebase your clone of this repository on newer versions of CodeQL |
| 31 | +without conflict. |
| 32 | + |
| 33 | +1. To use this repository, first start by clicking the `Use This Template` button |
| 34 | +on github.com interface located here: |
| 35 | +https://github.com/advanced-security/custom-codeql-bundle |
| 36 | + |
| 37 | +This will allow you to create a copy of this repository that you will customize |
| 38 | +with your additions. |
| 39 | + |
| 40 | +2. Modify `bundles.json` in the root of this repository. This controls the |
| 41 | + CodeQL version that will be used with your queries. |
| 42 | + |
| 43 | +3. Add your customizations to the `customizations/<language>` directory within |
| 44 | + the root of this repository. You may add as many independent `.qll` |
| 45 | + files in these directories as you wish. They will be combined and added to |
| 46 | + the appropriate extension points within your target language. |
| 47 | + |
| 48 | +4. Modify your `codeql-analysis.yml` file to point at your custom bundle. Please |
| 49 | + see the following file for an example: https://github.com/advanced-security/custom-codeql-bundle-test/blob/develop/.github/workflows/codeql-analysis.yml |
| 50 | + |
| 51 | +The relevant portion of that file when the CodeQL bundle repository is private is the following: |
| 52 | + |
| 53 | +```yml |
| 54 | +steps: |
| 55 | + - name: Download CodeQL bundle |
| 56 | + env: |
| 57 | + GITHUB_TOKEN: ${{ secrets.CODEQL_BUNDLE_PAT }} |
| 58 | + run: | |
| 59 | + # Download custom CodeQL bundle as codeql-bundle.tar.gz |
| 60 | + gh release -R <your-clone-of-custom-codeql-bundle> download <tag> |
| 61 | + # Initializes the CodeQL tools for scanning. |
| 62 | + - name: Initialize CodeQL |
| 63 | + uses: github/codeql-action/init@v1 |
| 64 | + with: |
| 65 | + languages: ${{ matrix.language }} |
| 66 | + # Specify the use of our custom CodeQL bundle |
| 67 | + tools: codeql-bundle.tar.gz |
| 68 | +``` |
| 69 | +
|
| 70 | +In the above, you set the location of your bundle as well as the tag. |
| 71 | +
|
| 72 | +If the CodeQL bundle repository is public, or the bundle is stored in a public location, then we can directly specify it in the `tools` configuration like: |
| 73 | + |
| 74 | +```yml |
| 75 | +steps: |
| 76 | + # Initializes the CodeQL tools for scanning. |
| 77 | + - name: Initialize CodeQL |
| 78 | + uses: github/codeql-action/init@v1 |
| 79 | + with: |
| 80 | + languages: ${{ matrix.language }} |
| 81 | + # Specify the use of our custom CodeQL bundle |
| 82 | + tools: https://<url>/<version>/codeql-bundle.tar.gz |
| 83 | +``` |
| 84 | + |
| 85 | +Where `<version>` follows the versioning scheme used in the `bundles.json` |
| 86 | + |
| 87 | +Once these steps are performed, you will be able to analyze your project using |
| 88 | +your custom CodeQL bundle with your customizations in place. |
| 89 | + |
| 90 | +To get an idea of the sorts of customizations that are possible, please |
| 91 | +see: |
| 92 | + |
| 93 | +- https://codeql.github.com/docs/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript/ |
| 94 | +- https://codeql.github.com/docs/codeql-language-guides/analyzing-data-flow-in-csharp/#flow-sources |
| 95 | +- https://codeql.github.com/docs/codeql-language-guides/modeling-data-flow-in-go-libraries/#sources |
| 96 | +- https://codeql.github.com/docs/codeql-language-guides/analyzing-data-flow-in-java/#flow-sources |
| 97 | +- https://codeql.github.com/docs/codeql-language-guides/analyzing-data-flow-in-python/#predefined-sources-and-sinks |
| 98 | + |
| 99 | + |
| 100 | +# Limitations |
| 101 | + |
| 102 | +This repository may be used to refine the behavior of the out of the box queries |
| 103 | +by: |
| 104 | +- Extending existing [abstract classes](https://codeql.github.com/docs/ql-language-reference/types/#abstract-classes) |
| 105 | +- Adding additional sinks and sources specific to your organization |
| 106 | + |
| 107 | +It may not be used for replacing classes within CodeQL. |
| 108 | + |
| 109 | +# Contributing |
| 110 | + |
| 111 | +Please direct your contributions to us by opening up a pull request. |
| 112 | + |
| 113 | + |
0 commit comments