Installation and configuration
Download the CLI binaries
Download the build for your operating system, then add the directory containing the codeql CLI executable to your PATH environment variable.
Releases · github/codeql-cli-binaries · GitHub
Download the CodeQL standard library and add the whole directory to your VS Code workspace:
https://github.com/github/codeql
Install the VS Code extension
Install the CodeQL extension and configure the path to the CLI in its settings.
Trying out a demo
Generate the analysis database
git clone https://github.com/JoyChou93/java-sec-code
cd java-sec-code
codeql database create qldb-test --language=java
Import it into VS Code
Choose "From a folder" and select the qldb-test database we just created.
Once imported, qldb-test appears in the Databases view.
Then create a new directory in the workspace (any name), create a query file (any name, e.g. javaseccode-sqlinjectquery.ql) in it, and create a qlpack.yml next to it.
qlpack.yml contents:
name: demo-query
version: 0.0.0
libraryPathDependencies: codeql-java
Query (.ql) contents (the original omitted the TaintTracking import that TaintTracking::Configuration requires; it is added here, and the code is re-indented and commented):
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources

class SqlinjectConfiguration extends TaintTracking::Configuration {
  SqlinjectConfiguration() { this = "java-sec-code SqlinjectConfiguration" }

  // Sources: any data arriving from a remote client (HTTP parameters, headers, bodies, ...)
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sinks: the first argument of the three deliberately vulnerable UserMapper methods
  override predicate isSink(DataFlow::Node sink) {
    exists(Call call |
      sink.asExpr() = call.getArgument(0) and
      call.getCallee().getQualifiedName() =
        [
          "UserMapper.findByUserNameVuln01", "UserMapper.findByUserNameVuln02",
          "UserMapper.findByUserNameVuln03"
        ]
    )
  }

  // Sanitizer: a value passed through sqlFilter() is treated as clean and taint stops there
  override predicate isSanitizer(DataFlow::Node node) {
    exists(Call call |
      node.asExpr() = call.getArgument(0) and
      call.getCallee().getName() = "sqlFilter"
    )
  }
}

from SqlinjectConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink
where dataflow.hasFlow(source, sink)
select source, sink
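As an added example (not part of the original post), the same configuration rewritten as a path-problem query, so that VS Code renders every intermediate step from the remote source to the mapper call instead of only the two endpoints; it also generalizes the sink to any UserMapper method named findByUserNameVuln* by name pattern rather than a fixed list. The @name, @id and result message are assumptions chosen for this example.

```ql
/**
 * @name SQL injection in java-sec-code (with flow path)
 * @kind path-problem
 * @id java/demo/java-sec-code-sqli-path
 */

import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
// Provides the nodes/edges relations that a path-problem query must expose
import DataFlow::PathGraph

class SqlinjectPathConfiguration extends TaintTracking::Configuration {
  SqlinjectPathConfiguration() { this = "java-sec-code SqlinjectPathConfiguration" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sink: first argument of any UserMapper.findByUserNameVulnNN call, matched by name
  // pattern so additional demo sinks in the project are picked up automatically.
  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma |
      sink.asExpr() = ma.getArgument(0) and
      ma.getMethod().getDeclaringType().hasName("UserMapper") and
      ma.getMethod().getName().matches("findByUserNameVuln%")
    )
  }

  // Sanitizer: values that went through sqlFilter() do not propagate taint further
  override predicate isSanitizer(DataFlow::Node node) {
    exists(MethodAccess ma |
      node.asExpr() = ma.getArgument(0) and
      ma.getMethod().hasName("sqlFilter")
    )
  }
}

from SqlinjectPathConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Untrusted input from $@ reaches a SQL query without passing through sqlFilter.",
  source.getNode(), "this remote source"
```

With @kind path-problem, each result in the CodeQL results view expands into the full list of flow steps, which is what you want when deciding whether a finding is real or whether a sanitizer is simply missing from the configuration.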
Run the query
Result
After clicking Run, VS Code jumps to the corresponding source location, where we find the spot that may contain the vulnerability.
References: