Download the CLI
Download the CLI build for your operating system, then add the directory containing the codeql executable to your PATH so it can be run from any shell.
Releases · github/codeql-cli-binaries · GitHub (https://github.com/github/codeql-cli-binaries/releases)
Download the CodeQL standard library and add the whole directory to the VS Code workspace. Check out a tag that matches your CLI release; the query on this page uses the older TaintTracking::Configuration class API, which newer versions of the Java library have replaced, so a mismatched checkout will fail to compile the query.
https://github.com/github/codeql
Install the VS Code extension
Install the CodeQL extension for VS Code and point it at the CLI you downloaded (the codeQL.cli.executablePath setting).
Generate the analysis database
git clone https://github.com/JoyChou93/java-sec-code
cd java-sec-code
codeql database create qldb-test --language=java
Java extraction runs during compilation, so the project must build: java-sec-code is a Maven project and CodeQL's autobuilder will invoke Maven, which needs a JDK and network access for dependencies. If autobuild fails, pass your own build step with --command, for example --command="mvn clean package -DskipTests".
Import into VS Code
In the CodeQL extension's Databases view choose "From a folder" and select the qldb-test directory created above.
Then create a new directory in the workspace (any name). Inside it create a query file (any name, here javaseccode-sqlinjectquery.ql) and a qlpack.yml; the qlpack.yml is what lets the extension resolve the standard library imports.
qlpack.yml content
name: demo-query
version: 0.0.0
libraryPathDependencies: codeql-java
libraryPathDependencies is the legacy dependency syntax that resolves codeql-java from the cloned github/codeql checkout in the workspace; with recent CLI and library versions the equivalent is a dependencies: section listing codeql/java-all instead.
Query content
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources

class SqlinjectConfiguration extends TaintTracking::Configuration {
  SqlinjectConfiguration() { this = "java-sec-code SqlinjectConfiguration" }

  // Source: any remote input (request parameters, headers, bodies, ...) the standard library models
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sink: the first argument of the three vulnerable MyBatis mapper methods
  override predicate isSink(DataFlow::Node sink) {
    exists(Call call |
      sink.asExpr() = call.getArgument(0) and
      call.getCallee().getQualifiedName() =
        [
          "UserMapper.findByUserNameVuln01", "UserMapper.findByUserNameVuln02",
          "UserMapper.findByUserNameVuln03"
        ]
    )
  }

  // Sanitizer: a value passed through sqlFilter is treated as clean and stops the taint path
  override predicate isSanitizer(DataFlow::Node node) {
    exists(Call call |
      node.asExpr() = call.getArgument(0) and
      call.getCallee().toString() = "sqlFilter"
    )
  }
}

from SqlinjectConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink
where dataflow.hasFlow(source, sink)
select source, sink
Run the query
Results
Clicking a result jumps to the corresponding source location, i.e. the spot where the injection may be present. Because the query only selects source and sink, the result view shows the two endpoints but not the intermediate steps; a path-problem query is needed to see the full taint path.
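The same detection written as a path-problem query, added here as an example and not part of the original post or the java-sec-code project. It keeps the page's source, sink and sanitizer (UserMapper.findByUserNameVuln01..03 and sqlFilter are the names the page uses) but matches the sink by declaring type and method-name prefix instead of a qualified-name string, and uses the PathGraph so the VS Code result view shows every step from the HTTP parameter to the mapper call. The query id, class name and message text are the example's own choices; it assumes the same legacy TaintTracking::Configuration API as the page's query, and that the Java library still exposes MethodAccess (renamed MethodCall in the newest releases).

```ql
/**
 * @name SQL injection into java-sec-code UserMapper (path query)
 * @description Remote input reaching the vulnerable UserMapper methods, with the full taint path.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/java-sec-code-sqli-path
 */

import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph

// Example configuration (assumed name), same legacy class API as the page's query.
class SqliPathConfig extends TaintTracking::Configuration {
  SqliPathConfig() { this = "java-sec-code SqliPathConfig" }

  // Source: every remote input modeled by the standard library (Spring @RequestParam, servlet getParameter, ...)
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sink: first argument of any UserMapper.findByUserNameVuln* method.
  // Matching on declaring type + name prefix avoids a brittle string list
  // and still excludes the safe findById / findByUserName variants.
  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma |
      ma.getMethod().getDeclaringType().hasName("UserMapper") and
      ma.getMethod().getName().matches("findByUserNameVuln%") and
      sink.asExpr() = ma.getArgument(0)
    )
  }

  // Sanitizer: the value handed to sqlFilter (name taken from the page) is treated as clean.
  // Note this only trusts sqlFilter's own logic; if that filter is weak the finding is suppressed anyway.
  override predicate isSanitizer(DataFlow::Node node) {
    exists(MethodAccess ma |
      ma.getMethod().hasName("sqlFilter") and
      node.asExpr() = ma.getArgument(0)
    )
  }
}

from SqliPathConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "SQL injection: this mapper argument is built from $@.", source.getNode(), "remote input"
```

Save it in the same directory as qlpack.yml and run it from the VS Code command "CodeQL: Run Query on Selected Database"; each result now expands into the list of flow steps. Outside the editor the same query runs against the database with the CLI, for example codeql database analyze qldb-test path/to/query.ql --format=sarif-latest --output=results.sarif, which produces SARIF that code-scanning tooling can ingest.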
Reference:
codeql白盒代码审计工具初体验 (A first look at CodeQL as a white-box code-audit tool)