下载Cli文件
根据不同操作系统下载,下载后配置到cli可执行文件到环境变量
Releases · github/codeql-cli-binaries · GitHub
下载codeql 的标准库,并且将整个目录添加到VScode工作区
https://github.com/github/codeql
VScode下载插件
下载codeQL插件并且配置cli路径
生成分析库
git clone https://github.com/JoyChou93/java-sec-code
cd java-sec-code
codeql database create qldb-test --language=java
导入到vscode
from a folder选择我们刚才创建好的qldb-test
导入我们生成的qldb-test
然后在工作去新建目录;名字随机);创建文件;名字随机)javaseccode-sqlinjectquery.ql;创建qlpack.yml
yml内容
name: demo-query version: 0.0.0 libraryPathDependencies: codeql-java
ql内容
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
class SqlinjectConfiguration extends TaintTracking::Configuration{
SqlinjectConfiguration() {
this = ;java-sec-code SqlinjectConfiguration;
}
override predicate isSource(DataFlow::node source){
source instanceof RemoteFlowSource
}
override predicate isSink(DataFlow::Node sink){
exists(Call call |
sink.asExpr() = call.getArgument(0) and
call.getCallee().getQualifiedName() = [;UserMapper.findByUserNameVuln01;,;UserMapper.findByUserNameVuln02;,;UserMapper.findByUserNameVuln03;]
)
}
override predicate isSanitizer(DataFlow::Node sink){
exists(Call call |
sink.asExpr() = call.getArgument(0) and
call.getCallee().toString() = ;sqlFilter;
)
}
}
from SqlinjectConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink
where dataflow.hasFlow(source, sink)
select source,sink
执行ql
运行结果
点击运行后跳转到了对应源码处;找对对应的可能存在漏洞的位置
参考;
codeql白盒代码审计工具初体验
