aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Collect CodeQL queries for detecting specific vulnerabilities #215

Open sbs2001 opened 4 years ago

sbs2001 commented 4 years ago

https://github.com/github/codeql is a project by GitHub which is, to put it simply, SQL for codebases. CodeQL queries are used by LGTM for static analysis of bad code practices.

The more interesting use of CodeQL is in finding security vulnerabilities. The way this works is you run a query designed to find, say, CVE-a on any codebase, and CodeQL determines whether the query is satisfied by the codebase (if yes, then the codebase is vulnerable to CVE-a).

Check this tweet. https://twitter.com/ghsecuritylab/status/1258077647030022144

We should collect such queries and link them to Vulnerability objects. See https://github.com/github/codeql/tree/master/python/ql/src/Security/CVE-2018-1281, https://github.com/github/codeql/tree/master/java/ql/src/Security/CWE, https://blog.mozilla.org/security/2019/11/14/adding-codeql-and-clang-to-our-bug-bounty-program/

pombredanne commented 4 years ago

That's quite interesting. Can you ask and find out where all the "queries" can be found? Are they open too?

sbs2001 commented 4 years ago

@pombredanne they provide queries for many of them for each language to detect CWEs (not CVEs). I find this definition of CWE made the most sense to me, so sharing it here.

CWE refers to the types of software weaknesses, rather than specific instances of vulnerabilities within products or systems. Essentially, CWE is a “dictionary” of software vulnerabilities, while CVE is a list of known instances of vulnerability for specific products or systems.

NVD provides the CWE for each CVE, so mapping the queries would be something like query->CWE->CVE

https://github.com/github/codeql/tree/master/java/ql/src/Security/CWE, https://github.com/github/codeql/tree/master/python/ql/src/Security, https://github.com/github/codeql/tree/master/javascript/ql/src/Security, https://github.com/github/codeql/tree/master/csharp/ql/src/Security%20Features, https://github.com/github/codeql/tree/master/cpp/ql/src/Security/CWE.

You can also check https://hackerone.com/github-security-lab, which tells bounty hunters to open PRs at the codeql repo. They also have PRs like https://github.com/github/codeql/pull/3423
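As an added illustration of the query->CWE->CVE mapping sketched above (example code, not part of this thread or of the vulnerablecode project): it pulls the CWE tags out of a CodeQL query header and joins them to NVD-style per-CVE CWE lists. The QLDoc header layout and the external/cwe/cwe-NNN tag convention are the ones used in github/codeql; the query text and the CVE records below are constructed placeholders.

```python
import re

# Constructed sample .ql header (not from github/codeql). Queries there mark the
# weakness they detect with "external/cwe/cwe-NNN" tags in the QLDoc block.
SAMPLE_QL = """/**
 * @name Reflected cross-site scripting
 * @description Writing user input directly to a web page allows XSS.
 * @kind path-problem
 * @problem.severity error
 * @id py/reflective-xss
 * @tags security
 *       external/cwe/cwe-079
 *       external/cwe/cwe-116
 */
import python
"""

# Constructed CVE records shaped like NVD's per-CVE CWE list. Placeholder
# identifiers only; these are not real CVE-to-CWE assignments.
SAMPLE_NVD = {
    "CVE-0000-0001": ["CWE-79"],
    "CVE-0000-0002": ["CWE-116", "CWE-20"],
    "CVE-0000-0003": ["CWE-89"],
}

CWE_TAG_RE = re.compile(r"external/cwe/cwe-(\d+)", re.IGNORECASE)
QUERY_ID_RE = re.compile(r"@id\s+(\S+)")


def query_cwes(ql_source):
    """Return (query id, set of CWE ids) from the leading QLDoc block of a .ql file.
    CodeQL zero-pads the number (cwe-079) while NVD writes CWE-79, so the id is
    normalised through int() before the two sides can be joined."""
    header = ql_source.split("*/", 1)[0]
    id_match = QUERY_ID_RE.search(header)
    query_id = id_match.group(1) if id_match else None
    cwes = {"CWE-%d" % int(n) for n in CWE_TAG_RE.findall(header)}
    return query_id, cwes


def cves_for_query(ql_source, nvd_records):
    """Link a query to every CVE that NVD files under one of the query's CWEs.
    This is a weakness-class link (query -> CWE -> CVE), not evidence that the
    query detects the specific bug behind each CVE."""
    query_id, cwes = query_cwes(ql_source)
    cves = sorted(cve for cve, cwe_ids in nvd_records.items() if cwes & set(cwe_ids))
    return query_id, cves
```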

pombredanne commented 4 years ago

It looks like codeql (the runtime engine) is NOT open source: see https://securitylab.github.com/tools/codeql/license and https://github.com/github/codeql-cli-binaries. So unless we gain explicit authorization from GitHub, I would not be too comfy with using this.