github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

General issue - python default query suite not giving any results #12156

Closed billquan closed 1 year ago

billquan commented 1 year ago

Hi,

I'm trying to use the CodeQL CLI for vulnerability detection for Python programs. I tried out the default query suite codeql\python-queries\0.6.2 on the example cases of CWE-22 (https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/src/Security/CWE-022/examples), but it produced an empty output file.

I'm using the following commands:

  1. codeql database create "example/database/location" --language=python
  2. codeql pack download codeql/python-queries
  3. codeql database analyze "example/database/location" --format csv --output "xxx\codeql_results.csv" codeql/python-queries

Is there any problem?

RasmusWL commented 1 year ago

Hi @billquan. Those examples are mainly for including in the query help (such as https://codeql.github.com/codeql-query-help/python/py-path-injection/), so sometimes proper imports have not been included.

We have dedicated tests for all our queries. For example, you can find the tests for the path injection query here: https://github.com/github/codeql/tree/main/python/ql/test/query-tests/Security/CWE-022-PathInjection

It's certainly better if the examples are written in a way where they are not only helpful for humans, but also the queries are able to highlight the problems. I'll take a look at these in particular, to improve the matter -- but in general I would recommend you use the test folders for testing out the queries :wink:

RasmusWL commented 1 year ago

Closing this question now. Feel free to reopen if you have more questions on this topic.

billquan commented 1 year ago

Hi @RasmusWL. It seems the default python query suite does not give any results on the tests either. I followed the same steps.

  1. codeql database create "example/database/location" --language=python
  2. codeql pack download codeql/python-queries
  3. codeql database analyze "example/database/location" --source-root "xxx\codeql\python\ql\test\query-tests\Security\CWE-117-LogInjection" --format csv --output "xxx\codeql_results.csv" codeql/python-querie

Do you have any idea what is wrong, or how can I debug to find out what's wrong? Thank you!

RasmusWL commented 1 year ago

Hi @billquan, it's simply because the log injection query is not part of the default query suite.

You can check this by running the following two commands and seeing that only the second has a result.

$ codeql resolve queries python/ql/src/codeql-suites/python-code-scanning.qls 2>/dev/null | grep -i loginjection
$ codeql resolve queries python/ql/src/codeql-suites/python-security-extended.qls 2>/dev/null | grep -i loginjection

If you want to run a specific query against a database, you can always use codeql database analyze <database> <query>.
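A third option, as an added example that is not part of the thread or of the CodeQL project's own files, is a custom query suite that keeps the default code-scanning queries and adds the log injection query, so one `codeql database analyze` run covers both. It assumes the log injection query lives at `Security/CWE-117/LogInjection.ql` inside the `codeql/python-queries` pack (the thread only names its test directory, `CWE-117-LogInjection`); check the path with `codeql resolve queries` before relying on it.

```yaml
# custom-python-suite.qls (constructed example; save it anywhere and pass its
# path to `codeql database analyze <database> custom-python-suite.qls ...`)
- description: Default Python code-scanning suite plus the CWE-117 log injection query

# Everything the default suite runs, taken from the installed query pack.
- import: codeql-suites/python-code-scanning.qls
  from: codeql/python-queries

# The query that is only in python-security-extended.qls; the path is an
# assumption, verify it with:
#   codeql resolve queries python-security-extended.qls | grep -i loginjection
- query: Security/CWE-117/LogInjection.ql
  from: codeql/python-queries
```

`codeql resolve queries custom-python-suite.qls` lists exactly what the suite will run, which is the quickest way to confirm the extra query was picked up before analyzing a database.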