github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

[Question] Is cross-repo taint analysis in Java possible? #12300

Open chmodxxx opened 1 year ago

chmodxxx commented 1 year ago

Hello, we perform CodeQL Java analysis on some repos, and when the referenced package comes from another repo we lose information.

I was wondering if it's possible to perform cross-repo analysis, and what that would look like? I wonder if a DB build of multiple repos is possible, and whether that is the best solution?

jketema commented 1 year ago

Hi @chmodxxx, thanks for your question.

CodeQL does not have facilities to do analysis across repositories. The best way to work around this is to create a source directory that includes the code from both repositories and run database create on the combined source directory.

jflo commented 1 year ago

I'm interested in tracking taint from hyperledger/besu to apache/incubator-tuweni, which are both multi-module Gradle projects. Has anyone attempted to create a database that spans two large Gradle projects?
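The workaround jketema describes (one source root, one database create) applied to the two Gradle projects jflo names, as an added example that is not part of this thread or of the CodeQL project: it checks out both repositories side by side, writes a wrapper that builds each project in turn so the Java extractor observes every compilation, and assembles the codeql database create invocation. The repository URLs and file names are assumptions, as is that the Gradle builds resolve the cross-repo dependency to the sibling checkout (for instance via a composite build); if it still resolves to a published jar, taint stops at the jar boundary because there is no source for the extractor to see.

```shell
#!/bin/sh
# Added example (not from the CodeQL project or this thread): build one CodeQL
# database over two Java repositories checked out side by side, so taint can be
# tracked from one into the other. Repository URLs and the wrapper name are
# assumptions; the Gradle builds are assumed to resolve the cross-repo
# dependency to the sibling source tree rather than to a published jar.
set -eu

SRC_ROOT="${SRC_ROOT:-$PWD/combined-src}"
DB_DIR="${DB_DIR:-$PWD/combined-db}"

# Check out every repository given as an argument as a sibling under SRC_ROOT.
fetch_sources() {
  mkdir -p "$SRC_ROOT"
  for repo in "$@"; do
    name=$(basename "$repo" .git)
    [ -d "$SRC_ROOT/$name" ] || git clone --depth 1 "$repo" "$SRC_ROOT/$name"
  done
}

# Write one build script that compiles each Gradle project under SRC_ROOT in
# sequence; CodeQL's Java extractor records the javac runs this triggers.
# Prints the wrapper's path.
write_build_wrapper() {
  wrapper="$SRC_ROOT/build-all.sh"
  {
    echo '#!/bin/sh'
    echo 'set -e'
    for dir in "$SRC_ROOT"/*/; do
      [ -x "$dir/gradlew" ] || continue
      echo "(cd \"$dir\" && ./gradlew --no-daemon compileJava)"
    done
  } > "$wrapper"
  chmod +x "$wrapper"
  echo "$wrapper"
}

# Assemble the single database create command over the combined source root.
# Returned as a string so it can be inspected before it is run.
codeql_create_cmd() {
  printf 'codeql database create "%s" --language=java --source-root="%s" --command="%s/build-all.sh"\n' \
    "$DB_DIR" "$SRC_ROOT" "$SRC_ROOT"
}

# Set RUN_CODEQL=1 to perform the checkout and the database build for real.
if [ "${RUN_CODEQL:-0}" = 1 ]; then
  fetch_sources https://github.com/hyperledger/besu.git \
                https://github.com/apache/incubator-tuweni.git
  write_build_wrapper >/dev/null
  eval "$(codeql_create_cmd)"
fi
```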