Open CaledoniaProject opened 3 years ago
I guess you resolved it, since the ticket is closed again, but FTR the above worked fine for me (on MacOS, using latest CodeQL CLI).
The WebGoat project uses "lombok" which isn't supported by CodeQL. We analyzed WebGoat on LGTM.com: https://lgtm.com/projects/g/WebGoat/WebGoat using a custom configuration to first rewrite the "lombok" code to plain Java. This is the script that we use on LGTM:
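```shell
# Drop one "../" level from <outputDirectory> in the lessons POM
perl -pi -e 's/(\<outputDirectory\>\.\.\/)\.\.\//$1/' webgoat-lessons/pom.xml
# Fetch Lombok and rewrite the sources to plain Java
wget https://projectlombok.org/downloads/lombok.jar -O "$TMP/lombok.jar"
java -jar "$TMP/lombok.jar" delombok -n --onlyChanged . -d "$TMP/delombok"
# Strip the delombok marker comments and the leftover Lombok imports
find "$TMP/delombok" -name '*.java' -exec sed '/Generated by delombok/d' -i '{}' ';'
find "$TMP/delombok" -name '*.java' -exec sed '/import lombok/d' -i '{}' ';'
# Copy the delomboked sources over the originals
cp -r "$TMP/delombok/." "$SRC_ROOT/"
```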
Note that you can fetch a recent CodeQL database directly from LGTM.com: https://lgtm.com/projects/g/WebGoat/WebGoat/ci/#ql
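A pre-flight check for the delombok step in the script above, added here as an example and not part of the LGTM configuration or the CodeQL CLI: it lists the `.java` files that still carry a Lombok import or a delombok marker line, so you can confirm the tree is plain Java before building a database. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names). The patterns cover the two things
# the delombok post-processing deletes: Lombok imports and marker comments.
LOMBOK_IMPORT='^[[:space:]]*import[[:space:]]+(static[[:space:]]+)?lombok\.'
DELOMBOK_MARKER='Generated by delombok'

# Print every .java file under $1 that still matches either pattern.
lombok_residue() {
    find "$1" -type f -name '*.java' \
        -exec grep -lE "$LOMBOK_IMPORT|$DELOMBOK_MARKER" {} + 2>/dev/null | sort
}

# Number of such files; 0 means nothing this check looks for remains.
lombok_residue_count() {
    lombok_residue "$1" | wc -l | tr -d ' '
}

# Return 0 when the tree is clean, 1 (with the file list on stderr) otherwise.
check_delomboked() {
    n=$(lombok_residue_count "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n file(s) still reference Lombok:" >&2
        lombok_residue "$1" >&2
        return 1
    fi
    echo "no Lombok imports or delombok markers under $1"
}

# Constructed sample tree: two files with residue, one plain Java file,
# and a non-Java file that must be ignored. Prints the temp directory path.
make_sample_tree() {
    t=$(mktemp -d) && mkdir -p "$t/a" "$t/b"
    printf 'import lombok.Data;\n@Data\nclass User { String name; }\n' > "$t/a/User.java"
    printf 'class Plain {}\n' > "$t/a/Plain.java"
    printf '// Generated by delombok\nclass Gen {}\n' > "$t/b/Gen.java"
    printf 'import lombok.Data;\n' > "$t/a/notes.txt"
    echo "$t"
}

# Usage: sh check.sh /path/to/source/root
if [ "$#" -gt 0 ]; then check_delomboked "$1"; fi
```

The check only looks for imports and marker lines, so fully qualified `@lombok.` annotations without an import would not be reported.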
I need more help.
Now I'm trying to use the query locally on the database: https://lgtm.com/query/7918265909994268987/ First error is qlpack undefined, so I downloaded https://github.com/github/vscode-codeql-starter and started from there instead. The second error is none of SqlInjectionLib, QueryInjectionSink or queryTaintedBy could be resolved, where is it defined?
Did you run `git submodule update --init --remote`? The query can be found at `vscode-codeql-starter/ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql`
Yes, I did run that command. I'm wondering how codeql manages its dependencies?
I've tried to create example.ql in both codeql-custom-queries-java and ql/java/ql, none of those worked.
Am I supposed to place my query in `vscode-codeql-starter/ql/java/ql/src/Security/CWE/CWE-089/` directly?
I was under the impression that you just wanted to run the standard `SqlTainted.ql` query. You can just run it in-place. This query uses a helper library `SqlInjectionLib.qll`. This library is not part of the standard library "qlpack", so other queries cannot use it. The standard library for Java is defined in `vscode-codeql-starter/ql/java/ql/src` and the standard queries can be found in another "qlpack" in `vscode-codeql-starter/ql/java/ql/src`. CodeQL packs may depend on "library" packs, but should not depend on other "query" packs.
If you want to make a modified version of `SqlTainted.ql` then a quick workaround would indeed be to put your query into `vscode-codeql-starter/ql/java/ql/src/Security/CWE/CWE-089/` which would make your query part of the standard query pack. A better solution would be to define your query in `codeql-custom-queries-java` and copy/inline the bits of the `SqlInjectionLib.qll` file that you need.
Problems
I'm trying to build codeql with Webgoat. mvn build succeeds, but no source code is detected
Steps to reproduce
Results