CodeQL - experiential notes for code audits, bug-hunts and CI/CD

CodeQL - variant analysis

Semmle's (now GitHub / Microsoft) CodeQL is a tool-set for Variant Analysis[1], which has been free for open-source development and research since Q4 2019.

Variant Analysis bundles several code-analysis techniques for the purpose of finding vulnerabilities in software code.

In contrast to GNU grep, which can also be used for the most basic Static Application Security Testing (SAST) of program code, Variant Analysis techniques perform a deeper analysis that takes program state and semantics into account.

Obviously there are more advanced SAST approaches than grep; they are out of scope for this Wiki article unless we reference them for a side-by-side comparison.

CodeQL can be used in Microsoft VSCode[2] on Linux, Windows and macOS[3].

Hands-on lab results

The following section is reduced to hands-on notes.

CodeQL setup

CodeQL CLI

mintbox :: Source/codeql-home/codeql » ./codeql resolve languages
cpp (/Users/marius.ciepluch/Source/codeql-home/codeql/cpp)
csharp (/Users/marius.ciepluch/Source/codeql-home/codeql/csharp)
go (/Users/marius.ciepluch/Source/codeql-home/codeql/go)
java (/Users/marius.ciepluch/Source/codeql-home/codeql/java)
javascript (/Users/marius.ciepluch/Source/codeql-home/codeql/javascript)
python (/Users/marius.ciepluch/Source/codeql-home/codeql/python)

And for qlpacks (queries):

mintbox :: ~/Source/codeql-home » codeql/codeql resolve qlpacks
codeql-cpp (/Users/marius.ciepluch/Source/codeql-home/ql/cpp/ql/src)
codeql-cpp-tests (/Users/marius.ciepluch/Source/codeql-home/ql/cpp/ql/test)
codeql-cpp-upgrades (/Users/marius.ciepluch/Source/codeql-home/ql/cpp/upgrades)
codeql-csharp (/Users/marius.ciepluch/Source/codeql-home/ql/csharp/ql/src)
codeql-csharp-tests (/Users/marius.ciepluch/Source/codeql-home/ql/csharp/ql/test)
codeql-csharp-upgrades (/Users/marius.ciepluch/Source/codeql-home/ql/csharp/upgrades)
codeql-go (/Users/marius.ciepluch/Source/codeql-home/codeql-go/ql/src)
codeql-go-tests (/Users/marius.ciepluch/Source/codeql-home/codeql-go/ql/test)
codeql-go-upgrades (/Users/marius.ciepluch/Source/codeql-home/codeql-go/upgrades)
codeql-java (/Users/marius.ciepluch/Source/codeql-home/ql/java/ql/src)
codeql-java-tests (/Users/marius.ciepluch/Source/codeql-home/ql/java/ql/test)
codeql-javascript (/Users/marius.ciepluch/Source/codeql-home/ql/javascript/ql/src)
codeql-javascript-tests (/Users/marius.ciepluch/Source/codeql-home/ql/javascript/ql/test)
codeql-javascript-upgrades (/Users/marius.ciepluch/Source/codeql-home/ql/javascript/upgrades)
codeql-python (/Users/marius.ciepluch/Source/codeql-home/ql/python/ql/src)
codeql-python-tests (/Users/marius.ciepluch/Source/codeql-home/ql/python/ql/test)
codeql-python-upgrades (/Users/marius.ciepluch/Source/codeql-home/ql/python/upgrades)
codeql-suite-helpers (/Users/marius.ciepluch/Source/codeql-home/ql/misc/suite-helpers)
legacy-libraries-cpp (/Users/marius.ciepluch/Source/codeql-home/ql/misc/legacy-support/cpp)
legacy-libraries-csharp (/Users/marius.ciepluch/Source/codeql-home/ql/misc/legacy-support/csharp)
legacy-libraries-go (/Users/marius.ciepluch/Source/codeql-home/codeql-go/ql/config/legacy-support)
legacy-libraries-java (/Users/marius.ciepluch/Source/codeql-home/ql/misc/legacy-support/java)
legacy-libraries-javascript (/Users/marius.ciepluch/Source/codeql-home/ql/misc/legacy-support/javascript)
legacy-libraries-python (/Users/marius.ciepluch/Source/codeql-home/ql/misc/legacy-support/python)
legacy-upgrades (/Users/marius.ciepluch/Source/codeql-home/codeql/legacy-upgrades)

Vulnerable Java Spring code

Checked out master branch at revision c95c4f5c3ff9304356b7a53f83f0eaa973e76a87.

mintbox :: ~/Source/damn-vulnerable-spring-boot-app » ./gradlew build
Downloading https://services.gradle.org/distributions/gradle-5.3.1-all.zip
...
SpotBugs rule violations were found. See the report at: file:///home/marius/Source/damn-vulnerable-spring-boot-app/build/reports/spotbugs/main.html

BUILD SUCCESSFUL in 1m 6s
6 actionable tasks: 6 executed

Works as expected. Next, we need to create a database to run CodeQL queries against.

mintbox :: ~/Source/damn-vulnerable-spring-boot-app » 
~/codeql-home/codeql/codeql database create dspring --language=java
Initializing database at /home/marius/Source/damn-vulnerable-spring-boot-app/dspring.
Running command [/home/marius/codeql-home/codeql/java/tools/autobuild.sh] in /home/marius/Source/damn-vulnerable-spring-boot-app.
[2020-01-14 00:15:33] [build] [2020-01-14 00:15:33] Build directory is /home/marius/Source/damn-vulnerable-spring-boot-app/.
...
Finalizing database at /home/marius/Source/damn-vulnerable-spring-boot-app/dspring.
Successfully created database at /home/marius/Source/damn-vulnerable-spring-boot-app/dspring.

All the queries!11!

mintbox :: ~/Source/damn-vulnerable-spring-boot-app » 
~/codeql-home/codeql/codeql database analyze dspring ~/codeql-home/ql/java/ql/src/Security/  --format=csv --output=output.csv
Running queries.
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql.
[1/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql (831ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql.
[2/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql (368ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-079/XSS.ql.
[3/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-079/XSS.ql (290ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql.
[4/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql (201ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql.
[5/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql (256ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql.
[6/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql (280ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql.
[7/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql (246ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql.
[8/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql (131ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql.
[9/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql (195ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-319/UseSSL.ql.
[10/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-319/UseSSL.ql (150ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql.
[11/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql (150ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql.
[12/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql (141ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql.
[13/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql (102ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql.
[14/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql (136ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql.
[15/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql (218ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql.
[16/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql (219ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql.
[17/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql (165ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql.
[18/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql (200ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql.
[19/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql (176ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql.
[20/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql (159ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql.
[21/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql (205ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql.
[22/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql (131ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql.
[23/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql (130ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql.
[24/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql (188ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql.
[25/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql (199ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql.
[26/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql (199ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql.
[27/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql (192ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql.
[28/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql (182ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql.
[29/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql (132ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql.
[30/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql (119ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql.
[31/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql (143ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql.
[32/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql (138ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql.
[33/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql (148ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql.
[34/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql (210ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql.
[35/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql (155ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql.
[36/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql (131ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql.
[37/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql (160ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql.
[38/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql (160ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql.
[39/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql (166ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql.
[40/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql (119ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql.
[41/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql (110ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql.
[42/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql (116ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql.
[43/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql (152ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql.
[44/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql (145ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql.
[45/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql (97ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql.
[46/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql (141ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql.
[47/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql (150ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql.
[48/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql (164ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql.
[49/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql (131ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql.
[50/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql (165ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql.
[51/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql (184ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql.
[52/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql (186ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql.
[53/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql (178ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql.
[54/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql (98ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql.
[55/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql (97ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql.
[56/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql (147ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql.
[57/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql (171ms).
Compiling query plan for /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-611/XXE.ql.
[58/58] Compiled /home/marius/codeql-home/ql/java/ql/src/Security/CWE/CWE-611/XXE.ql (147ms).
Starting evaluation of codeql-java/Security/CWE/CWE-209/StackTraceExposure.ql.
[1/58] Evaluation done (8.5s); writing results to codeql-java/Security/CWE/CWE-209/StackTraceExposure.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-079/XSSLocal.ql.
[2/58] Evaluation done (1.7s); writing results to codeql-java/Security/CWE/CWE-079/XSSLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-079/XSS.ql.
[3/58] Evaluation done (1.4s); writing results to codeql-java/Security/CWE/CWE-079/XSS.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql.
[4/58] Evaluation done (1.2s); writing results to codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql.
[5/58] Evaluation done (1.1s); writing results to codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql.
[6/58] Evaluation done (959ms); writing results to codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql.
[7/58] Evaluation done (1.1s); writing results to codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql.
[8/58] Evaluation done (926ms); writing results to codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql.
[9/58] Evaluation done (693ms); writing results to codeql-java/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-319/UseSSL.ql.
[10/58] Evaluation done (201ms); writing results to codeql-java/Security/CWE/CWE-319/UseSSL.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-319/HttpsUrls.ql.
[11/58] Evaluation done (942ms); writing results to codeql-java/Security/CWE/CWE-319/HttpsUrls.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-319/UseSSLSocketFactories.ql.
[12/58] Evaluation done (202ms); writing results to codeql-java/Security/CWE/CWE-319/UseSSLSocketFactories.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-829/InsecureDependencyResolution.ql.
[13/58] Evaluation done (24ms); writing results to codeql-java/Security/CWE/CWE-829/InsecureDependencyResolution.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql.
[14/58] Evaluation done (147ms); writing results to codeql-java/Security/CWE/CWE-732/ReadingFromWorldWritableFile.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-807/TaintedPermissionsCheck.ql.
[15/58] Evaluation done (834ms); writing results to codeql-java/Security/CWE/CWE-807/TaintedPermissionsCheck.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-807/ConditionalBypass.ql.
[16/58] Evaluation done (867ms); writing results to codeql-java/Security/CWE/CWE-807/ConditionalBypass.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql.
[17/58] Evaluation done (815ms); writing results to codeql-java/Security/CWE/CWE-327/BrokenCryptoAlgorithm.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql.
[18/58] Evaluation done (995ms); writing results to codeql-java/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-312/CleartextStorageClass.ql.
[19/58] Evaluation done (957ms); writing results to codeql-java/Security/CWE/CWE-312/CleartextStorageClass.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-312/CleartextStorageProperties.ql.
[20/58] Evaluation done (747ms); writing results to codeql-java/Security/CWE/CWE-312/CleartextStorageProperties.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-312/CleartextStorageCookie.ql.
[21/58] Evaluation done (697ms); writing results to codeql-java/Security/CWE/CWE-312/CleartextStorageCookie.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-335/PredictableSeed.ql.
[22/58] Evaluation done (629ms); writing results to codeql-java/Security/CWE/CWE-335/PredictableSeed.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-078/ExecRelative.ql.
[23/58] Evaluation done (374ms); writing results to codeql-java/Security/CWE/CWE-078/ExecRelative.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-078/ExecUnescaped.ql.
[24/58] Evaluation done (612ms); writing results to codeql-java/Security/CWE/CWE-078/ExecUnescaped.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-078/ExecTaintedLocal.ql.
[25/58] Evaluation done (1.3s); writing results to codeql-java/Security/CWE/CWE-078/ExecTaintedLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-078/ExecTainted.ql.
[26/58] Evaluation done (819ms); writing results to codeql-java/Security/CWE/CWE-078/ExecTainted.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-601/UrlRedirectLocal.ql.
[27/58] Evaluation done (751ms); writing results to codeql-java/Security/CWE/CWE-601/UrlRedirectLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-601/UrlRedirect.ql.
[28/58] Evaluation done (749ms); writing results to codeql-java/Security/CWE/CWE-601/UrlRedirect.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql.
[29/58] Evaluation done (157ms); writing results to codeql-java/Security/CWE/CWE-798/HardcodedCredentialsComparison.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql.
[30/58] Evaluation done (744ms); writing results to codeql-java/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-798/HardcodedPasswordField.ql.
[31/58] Evaluation done (27ms); writing results to codeql-java/Security/CWE/CWE-798/HardcodedPasswordField.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql.
[32/58] Evaluation done (811ms); writing results to codeql-java/Security/CWE/CWE-798/HardcodedCredentialsApiCall.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-835/InfiniteLoop.ql.
[33/58] Evaluation done (279ms); writing results to codeql-java/Security/CWE/CWE-835/InfiniteLoop.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-502/UnsafeDeserialization.ql.
[34/58] Evaluation done (848ms); writing results to codeql-java/Security/CWE/CWE-502/UnsafeDeserialization.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-022/TaintedPath.ql.
[35/58] Evaluation done (773ms); writing results to codeql-java/Security/CWE/CWE-022/TaintedPath.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-022/ZipSlip.ql.
[36/58] Evaluation done (758ms); writing results to codeql-java/Security/CWE/CWE-022/ZipSlip.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-022/TaintedPathLocal.ql.
[37/58] Evaluation done (680ms); writing results to codeql-java/Security/CWE/CWE-022/TaintedPathLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-681/NumericCastTaintedLocal.ql.
[38/58] Evaluation done (815ms); writing results to codeql-java/Security/CWE/CWE-681/NumericCastTaintedLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-681/NumericCastTainted.ql.
[39/58] Evaluation done (849ms); writing results to codeql-java/Security/CWE/CWE-681/NumericCastTainted.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-614/InsecureCookie.ql.
[40/58] Evaluation done (68ms); writing results to codeql-java/Security/CWE/CWE-614/InsecureCookie.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-421/SocketAuthRace.ql.
[41/58] Evaluation done (141ms); writing results to codeql-java/Security/CWE/CWE-421/SocketAuthRace.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-113/NettyResponseSplitting.ql.
[42/58] Evaluation done (115ms); writing results to codeql-java/Security/CWE/CWE-113/NettyResponseSplitting.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-113/ResponseSplittingLocal.ql.
[43/58] Evaluation done (711ms); writing results to codeql-java/Security/CWE/CWE-113/ResponseSplittingLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-113/ResponseSplitting.ql.
[44/58] Evaluation done (802ms); writing results to codeql-java/Security/CWE/CWE-113/ResponseSplitting.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql.
[45/58] Evaluation done (56ms); writing results to codeql-java/Security/CWE/CWE-676/PotentiallyDangerousFunction.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-089/SqlUnescaped.ql.
[46/58] Evaluation done (1.2s); writing results to codeql-java/Security/CWE/CWE-089/SqlUnescaped.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-089/SqlTaintedLocal.ql.
[47/58] Evaluation done (944ms); writing results to codeql-java/Security/CWE/CWE-089/SqlTaintedLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-089/SqlTainted.ql.
[48/58] Evaluation done (1s); writing results to codeql-java/Security/CWE/CWE-089/SqlTainted.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql.
[49/58] Evaluation done (822ms); writing results to codeql-java/Security/CWE/CWE-190/ArithmeticWithExtremeValues.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-190/ComparisonWithWiderType.ql.
[50/58] Evaluation done (35ms); writing results to codeql-java/Security/CWE/CWE-190/ComparisonWithWiderType.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql.
[51/58] Evaluation done (842ms); writing results to codeql-java/Security/CWE/CWE-190/ArithmeticTaintedLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-190/ArithmeticTainted.ql.
[52/58] Evaluation done (1s); writing results to codeql-java/Security/CWE/CWE-190/ArithmeticTainted.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-190/ArithmeticUncontrolled.ql.
[53/58] Evaluation done (831ms); writing results to codeql-java/Security/CWE/CWE-190/ArithmeticUncontrolled.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-367/TOCTOURace.ql.
[54/58] Evaluation done (168ms); writing results to codeql-java/Security/CWE/CWE-367/TOCTOURace.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-833/LockOrderInconsistency.ql.
[55/58] Evaluation done (158ms); writing results to codeql-java/Security/CWE/CWE-833/LockOrderInconsistency.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-134/ExternallyControlledFormatString.ql.
[56/58] Evaluation done (824ms); writing results to codeql-java/Security/CWE/CWE-134/ExternallyControlledFormatString.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql.
[57/58] Evaluation done (823ms); writing results to codeql-java/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.bqrs.
Starting evaluation of codeql-java/Security/CWE/CWE-611/XXE.ql.
[58/58] Evaluation done (953ms); writing results to codeql-java/Security/CWE/CWE-611/XXE.bqrs.
Shutting down query evaluator.
Interpreting results.

Now make use of the results. We declared output.csv as the output file.

mintbox :: ~/Source/damn-vulnerable-spring-boot-app » vim output.csv 
mintbox :: ~/Source/damn-vulnerable-spring-boot-app »
cat output.csv
"Query built from user-controlled sources","Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of malicious code by the user.","error","Query might include code from [[""this user input""|""relative:///src/main/java/com/groovycoder/dvsba/books/BookController.java:34:32:34:68""]].","/src/main/java/com/groovycoder/dvsba/books/BookController.java","37","28","37","30"
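To make use of output.csv in a CI/CD job, the CSV that --format=csv writes has to be parsed (it has no header row; the columns are name, description, severity, message, path, start line, start column, end line, end column) and a decision has to be made about which findings block the build. The following Python script is an added example and is neither part of these notes nor of the CodeQL tooling: it embeds the finding line from output.csv above plus one constructed warning-severity row (its path Example.java is made up), resolves the [["text"|"relative:///path:line:col:line:col"]] source links that CodeQL embeds in the message column, and exits non-zero when any finding at or above a chosen severity threshold is present.

```python
"""Triage the CSV that `codeql database analyze --format=csv` writes.

The file has no header row. Its columns are, in order:
  name, description, severity, message, path,
  start_line, start_column, end_line, end_column
Messages may embed links to related source locations in the form
  [["link text"|"relative:///path/in/repo.java:SL:SC:EL:EC"]]
"""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import List

# First row: the finding from output.csv as shown in these notes.
# Second row: a CONSTRUCTED warning-severity row (Example.java does not exist
# in the project); it is only there to show the gate dropping lower severities.
SAMPLE_CSV = (
    '"Query built from user-controlled sources","Building a SQL or Java Persistence '
    'query from user-controlled sources is vulnerable to insertion of malicious code '
    'by the user.","error","Query might include code from [[""this user input""|'
    '""relative:///src/main/java/com/groovycoder/dvsba/books/BookController.java:34:32:34:68""]].",'
    '"/src/main/java/com/groovycoder/dvsba/books/BookController.java","37","28","37","30"\n'
    '"Failure to use secure cookies","Constructed sample row.","warning",'
    '"Cookie is added to response without the secure flag being set.",'
    '"/src/main/java/com/groovycoder/dvsba/Example.java","12","9","12","40"\n'
)

# CodeQL's @problem.severity values, ranked so a threshold can be applied.
SEVERITY_RANK = {"recommendation": 1, "warning": 2, "error": 3}

# Source links embedded in the message column (after CSV unquoting).
LINK_RE = re.compile(r'\[\["(?P<text>[^"]*)"\|"(?P<target>[^"]*)"\]\]')


@dataclass
class SourceRef:
    path: str
    start_line: int
    start_col: int
    end_line: int
    end_col: int


@dataclass
class Finding:
    name: str
    description: str
    severity: str
    message: str
    location: SourceRef
    related: List[SourceRef] = field(default_factory=list)


def parse_link_target(target: str) -> SourceRef:
    """Turn 'relative:///path.java:34:32:34:68' into a SourceRef."""
    if target.startswith("relative://"):
        target = target[len("relative://"):]
    # Split from the right so colons in the path itself are left alone.
    path, sl, sc, el, ec = target.rsplit(":", 4)
    return SourceRef(path, int(sl), int(sc), int(el), int(ec))


def parse_codeql_csv(text: str) -> List[Finding]:
    """Parse the CSV text into Finding records, resolving message links."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 9:
            raise ValueError(f"expected 9 columns, got {len(row)}: {row!r}")
        name, desc, sev, msg, path, sl, sc, el, ec = row
        loc = SourceRef(path, int(sl), int(sc), int(el), int(ec))
        related = [parse_link_target(m.group("target")) for m in LINK_RE.finditer(msg)]
        findings.append(Finding(name, desc, sev, msg, loc, related))
    return findings


def gate(findings: List[Finding], threshold: str = "error") -> List[Finding]:
    """Return the findings at or above `threshold`; a non-empty list fails the build."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= limit]


def format_finding(f: Finding) -> str:
    """One-line 'path:line:col: severity: name' summary for CI logs."""
    line = (f"{f.location.path}:{f.location.start_line}:{f.location.start_col}: "
            f"{f.severity}: {f.name}")
    for r in f.related:
        line += f" (source at {r.path}:{r.start_line}:{r.start_col})"
    return line


if __name__ == "__main__":
    import sys
    # Usage: python codeql_gate.py output.csv   (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    blocking = gate(parse_codeql_csv(text))
    for f in blocking:
        print(format_finding(f))
    sys.exit(1 if blocking else 0)
```

Run against the real output.csv the gate fails the build on the SQL injection finding and prints where the tainted source (line 34, the id parameter) and the sink (line 37) sit; lowering the threshold to "warning" in gate() would also block the constructed cookie row.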

Does the file exist?

mintbox :: ~/Source/damn-vulnerable-spring-boot-app » find ./ -name "BookController*"
./build/classes/java/main/com/groovycoder/dvsba/books/BookController.class
./src/main/java/com/groovycoder/dvsba/books/BookController.java

What is the issue? The value of the request parameter id is concatenated directly into the String variable sql. Since that value comes straight from the HTTP request parameter, this is an exploitable in-band SQL injection vulnerability.

Exactly as CodeQL put into the output: finding verified.

    @RequestMapping("/detail")
    public ModelAndView detail(@RequestParam(value = "id") String id) {
        String sql = "SELECT * FROM books WHERE id=" + id;
        final Book[] book = new Book[1];
        jdbcTemplate.query(sql, (ResultSetExtractor) rs -> {
            if (rs.next())
                book[0] = new Book(rs.getLong(1), rs.getString(2), rs.getString(3));

            return null;

        });

The same code at the GitHub repo, with the line numbers of the tested revision (keep in mind that the master branch may change remotely):

Results

  • CodeQL can detect an obvious SQL injection bug in a Spring app
  • It requires 3 CLI commands

NIST SAMATE Test Suite (Java) - vulnerable code versus CodeQL

Version: Oct. 2017
URL: https://samate.nist.gov/SARD/testsuite.php
Project: Juliet 1.3 Java

TBD


  1. https://semmle.com/variant-analysis

  2. https://marketplace.visualstudio.com/items?itemName=github.vscode-codeql

  3. https://help.semmle.com/codeql/codeql-cli/procedures/get-started.html