Configuring CodeQL with Github actions using well known weaknesses
I am new to CodeQL and therefore my apologies if my question is an obvious one, however, I've been unable to understand a few simple concepts.
Firstly, I can easily configure a public repo with a github action using a yml file configured as follows:
on:
push:
branches: [ master ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ master ]
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'java' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- name: Checkout repository
uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
queries: +security-extended
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
# âšī¸ Command-line programs to run using the OS shell.
# đ See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
As indicated in the yaml file, I'm using Java as the language. What I'm trying to then do is trigger a failure / alert with a simple code such as this in Java.
public class Main {
public static void main(String[] args) {
// Example code for https://cwe.mitre.org/data/definitions/476.html
String cmd = System.getProperty("cmd");
cmd = cmd.trim();
}
}
This simple code is an example from Common Weakness Enumeration (CWE) 416 where I'm trying to dereference a variable that hasn't been defined.
If I go to Security -> Code scanning alerts it will show that the scanning was performed but not alerts were found.
Basically, I'm wondering if I need to initialize the CodeQL with a specific CWE under the Initialize CodeQL step in the yaml file.
CodeQL only has a specific set of queries, which do not cover all possible CWEs. This list shows the currently covered CWEs for Java.
As far as I know there exists no query at the moment which detects the specific issue you are showing in your question (there are however queries which detect derefencing null). The reason for this is most likely that it would be difficult to prevent false positives. For example if your application is started with -Dcmd, then the system property would not be null. Similarly there could be a call to System.setProperty in a different part of the application which sets the system property to a non-null value.
Besides that you have configured queries: +security-extended but the type of the query you are looking for (assuming it existed) would most likely be in the query suite security-and-quality because it is not directly security related.
You could also try to write your own queries and then include them in the code scanning workflow. Some concepts of CodeQL might feel a bit unfamiliar at first, but they provide great examples and tutorials for getting started. However, you should probably first check if the provided queries already suffice for your use case.
- How to update list of files in README
- Github actions share workspace/artifacts between jobs?
- GitHub Actions dynamic workflow name
- Delete a workflow from GitHub Actions
- Testing Expo app using Realm on GitHub fails
- Cannot trigger dispatches from GitHub API
- Change nuget.config location using environment variable in dotnet tool restore
- Utilize pre-installed MinGW in GitHub actions?
- How to put conditional job in need of another job in Github Action
- Github Action boolean input with default value
- On-demand self-hosted AWS EC2 runner for GitHub Actions
- How to schedule a GitHub Actions nightly build, but run it only when there where recent code changes?
- GitActions - How do I check if the logged in user is part of a team
- npm ci can only install packages with an existing package-lock.json or npm-shrinkwrap.json with lockfileVersion >= 1
- Enable GitHub Dependabot Updates for actions used in Composite actions
- Retrieve commit message in a GH Action triggered on pull request
- ESLint only runs locally (not github actions). Ignore patternt and src pattern conflict
- GitHub Actions: How can I specify ref to checkout conditionally?
- ZIP Deployment to Azure Web App fails when triggered from GitHub Actions workflow due to Storage Limitations
- Azure App Service Deployment Error: "Resource Not Found" for Deployment Slot even if resource exists
- GitHub Action with Pandoc & GNU Parallel
- How to share a calculated value between job steps?
- "sh: 1: !: not found" in GitHub Actions
- Using the same job to target different environments in Github Actions
- Trigger GitHub Action with just a URL and process url parameters
- GitHub Actions Not Triggered on Pushing Tags
- How to run GitHub Actions workflow only if the pushed files are in a specific folder
- Special characters in GitHub Actions workflow secret are not being preserved
- ./gradlew build failed with Error: Could not find or load main class org.gradle.wrapper.GradleWrapperMain
- GitHub Actions Error: Unable to Build Xcode 16 Project Due to Compatibility with Xcode 15.2 Runners