Static analysis tools

CodeQL

Without the magic of running it somewhere else, getting it running locally is a bit more of a pain. Running it on the M3 Mac makes it worthwhile.

Basic setup stuff

# install from homebrew
brew install codeql

# list the languages you can extract (this should be a reasonably large list)
codeql resolve languages

Working with query packs

CodeQL is a query language, and there are lots of prewritten queries, bundled into “packs”, that can be used without learning the language in depth. On a Mac, they’ll tend to be in ~/.codeql/packages

# list the query packs you have (probably not much to start)
codeql resolve packs

# directory structure
.codeql/packages
├── codeql
│   ├── javascript-queries
│   │   └── 1.2.0
│   │       ├── AlertSuppression.ql
│   │       ├── AlertSuppression.qlx
│   │       ├── AngularJS
│   │       │   ├── DeadAngularJSEventListener.md
│   │       │   ├── DeadAngularJSEventListener.ql
│   │       │   ├── DeadAngularJSEventListener.qlx

< ... and so on ... >

285 directories, 2171 files

# download new packs
codeql pack download codeql/python-queries

Non-compiled languages

# create the database (run from the project's source directory; the current directory is used as the source root)
codeql database create codeql.db --language=python

# run the base queries
codeql database analyze codeql.db \
  --format=sarif-latest \
  --output=results.sarif \
  -- codeql/python-queries

# run a specific query suite from a pack
codeql database analyze codeql.db \
  --format=sarif-latest \
  --output=results.sarif \
  -- codeql/python-queries:codeql-suites/python-security-and-quality.qls
  
# output to CSV instead
codeql database analyze codeql.db \
  --format=csv \
  --output=results.csv \
  -- codeql/python-queries

Semgrep

Basic setup stuff

brew install semgrep

Basic scan

# scan the current directory
semgrep scan . --sarif -o semgrep.sarif

# use the owasp top 10 rules
semgrep scan --config "p/owasp-top-ten" --sarif-output=semgrep.sarif .

If it’s being weird about resource usage, limit the number of parallel jobs with the -j flag; that might fix it.
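Both tools above write SARIF, so one triage step can read results.sarif and semgrep.sarif together. The script below is an added example, not code from the post, CodeQL or Semgrep: it flattens the SARIF 2.1.0 structure both tools emit (runs[].tool.driver.rules[] and runs[].results[]), resolves each finding's level (a result's own level, else the rule's default), reads the security-severity property CodeQL attaches to security rules, and reports locations flagged by more than one tool. The embedded sample document, its rule ids and file paths are constructed placeholders.

```python
"""Triage SARIF output from CodeQL and Semgrep (added example, not the post's code).

Field names follow the SARIF 2.1.0 schema both tools emit. The sample document,
its rule ids and paths below are constructed placeholders, not real findings.
"""
import json
import sys
from collections import Counter


def _rule(rule_id, text, level, **props):
    """Build a SARIF rule entry (helper for the constructed sample only)."""
    return {"id": rule_id, "shortDescription": {"text": text},
            "defaultConfiguration": {"level": level}, "properties": props}


def _result(rule_id, uri, line, text, level=None):
    """Build a SARIF result with one physical location (sample helper)."""
    res = {"ruleId": rule_id, "message": {"text": text},
           "locations": [{"physicalLocation": {
               "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}
    if level:
        res["level"] = level  # Semgrep sets a level per result; CodeQL relies on the rule default
    return res


# Constructed sample: a CodeQL run and a Semgrep run that flag the same line.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "CodeQL", "rules": [
        _rule("example/sql-injection", "SQL built from user input", "error",
              **{"security-severity": "8.8"}),
        _rule("example/unused-import", "Unused import", "note")]}},
     "results": [
        _result("example/sql-injection", "app/db.py", 42, "Query depends on a user value."),
        _result("example/unused-import", "app/util.py", 3, "Import of 'os' is not used.")]},
    {"tool": {"driver": {"name": "Semgrep OSS", "rules": [
        _rule("example.tainted-sql", "User input reaches a SQL string", "error")]}},
     "results": [
        _result("example.tainted-sql", "app/db.py", 42, "User input flows into SQL.",
                level="error")]},
]}


def effective_level(result, rule):
    """SARIF precedence: the result's own level, else the rule default, else 'warning'."""
    return (result.get("level")
            or rule.get("defaultConfiguration", {}).get("level")
            or "warning")


def security_severity(rule):
    """CodeQL stores a CVSS-style score as the string property 'security-severity'."""
    value = rule.get("properties", {}).get("security-severity")
    return float(value) if value is not None else None


def findings(sarif):
    """Flatten every run into dicts with tool, rule, level, severity, file and line."""
    out = []
    for run in sarif.get("runs", []):
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append({
                "tool": driver.get("name", "unknown"),
                "rule": res.get("ruleId"),
                "level": effective_level(res, rule),
                "security_severity": security_severity(rule),
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return out


def summarize(sarif, high_threshold=7.0):
    """Counts by level and tool, plus rule ids at or above the severity threshold."""
    fs = findings(sarif)
    return {
        "total": len(fs),
        "by_level": dict(Counter(f["level"] for f in fs)),
        "by_tool": dict(Counter(f["tool"] for f in fs)),
        "high_severity": sorted({f["rule"] for f in fs
                                 if (f["security_severity"] or 0) >= high_threshold}),
    }


def overlap(fs):
    """Locations flagged by more than one tool, i.e. the same issue seen by both scanners."""
    seen = {}
    for f in fs:
        seen.setdefault((f["file"], f["line"]), set()).add(f["tool"])
    return {loc: sorted(tools) for loc, tools in seen.items() if len(tools) > 1}


def merge(docs):
    """Combine several SARIF files (e.g. results.sarif and semgrep.sarif) into one document."""
    return {"version": "2.1.0", "runs": [run for d in docs for run in d.get("runs", [])]}


if __name__ == "__main__":
    # usage: python sarif_triage.py results.sarif semgrep.sarif   (no args: use the sample)
    docs = [json.load(open(p)) for p in sys.argv[1:]] or [SAMPLE_SARIF]
    merged = merge(docs)
    print(json.dumps(summarize(merged), indent=2))
    for loc, tools in overlap(findings(merged)).items():
        print(f"flagged by {', '.join(tools)}: {loc[0]}:{loc[1]}")
```

Run it with the real SARIF files as arguments; with no arguments it summarizes the embedded sample. The level precedence matters when mixing tools: CodeQL results usually carry no level of their own, so the rule's defaultConfiguration is what decides whether a finding is an error, warning or note.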

This post is licensed under CC BY 4.0 by the author.