/codeql

GitHub Satellite 2020 workshops on finding security vulnerabilities with CodeQL for Java/JavaScript.

Finding security vulnerabilities with CodeQL

@adityasharad and @lcartey

PrerequisitesResources

CodeQL is GitHub's expressive language and engine for code analysis, which allows you to explore source code to find bugs and security vulnerabilities. During these beginner-friendly workshops, you will learn to write queries in CodeQL and find known security vulnerabilities in open-source Java and JavaScript projects.

There are two workshops on this topic. Both will cover the basics of writing queries in CodeQL. The first will focus on Java, and the second will focus on JavaScript.

Workshop materials

Please complete the Prerequisites section (below) before the workshop. The following links contain the content that will be covered during the workshop:

  1. Thursday May 7 / 7:00am PDT: Finding security vulnerabilities in Java with CodeQL
  2. Thursday May 7 / 9:30am PDT: Finding security vulnerabilities in JavaScript with CodeQL

📣 Prerequisites

  • Install Visual Studio Code.
  • Install the CodeQL extension for Visual Studio Code.
  • You do not need to install the CodeQL CLI: the extension will handle this for you.
  • Set up the CodeQL starter workspace.
    • Important: Don't forget to use git clone --recursive or git submodule update --init --remote to update the submodules when you clone this repository. This allows you to obtain the standard CodeQL query libraries.
    • Open the starter workspace in Visual Studio Code: File > Open Workspace > Browse to vscode-codeql-starter/vscode-codeql-starter.code-workspace in your checkout of the starter workspace.
  • Download and add the CodeQL database to be used in the workshop:
    • If you are attending Finding security vulnerabilities in Java with CodeQL, please download this CodeQL database.
    • If you are attending Finding security vulnerabilities in JavaScript with CodeQL, please download this CodeQL database
    • Unzip the database.
    • Import the unzipped database into Visual Studio Code:
      • Click the CodeQL icon in the left sidebar.
      • Place your mouse over Databases, and click the + sign that appears on the right.
      • Choose the unzipped database directory on your filesystem.

📚 Resources