CodeQL as an audit oracle: Dubbo Workshop

5th and 6th October 2021

Preparation

For this workshop, you are invited to actively participate by writing CodeQL queries in Visual Studio Code. To do this, you will need to have Visual Studio Code up and running.

Running locally

  1. Install Visual Studio Code.

  2. Clone the repository (https://github.com/github/codeql-dubbo-workshop) locally. Make sure to get the submodules. For example, from the command line:

         git clone --recursive https://github.com/github/codeql-dubbo-workshop.git

  3. Open the repository folder in Visual Studio Code.

  4. Install the CodeQL extension for Visual Studio Code from the Visual Studio Code extensions marketplace. (Use the "Extensions" icon on the left of Visual Studio Code.)

  5. Click on the CodeQL icon on the left, dismiss the dialog if needed, then select "Add a CodeQL database/From an archive". Navigate to the databases folder and select dubbo_2.7.8.zip.

  6. Go back to the CodeQL view (click on the CodeQL icon on the left if necessary). Hover over the database and select "Set Current Database".

  7. Open the file HelloWorld.ql in Visual Studio Code. (Use the Explorer icon on the left of Visual Studio Code, and locate the file in the root of the repository.)

  8. Right-click on the file, and select "CodeQL: Run query". You should see the "CodeQL Query Results" window on the right-hand side.

  9. Proceed to the main content.
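
Before opening the folder in Visual Studio Code, the checkout can be verified from a terminal. The script below is an added example, not part of the workshop repository: it checks that the submodules were fetched and that the files named in the steps above exist. The function names are hypothetical, and it assumes the databases folder sits in the repository root.

```shell
#!/bin/sh
# Added example: pre-flight check for the workshop checkout.
# File names come from the steps above; function names are hypothetical.
# Assumption: the databases folder is in the repository root.

# Read `git submodule status` output on stdin and print the path of every
# submodule that is not checked out (git marks those lines with a leading '-').
uninitialised_submodules() {
    while IFS= read -r line; do
        case "$line" in
            -*) set -- $line; printf '%s\n' "$2" ;;
        esac
    done
}

# Return 0 only if the files the later steps open exist under directory $1.
check_files() {
    files_rc=0
    for f in databases/dubbo_2.7.8.zip HelloWorld.ql; do
        if [ ! -f "$1/$f" ]; then
            echo "missing: $f" >&2
            files_rc=1
        fi
    done
    return $files_rc
}

# Run both checks against the checkout in directory $1.
check_checkout() {
    rc=0
    check_files "$1" || rc=1
    missing=$(git -C "$1" submodule status | uninitialised_submodules)
    if [ -n "$missing" ]; then
        echo "submodules not checked out:" >&2
        echo "$missing" >&2
        echo "fix with: git submodule update --init --recursive" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh /path/to/codeql-dubbo-workshop
if [ $# -gt 0 ]; then
    check_checkout "$1"
fi
```

A non-zero exit status means the clone is incomplete, most often because `--recursive` was omitted.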

📚 Resources