Comparism with CodeQL

Question

Comparism with CodeQL

thediveo opened this issue 3 years ago · 4 comments

Would it be possible to compare gokart with CodeQL, at least on some ballpark figure? For instance, can gokart detect problems with int conversions between different sizes, et cetera? For instance, CodeQL is very helpful at catching such things.

And finally, the obvious question: does gokart detect race conditions?

thediveo commented 3 years ago

+CWE-190

Answer 1 · 2021-08-20T10:01:29.000Z

To give an example: CodeQL finds "Incorrect conversion of an integer with architecture-dependent bit size from to a lower bit size type int32 without an upper bound check."

Answer 2 · 2021-08-20T14:01:39.000Z

@thediveo "does gokart detect race conditions?" 😂 Despite the suitability of such a vulnerability check with the tool name, GoKart does not currently detect race conditions. Maybe soon!

Thank you for the issue submission and the example given. We are taking a look at the golang queries defined here and here. At a glance, we believe that CodeQL has broader coverage than what we would typically report as actionable, important security issues. We plan to perform a more thorough analysis to determine if there are other useful security checks that CodeQL covers that would be a fit for GoKart and are currently missing.

Are there other examples of CodeQL security checks that you believe would be important to support with GoKart?

Answer 3 · 2021-08-20T15:37:17.000Z

No more ideas at the moment, the CWE-681 is one that seems to be quite fond of me, unfortunately, when working on system-level Go tools.