
CodeQL with Alvaro Munoz

Oct 24, 2022 · 54 min · Season 1 · Ep. 16

Summary

Alvaro Munoz, a security researcher from GitHub Security Lab, discusses CodeQL, a powerful static analysis tool for finding security vulnerabilities. He explains its declarative nature, similar to SQL, and how it enables comprehensive code exploration and variant analysis at scale. The episode covers CodeQL's use in CI/CD pipelines, its developer-first approach to reduce false positives, and notable real-world bug discoveries, including an RCE in a COVID-19 tracing app.

Episode description

In this episode of Hacker Talk:

One of the most powerful newer static analysis tools is CodeQL. By converting your code base into a CodeQL database, you can write queries against it in a read-only way to find security vulnerabilities and other problems in your code base.


We wanted to know more about this declarative language called "CodeQL".

Straight from GitHub's Security Lab, we are joined by Alvaro Munoz!

Alvaro is a Security Researcher who leads a team of researchers that leverage CodeQL to find and model vulnerabilities at GitHub, with a background in research on finding remote code execution bugs through deserialization.

Tune in as we get to hear the ins and outs of CodeQL: how to get started, when CodeQL was used to find a vulnerability in a public COVID-19 system, how to find vulnerabilities with CodeQL, and a lot more!




Topics covered:

Learning to think outside the box by playing Capture the Flag

CodeQL declarative languages 

Static code analysis

Getting a broad view of the source code

Writing queries with CodeQL to find vulnerabilities   

Modeling vulnerabilities with CodeQL

The learning curve of CodeQL

Querying GitHub repositories for vulnerabilities

Running CodeQL queries across a large number of repositories with LGTM (use it before it goes EOL)

Linters vs CodeQL

CodeQL integrated with continuous integration pipelines

Getting started with CodeQL

Submitting your CodeQL queries to GitHub Security Lab's bug bounty

Best practices for writing queries

Thinking of the code as a database with CodeQL

Finding vulnerabilities in Covid-19 systems

Best practices for CodeQL

Reducing false positives

CodeQL with nvim (Neovim)

Improving Vim by creating a more interactive development environment alternative, "Neovim".

LSP integration with neovim.  

CodeQL with Emacs

Remote code execution bugs found with CodeQL.  

Bugs found in Radar Covid App

Patterns leading to remote code execution   

Auditing javascript frameworks

CodeQL vs other static analysis tools

Capture the Flag CodeQL challenges

The future of CodeQL



External links:

https://lgtm.com/  

https://github.com/pwntester  

https://neovim.io/

https://en.wikipedia.org/wiki/Language_Server_Protocol    

https://en.wikipedia.org/wiki/Semgrep


COVID-19 tracing app

- https://securitylab.github.com/research/securing-the-fight-against-covid19-through-oss/

- https://threatpost.com/german-covid-19-contact-tracing-vulnerability-rce/161419/


GitHub Security Lab web site: https://securitylab.github.com/


Join the GitHub Security Lab Slack channel:

https://join.slack.com/t/ghsecuritylab/shared_invite/zt-120w4vby8-_O9u9k2hPfgbju1tddBPcg


https://twitter.com/pwntester

Bounty program: https://securitylab.github.com/bounties/

https://codeql.github.com/

https://codeql.github.com/docs/codeql-overview/  

http://www.pwntester.com/

https://en.wikipedia.org/wiki/Abstract_syntax_tree  

https://en.wikipedia.org/wiki/Control_flow_analysis

https://github.com/github/codeql-learninglab-actions

https://github.com/anticomputer/emacs-codeql/   


Special thanks to:

We want to give a huge thanks to GitHub's Security Lab team for making this episode a reality!

