简体繁体 English

CodeQL扫描JAR个文件

[英]CodeQL Scanning JAR Files

原文 2021-12-14 18:18:01 2 2 java/ security/ jar/ static-analysis/ codeql

I'm just getting started with CodeQL and have had plenty of success scanning Python projects.我刚刚开始使用 CodeQL，并且已经成功扫描了 Python 个项目。 Now, I'm starting to scan Java projects, and I struggle to scan precompiled projects.现在，我开始扫描 Java 个项目，我很难扫描预编译的项目。

From what I gathered, it appears CodeQL CLI includes an autobuilder for Java code and will build the projects for me.从我收集到的信息来看，CodeQL CLI 似乎包括一个用于 Java 代码的自动构建器，并将为我构建项目。 I'm trying to scan projects already compiled from the Maven central repository.我正在尝试扫描已从 Maven 中央存储库编译的项目。

Question:问题：

Is it possible to scan compiled Java source code (ie, bytecode, class files) contained within a JAR file with CodeQL?是否可以使用 CodeQL 扫描包含在 JAR 文件中的已编译 Java 源代码（即字节码、class 文件）？
If so, how can I invoke these properties to scan JAR files from the CLI?如果是这样，我如何调用这些属性从 CLI 扫描 JAR 个文件？

Thanks for any insight!感谢您的任何见解！

2 个解决方案

As mentioned in the other answer, for Java CodeQL observes the results during compilation and creates a database from it.正如另一个答案中提到的，对于 Java，CodeQL 在编译期间观察结果并从中创建一个数据库。 It is therefore not possible to build a database from a JAR containing compiled classes.因此不可能从包含已编译类的 JAR 构建数据库。 It is however possible to use compiled classes in a project (eg in the form of Maven dependencies, or JDK usage), and CodeQL will record the information that these classes are used, but it has no insight into what these classes do.然而，可以在项目中使用编译类（例如以 Maven 依赖项的形式，或 JDK 用法），并且 CodeQL 将记录这些类被使用的信息，但它无法洞察这些类的作用。 That means no dataflow or taintflow will be available for them, unless CodeQL explicitly models it, see the list of supported frameworks .这意味着它们将无法使用数据流或污点流，除非 CodeQL 对其进行显式建模，请参阅支持的框架列表。

However, since your plan is to run queries against projects from Maven Central, it is most likely easiest to obtain the databases from lgtm.com , or to directly use the Query Console on lgtm.com, see also the documentation .但是，由于您的计划是针对来自 Maven Central 的项目运行查询，因此最容易从 lgtm.com 获取数据库，或者直接使用 lgtm.com 上的查询控制台，另请参阅文档。 For most projects lgtm.com is able to build the project on its own.对于大多数项目，lgtm.com 能够自行构建项目。

lgtm.com is owned by Semmle, which originally created CodeQL and was acquired by GitHub . lgtm.com 归 Semmle 所有，Semmle 最初创建了 CodeQL，并被GitHub 收购。

From what I read, it does not seem to work on compiled classes.根据我的阅读，它似乎不适用于已编译的类。 You will need the src code, whether that exists as a (Jar, which then you need to unzip before processing), or a Github project.您将需要 src 代码，无论是作为（Jar，然后您需要在处理之前解压缩）还是 Github 项目存在。

Usually during running you would provide the way to build your project, such as --language=java --command='mvn clean install -DskipTests' <-- This requires source code.通常在运行过程中你会提供构建项目的方式，例如--language=java --command='mvn clean install -DskipTests' <-- 这需要源代码。