Skip to content

trailofbits/codeql-queries

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

71 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Trail of Bits public CodeQL queries

This repository contains CodeQL queries developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability research, and internal projects. They will evolve over time as we identify new techniques.

Using custom CodeQL queries

The easiest is to download all packs from the GitHub registry:

codeql pack download trailofbits/cpp-queries trailofbits/go-queries

Then verify that new queries are installed:

codeql resolve qlpacks | grep trailofbits

And use the queries for analysis:

codeql database analyze database.db --format=sarif-latest --output=./tob.sarif -- trailofbits/cpp-queries
# or
codeql database analyze database.db --format=sarif-latest --output=./tob.sarif -- trailofbits/go-queries

Queries

C and C++

Cryptography

Name Description Severity Precision
Crypto variable initialized using static key Finds crypto variables initialized using static keys error high
Crypto variable initialized using static password Finds crypto variables initialized using static passwords error high
Crypto variable initialized using weak randomness Finds crypto variables initialized using weak randomness error high
Invalid key size Tests if keys passed to EVP_EncryptInit and EVP_EncryptInit_ex have the same size as the key size of the cipher used warning medium
Memory leak related to custom allocator Finds memory leaks from custom allocated memory warning medium
Memory use after free related to custom allocator Finds use-after-frees related to custom allocators like BN_new warning medium
Missing OpenSSL engine initialization Finds created OpenSSL engines that may not be properly initialized warning medium
Missing error handling Checks if returned error codes are properly checked warning high
Missing zeroization of potentially sensitive random BIGNUM Determines if random bignums are properly zeroized warning medium
Random buffer too small Finds buffer overflows in calls to CSPRNGs warning high
Use of legacy cryptographic algorithm Detects potential instantiations of legacy cryptographic algorithms warning medium

Security

Name Description Severity Precision
Async unsafe signal handler Async unsafe signal handler (like the one used in CVE-2024-6387) warning high
Invalid string size passed to string manipulation function Finds calls to functions that take as input a string and its size as separate arguments (e.g., strncmp, strncat, ...) and the size argument is wrong error low
Missing null terminator This query finds incorrectly initialized strings that are passed to functions expecting null-byte-terminated strings error high
Unsafe implicit integer conversion Finds implicit integer casts that may overflow or be truncated, with false positive reduction via Value Range Analysis warning low

Go

Cryptography

Name Description Severity Precision
Message not hashed before signature verification Detects calls to (EC)DSA APIs with a message that was not hashed. If the message is longer than the expected hash digest size, it is silently truncated error medium

Security

Name Description Severity Precision
Invalid file permission parameter Finds non-octal (e.g., 755 vs 0o755) and unsupported (e.g., 04666) literals used as a filesystem permission parameter (FileMode) error medium
Missing MinVersion in tls.Config This rule finds cases when you do not set the tls.Config.MinVersion explicitly for servers. By default version 1.0 is used, which is considered insecure. This rule does not mark explicitly set insecure versions error medium
Trim functions misuse Finds calls to string.{Trim,TrimLeft,TrimRight} with the 2nd argument not being a cutset but a continuous substring to be trimmed error low

Java-kotlin

Security

Name Description Severity Precision
Recursive functions Detects recursive calls warning low

Query suites

CodeQL queries are grouped into "suites". To execute queries from a specific suit add its name after a colon: trailofbits/cpp-queries:codeql-suites/tob-cpp-full.qls.

The recommended suit - tob-cpp-code-scanning.qls - is chosen and executed when you do not explicitly specify any suit. Other suits in this repository are:

  • tob-<lang>-crypto.qls - queries targeting cryptographic vulnerabilities
  • tob-<lang>-security.qls - queries targeting standard security issues
  • tob-<lang>-full.qls - all queries, including experimental ones

Development

Prepare environment

Clone this repository and configure global CodeQL's search path:

git clone [email protected]:trailofbits/codeql-queries.git
mkdir -p "${HOME}/.config/codeql/"
echo "--search-path '$PWD/codeql-queries'" > "${HOME}/.config/codeql/config"

Check that CodeQL CLI detects the new qlpacks:

codeql resolve packs | grep trailofbits

Before committing

Run tests:

cd codeql-queries
codeql test run ./cpp/test
codeql test run ./go/test
codeql test run ./java/test

Update dependencies:

bash ./scripts/install_all.sh

Generate query tables and copy-paste it to README.md file

python ./scripts/queries_table_generator.py 2>/dev/null

Generate markdown query help files

codeql generate query-help ./cpp/src/ --format=markdown --output ./cpp/src/docs
codeql generate query-help ./go/src/ --format=markdown --output ./go/src/docs
codeql generate query-help ./java/src/ --format=markdown --output ./java/src/docs