1. Introduction
This article walks through setting up CodeQL on CentOS 7 and running the CodeQL CLI to scan the Django source code.
2. Environment
- Install and configure JDK 11 on CentOS 7
wget https://mirrors.huaweicloud.com/java/jdk/11.0.2+9/jdk-11.0.2_linux-x64_bin.tar.gz
sudo tar -zxvf jdk-11.0.2_linux-x64_bin.tar.gz -C /usr/local/
sudo ln -s /usr/local/jdk-11.0.2 /usr/local/jdk11
echo 'export JAVA_HOME=/usr/local/jdk11' >> ~/.bashrc
echo 'export PATH=$JAVA_HOME/bin:$PATH' >> ~/.bashrc
source ~/.bashrc
Once the configuration succeeds you should see:
java --version
java 11.0.2 2019-01-15 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.2+9-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.2+9-LTS, mixed mode)
- Download and install the CodeQL CLI
The steps below download and install the CodeQL CLI (the PATH entry assumes the archive is unpacked under $HOME/code).
wget -c https://github.com/github/codeql-cli-binaries/releases/download/v2.23.8/codeql-linux64.zip
unzip codeql-linux64.zip
echo 'export PATH="$PATH:$HOME/code/codeql"' >> ~/.bashrc
source ~/.bashrc
When the wget download is unstable, the -c option resumes an interrupted transfer from where it stopped.
$ codeql version
CodeQL command-line toolchain release 2.23.8.
Copyright (C) 2019-2025 GitHub, Inc.
- Install the pack dependencies for the CodeQL CLI
Clone the official CodeQL repository (it contains the standard libraries and query packs for C/C++, Python and other languages):
git clone https://github.com/github/codeql.git codeql-repo
Enter the repository and pull the latest packs:
cd codeql-repo
git checkout main
git pull
cd ..
Install the C/C++ pack dependencies (missing dependencies are downloaded automatically):
codeql pack install codeql-repo/cpp/ql/src # core analysis library
Install the Python pack dependencies:
codeql pack install codeql-repo/python/ql/src
Finally, run the command below; if it completes normally (see reference 1), the setup is complete.
codeql resolve packs
3. Running
- Download the Django source
git clone https://github.com/django/django.git
- Create a CodeQL database for the Django source (reference 2)
codeql database create codeql-django-db --language=python --source-root=django
- Run a CodeQL query against the database (reference 3)
codeql database analyze codeql-django-db codeql-repo/python/ql/src/Classes/UselessClass.ql --format=sarif-latest --output=log.sarif
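The analyze step above leaves the findings in log.sarif. As an added example that is not part of the original post, this Python script parses that SARIF 2.1.0 structure (runs[].results[]) and lists each finding by rule, file and line; the embedded SARIF document and its rule ids are constructed for the demonstration, not real CodeQL output.

```python
# Added example (not from the original post): summarise the SARIF file that
# `codeql database analyze --format=sarif-latest` writes, so a reviewer can
# triage log.sarif by rule and location without reading the raw JSON.
import json
from collections import Counter

# Constructed sample in the shape CodeQL emits: runs[].results[] carrying
# a ruleId, a message and physical locations. Rule ids are made up here.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [
            {"ruleId": "py/useless-class", "level": "warning",
             "message": {"text": "Class only defines one public method."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "django/utils/example.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "py/useless-class", "level": "warning",
             "message": {"text": "Class has no non-trivial methods."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "django/core/other.py"},
                 "region": {"startLine": 40}}}]},
            # A result without a location still counts as a finding.
            {"ruleId": "py/unused-import",
             "message": {"text": "Import of 'os' is not used."}},
        ],
    }],
})


def load_findings(sarif_text):
    """Return a flat list of (rule_id, level, uri, line, message) tuples."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "<no-rule>")
            level = result.get("level", "warning")  # SARIF default for "fail" results
            text = result.get("message", {}).get("text", "")
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append((rule, level, uri, line, text))
    return findings


def count_by_rule(findings):
    """Count findings per rule id, e.g. {'py/useless-class': 2}."""
    return Counter(f[0] for f in findings)
```

Replace SAMPLE_SARIF with the contents of log.sarif to run it on the real Django scan.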
4. References
- https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/setting-up-the-codeql-cli
- https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis
- https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries