
Kurt Feeley for AWS Community Builders


Find Source Code Vulnerabilities with CodeQL Before You Commit

You have a plethora of Python code to commit for your new Django API. STOP! Before you commit and push, first scan your source code with the CodeQL CLI!

[Image: "Insecure". Photo by iMattSmart on Unsplash]

The Solution

In this tutorial, we’ll go over scanning Python source code for vulnerabilities in a development environment using the CodeQL CLI.

Prerequisites

To complete this tutorial, you will need to install the CodeQL CLI.

Our Dev Environment

This tutorial was developed using Ubuntu 22.10, Python 3.10.6, CodeQL CLI 2.13.1 and Visual Studio Code 1.78.2. Some commands/constructs may vary across platforms.

What is CodeQL?

CodeQL is a static application security testing (SAST) scanner that analyzes source code for vulnerabilities. A vulnerability is a weakness in an application that allows an attacker to cause harm to the application’s owner, the application’s users, and/or the organizations that rely on the application. Popular attacks include SQL injection, cross-site scripting and brute force attacks. Using a tool like CodeQL early in the development process can save time and money, and can help prevent damage to a company’s reputation.

1) Setup the CodeQL CLI

Download the CodeQL CLI

Point your browser to the CodeQL releases page on GitHub and download the archive that corresponds to the platform that you are using. For this tutorial, we are downloading and using the release specified with “linux64” in the filename.

CodeQL Releases: https://github.com/github/codeql-cli-binaries/releases

Once the file has been downloaded, extract the files from the archive. For our Linux system, we’ll use the unzip command.

$ unzip codeql-linux64.zip -d ~/bin/codeql/

We are going to take one more step and add the codeql executable to our PATH variable so that we can call “codeql” from any location within the OS. On our Ubuntu system we can accomplish this by appending the directory that contains the codeql executable to the PATH variable in the ~/.profile file (PATH holds directories, not the path of the executable itself).

Test the CodeQL CLI

We can test the CodeQL CLI by checking the version at the command line.

$ codeql --version

If everything is set up correctly, we should see output something like this:

CodeQL command-line toolchain release 2.13.1.
Copyright (C) 2019-2023 GitHub, Inc.
Unpacked in: /home/user/bin/codeql
Analysis results depend critically on separately distributed query and
extractor modules. To list modules that are visible to the toolchain,
use 'codeql resolve qlpacks' and 'codeql resolve languages'.

You can further test by using the following command to get a list of the languages that can be used.

$ codeql resolve languages

Download the CodeQL Language Packs

To download precompiled queries for Python, use the following command:

$ codeql pack download codeql/python-queries

2) Create the CodeQL Database

Now that we have CodeQL downloaded and configured, we can create the CodeQL database.

Create a Directory for the CodeQL Database

The first thing we will need to do is create a directory to house the CodeQL database.

$ mkdir ~/codeql-dbs

Create the CodeQL Database

Now that we have a location for the database, let’s change to the directory that contains your app’s source code.

$ cd ~/source/python-app

Now we are set to create the CodeQL database with the following command. Unless told otherwise, codeql database create uses the current directory as the source root, which is why we changed into the app directory first:

Parameters:
~/codeql-dbs/python-app: The CodeQL database location.
language: The language to scan. In this case, Python.

$ codeql database create ~/codeql-dbs/python-app \
--language=python

If everything goes to plan, the output of the database create command will end with something like this:

Successfully created database at /home/user/codeql-dbs/python-app.

3) Scan the Source Code for Vulnerabilities

With the CodeQL database created, we can start to scan our source code.

Create a Directory for the CodeQL Output

CodeQL aggregates its findings in an output file. Let’s create a directory to house the output file.

$ mkdir ./codeql-output/

Code Analysis

Running the following command will instruct CodeQL to analyze the code using the previously built “python-app” database.

Parameters:
~/codeql-dbs/python-app: The CodeQL database location.
format: The output format. (Also supports SARIF and graph formats)
output: The path to the output file.

$ codeql database analyze ~/codeql-dbs/python-app \
--format=csv \
--output=./codeql-output/scan.csv

When CodeQL completes its analysis, the console should display a message like:

Shutting down query evaluator.
Interpreting results.
Analysis produced the following diagnostic data:
|          Diagnostic          |  Summary  |
+------------------------------+-----------+
| Compilation message          | 3 results |
| Successfully extracted files | 6 results |
Analysis produced the following metric data:
|                   Metric                   | Value  |
+--------------------------------------------+--------+
| Total lines of Python code in the database | 13,700 |

View the CodeQL Analysis Output

$ nano ./codeql-output/scan.csv
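Steps 2 and 3 above are exactly what you want to automate so the scan runs before every commit. The script below is an added example, not part of the original post or of the CodeQL project: it wraps the tutorial's two commands, parses the CSV that codeql database analyze writes (one unheaded row per finding: name, description, severity, message, path, start line, start column, end line, end column) and exits non-zero when any error-severity finding is present, so a git pre-commit hook that calls it blocks the commit. The database and output paths, the query-pack argument and the sample CSV rows are assumptions and constructed data, not output from a real scan.

```shell
#!/bin/sh
# Added example (not part of the original post): a pre-commit style wrapper
# around the tutorial's CodeQL commands. It scans the current Python project,
# counts findings per severity in the CSV output and exits non-zero when any
# error-severity finding is present. Paths below are assumptions.
set -eu

CODEQL_DB="${CODEQL_DB:-$HOME/codeql-dbs/python-app}"   # assumed DB location
OUT_DIR="${OUT_DIR:-./codeql-output}"                   # assumed output dir
SCAN_CSV="$OUT_DIR/scan.csv"

# Steps 2 and 3 of the tutorial: (re)build the database from the current
# directory and analyze it with the python-queries pack downloaded in step 1.
run_codeql_scan() {
    mkdir -p "$OUT_DIR"
    codeql database create "$CODEQL_DB" --language=python --overwrite
    codeql database analyze "$CODEQL_DB" codeql/python-queries \
        --format=csv --output="$SCAN_CSV"
}

# CodeQL's CSV output has no header; each row is
# "name","description","severity","message","path","start line","start col","end line","end col"
# Extract the third quoted field and count the rows with the requested severity.
count_findings() {
    csv="$1"; severity="$2"
    sed -E -n 's/^"[^"]*","[^"]*","([^"]*)",.*/\1/p' "$csv" \
        | grep -c -x "$severity" || true
}

# Print a summary and fail (exit 1) when error-severity findings exist,
# so a git pre-commit hook that calls this script blocks the commit.
gate_on_errors() {
    csv="$1"
    errors=$(count_findings "$csv" error)
    warnings=$(count_findings "$csv" warning)
    recs=$(count_findings "$csv" recommendation)
    echo "CodeQL: $errors error(s), $warnings warning(s), $recs recommendation(s) in $csv"
    [ "$errors" -eq 0 ]
}

# Constructed sample rows (not real scan results) in CodeQL's CSV layout,
# used to exercise the gate without a CodeQL installation.
write_sample_csv() {
    cat > "$1" <<'EOF'
"SQL query built from user-controlled sources","Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code by the user.","error","This SQL query depends on a user-provided value.","app/views.py","42","13","42","61"
"Clear-text logging of sensitive information","Logging sensitive information without encryption or hashing can expose it to an attacker.","error","This expression logs sensitive data.","app/auth.py","88","5","88","40"
"Unused import","Import is not required as it is not used.","recommendation","Import of 'os' is not used.","app/utils.py","3","1","3","10"
"Insecure temporary file","Creating a temporary file using this method may be insecure.","warning","Call to deprecated function tempfile.mktemp may be insecure.","app/export.py","17","12","17","35"
EOF
}

case "${1:-}" in
    --run)  run_codeql_scan; gate_on_errors "$SCAN_CSV" ;;
    --demo) tmp=$(mktemp); write_sample_csv "$tmp"; gate_on_errors "$tmp" ;;
    *)      echo "usage: $0 --run | --demo" ;;
esac
```

Run it with --demo to see the gate reject the constructed sample (two error-severity rows), or with --run from your app's directory to scan the real code; installing it as .git/hooks/pre-commit with the --run argument makes the scan a precondition of every commit. Only error-severity findings block here; tighten the check in gate_on_errors to include warnings once the existing backlog is clean.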

Summary

We have concluded this tutorial where you have learned how to scan Python source code for vulnerabilities in a development environment using the CodeQL CLI.

Now, before you commit code for that Django API, scan it for source code vulnerabilities with CodeQL.
