From YouTube: Find bugs in your code with CodeQL
Description
#30minutestomerge
CodeQL is free for open source and you can benefit from the continuously growing query set contributed by GitHub, by the community and by top security teams like NASA’s.
0:00 - Start
5:11 - Intros
8:47 - Problem presentation
17:56 - CodeQL demo
How to enable CodeQL: https://github.co/3rOmI2k
Get started with CodeQL: codeql.com
Connect with us:
Twitter: @GHSecurityLab
Web: securitylab.github.com
About GitHub Security Lab:
“Securing the world’s software, together” - GitHub Security Lab’s mission is to inspire and enable the community to secure the open source software we all depend on.
Presented by:
Joseph Katsioloudes (@jkcso)
B
Hey everybody, and welcome to another episode of 30 Minutes to Merge. I am your host beard of edu. I think I might have missed you last month, but I'm back and kind of better than ever: new camera. So now you've got like a full blow-up of my face, which is kind of weird, but here we are today on today's 30 Minutes to Merge session.
B
I'm joined by a super awesome individual named Joseph, who's going to be kind of diving into some security-related topics. But before I bring him on stage, I just want to give a quick introduction to him as a person.
B
So as always, I like to kind of ask a couple of questions before I bring someone on. So his hobbies include tennis, but he also plays a lot of sports; tennis seems to be his primary focus right now. And when he's not watching F1 racing, he is also playing chess at a championship level in London.
B
So that's always a fun time. It's not necessarily something that I'm doing, but I've always been kind of intrigued by the game of chess myself. He's currently not allowed to have any animals in his building, but if he was able to own an animal he'd either want a French bulldog or a pug. So if you've got any favorite pug or Frenchie pics, you can always share those in chat.
B
I also like to ask what people bought recently, just because I'm kind of curious as to what people are spending their money on. He bought some new tennis balls, which makes sense because he plays tennis, but he also bought a replacement shirt because he ruined the original shirt in the laundry. So a little laundry mishap ended up in a duplicate purchase. In terms of where he's at in the open source world, he's got a couple of kind of dusty repositories on his account.
B
Two that I thought were really interesting: one is intel one, which is kind of a command-line-driven tool that identifies the open source footprint of an individual or an organization. So you kind of plug in some information about an individual and it'll pull up a whole bunch of information about where they're at in the open source space, which I thought was really cool. And then he's also got a couple of other repositories around the blockchain and different kinds of simulations around those, which are really interesting.
B
If blockchain is something that you're interested in, you might want to check those out and just see what's going on. And then finally, I always ask: if you could build an action to do something kind of interesting outside of your normal CI or CD, what would it be? Joseph said he had the idea of maybe connecting experienced open source maintainers with people who are newer to the field, to kind of create this ongoing dialogue around, you know, the mistakes that they made.
B
The, you know, the experienced individuals kind of sharing information with the newcomers to the scene, to create an opportunity to grow the open source space and make sure that everyone's kind of successful in whatever they're trying to accomplish in that open source world. And without further ado, I'd love to bring Joseph out on stage.
C
My part in that mission is to make security easy for developers, and this is why I'm here today: to use those 30 minutes to give you the superpower of securing your code like NASA did. Well, this is not a science fiction or a Netflix scenario. 10 years ago, when NASA's Curiosity was landing on the surface of Mars, NASA engineers performed a code review mid-flight. They wanted to check the software responsible for opening the parachute of the Curiosity rover during landing on the surface of Mars, and that was when they found the bug.
C
The little bug that the NASA engineers discovered was that the function signature in line 1 expected an array of 12 elements, but an array of three elements would be passed as an argument in line 8. This means that the loop in lines 2 and 3 would read the correct memory coordinates just for the first three elements, but then it would go out of bounds, leading to random behavior.
C
If we now see the bigger picture and compare this scenario of fixing a bug mid-flight to that of fixing a bug in production, then I'm sure you will agree that it is very late in the process of the software development lifecycle. Last year, NASA sent another rover to Mars, but what have they done differently?
C
This time they shifted security left by integrating CodeQL at the very beginning of the software development lifecycle. By using GitHub, in two clicks you can enable code scanning with CodeQL and get alerted about security vulnerabilities in your code. CodeQL is free for open source and you can benefit from the continuously growing query set contributed by GitHub, by the community and by top security teams like NASA's.
C
One of the main levers of DevOps adoption was the introduction of infrastructure as code, where developers use code for setting up their own infra without the need to open tickets to operations teams. The fact that developers were writing code empowered them with further benefits such as reading, contributing and understanding what they were doing. Same for the world of testing: in the pre-agile days, developers and testers belonged to two separate teams. QA would find the bugs and report them back to devs.
C
This sharing helps developers read, understand and contribute to the code, which facilitates a security culture. Therefore, think about security becoming a seamless observer of the day-to-day DevOps that doesn't intervene or affect DevOps speed. Security as code will be integrated and automated into the pipelines, so that every time a security-related violation exists, actionable feedback will be generated. By the way, you hear more and more people talking about DevSecOps nowadays, right?
C
The vulnerability covered by our demo is a SQL injection, or an S-Q-L injection, it depends where you're from, and I just want to introduce it here for those that might not be familiar with it. As per the meme on screen, this happens when a user is able to execute arbitrary queries on a database using SQL.
C
This is a very simple example, but in real life user input flows to different places of your code base, through files and functions, before reaching the SQL execution. In our demo we will build a query that automatically finds SQL injections in those complex scenarios. Just before the demo, let's define two important concepts for our data flow query: sources and sinks. Sources are places in the program that receive untrusted user input, for example, a field in a.
C
The question we need to ask is a data flow one: does this untrusted data ever flow to the point of executing a potentially vulnerable action? We can answer this question by identifying all paths from sources to sinks by using QL. Notice that CodeQL allows users to query code in general, not necessarily for vulnerabilities.
C
You can use it for any type of bugs or just to explore your code. We try to make these queries generic to find variants of vulnerabilities, like NASA did, and the biggest benefit you get is that you will now be able to codify your knowledge of a whole security bug pattern in an expressive query language. CodeQL is declarative and logical.
C
This is because there's no sanitization happening with the username and password variable, being able to maliciously alter our database like we've seen in our meme, and where this is happening is in line 147, where we have the rawQuery method accepting a query. So in that line, the first argument is essentially our SQL execution.
C
Every declaration in the from clause has a variable type, like MethodAccess here, and a variable name, like call here, while select specifies what the result should be by referring to the variables above. As per our SQL injection explanation, we need to arrive at those methods or functions in the vulnerable code base that receive user input. How do we do this? We first need to start by getting the set of all methods in the program and then filter only those that receive user input. In the CodeQL Java library, to find method invocations we can use the type MethodAccess in line three, and then we can use a variable that I call "call" here; you can use any variable name. And if we run that, we are expecting CodeQL to provide us with all method invocations in the program. So if I click here, for example, we have the makeText function being called, and if I click here, we can see where the show function is being called. But the problem is that these are all the functions. We just need to arrive at those that receive user input.
C
I'm going to use my variable from above in the function called getArgument, sorry, getMethod, because we are looking for methods, followed by hasQualifiedName in order to have the specific method that I'm looking for. Look how I'm making use of the autocompletion and how the inline doc helps me to find the right method, in order for me to be productive and use CodeQL.
C
Inside the where clause, we can also see the object-oriented nature of CodeQL, because getMethod is an operation provided by the type MethodAccess which, through chaining, provides further options, for example, to look for a function with a specific name. And this is another feature that CodeQL brings on top of SQL, which is expressivity with chaining.
C
So if we run this, we arrive at the instances of getText in our code base. So far, what you see is like a grep command or Ctrl+F, but the true power of QL is going to be visible here, in the data flow. So let's continue towards that. Let's now move to sinks. To find sinks, we can use the same strategy, with the difference being that we are looking for a different method in a different package, like we do in line four. As we saw, rawQuery takes two arguments.
C
Luckily, the language comes with a rich set of standard libraries that have ready-made templates we just have to fill, like the one in front of us. On top of the file we have some metadata that will help CodeQL to understand what we are trying to do; ignore them for now. We then import the taint tracking library, which is a template configuration to try to track untrusted user input, followed by the data flow path graph library, which is all about the visualization of results.
C
At the end, we are defining a class here on line 11 to help us out, as a taint tracking configuration is a boilerplate, so this class is extending something to help ourselves with inheritance, composition and the expressiveness of the language. And this is actually an example of how users can benefit from extensibility, and through classes the expressiveness of the language is highlighted.
C
We know that we have untrusted user input entering our code base, and we know that when untrusted user input enters our code base there's the potential of that to be malicious, so that was the source. Let's continue with the sink, with the exact same strategy: there exists a method such that... so this becomes, so that when rawQuery is called with an argument at index 0, you know that you have the sink. Let's copy and paste again.
C
So this should become node as expression. Okay, so what I've done was just filling the two template placeholders with the code we've used before, and if we run that we expect CodeQL to tell us if we have indeed SQL injections happening in our code base.
C
So, let's analyze what this says. If we click on the first SQL injection finding, we have two pathways to explore. In the first one, we know that we have the username typed by the user being passed to the code base, that was then passed into the login method, followed by the definition of the login method, before being executed in the database.
C
Sometimes the path from a user input to the real SQL injection can be very long, with more than 10 steps across several files, functions, different places of the code base, libraries. Imagine how difficult it would be to find those manually. Let CodeQL do it for you. Back to our presentation and the final slide.
B
Awesome, thank you so much for joining. So before we go into any more thanks and whatnot, we do have a question in chat that I was actually about to interrupt you with, but then you wrapped up. So Chad asked: these analyzers seem fragile to changes in the code library signatures, so like the names and arguments. Are there best practices to make your CodeQL queries more resilient to change in the libraries?
C
If we take the example that we just had, from the Android widget or in general the database, you know that for these libraries they will never change code names so easily, in order to maintain backward compatibility and avoid breaking everything in our world in a moment.
C
Basically, so definitely there are cases where you need to adapt your CodeQL queries based on the code, but since our community is contributing to CodeQL queries, GitHub is contributing to CodeQL queries, top security teams like the one of NASA, like the one of Mercado Libre that we had three months ago in our demo days, you know that this group of people are focusing on libraries of open source that are out there, and that's why they contribute queries to secure the open source.
B
All right, really good response. Thank you very much. I don't see any other questions in chat, so if anyone has any, just throw them in chat, and if you're typing something really long, maybe just throw a "give me a second" and just let us know. But yeah, thank you so much for joining. It was a really awesome session.
B
You really broke down how to get started with CodeQL within your repository and how you might actually use it, or how you could see some benefits from it pretty early. So yeah, thanks again for joining, and for everyone out there watching today, I just wanted to say thanks for joining us again. It's always a pleasure for me to host these things, and I look forward to our
C
B
Minutes to Merge session. Yeah, thanks everyone, hope you have a great rest of your day, great rest of your week, and I'll see you next month, hopefully, for another 30 Minutes to Merge with another awesome host where we get to talk about all things Git and GitHub. So thanks again and have a great one.
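As an added example, not part of the session above and not the demo app's or GitHub's own query, here is a complete path query in the shape Joseph builds in the demo: the "grep-like" MethodAccess filter for the source, the first argument of rawQuery as the sink, and a taint tracking configuration that asks whether any path joins them. The qualified names android.widget.EditText.getText and android.database.sqlite.SQLiteDatabase.rawQuery are assumed from the "Android widget" and database libraries mentioned in the talk; the escapeSql sanitizer is a hypothetical helper added to show where a project would declare its own safe wrapper. The class-based Configuration matches what the session shows; recent CodeQL releases express the same thing as a module implementing DataFlow::ConfigSig.

```ql
/**
 * @name SQL injection from an Android text field (added example)
 * @description Text read from an EditText reaches SQLiteDatabase.rawQuery
 *              without passing through a sanitizer.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/android-sqli-demo
 */

import java
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

// Source: the result of any call to android.widget.EditText.getText().
// This is the same MethodAccess + hasQualifiedName filter the demo runs
// on its own first, which on its own is only a structured grep.
// (Qualified name assumed from the talk's "Android widget".)
class EditTextSource extends DataFlow::Node {
  EditTextSource() {
    exists(MethodAccess call |
      call.getMethod().hasQualifiedName("android.widget", "EditText", "getText") and
      this.asExpr() = call
    )
  }
}

// Sink: argument 0 of SQLiteDatabase.rawQuery(String sql, String[] args),
// i.e. the SQL string that is actually executed. (Qualified name assumed.)
class RawQuerySink extends DataFlow::Node {
  RawQuerySink() {
    exists(MethodAccess call |
      call.getMethod().hasQualifiedName("android.database.sqlite", "SQLiteDatabase", "rawQuery") and
      this.asExpr() = call.getArgument(0)
    )
  }
}

// The taint tracking configuration is the template the demo fills in.
// Taint tracking (rather than plain data flow) is used so that string
// concatenation and toString() on the way to rawQuery still count as a path.
class AndroidSqliConfig extends TaintTracking::Configuration {
  AndroidSqliConfig() { this = "AndroidSqliConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof EditTextSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof RawQuerySink }

  // Sanitizer: values returned by a helper named escapeSql are treated as safe,
  // which cuts any path that goes through it. escapeSql is hypothetical; replace it
  // with the project's real escaping/parameterizing helper, or drop this override.
  override predicate isSanitizer(DataFlow::Node node) {
    exists(MethodAccess call |
      call.getMethod().getName() = "escapeSql" and
      node.asExpr() = call
    )
  }
}

// Report every source-to-sink path; @kind path-problem makes the UI show each step.
from AndroidSqliConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "SQL query built from untrusted $@ reaches rawQuery.", source.getNode(), "user input"
```

Run it against a CodeQL database of the app (for example from the VS Code extension or `codeql database analyze`); each result carries the full path, so a hit through a login helper in another file shows every hop, which is the point the demo makes about long flows. To answer the chat question about library churn, keep the source and sink definitions in their own classes as above: when a library renames a method, only the qualified name inside that class changes, not the flow configuration or the select.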