tthtlc / source-sink-codeql Goto Github PK

FYP Project utilizing CodeQL for code analysis
Explore the docs »

CodeQL · View Demo · Neo4J

DISMFYP2021GRP8, also known as G8, is a static code scanning security tool designed with ReactJS and ExpressJS. It utilizes the CodeQL semantic code analysis engine to find all variants of a vulnerability. Below are some features of G8 but are not limited to.

• Uploading of project with folders, (zipped) files and Git repositories
• Alert results in a neat and concise page of CodeFlow
• Alert results visualization with Neo4J integration
• Interpret custom CodeQL queries
• Report generation for researcher
• Viewing custom SARIF file with sarif-web-components
• Documentation of CodeQL queries

The following tools should be installed before starting:

• Docker

Use the provided docker configuration to deploy the project:

$ docker-compose up -d

Then, visit 127.0.0.1:3000, visit the dashboard page and upload a project you wish to analyze. Click analyze to begin the analysis and watch the magic unfold.

You can optionally edit the configuration file depending on your needs:

Backend Configuration File

To start trying out the project, follow the steps below.

1. Visit http://127.0.0.1:3000/#/dashboard/
2. Click on the Git Repo button and paste in https://github.com/ISnackable/DISMFYP2021GRP8.git
3. Click Submit to upload the project
4. Under the Existing Project table, click on Start Analysis and wait for the analysis to be done
5. Click Load Project and navigate to CodeQL Alert to view the results

To get a local copy up and running follow these simple example steps.

Clone this repository on the latest version using git and update all submodules to the latest version.

$ git clone https://github.com/ISnackable/DISMFYP2021GRP8/ --recursive --depth 1

1. Download the CodeQL CLI zip package.

2. Create a new CodeQL directory where you can place the CLI and any queries and libraries you want to use. For example, D:/programs/codeql-home or /opt/codeql.

3. Extract the zip archive in the CodeQL directory; D:/programs/codeql-home/codeql

4. Add CodeQL to Path.

   • Windows

     1. Go to Control Panel\System and Security\System
     2. Click on Advance System Settings
     3. Click on Enviroment Variables
     4. Edit Path for both User variables and System variables
     5. Click on New and add the CodeQL directory; D:/programs/codeql-home/codeql

   • Linux

     $ export PATH=/opt/codeql:$PATH

5. Verify your CodeQL CLI setup.

   $ codeql --help

6. Download & Install the CodeQL VSCode Extension. (Optional)

• Docker

$ docker run -p 3306:3306 -d -v backend/init.sql:/docker-entrypoint-initdb.d --env MYSQL_ROOT_PASSWORD=secret docker.io/library/mariadb:10

$ docker run -p 7474:7474 -p 7687:7687 -d -v $HOME/neo4j/data:/data --env NEO4J_AUTH=neo4j/s3cr3t neo4j:4.2.7

• MariaDB
• Neo4J Community Edition

1. Download & Install MariaDB on the latest version
2. Verify MariaDB is installed by running the following command

$ sudo service mysql status

3. Download & Install Neo4J Community Server on the latest version
4. Verify Neo4J is installed by visiting http://localhost:7474.

You can optionally edit the configuration file depending on your needs:

Backend Configuration File

$ cd frontend
$ yarn install
$ yarn start

$ cd backend
$ yarn install
$ yarn start

The version of CodeQL used by the G8 is subject to the CodeQL Research Terms & Conditions.

By using G8, you agree to GitHub CodeQL Terms and Conditions. If you do not accept these Terms, do not download, install, use, or copy the Software.

• CodeQL
• CodeQL Logo
• Themesberg Volt React Dashboard
• Sarif Web Component