Awesome
Summary: Codebox is a graphical tool that helps to create taint-tracking models for Go functions/methods/interfaces.
You specify the taint logic in a graphical (web) interface, and it generates CodeQL taint-tracking models along with Go scenario test cases for those models.
Example
The codebox
tool was created to expand the taint-tracking models of codeql-go (the official CodeQL extractor and libraries for Go.)
You can find below all the models and tests that were generated by codebox
and then merged into the codeql-go repo:
- Taint-tracking models: https://github.com/github/codeql-go/tree/main/ql/src/semmle/go/frameworks/stdlib
- Tests: https://github.com/github/codeql-go/tree/main/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow
- Imports: https://github.com/github/codeql-go/blob/main/ql/src/semmle/go/frameworks/Stdlib.qll#L6-L65
- More about the goal: https://github.com/github/securitylab/issues/187
NOTE: The codebox
tool and its author have no affiliation with GitHub/Semmle.
How it works
# - go get
go get github.com/gagliardetto/codebox
# - Enter the codebox folder:
cd $GOPATH/src/github.com/gagliardetto/codebox
# - Compile and install the binary:
make
# - Spin up the graphical tool http server for e.g. the "io" package.
# NOTE: You still need to be inside $GOPATH/src/github.com/gagliardetto/codebox (to be able to access static assets)
# NOTE: You need to have Go installed to be able to analyze standard library packages.
# NOTE: The --pkg flag can either be <package> (defaults to latest version), or <package>@<version>;
# e.g. github.com/gin-gonic/gin@latest
# e.g. github.com/gin-gonic/gin@v1.6.2
# NOTE: There might be some issues with some packages or modules.
# NOTE: The --out-dir flag is the folder where all the generated files will go.
codebox --out-dir=./generated/compressed --pkg=net/http --stub --http
# - Open the UI in the browser:
chrome http://127.0.0.1:8080/
# - Now that you see the UI in the browser, complete the taint-tracking logic
# and when you're done, close the server program you started in the terminal
# with a CTRL-C.
# You will find the generated codeql and golang files inside ./generated/compressed
# NOTE: if you only want to regenerate the code without starting the server,
# then you need to remove the --http flag:
codebox --out-dir=./generated/compressed --pkg=net/http --stub
Helpful commands for batch processing
# Move all files from child directories to parent directory:
# find . -mindepth 2 -type f -name "*.go" -print -exec mv {} . \;
# find . -mindepth 2 -type f -name "*.qll" -print -exec mv {} . \;
find . -mindepth 2 -type f -print -exec mv {} . \;
#for f in *.qll; do printf '%s\n' "${f%.qll}TaintTracking.qll"; done
rename 's/\.qll$/TaintTracking.qll/' *.qll
# format a codeql file:
codeql query format -qq -i file.qll
# format all codeql files:
echo ~/.config/Code/User/globalStorage/github.vscode-codeql/distribution*/codeql/codeql
find . -type f -name "*.ql" -or -name "*.qll" -exec ~/.config/Code/User/globalStorage/github.vscode-codeql/distribution12/codeql/codeql query format -qq -i {} ';' -print
find . -type f -name "*.ql" -or -name "*.qll" | while read cqlFile; do echo $cqlFile && codeql query format -qq -i $cqlFile; done