GitHub opens source analytics engine CodeQL Sync launches $3000 vulnerability reward program

GitHub announced at the Global Developerconference that it had launched a new community program called Security Lab. In the program, GitHub not only opens up CodeQL, the code analytics engine, but also sets up a vulnerability incentive program with a bonus of up to $3,000.

The mission of GitHub Security Labs is to inspire and empower the global security research community to secure our code around the world, and to further address code security challenges, improve the gaps in the open source community, and lay a good foundation for high-quality code contributions from the open source community. The program is also supported by a number of big bull companies, including Microsoft, Google, Intel, and so on, and now Lei Feng.com AI developers have compiled the community’s specific content.

GitHub opens source analytics engine CodeQL Sync launches $3000 vulnerability reward program

Security vulnerability of the fire-eye gold-eye CodeQL

CodeQL is a new open source tool that GitHub has just launched. This is a semantic code analysis engine designed to find different versions of the same vulnerability in a large amount of code.

CodeQL helps us discover vulnerabilities across code bases, allows us to query code like query data, write queries to find and permanently eliminate all variations of the vulnerability, and share the query results to help others eliminate the vulnerability.

GitHub opens source analytics engine CodeQL Sync launches $3000 vulnerability reward program

Ql is the query language and the basis of CodeQL, dedicated to analyzing code. This is a logical programming language, so it consists of logical formulas. QL uses common logic to connect words (such as and, or, and not), quantitative words (such as forall and exists), and other important logical concepts. Examples of query statements are as follows (implementing the addition of null to the collection):

import java

Method Access Call, Method Add

Where

call.getMethod (.) (add) and

add.hasName (“add”) and

add.getDeclaringType.getSourceDeclaration.hasqualifiedName (“java.util,” “Collection”) and

call.getAnArgument () instanceofnull

select call

QL also supports recursive and aggregation, which allows us to write complex recursive queries using simple syntax and use libraries directly, such as count, sum, and average.

As a result, queries written with CodeQL can uncover variations of vulnerabilities and critical security vulnerabilities. In addition to the GitHub platform, CodeQL has also been used in vulnerability code scanning activities on other platforms, such as Mozilla.

GitHub opens source analytics engine CodeQL Sync launches $3000 vulnerability reward program

More about QL

https://help.semmle.com/QL/learn-ql/

How should CodeQL be used?

Online inquiries

We can use the CodeQL query console on the LGTM platform (https://lgtm.com/query/rule:1823453799/lang:java/) to run the actual query directly on the popular open source library.

GitHub opens source analytics engine CodeQL Sync launches $3000 vulnerability reward program

LGTM platform interface, directly write code that needs to be queried

Once we understand the patterns in which vulnerabilities are found, we can find similar situations throughout the code base. In the following example, we used the built-in CodeQL library to encode the insecure deserialization pattern for data flow and spot tracking.

UnsafeDeserialization.ql

From DataFlow: :Path Node source, DataFlow: :Path Node sink, UnsafeDesanoConfig conf

Where conf.hasFlowPath (source, sink)

select sink.getNode (). (Unsafe DeserialnaturedSink.) getMethodAccess(), source, sink,

“Unsafe deserialization of $.” source.getNode (), “user input”

Local queries

If you need to write and run queries locally, you can do so by installing the CodeQL extension of Visual Studio Code.

GitHub opens source analytics engine CodeQL Sync launches $3000 vulnerability reward program

Write and run query code in Visual Studio

After installing the CodeQL extension, the steps are:

1. Get the CodeQL database

Search LGTM.com for open source projects to study, and then import the project page;

Add the CodeQL database of the downloaded and the project itself to the VS code to implement the use of these instructions;

2. Query the code and find the vulnerability

Copy the CodeQL starter workspace and open it in VS Code;

Run the query by right-clicking and selecting Run Query;

For more information, see the documentation:

https://help.semmle.com/codeql/codeql-for-vscode.html

Query open source library

Under OSI-approved open source license sq., we can create a CodeQL database for any project that is eligible.

CodeQL analysis relies on extracting relational data from code and uses it to build a CodeQL database (https://help.semmle.com/codeql/glossary.html.codeql-database) that contains all the data needed to run queries on code.

Before you build the CodeQL database, you need to:

Install and set up The CodeQL CLI. (For more information, see CodeQL CLI Getting Started below)

Move out of the version of the code base you want to analyze. The directory should be ready to be established and all dependencies installed.

GitHub opens source analytics engine CodeQL Sync launches $3000 vulnerability reward program

Query open source library example

Note, however, that GitHub CodeQL can only be used for code bases published under OSI-approved open source licenses, or for academic research. It cannot be used for automated analysis, continuous integration, or continuous delivery, whether as part of a normal software engineering process or otherwise.

CodeQL extended detailed documentation:

https://help.semmle.com/codeql/codeql-for-vscode.html

Local query download address:

https://marketplace.visualstudio.com/items?itemName=github.vscode-codeql

Getting Started with CodeQL CLI:

https://help.semmle.com/codeql/codeql-cli/procedures/get-started.html

CodeQL “Capture Flag” Challenge

If you want to challenge vulnerability search skills and quickly learn Semmle CodeQL, try to complete the given task of using CodeQL to find variations of the jQuery plug-in that expose clients to undocumented XSS (cross-site scripting) vulnerabilities.

Specifically, jQuery is a very popular but very old, open source JavaScript library designed to simplify HTML document traversal and manipulation, event handling, animation, and Ajax. As of May 2019, jQuery had 73% of the 10 million most popular sites. The jQuery library supports modular plug-ins, and developers around the world have implemented thousands of plug-ins that seamlessly extend the capabilities of jQuery.

GitHub opens source analytics engine CodeQL Sync launches $3000 vulnerability reward program

Bootstrap is a popular repository that makes extensive use of the jQuery plug-in mechanism, but the jQuery plug-in in Bootstrap used to be implemented in an insecure manner, which may have made Bootstrap users vulnerable to cross-site scripting (XSS).

This is the use of a web application by an attacker to send malicious code to other end users, usually in the form of browser-side scripts, which can access any cookies, session tags, or other sensitive information that the browser retains and uses with the site.

Therefore, throughout the lookup process, you need to write queries using step-by-step guides to find the jQuery plug-inthats that are not securely implemented in the boot. Send the answers to the ctf@github.com when you’re done to get the chance to win. GitHub will select the two best CodeQL queries received by December 31, 2019 to win the jackpot, and will also select 10 additional CodeQL queries to win other prizes.

See previous challenges:

https://securitylab.github.com/ctf/jquery

A broader plan to improve security

In addition, GitHub has recently become an authorized CVE number publisher, which is able to publish CVE numbers for vulnerabilities. This feature has been added to the Security Recommendations service feature. Once the vulnerability is fixed, the project owner can issue a security bulletin, and GitHub will be available to all upstream project owners who use the vulnerable version of the code of the original maintainer, but the project owner can request and receive a CVE number directly from GitHub and receive the CVE number before issuing the security bulletin.

Of course, in addition to the CVE, which represents honor, Github has launched a bonus mechanism wheresecurity researchers who use CodeQL to exploit new vulnerabilities can receive a reward of up to $2,500, or even a $3,000 reward if the CodeQL query code is high enough.

Bounty Detailrules:

https://securitylab.github.com/bounties

In addition to the new security lab, GitHub has launched the GitHub Security Bulletin Database, which collects all security bulletins found on the platform, providing greater space for tracking security vulnerabilities found in GitHub hosting projects.

Finally, GitHub has updated Token Scanning’s own service. It scans for API keys and tokens that are inadvertently left in the source code in a user project. The service was previously able to detect API tokens for 20 services, while the new version added four more vendors to the format: GoCardless, HashiCorp, Postman and Tencent Cloud.

Github address:

https://securitylab.github.com/tools/codeql/

Add a Comment

Your email address will not be published. Required fields are marked *