Analyze an open source package with codeql-container
This article demonstrates how you can use codeql-container to analyze an open source package by running CodeQL on it.
For this workflow, you will need the open source tool OSSGadget (https://github.com/microsoft/OSSGadget). OSSGadget is a collection of tools for downloading and analyzing various open source packages. Download the release for your operating system from https://github.com/microsoft/OSSGadget/releases
Use the oss-download tool to download any open source package and extract it. Extraction of source only works for interpreted languages; packages for compiled languages will not have source embedded.
Note that codeql-container currently analyzes only interpreted languages like Python and JavaScript.
Run the oss-download command on the package (the package should be given in PURL notation: https://github.com/package-url/purl-spec)
./oss-download --extract --download-directory /tmp/express/src pkg:npm/[email protected]
Now run codeql-container on the downloaded directory:
./scripts/unix/analyze_security.sh /tmp/express/src /tmp/express/output javascript
This should output the results of the analysis in SARIF format at /tmp/express/output/issues.sarif, which you can open with a SARIF viewer to view the results.
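If you would rather triage the results from the command line than open a SARIF viewer, the following script summarizes a CodeQL SARIF file. It is an added example, not part of codeql-container or OSSGadget. It assumes the standard SARIF 2.1.0 layout that CodeQL emits (runs[].results[] with ruleId, level, message and locations, and runs[].tool.driver.rules[] carrying a "security-severity" score in properties); the embedded sample document is constructed for the example and is not real codeql-container output.

```python
"""Summarize a CodeQL SARIF file such as /tmp/express/output/issues.sarif.

Added example, not part of codeql-container or OSSGadget. Assumes the SARIF
2.1.0 layout CodeQL produces: runs[].results[] with ruleId, level,
message.text and locations[].physicalLocation, plus runs[].tool.driver.rules[]
whose properties may carry "security-severity" as a string CVSS-style score.
Usage: python sarif_summary.py [path/to/issues.sarif]
"""
import json
import sys
from collections import Counter

# Constructed sample SARIF (not real tool output) used when no path is given,
# so the script runs offline.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "CodeQL",
            "rules": [
                {"id": "js/path-injection",
                 "shortDescription": {"text": "Uncontrolled data used in path expression"},
                 "properties": {"security-severity": "7.5"}},
                {"id": "js/unused-local-variable",
                 "shortDescription": {"text": "Unused variable"},
                 "properties": {}},
            ]}},
        "results": [
            {"ruleId": "js/path-injection", "level": "error",
             "message": {"text": "This path depends on a user-provided value."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "lib/response.js"},
                 "region": {"startLine": 120}}}]},
            {"ruleId": "js/path-injection", "level": "error",
             "message": {"text": "This path depends on a user-provided value."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "lib/utils.js"},
                 "region": {"startLine": 33}}}]},
            {"ruleId": "js/unused-local-variable", "level": "note",
             "message": {"text": "Unused variable x."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "index.js"},
                 "region": {"startLine": 5}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten a SARIF document into one dict per result location."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        # Map rule id -> (short description, security-severity) from tool metadata.
        rules = {}
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            sev = rule.get("properties", {}).get("security-severity")
            rules[rule["id"]] = (
                rule.get("shortDescription", {}).get("text", ""),
                float(sev) if sev is not None else None,
            )
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            desc, sev = rules.get(rule_id, ("", None))
            # A result may carry no location (e.g. a project-wide finding).
            for loc in result.get("locations") or [{}]:
                phys = loc.get("physicalLocation", {})
                findings.append({
                    "rule": rule_id,
                    "description": desc,
                    "level": result.get("level", "warning"),
                    "security_severity": sev,
                    "file": phys.get("artifactLocation", {}).get("uri", "<no file>"),
                    "line": phys.get("region", {}).get("startLine"),
                    "message": result.get("message", {}).get("text", ""),
                })
    return findings


def security_findings(findings, min_severity=0.0):
    """Keep only results whose rule has a security-severity score >= min_severity."""
    return [f for f in findings
            if f["security_severity"] is not None and f["security_severity"] >= min_severity]


def count_by_rule(findings):
    """Number of findings per rule id."""
    return Counter(f["rule"] for f in findings)


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SARIF
    findings = load_findings(text)
    sec = security_findings(findings)
    print(f"{len(findings)} results, {len(sec)} security-relevant")
    for rule, n in count_by_rule(sec).most_common():
        print(f"  {n:3d}  {rule}")
    for f in sorted(sec, key=lambda f: -f["security_severity"]):
        print(f"[{f['security_severity']}] {f['rule']} {f['file']}:{f['line']}  {f['message']}")


if __name__ == "__main__":
    main(sys.argv)
```

Filtering on the rule's security-severity score separates security queries from code-quality queries (which carry no score), which is usually the first cut when reviewing results for a third-party package.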