1. Download the CLI binaries and the rule library
https://github.com/github/codeql-cli-binaries/releases
Local: codeql-win64 (1).zip
https://github.com/github/codeql
Local: codeql-main (1).zip
2. Install the VS Code extension
Configuration path:
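3. Create a database
Create a database with codeql-cli
Run: codeql database create <database> --language=<language-identifier>
Options:
--language: specifies the language of the database; pass its identifier. When used together with --db-cluster, several languages can be given, separated by ',', or the option can be repeated.
--db-cluster: creates databases for multiple languages
--command: used when creating a database for one or more compiled languages. Python and JavaScript/TypeScript do not need this option. If it is omitted for a compiled language, CodeQL detects the build system automatically and builds the project.
--no-run-unnecessary-builds: when creating databases for multiple languages that include both compiled and non-compiled languages, --no-run-unnecessary-builds lets the non-compiled languages skip the --command option
More option details:
https://codeql.github.com/docs/codeql-cli/manual/database-create/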
CodeQL supports the following languages:
Language                 Identifier
C/C++                    cpp
C#                       csharp
Go                       go
Java                     java
JavaScript/TypeScript    javascript
Python                   python
Ruby                     ruby
C/C++ project built using make:
codeql database create cpp-database --language=cpp --command=make
C# project built using dotnet build (.NET Core 3.0 or later):
codeql database create csharp-database --language=csharp --command='dotnet build /t:rebuild'
On Linux and macOS (but not Windows), you need to disable shared compilation when building C# projects with .NET Core 2 or earlier, so expand the command to:
codeql database create csharp-database --language=csharp --command='dotnet build /p:UseSharedCompilation=false /t:rebuild'
Go project built using the CODEQL_EXTRACTOR_GO_BUILD_TRACING=on environment variable:
CODEQL_EXTRACTOR_GO_BUILD_TRACING=on codeql database create go-database --language=go
Go project built using a custom build script:
codeql database create go-database --language=go --command='./scripts/build.sh'
Java project built using Gradle:
codeql database create java-database --language=java --command='gradle clean test'
Java project built using Maven:
codeql database create java-database --language=java --command='mvn clean install'
Java project built using Ant:
codeql database create java-database --language=java --command='ant -f build.xml'
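The options above combined for the multi-language case, as an added example that is not from the original notes or the CodeQL project. build_codeql_cmd and sq are hypothetical helper names, the database names are constructed, and the function only prints the command so it can be reviewed before it is run.

```shell
# Added example; build_codeql_cmd and sq are hypothetical helpers,
# not part of the CodeQL CLI. The command is printed, not executed.

# Single-quote a string so the printed command can be pasted into a shell.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# usage: build_codeql_cmd <database> <lang[,lang...]> [build-command]
build_codeql_cmd() {
    db=$1 langs=$2 build=${3:-}
    if [ -z "$db" ] || [ -z "$langs" ]; then
        echo "usage: build_codeql_cmd <database> <lang[,lang...]> [build-command]" >&2
        return 2
    fi
    count=0 compiled=0 scripted=0
    old_ifs=$IFS; IFS=,
    for lang in $langs; do
        case $lang in
            cpp|csharp|go|java)     compiled=1 ;;  # built, or build autodetected
            javascript|python|ruby) scripted=1 ;;  # extracted without a build
            *) IFS=$old_ifs
               echo "unknown language identifier: $lang" >&2
               return 1 ;;
        esac
        count=$((count + 1))
    done
    IFS=$old_ifs

    cmd="codeql database create $(sq "$db")"
    # More than one language means one database per language in a cluster.
    if [ "$count" -gt 1 ]; then cmd="$cmd --db-cluster"; fi
    cmd="$cmd --language=$langs"
    if [ -n "$build" ]; then
        if [ "$compiled" -eq 0 ]; then
            echo "--command is only meaningful for compiled languages" >&2
            return 1
        fi
        cmd="$cmd --command=$(sq "$build")"
        # Mixed cluster: do not run the build for languages that do not need it.
        if [ "$scripted" -eq 1 ]; then cmd="$cmd --no-run-unnecessary-builds"; fi
    fi
    printf '%s\n' "$cmd"
}

# Constructed sample: a JavaScript front end plus a Gradle-built Java back end.
build_codeql_cmd multi-db javascript,java 'gradle clean test'
```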
For example: create a database from an XSS code file