提到Go语言代码安全检测的现状,我们先分析一下现有开源方案的不足和局限,一些代码规范检查linter工具不在此次讨论范围。gosec
和gokart
这两款代码静态分析工具,都属于过程内分析,对函数调用的参数做最保守假设,过度假设导致丢失精度,所以误报很多。基于污点分析技术的CodeQL就强大多了,但要掌握CodeQL达到编写ql查询模块和qll库模块学习成本颇高。目前绝大部分Go的开源项目会在GitHub Actions中配置CodeQL检测,配置过程超级简单,这里最大的问题就是CodeQL内置库模块支持的框架有局限,针对千变万化的代码,仅仅使用默认的CodeQL规则,检测能力大打折扣,甚至是形如虚设。
- 问题1: 如何为项目编写特定的CodeQL查询模块(ql)和库模块(qll),提升CodeQL检测能力
- 问题2: 在GitHub Actions中配置的CodeQL检测,如何能使用我们编写的qll模块
为了解决这2个问题,我们制造了codemillx
这款辅助工具。
- 在项目代码中添加一些特定注释(注释格式说明),并可生成适配项目的qll库模块,比起掌握QL语法简单很多
- 运行参数-customizeCodeQLAction=true,就会把自定义规则写进CodeQL内置Customizations.qll文件
- 在项目代码中添加一些特定注释(注释格式说明)
- 修改Github Actions的CodeQL检测配置文件(.github/workflows/codeql.yml)
把以下配置添加在Initialize CodeQL步骤与Autobuild步骤之间。
# ...
- name: Generate And Replace CodeQL Customizations
run: |
go install github.com/hudangwei/codemillx/cmd/codemillx@latest
codemillx -customizeCodeQLAction=true ./...
# ...
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"
on:
push:
branches: [ master ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ master ]
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'go' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Learn more about CodeQL language support at https://git.io/codeql-language-support
steps:
- name: Checkout repository
uses: actions/checkout@v2
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
- name: Generate And Replace CodeQL Customizations
run: |
go install github.com/hudangwei/codemillx/cmd/codemillx@latest
codemillx -customizeCodeQLAction=true ./...
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v1
# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
#- run: |
# make bootstrap
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
如果你是一名白帽子,介绍使用codemillx
去挖掘Go开源项目漏洞,应该是你感兴趣的。
找代码中的安全问题很难,但让你找代码中的打印日志函数就很容易,只要标记了打印日志函数,就能发现敏感信息泄露之类的安全问题,你只要标记了SQL操作函数SQL语句参数位置,就能精准发现是否存在SQL注入,只要标记了用户可控的不可信输入(例如:web框架存放解析数据包后的对象),就能检测出OWASP TOP10定义的应用安全问题。
- fork开源项目到自己仓库下
- 给开源项目添加注释(自定义标记污点源)(注释格式说明)
- 添加Github Actions CodeQL检测,在项目目录下添加.github/workflows/codeql.yml文件
- 提交代码,触发检测
如果你看不懂本页内容,先学习下如何在GitHub工作流中使用CodeQL检测代码