Skip to content

Analyze opensource package with codeql container

Jump to bottom
Suraj Jacob edited this page Aug 21, 2020 · 1 revision

Analyze opensource package

This article demonstrates how you can use codeql-container to analyze an open source package by running codeQL on it.

OSSGadget

For this workflow, you will need the open source tool, OSSGadget: https://github.com/microsoft/OSSGadget OSSGadget is a collection of tools for downloading and analyzing various open source packages. Download the release for your Operating System from https://github.com/microsoft/OSSGadget/releases

Use the oss-downloader tool to download any open source package, and extract it. Extraction of source only works for interpreted languages, compiled languages will not have source embedded.

Note that codeql-container currently analyzes only interpreted languages like Python and Javascript.

Run the oss-download command on the package (package should be in PURL notation (https://github.com/package-url/purl-spec)

./oss-download --extract --download-directory /tmp/express/src pkg:npm/express@5.0.0-alpha.8

Now run codeql-container on the downloaded directory:

./scripts/unix/analyze_security.sh /tmp/express/src /tmp/express/output javascript

This should output the results of the analysis in sarif format at /tmp/express/output/issues.sarif, which you can open with a SARIF viewer and view the results.

Clone this wiki locally