
gagliardetto/codebox


Summary: Codebox is a graphical tool that helps to create taint-tracking models for Go functions/methods/interfaces.

You specify the taint logic in a graphical (web) interface, and it generates CodeQL taint-tracking models along with Go scenario test cases for those models.


Example

The codebox tool was created to expand the taint-tracking models of codeql-go (the official CodeQL extractor and libraries for Go).

You can find below all the models and tests that were generated by codebox and then merged into the codeql-go repo:

NOTE: The codebox tool and its author have no affiliation with GitHub/Semmle.

How it works

```bash
# - go get
go get github.com/gagliardetto/codebox

# - Enter the codebox folder:
cd $GOPATH/src/github.com/gagliardetto/codebox

# - Compile and install the binary:
make

# - Spin up the graphical tool http server for e.g. the "io" package.
# NOTE: You still need to be inside $GOPATH/src/github.com/gagliardetto/codebox (to be able to access static assets)
# NOTE: You need to have Go installed to be able to analyze standard library packages.
# NOTE: The --pkg flag can either be <package> (defaults to latest version), or <package>@<version>;
#       e.g. github.com/gin-gonic/gin@latest
#       e.g. github.com/gin-gonic/gin@v1.6.2
# NOTE: There might be some issues with some packages or modules.
# NOTE: The --out-dir flag is the folder where all the generated files will go.
codebox --out-dir=./generated/compressed --pkg=net/http --stub --http

# - Open the UI in the browser:
chrome http://127.0.0.1:8080/

# - Now that you see the UI in the browser, complete the taint-tracking logic
#   and when you're done, close the server program you started in the terminal
#   with a CTRL-C.
#   You will find the generated codeql and golang files inside ./generated/compressed

# NOTE: if you only want to regenerate the code without starting the server,
# then you need to remove the --http flag:
codebox --out-dir=./generated/compressed --pkg=net/http --stub
```
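Completing the taint-tracking logic for a function means stating which input carries data to which output. The Go program below is an added example, not code from codebox or codeql-go: it pushes a constructed canary through a few real `io` functions to check claimed taint steps before they are entered in the UI. The `summary` struct, the `confirmed` helper and the canary value are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strings"
)

// canary is a constructed marker standing in for untrusted input.
const canary = "TAINTED-7f3a"

// summary is a hypothetical record of one taint step (not codebox's format):
// data entering Func at From is claimed to leave at To. run pushes src
// through the real function and returns whatever arrived at To.
type summary struct {
	Func, From, To string
	run            func(src string) string
}

var summaries = []summary{
	{"io.Copy", "parameter 1", "parameter 0", func(src string) string {
		var dst bytes.Buffer
		io.Copy(&dst, strings.NewReader(src))
		return dst.String()
	}},
	{"io.TeeReader", "parameter 0", "parameter 1", func(src string) string {
		var w bytes.Buffer
		io.ReadAll(io.TeeReader(strings.NewReader(src), &w))
		return w.String()
	}},
	{"io.LimitReader", "parameter 0", "result", func(src string) string {
		b, _ := io.ReadAll(io.LimitReader(strings.NewReader(src), 1<<20))
		return string(b)
	}},
	// Over-broad claim: io.Copy's first result is a byte count, not content.
	{"io.Copy", "parameter 1", "result 0", func(src string) string {
		n, _ := io.Copy(io.Discard, strings.NewReader(src))
		return fmt.Sprint(n)
	}},
}

// confirmed reports whether the canary actually reached the claimed output.
func confirmed(s summary) bool { return strings.Contains(s.run(canary), canary) }

func main() {
	for _, s := range summaries {
		fmt.Printf("%-15s %s -> %s  flows=%v\n", s.Func, s.From, s.To, confirmed(s))
	}
}
```

A verbatim canary only confirms flows that copy bytes unchanged; a function that encodes or transforms its input needs a check against the transformed form.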

Helpful commands for batch processing

```bash
# Move all files from child directories to parent directory:
# find . -mindepth 2 -type f -name "*.go" -print -exec mv {} . \;
# find . -mindepth 2 -type f -name "*.qll" -print -exec mv {} . \;
find . -mindepth 2 -type f -print -exec mv {} . \;

# for f in *.qll; do printf '%s\n' "${f%.qll}TaintTracking.qll"; done
rename 's/\.qll$/TaintTracking.qll/' *.qll

# format a codeql file:
codeql query format -qq -i file.qll

# format all codeql files:
echo ~/.config/Code/User/globalStorage/github.vscode-codeql/distribution*/codeql/codeql
# The -name tests are grouped so that -type f and -exec apply to both *.ql and *.qll files.
find . -type f \( -name "*.ql" -or -name "*.qll" \) -exec ~/.config/Code/User/globalStorage/github.vscode-codeql/distribution12/codeql/codeql query format -qq -i {} ';' -print
# Same thing using the codeql binary on PATH; -r and the quotes keep unusual file names intact.
find . -type f \( -name "*.ql" -or -name "*.qll" \) | while read -r cqlFile; do echo "$cqlFile" && codeql query format -qq -i "$cqlFile"; done
```
