
CodeQL

Setup

Just follow the official manual.

One note: extract the CLI somewhere under your home directory; otherwise some QL libraries may fail to load.

Compile Linux Kernel into CodeQL Intermediate Data Structure

During this stage we create the CodeQL database, i.e. we turn the analysis target into CodeQL's intermediate data structure.

Follow the instructions for compiled languages.

For the Linux kernel, the database creation command simply wraps the normal kernel build. The kernel must actually be compiled during this step (the extractor observes the compiler invocations), so if the tree was built before, run make clean first; otherwise nothing is compiled and the database stays empty:

$ make xxxconfig # generate a configuration (xxxconfig is a placeholder for any config target, e.g. defconfig)
$ codeql database create codeql --language=cpp --command='make -j$(nproc)' # "codeql" is the output database directory

Make CodeQL Query

Take one query as an example: find every struct that contains a field of type struct address_space *.

import cpp

// Every struct that has at least one field whose printed type name
// looks like "address_space *" (in QL, "%" in matches() is a wildcard).
from Struct struct
where
    exists(Field f |
        f = struct.getAField() and
        f.getType().getName().matches("address_space%*%")
    )
select struct

Note that this query matches on the printed type name, so a field declared through a typedef, or with qualifiers such as const in front of the struct, may not match; compare the type structurally when that matters.

Run the query with the CodeQL CLI:

codeql query run -d=<path/to/codeql/database> --output=<output-file.bqrs> <query-file.ql>

This executes the query and writes the results to a file with the .bqrs extension.

A .bqrs file is binary and not human-readable, so decode it, for example to CSV:

codeql bqrs decode <output-file.bqrs> --format=csv -o=<output-file.csv>
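As an added example (not code from the original page), here is a structural version of the same search that does not depend on the printed type name. It strips typedefs and cv-qualifiers with getUnspecifiedType() before checking that the field is a pointer to a struct named address_space, so fields such as const struct address_space *mapping or a typedef'd pointer are found as well, and it reports the field and its declaring struct with a message rather than only the struct. The query metadata (@id and friends) is chosen arbitrarily here; it runs against a kernel database built as described above with the same codeql query run and codeql bqrs decode commands.

```ql
/**
 * @name Struct fields pointing to struct address_space
 * @description Finds every struct or union field whose type, after
 *              stripping typedefs and const/volatile qualifiers, is a
 *              pointer to struct address_space.
 * @kind problem
 * @problem.severity recommendation
 * @id example/address-space-pointer-fields
 */

import cpp

/**
 * Holds if `t`, with typedefs and specifiers removed, is a pointer whose
 * pointee (again with typedefs and specifiers removed) is a struct named
 * `structName`. In the cpp library `Union` extends `Struct`, so unions are
 * covered too.
 */
predicate isPointerToStruct(Type t, string structName) {
  t.getUnspecifiedType().(PointerType).getBaseType().getUnspecifiedType().(Struct).getName() =
    structName
}

from Struct s, Field f
where
  f = s.getAField() and
  isPointerToStruct(f.getType(), "address_space")
// @kind problem queries select a located element plus a message; this also
// works with `codeql query run` and decodes to CSV like any other result set.
select f,
  "Field " + f.getName() + " of struct " + s.getName() + " points to struct address_space."
```

Because the result column is the field rather than the struct, the decoded CSV carries one row per matching field together with its file and line, which is usually what you want when the next step is to look at how that pointer is used.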