GithubHelp home page GithubHelp logo

crypto-com / cosmos-sdk-codeql Goto Github PK

View Code? Open in Web Editor NEW
19.0 4.0 6.0 159 KB

A query suite for common bug patterns in Cosmos SDK-based applications

License: Apache License 2.0

CodeQL 100.00%

cosmos-sdk-codeql's Introduction

cosmos-sdk-codeql

A query suite for common bug patterns in Cosmos SDK-based applications.

Passive Maintenance

This repository is in a passive maintenance mode: it is not actively developed, but we will accept pull requests and issues. It may, however, take some time to respond.

Usage

In CodeQL CLI, you can download it using the following command:

$ codeql pack download crypto-com/[email protected]

See more details in the CodeQL CLI documentation.

In order to add the extra queries to the CI pipeline, you can use the queries or packs option in the CodeQL initialization:

#...
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: 'go'
        queries: crypto-com/[email protected], <...other queries...>
#...

See more details in the GitHub Code Scanning documentation.

False Negatives

The queries have heuristics based on the usage in the Cosmos SDK codebase to reduce false positives. They may, however, lead to false negatives: for example, if you used "client" package's code parts (that may be ignored by queries) in consensus-critical sections, related bugs from ignored packages may not be uncovered by queries. If you are worried about false negatives in particular queries, you can open an issue to discuss the query change. Alternatively, you can tweak the query and either execute it manually from time to time, or add the tweaked query to your CI scanning action.

False Positives

The queries over-approximate and may lead to false positives. If you encounter a false positive, you can do the following:

  1. you can dismiss the false positive alerts in the Security tab on GitHub;
  2. if see a repeating pattern of false positives, you can open an issue to discuss the query improvement;
  3. alternatively, if you cannot dismiss alerts in the Security tab on GitHub, some of the queries will ignore findings that have an explicit comment (starting with "SAFE:") that explains why it is safe to ignore that bit of code. The comments can be placed either on the preceding line or on the enclosing function:
// SAFE: ...explanation why findings in this function are false positives...
func myFun(...) {
   ...
}

func myFun2(...) {
  ...
  // SAFE: ...explanation why this particular finding is a false positive...
  myVar := ...
  ...
}

cosmos-sdk-codeql's People

Contributors

calvinaco avatar ivan-gavran avatar tomtau avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar

Forkers

ingridamilsina calvinaco ivan-gavran julienrbrt dashbaord202401 pavelnikolov

cosmos-sdk-codeql's Issues

Reason for only Begin/EndBlock panic checks

The beginendblock rule checks for panics in these ABCI calls. Is there a reason that this check is only performed in these 2 situations? For example, why not in the CheckTx ABCI call?

Thanks!

Explanation of Bech32 rule

Hey,

As a part of my thesis I'm scanning live cosmos-sdk chains for possible vulnerabilities, and one way is using these CodeQl rules. However, I am unsure on why using variables called Bech32... is a vulnerability (like this rule suggests).

A more concrete example: this line in the osmosis repo is being flagged as a warning. I cannot seem to figure out why this would be insecure.

Would you mind explaining it a bit?

Thanks!

Query beginendblock-panic.ql : potential problems

Hi,

Thanks for this great repo!

I was recently looking into the beginendblock-panic.ql and trying to understand it.
In particular, the query uses mayPanic() as an indicator that the function would panic.
The problem is, however, that mayPanic() will return true almost always, the only exception being a couple of built-in functions (as discussed in this codeQL issue).
This also means that the beginendblock-panic.ql will not be precise (because mayPanic() is not precise).

I believe there is a second problem in the query: namely, calling getParent*, which repeatedly calls the function getParent.
The problem is that getParent is not returning a function call parent, but an AST node parent (where the top ancestor is a file in which the call resides) .

Does this make sense?
In case I got things wrong, please let me know.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.