Description
Hello CodeQL team,
I'm currently integrating CodeQL into our CI workflow for an end-to-end security test of our backend system.
Here's the procedure I followed:
Setup:
Downloaded the CLI:
wget https://github.com/github/codeql-cli-binaries/releases/latest/download/codeql-linux64.zip
unzip codeql-linux64.zip
sudo mv codeql /usr/local/bin/
Cloned the CodeQL repository with Python libraries:
git clone https://github.com/github/codeql.git
Inside the backend directory, created the database:
codeql database create db-python --language=python --source-root=.
Ran the analysis:
codeql database analyze db-python codeql/python/ql/src/codeql-suites/python-lgtm-full.qls --format=sarifv2.1.0 --output=python-code-scanning-sec-all.sarif
Checked the results:
jq '.runs[].results[] | {message: .message.text, severity: .level, location: .locations[0].physicalLocation.artifactLocation.uri}' python-code-scanning-sec-all.sarif
Problem
Before running the scan, I added the following code snippet to the backend intentionally to trigger a command injection warning:
import os
user_input = input("Enter command: ")
os.system(user_input) # ⚠️ This should trigger a CodeQL rule: command injection
However, the scan results do not include any findings related to this vulnerable code.
Question
Am I missing something in the setup or the suite configuration?
Is there a different CodeQL query or suite that should be used to detect this specific type of vulnerability (e.g., command injection via os.system) in Python?
Any help or guidance would be much appreciated!
Best regards,
Anton
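An added example, not part of the issue above and not CodeQL's or the backend's own code: the stdin-driven `os.system` snippet from the report placed beside a hardened form that builds an argv list, enforces an allow-list, and launches the program without a shell. `ALLOWED_PROGRAMS`, the function names and the sample input string are assumptions constructed here. Note that CodeQL's Python command-injection query (`py/command-line-injection`) is built around taint from remote flow sources such as web-request parameters, so a value read from `input()` on stdin is a different input shape than the one the query models.

```python
"""Command injection: the issue's vulnerable pattern beside a hardened form.
Added example; allow-list and helper names are assumptions, not project code."""
import os
import shlex
import subprocess

# Constructed allow-list of programs the backend may launch on a user's behalf.
ALLOWED_PROGRAMS = frozenset({"echo", "date", "ls"})


def vulnerable_run(user_text: str) -> int:
    """The pattern from the issue. The whole string is handed to a shell,
    so metacharacters such as ';', '|' and '$(...)' are interpreted."""
    return os.system(user_text)  # untrusted text reaches /bin/sh unchanged


def build_argv(user_text: str) -> list:
    """Split free text into an argv list and enforce the allow-list.
    shlex.split does not treat ';' or '|' as operators, and no shell runs
    later, so those characters survive only as literal arguments."""
    argv = shlex.split(user_text)
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_PROGRAMS:
        raise ValueError(f"program not allowed: {argv[0]!r}")
    return argv


def is_allowed(user_text: str) -> bool:
    """True when the text passes build_argv's checks, False otherwise."""
    try:
        build_argv(user_text)
    except ValueError:
        return False
    return True


def safe_run(user_text: str) -> str:
    """Run the validated argv with shell=False and return its stdout."""
    argv = build_argv(user_text)
    completed = subprocess.run(
        argv,
        shell=False,           # argv goes straight to execve, no shell parsing
        capture_output=True,
        text=True,
        check=False,
        timeout=5,
    )
    return completed.stdout


if __name__ == "__main__":
    # Constructed sample input: what would be two commands under a shell
    # becomes one echo invocation with literal arguments here.
    print(safe_run("echo hello; id"))  # prints "hello; id"
```

The contrast worth scanning for is the sink: `os.system(user_text)` receives the raw string with shell semantics, while `subprocess.run(argv, shell=False)` receives a list and never consults a shell, so the allow-list on `argv[0]` is the only policy that has to be right.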