{"id":8052,"date":"2025-09-17T09:13:20","date_gmt":"2025-09-17T09:13:20","guid":{"rendered":"https:\/\/techhub.saworks.io\/?post_type=docs&#038;p=8052"},"modified":"2025-09-24T12:02:34","modified_gmt":"2025-09-24T12:02:34","slug":"executer-codeql-dans-une-base-de-donnees","status":"publish","type":"docs","link":"https:\/\/techhub.saworks.io\/fr\/docs\/tutoriel-github-intermediaire\/securite-avancee-de-github-partie-2-sur-2\/executer-codeql-dans-une-base-de-donnees\/","title":{"rendered":"Running CodeQL on a database"},"content":{"rendered":"\n<div class=\"wp-block-group is-layout-constrained wp-block-group-is-layout-constrained\">\n<p>Once your code has been extracted into a database, you can analyze it with CodeQL queries. GitHub experts, security researchers and community contributors write and maintain the default CodeQL queries. You can also write your own queries.<\/p>\n\n\n\n<p>CodeQL queries can be used in code scanning to detect problems in your source code and identify potential vulnerabilities. 
You can also write custom queries to detect problems specific to each language used in your project.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"il-existe-deux-types-importants-de-requ\u00eates\"><strong>There are two important types of queries:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alert queries<\/strong> highlight problems at specific locations in your code.<\/li>\n\n\n\n<li><strong>Path queries<\/strong> describe the flow of information between a source and a sink in your code.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"requ\u00eate-codeql-simple\"><strong>Simple CodeQL query<\/strong><\/h3>\n\n\n\n<p>The basic structure of a CodeQL query uses the <code>.ql<\/code> file extension and contains a <code>select<\/code> clause. 
Here is an example of the query structure:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.75rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#24292e;--cbp-line-number-width:calc(2 * 0.6 * .75rem);line-height:1rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">CodeQL<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#24292e;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>\/**\n *\n * Query metadata\n *\n *\/\nimport \/* ... CodeQL libraries or modules ... *\/\n\/* ... Optional, define CodeQL classes and predicates ... *\/\nfrom \/* ... variable declarations ... *\/\nwhere \/* ... logical formula ... *\/\nselect \/* ... expressions ... 
*\/<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-light\" style=\"background-color: #fff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">\/**<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292E\"> <\/span><span style=\"color: #6F42C1\">*<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292E\"> <\/span><span style=\"color: #6F42C1\">*<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">Query<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">metadata<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292E\"> <\/span><span style=\"color: #6F42C1\">*<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292E\"> <\/span><span style=\"color: #6F42C1\">*\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">import<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">\/<\/span><span style=\"color: #005CC5\">*<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">CodeQL<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">libraries<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">or<\/span><span style=\"color: #24292E\"> <\/span><span 
style=\"color: #032F62\">modules<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #005CC5\">*<\/span><span style=\"color: #032F62\">\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">\/*<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">Optional,<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">define<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">CodeQL<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">classes<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">and<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">predicates<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #005CC5\">*<\/span><span style=\"color: #032F62\">\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">from<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">\/<\/span><span style=\"color: #005CC5\">*<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">variable<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">declarations<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #005CC5\">*<\/span><span style=\"color: #032F62\">\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">where<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">\/<\/span><span style=\"color: #005CC5\">*<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">logical<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">formula<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #005CC5\">*<\/span><span style=\"color: #032F62\">\/<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D73A49\">select<\/span><span style=\"color: #24292E\"> \/* ... expressions ... <\/span><span style=\"color: #D73A49\">*<\/span><span style=\"color: #24292E\">\/<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"m\u00e9tadonn\u00e9es-des-requ\u00eates\"><strong>Query metadata<\/strong><\/h3>\n\n\n\n<p>Using CodeQL with code scanning converts the results so that they highlight the potential problems the queries are designed to detect. 
Queries contain <strong>metadata properties<\/strong> that indicate how the results should be interpreted.<\/p>\n\n\n\n<p>Query metadata lets you:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Identify your custom queries when you add them to your GitHub repository.<\/li>\n\n\n\n<li>Provide information about the purpose of the query.<\/li>\n<\/ul>\n\n\n\n<p>Metadata can include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a <strong>description<\/strong> of the query,<\/li>\n\n\n\n<li>a <strong>unique identifier<\/strong>,<\/li>\n\n\n\n<li>the <strong>type of problem<\/strong> detected (alert or path).<\/li>\n<\/ul>\n\n\n\n<p>The metadata also specifies how to <strong>interpret and display<\/strong> the query results.<\/p>\n\n\n\n<p>GitHub provides a <strong>recommended style guide<\/strong> for query metadata. 
You can consult it in the CodeQL documentation.<\/p>\n\n\n\n<p>Here is an example of the metadata for one of the standard Java queries:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/techhub.saworks.io\/wp-content\/uploads\/2025\/09\/query-metadata-1.png\" alt=\"\" class=\"wp-image-8049\" \/><\/figure>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"codeql-n\u2019interpr\u00e8te-pas-les-requ\u00eates-qui-ne-contiennent-pas-de-m\"><strong>CodeQL does not interpret queries that contain no metadata.<\/strong><\/h3>\n\n\n\n<p>It displays their results as a table, <strong>without showing them in the source code<\/strong>.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"syntaxe-ql\"><strong>QL syntax<\/strong><\/h3>\n\n\n\n<p><strong>QL<\/strong> is a <strong>declarative, object-oriented<\/strong> query language. 
It is optimized to enable efficient analysis of hierarchical data structures, in particular databases that represent software artifacts.<\/p>\n\n\n\n<p>The syntax of QL is similar to that of <strong>SQL<\/strong>, but its semantics are based on <strong>Datalog<\/strong>, a declarative logic programming language often used as a query language. Since it is primarily a logic language, all operations in QL are logical operations. QL also inherits <strong>recursive predicates<\/strong> from Datalog and adds support for <strong>aggregates<\/strong> to make complex queries more concise and simpler.<\/p>\n\n\n\n<p>The QL language is made up of <strong>logical formulas<\/strong>. It uses common logical connectives such as <code>and<\/code>, <code>or<\/code> and <code>not<\/code>, as well as quantifiers such as <code>forall<\/code> and <code>exists<\/code>. Thanks to recursive predicates, you can write complex queries using basic QL syntax and aggregates such as <code>count<\/code>, <code>sum<\/code> and <code>average<\/code>.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"requ\u00eates-de-chemin-path-queries\"><strong>Path queries<\/strong><\/h3>\n\n\n\n<p>The way information flows through a program is essential. 
Seemingly harmless data can flow in unexpected ways and be used maliciously.<\/p>\n\n\n\n<p>Creating <strong>path queries<\/strong> lets you <strong>visualize the flow of information<\/strong> through a code base. A query can follow the path that data takes from its possible starting points (<strong>source<\/strong>) to its possible end points (<strong>sink<\/strong>). To model these paths, your query must provide information about:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the <strong>source<\/strong>,<\/li>\n\n\n\n<li>the <strong>sink<\/strong>,<\/li>\n\n\n\n<li>the <strong>data flow steps<\/strong> that connect them.<\/li>\n<\/ul>\n\n\n\n<p>The easiest way to start writing your own path query is to use an existing query as a <strong>template<\/strong>. 
To obtain these queries for the supported languages, see the CodeQL documentation.<\/p>\n\n\n\n<p>Your path query must include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>specific <strong>metadata<\/strong>,<\/li>\n\n\n\n<li><strong>query predicates<\/strong>,<\/li>\n\n\n\n<li>a <strong><code>select<\/code> clause structure<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>Most of the path queries built into CodeQL follow a basic structure, which depends on how CodeQL models the language you are analyzing.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.75rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#24292e;--cbp-line-number-width:calc(2 * 0.6 * .75rem);line-height:1rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">CodeQL<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#24292e;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>\/**\n * ...\n * @kind path-problem\n * ...\n *\/\n\nimport &lt;language>\n\/\/ For some languages (Java\/C++\/Python\/Swift), you need to explicitly import the data-flow library, such as\n\/\/ import semmle.code.java.dataflow.DataFlow or import codeql.swift.dataflow.DataFlow\n...\n\nmodule Flow = DataFlow::Global&lt;MyConfiguration>;\nimport 
Flow::PathGraph\n\nfrom Flow::PathNode source, Flow::PathNode sink\nwhere Flow::flowPath(source, sink)\nselect sink.getNode(), source, sink, \"&lt;message>\"<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-light\" style=\"background-color: #fff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">\/**<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292E\"> <\/span><span style=\"color: #6F42C1\">*<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292E\"> <\/span><span style=\"color: #6F42C1\">*<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">@kind<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">path-problem<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292E\"> <\/span><span style=\"color: #6F42C1\">*<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">...<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292E\"> <\/span><span style=\"color: #6F42C1\">*\/<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">import<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #D73A49\">&lt;<\/span><span style=\"color: #032F62\">languag<\/span><span style=\"color: 
#24292E\">e<\/span><span style=\"color: #D73A49\">&gt;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">\/\/<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">For<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">some<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">languages<\/span><span style=\"color: #24292E\"> (Java\/C++\/Python\/Swift), you need to explicitly import the data-flow library, such as<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">\/\/<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">import<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">semmle.code.java.dataflow.DataFlow<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">or<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">import<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">codeql.swift.dataflow.DataFlow<\/span><\/span>\n<span class=\"line\"><span style=\"color: #005CC5\">...<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">module<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">Flow<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">=<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">DataFlow::Global<\/span><span style=\"color: #D73A49\">&lt;<\/span><span style=\"color: #032F62\">MyConfiguratio<\/span><span style=\"color: #24292E\">n<\/span><span style=\"color: #D73A49\">&gt;<\/span><span style=\"color: #24292E\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">import<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">Flow::PathGraph<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: 
#6F42C1\">from<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">Flow::PathNode<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">source,<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">Flow::PathNode<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">sink<\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">where<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">Flow::flowPath<\/span><span style=\"color: #24292E\">(<\/span><span style=\"color: #005CC5\">source<\/span><span style=\"color: #24292E\">, <\/span><span style=\"color: #032F62\">sink<\/span><span style=\"color: #24292E\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D73A49\">select<\/span><span style=\"color: #24292E\"> sink.getNode(), source, sink, <\/span><span style=\"color: #032F62\">&quot;&lt;message&gt;&quot;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>In this template:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>MyConfiguration<\/code><\/strong> is a module containing the predicates that define how data flows between the <strong>source<\/strong> and the <strong>sink<\/strong>.<\/li>\n\n\n\n<li><strong><code>Flow<\/code><\/strong> is the result of the data flow computation based on <code>MyConfiguration<\/code>.<\/li>\n\n\n\n<li><strong><code>Flow::PathGraph<\/code><\/strong> is the data flow graph module you must import to include path explanations in the query.<\/li>\n\n\n\n<li><strong><code>source<\/code><\/strong> and <strong><code>sink<\/code><\/strong> are graph nodes defined in the configuration, and <strong><code>Flow::PathNode<\/code><\/strong> is their type.<\/li>\n\n\n\n<li><strong><code>DataFlow::Global&lt;..&gt;<\/code><\/strong> is an invocation of data flow analysis. You can use <strong><code>TaintTracking::Global&lt;..&gt;<\/code><\/strong> instead to include a default set of taint steps.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How to write a path query<\/strong><\/h3>\n\n\n\n<p>Your query must <strong>compute a path graph<\/strong> in order to generate path explanations. To do this, you need to define a query predicate called <strong><code>edges<\/code><\/strong>. A query predicate is a non-member predicate with a <code>query<\/code> annotation. This annotation returns all the tuples evaluated by the predicate.<\/p>\n\n\n\n<p>The <strong><code>edges<\/code><\/strong> predicate defines the edge relations of the graph you are computing. It is used to determine the paths associated with each result generated by your query. You can also import a predefined <code>edges<\/code> predicate from a path graph module in one of the standard data flow libraries.<\/p>\n\n\n\n<p>The <strong>data flow libraries<\/strong> contain the other classes, predicates and modules commonly used in data flow analysis, in addition to the path graph module. They work by modeling the flow graph or by implementing the flow analysis. 
The normal libraries are used to analyze information flow in which data values are preserved at each step.<\/p>\n\n\n\n<p>Here is an example statement that imports the <code>PathGraph<\/code> module from the <code>DataFlow.qll<\/code> library, where <code>edges<\/code> is defined:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.75rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#24292e;--cbp-line-number-width:calc(1 * 0.6 * .75rem);line-height:1rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">CodeQL<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#24292e;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>import DataFlow::PathGraph<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-light\" style=\"background-color: #fff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">import<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">DataFlow::PathGraph<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>You can import many other libraries included with CodeQL. It is also possible to import libraries designed specifically to implement flow analysis for various frameworks and environments.<\/p>\n\n\n\n<p>The <strong><code>PathNode<\/code><\/strong> class is designed to implement data flow analysis. It extends the <code>Node<\/code> class with a <strong>call context<\/strong> (except for sinks), an <strong>access path<\/strong> and a <strong>configuration<\/strong>. 
Only the <code>PathNode<\/code> values reachable from a source are generated.<\/p>\n\n\n\n<p>Here is an example import path:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.75rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#24292e;--cbp-line-number-width:calc(1 * 0.6 * .75rem);line-height:1rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">CodeQL<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#24292e;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>import semmle.code.cpp.ir.dataflow.internal.DataFlowImpl<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-light\" style=\"background-color: #fff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">import<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">semmle.code.cpp.ir.dataflow.internal.DataFlowImpl<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>You can also define an optional <strong><code>nodes<\/code><\/strong> query predicate, which specifies the nodes of the path graph for all languages. When you define <code>nodes<\/code>, only edges whose endpoints are among the selected nodes are used. If you do not define <code>nodes<\/code>, you must select all possible edge endpoints.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Analyzing the database<\/strong><\/h3>\n\n\n\n<p>When you use queries to analyze a CodeQL database, you get meaningful results in the context of the source code. 
The results are presented as <strong>alerts<\/strong> or <strong>paths<\/strong> in <strong>SARIF<\/strong> or another interpreted format.<\/p>\n\n\n\n<p>Here is an example CodeQL command that analyzes a database by running the selected queries and interpreting the results:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.75rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#24292e;--cbp-line-number-width:calc(1 * 0.6 * .75rem);line-height:1rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#24292e;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>codeql database analyze --format=&lt;format> --output=&lt;output> &#91;--threads=&lt;num>&#93; &#91;--ram=&lt;MB>&#93; &lt;options>... 
-- &lt;database> &lt;query|dir|suite>...<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-light\" style=\"background-color: #fff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">codeql<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">database<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">analyze<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #005CC5\">--format=<\/span><span style=\"color: #D73A49\">&lt;<\/span><span style=\"color: #005CC5\">format<\/span><span style=\"color: #D73A49\">&gt;<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #005CC5\">--output=<\/span><span style=\"color: #D73A49\">&lt;<\/span><span style=\"color: #005CC5\">output<\/span><span style=\"color: #D73A49\">&gt;<\/span><span style=\"color: #24292E\"> &#91;--threads=&lt;num&gt;&#93; &#91;--ram<\/span><span style=\"color: #D73A49\">=&lt;<\/span><span style=\"color: #24292E\">MB<\/span><span style=\"color: #D73A49\">&gt;<\/span><span style=\"color: #24292E\">&#93; <\/span><span style=\"color: #D73A49\">&lt;<\/span><span style=\"color: #24292E\">options<\/span><span style=\"color: #D73A49\">&gt;<\/span><span style=\"color: #24292E\">... 
-- <\/span><span style=\"color: #D73A49\">&lt;<\/span><span style=\"color: #24292E\">database<\/span><span style=\"color: #D73A49\">&gt;<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #D73A49\">&lt;<\/span><span style=\"color: #24292E\">query<\/span><span style=\"color: #D73A49\">|<\/span><span style=\"color: #6F42C1\">dir<\/span><span style=\"color: #D73A49\">|<\/span><span style=\"color: #6F42C1\">suite&gt;...<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Cette commande combine les effets des commandes internes <code>codeql database run-queries<\/code> et <code>codeql database interpret-results<\/code>.<\/p>\n\n\n\n<p>Vous pouvez aussi ex\u00e9cuter des requ\u00eates qui ne r\u00e9pondent pas aux crit\u00e8res pour \u00eatre interpr\u00e9t\u00e9es comme des alertes dans le code source. Pour cela, utilisez :<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.75rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#24292e;--cbp-line-number-width:calc(1 * 0.6 * .75rem);line-height:1rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#24292e;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>codeql database run-queries<\/textarea><\/pre><svg 
xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-light\" style=\"background-color: #fff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">codeql<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">database<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">run-queries<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>ou<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.75rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#24292e;--cbp-line-number-width:calc(1 * 0.6 * .75rem);line-height:1rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#24292e;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea 
class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>codeql query run<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-light\" style=\"background-color: #fff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">codeql<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">query<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">run<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Puis utilisez :<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.75rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#24292e;--cbp-line-number-width:calc(1 * 0.6 * .75rem);line-height:1rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">ShellScript<\/span><span role=\"button\" tabindex=\"0\" style=\"color:#24292e;display:none\" aria-label=\"Copy\" 
class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>codeql bqrs decode<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-light\" style=\"background-color: #fff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">codeql<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">bqrs<\/span><span style=\"color: #24292E\"> <\/span><span style=\"color: #032F62\">decode<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>pour convertir les r\u00e9sultats bruts en une notation lisible.<\/p>\n\n\n\n<p>\ud83d\udc49 Vous pouvez consulter la liste compl\u00e8te des commandes disponibles dans le <strong>manuel du CodeQL CLI<\/strong>.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Utiliser un fichier SARIF avec des cat\u00e9gories<\/strong><\/h3>\n\n\n\n<p>CodeQL prend en charge <strong>SARIF<\/strong> pour le partage des r\u00e9sultats d\u2019analyse statique. 
SARIF is designed to represent the output of a wide range of static analysis tools.<\/p>\n\n\n\n<p>Specify a <strong>category<\/strong> when you produce SARIF output from a CodeQL analysis. Categories distinguish several analyses run on the same repository, or on different parts of the code, for the same commit. SARIF files uploaded with the same category <strong>overwrite<\/strong> one another: the most recent upload replaces the earlier results for that category.<\/p>\n\n\n\n<p>You can analyze several languages in one code base by keeping the category value consistent across runs of the same analysis. Using the <strong>analyzed language<\/strong> as the category identifier is the recommended convention.<\/p>\n\n\n\n<p>For example, the category value appears as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>run.automationId<\/code> in SARIF v1,<\/li>\n\n\n\n<li><code>run.automationLogicalId<\/code> in SARIF v2,<\/li>\n\n\n\n<li><code>run.automationDetails.id<\/code> in SARIF v2.1.0.<\/li>\n<\/ul>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Publishing SARIF results to GitHub<\/strong><\/h3>\n\n\n\n<p>Once the database is ready, you can query it interactively or run a query suite to generate SARIF results, then <strong>upload<\/strong> them to a target repository on GitHub.com:<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<pre class=\"shiki github-light\" style=\"background-color: #fff\" tabindex=\"0\"><code>codeql github upload-results --sarif=&lt;file&gt; &#91;--github-auth-stdin&#93; &#91;--github-url=&lt;url&gt;&#93; &#91;--repository=&lt;repository-name&gt;&#93; &#91;--ref=&lt;ref&gt;&#93; &#91;--commit=&lt;commit&gt;&#93; &#91;--checkout-path=&lt;path&gt;&#93; &lt;options&gt;...<\/code><\/pre>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>To upload results to GitHub, make sure each continuous integration (CI) server has a <strong>GitHub App<\/strong> or a <strong>personal access token<\/strong> with write access to <code>security_events<\/code>.<\/p>\n\n\n\n<p>\ud83d\udc49 You can reuse the token the CI servers already use to clone GitHub repositories, provided it carries that permission. Otherwise, create a new token with the <code>security_events<\/code> permission and add it to the CI system\u2019s <strong>secure storage<\/strong>.<br>Best practice: use the <code>--github-auth-stdin<\/code> option and pass the token on standard input rather than on the command line, where it would be visible in process listings and in CI logs that echo the command.<\/p>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Uploading SARIF results<\/strong><\/h3>\n\n\n\n<p>For code scanning to display the results of a third-party static analysis tool in your GitHub repository, the results must be stored in a SARIF file that conforms to a <strong>specific subset<\/strong> of the SARIF 2.1.0 JSON schema.<\/p>\n\n\n\n<p>Each time you upload the results of a new analysis, code scanning processes them and adds alerts to the repository. To avoid duplicates, it uses the SARIF <strong><code>partialFingerprints<\/code><\/strong> property to match results across runs, so that each one appears only once in the latest run on the selected branch.<\/p>\n\n\n\n<p>The <strong>rule ID<\/strong> of a result must stay the same from one analysis to the next. Fingerprint data is included automatically in SARIF files created by the CodeQL analysis workflow or the CodeQL runner.<\/p>\n\n\n\n<p>The SARIF specification defines the JSON property <code>partialFingerprints<\/code> as a dictionary mapping named fingerprint types to their values. 
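<\/p>\n\n\n\n<p>The category rules above and the fingerprint matching described here both decide whether an upload replaces, duplicates or closes existing alerts, so they are worth checking before calling <code>codeql github upload-results<\/code>. The following Python script is an added example, not code from the original page or from CodeQL: it reads the category from whichever field the SARIF version uses, reports results that lack <code>primaryLocationLineHash<\/code>, simulates the rule-id-plus-fingerprint matching between a previous and a current upload of the same category (a simplified model of what code scanning does, not its actual implementation), and runs the upload with the token passed on standard input via <code>--github-auth-stdin<\/code>. The two SARIF documents are constructed for the example; rule ids, file paths, hash values and the <code>runner<\/code> injection point are hypothetical.<\/p>

```python
import json
import subprocess


def sarif_category(run, version):
    # The category is stored under a different key in each SARIF version:
    # run.automationId (v1), run.automationLogicalId (v2),
    # run.automationDetails.id (v2.1.0).
    if version.startswith('1.'):
        return run.get('automationId')
    if version == '2.0.0':
        return run.get('automationLogicalId')
    return run.get('automationDetails', {}).get('id')


def result_key(result):
    # Code scanning matches a result across uploads on its rule id together
    # with the primaryLocationLineHash fingerprint. Without that hash there is
    # nothing stable to match on, so the function returns None.
    line_hash = result.get('partialFingerprints', {}).get('primaryLocationLineHash')
    if line_hash is None:
        return None
    return (result['ruleId'], line_hash)


def _uri(result):
    return result['locations'][0]['physicalLocation']['artifactLocation']['uri']


def preflight(sarif_text):
    # Check one SARIF file before uploading it: every run needs a category and
    # every result needs a fingerprint. Returns the list of problems found.
    doc = json.loads(sarif_text)
    problems = []
    for index, run in enumerate(doc['runs']):
        if not sarif_category(run, doc['version']):
            problems.append('run %d has no category' % index)
        for result in run['results']:
            if result_key(result) is None:
                problems.append('%s at %s has no primaryLocationLineHash'
                                % (result['ruleId'], _uri(result)))
    return problems


def diff_uploads(previous_text, current_text):
    # Simplified model of the matching between two uploads that share a
    # category: keys in both uploads persist, new keys open alerts, missing
    # keys close as fixed. Unfingerprinted results cannot be matched and are
    # dropped, which is how they end up duplicated or wrongly closed.
    def keys(text):
        found = {result_key(r) for run in json.loads(text)['runs'] for r in run['results']}
        found.discard(None)
        return found
    prev, cur = keys(previous_text), keys(current_text)
    return {'new': sorted(cur - prev), 'fixed': sorted(prev - cur),
            'persisting': sorted(prev & cur)}


def upload_with_stdin_token(sarif_path, repository, ref, commit, token,
                            runner=subprocess.run):
    # Build the upload command with --github-auth-stdin and feed the token to
    # the process on stdin, so it never appears in argv, shell history or CI
    # logs that echo the command line. The runner argument is injectable so
    # the call can be inspected in a test without a real token (hypothetical).
    argv = ['codeql', 'github', 'upload-results', '--sarif=' + sarif_path,
            '--repository=' + repository, '--ref=' + ref, '--commit=' + commit,
            '--github-auth-stdin']
    assert all(token not in arg for arg in argv)
    return runner(argv, input=token, text=True, check=True)


def _result(rule, uri, line_hash=None):
    # Constructed SARIF result (hypothetical rule ids, paths and hash values).
    res = {'ruleId': rule, 'message': {'text': rule},
           'locations': [{'physicalLocation': {'artifactLocation': {'uri': uri}}}]}
    if line_hash:
        res['partialFingerprints'] = {'primaryLocationLineHash': line_hash}
    return res


def _sarif(category, results):
    # Constructed SARIF 2.1.0 document with the category in automationDetails.id.
    return json.dumps({'version': '2.1.0', 'runs': [{
        'tool': {'driver': {'name': 'CodeQL'}},
        'automationDetails': {'id': category}, 'results': results}]})


# Previous upload and the new one for the same category. The unused-variable
# result moved to another file and lost its fingerprint in the new upload.
PREVIOUS = _sarif('javascript', [_result('js/sql-injection', 'src/db.js', 'a1b2'),
                                 _result('js/unused-variable', 'src/app.js', 'c3d4')])
CURRENT = _sarif('javascript', [_result('js/sql-injection', 'src/db.js', 'a1b2'),
                                _result('js/xss', 'src/view.js', 'e5f6'),
                                _result('js/unused-variable', 'src/util.js')])

if __name__ == '__main__':
    print('preflight:', preflight(CURRENT))
    print('diff:', diff_uploads(PREVIOUS, CURRENT))
```

<p>In the constructed data the <code>js\/unused-variable<\/code> result moved to another file and lost its fingerprint, so the simulated matching reports the old alert as fixed and ignores the new, unfingerprinted one: on the real service that is the situation that produces a duplicate or a wrongly closed alert, which is why the preflight refuses the file. The upload helper calls <code>subprocess.run<\/code> by default; the <code>runner<\/code> parameter only exists so the argv and the stdin payload can be inspected without a GitHub token.<\/p>\n\n\n\n<p>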
This property must contain at least a value for <code>primaryLocationLineHash<\/code>, a fingerprint based on the context of the result\u2019s primary location.<\/p>\n\n\n\n<p>If you upload a SARIF file through the <code>upload-sarif<\/code> action and this data is missing, GitHub tries to populate <code>partialFingerprints<\/code> from the source files.<br>\u26a0\ufe0f If you upload a SARIF file without fingerprint data through the <code>\/code-scanning\/sarifs<\/code> API, <strong>duplicate alerts<\/strong> may be created when the file is processed and displayed.<\/p>\n\n\n\n<p>\ud83d\udc49 To avoid duplicates, <strong>compute the fingerprints<\/strong> and <strong>populate the <code>partialFingerprints<\/code> property<\/strong> before uploading.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Once your code has been extracted into a database, you can analyze it using CodeQL queries. GitHub experts, security researchers [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":8024,"menu_order":59,"template":"","doc_tag":[],"doc_badge":[],"class_list":["post-8052","docs","type-docs","status-publish","hentry"],"author_avatar":"https:\/\/secure.gravatar.com\/avatar\/6a70e7c73db9f245e650948d09d74f61?s=96&d=mm&r=g","author_name":"Annick N'dri","_links":{"self":[{"href":"https:\/\/techhub.saworks.io\/fr\/wp-json\/wp\/v2\/docs\/8052"}],"collection":[{"href":"https:\/\/techhub.saworks.io\/fr\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/techhub.saworks.io\/fr\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/techhub.saworks.io\/fr\/wp-json\/wp\/v2\/users\/2"}],"version-history":[{"count":0,"href":"https:\/\/techhub.saworks.io\/fr\/wp-json\/wp\/v2\/docs\/8052\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/techhub.saworks.io\/fr\/wp-json\/wp\/v2\/docs\/8024"}],"wp:attachment":[{"href":"https:\/\/techhub.saworks.io\/fr\/wp-json\/wp\/v2\/media?parent=8052"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/techhub.saworks.io\/fr\/wp-json\/wp\/v2\/doc_tag?post=8052"},{"taxonomy":"doc_badge","embeddable":true,"href":"https:\/\/techhub.saworks.io\/fr\/wp-json\/wp\/v2\/doc_badge?post=8052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}