{"id":13841703,"url":"https://github.com/safe6Sec/CodeqlNote","last_synced_at":"2025-07-11T13:32:16.176Z","repository":{"id":37787523,"uuid":"413097305","full_name":"safe6Sec/CodeqlNote","owner":"safe6Sec","description":"Codeql学习笔记","archived":false,"fork":false,"pushed_at":"2022-04-25T08:26:06.000Z","size":9227,"stargazers_count":840,"open_issues_count":1,"forks_count":107,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-11-07T12:10:03.097Z","etag":null,"topics":["codeql"],"latest_commit_sha":null,"homepage":"","language":"CodeQL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/safe6Sec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-10-03T14:14:30.000Z","updated_at":"2024-11-01T02:38:00.000Z","dependencies_parsed_at":"2022-07-14T06:10:32.556Z","dependency_job_id":null,"html_url":"https://github.com/safe6Sec/CodeqlNote","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safe6Sec%2FCodeqlNote","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safe6Sec%2FCodeqlNote/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safe6Sec%2FCodeqlNote/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safe6Sec%2FCodeqlNote/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/safe6Sec","download_url":"https://codeload.github.com/safe6Sec/CodeqlNote/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225729648,"owners_count":175
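15149,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["codeql"],"created_at":"2024-08-04T17:01:18.780Z","updated_at":"2024-11-21T12:30:21.061Z","avatar_url":"https://github.com/safe6Sec.png","language":"CodeQL","readme":"# CodeqlNote\nNotes from learning CodeQL; there is really very little material available in China. These are excerpts jotted down casually from various experts' articles, so they are rather messy, and I will tidy them up when I find time.\n\n\n\n**These notes are still being organized. If you are interested in CodeQL, I recommend going straight to the articles I have collected at the end of this document!**\n\n\n\n\n\n\n\n# codeql\n\n1. At its core this is about writing filter conditions and data flow tracking; to me it feels like writing object-oriented SQL, so before learning it you should be comfortable with object-oriented thinking, an object-oriented programming language, and writing SQL statements.\n\n2. CodeQL works mainly by using an analysis engine to analyze the relationships in the code and generate a code database. We then write QL directly to run all kinds of queries, such as finding a method or a class, finding references to a method, or tracking how a parameter is passed along.\n3. A predicate in CodeQL is really just a set of filter conditions wrapped up as a method.\n4. In Java everything is an object; I think that in CodeQL everything is an expression.\n5. Besides downloading databases, lgtm can also be used to search for QL queries.\n6. The directory /ql/java/ql/src/Security holds some official rules (java) that can be used directly.\n7. 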
The directory /ql/java/ql/src/experimental/Security holds some rules (java) that are still experimental.\n\n\n\n# Downloads\nDocumentation: https://codeql.github.com/docs/codeql-cli/    \nBinaries: https://github.com/github/codeql-cli-binaries     \nReady-made project: https://github.com/github/vscode-codeql-starter  \n\nDatabase downloads, online queries, rule search: https://lgtm.com/\n\n\n# Generating a database\n\n**Note: before generating the database, make sure the program being analyzed builds and runs correctly.**    \nStep one: create the indexed code database. You need a database before you can start querying.\n\n```\ncodeql database create \u003cdatabase\u003e --language=\u003clanguage-identifier\u003e\n```\nThe supported languages and their corresponding language identifiers are as follows:\n\n\n| Language              | Identifier |\n| --------------------- | ---------- |\n| C/C++                 | cpp        |\n| C#                    | csharp     |\n| Go                    | go         |\n| Java                  | java       |\n| JavaScript/TypeScript | javascript |\n| Python                | python     |\n| Ruby                  | ruby       |\n\n\n\n1. Generate a code-scanning database (java)\n\n```\ncodeql database create D:\\codeqldb/javasec --language=java  --command=\"mvn clean install --file pom.xml -Dmaven.test.skip=true\" --source-root=./javasec\n```\n\nNote: source-root is the path to the source code; it defaults to the current directory and may be omitted.\n\nSome commonly used commands:\n\n```\n Build, skipping tests\n --command=\"mvn clean install --file pom.xml -Dmaven.test.skip=true\"\n Never fail the build, regardless of project results\n --command=\"mvn -fn clean install --file pom.xml -Dmaven.test.skip=true\"\n```\n\n\n\nIncluding XML files: https://github.com/github/codeql/issues/3887\n\n\n\n```\ncodeql database init --source-root=\u003csrc\u003e --language java \u003cdb\u003e\ncodeql database trace-command --working-dir=\u003csrc\u003e \u003cdb\u003e \u003cjava command\u003e\ncodeql database index-files --language xml --include-extension .xml --working-dir=\u003csrc\u003e \u003cdb\u003e\ncodeql database finalize \u003cdb\u003e\n```\n\nThis splits the earlier create command into the 4 commands above; the index-files step adds the XML files to the CodeQL database.\n\nA second option is to insert --include \"**/resources/**/*.xml\" into the file codeql-cli/java/tools/pre-finalize.cmd.\n\n\n\n2. Upgrade the database\n\n```\ncodeql database upgrade 
database/javasec\n```\n\n\n\nReference: https://help.semmle.com/lgtm-enterprise/admin/help/prepare-database-upload.html\n\n\n\n### Compiled vs. non-compiled\n\nFor compiled languages, a build step has to be added when creating the index database; this mainly concerns Java. For non-compiled languages, just scan directly.\n\nFor Go, building is optional.\n\n\n\n# Basic queries\n\n\n\n### Filtering Method\n\n#### Query by Method name\n\n```java\nimport java\n\nfrom Method method\nwhere method.hasName(\"toObject\")\nselect method\n```\n\nAlso select the `class` `name` of this method:\n\n```java\nimport java\n\nfrom Method method\nwhere method.hasName(\"toObject\")\nselect method, method.getDeclaringType()\n```\n\n#### Query by Method name and interface name\n\nFor example, to find the `toObject` method of every subclass of `ContentTypeHandler`:\n\n```java\nimport java\n\nfrom Method method\nwhere method.hasName(\"toObject\") and method.getDeclaringType().getASupertype().hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\")\nselect method\n```\n\n#### Call and Callable\nCallable represents the set of callable methods and constructors.   \n\nCall represents the act of invoking a Callable (method calls, constructor calls, and so on).    \n\n\n\n\n### MethodAccess\nFiltering method calls   \n\nThe usual approach is to find the `method` first and compare it with `MethodAccess.getMethod()`.\n\nFor example, to find calls to the `toObject()` method of `ContentTypeHandler`:\n\n```java\nimport java\n\nfrom MethodAccess call, Method method\nwhere method.hasName(\"toObject\") and method.getDeclaringType().getASupertype().hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\") and call.getMethod() = method\nselect call\n```\n\nThe query above is not good enough: it only finds explicitly defined ones such as `JsonLibHandler`.\n\nHow can it be improved?\n\nUse `getAnAncestor()` or `getASupertype*()` instead:\n\n```java\nimport java\n\nfrom MethodAccess call, Method method\nwhere method.hasName(\"toObject\") and method.getDeclaringType().getAnAncestor().hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\") and call.getMethod() = method\nselect call\n```\n### Filtering constructors\nThe argument of new File is our sink, so we construct the following QL:\n```\nclass FileContruct extends ClassInstanceExpr{\n    FileContruct(){\n        this.getConstructor().getDeclaringType*().hasQualifiedName(\"java.io\", \"File\")\n    }\n}\n```\n\n\n# codeql 
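Java rule directory\n\n\nSome official rules that can be used directly.\n```\n-java\n\n--ql\n\n---src\n\n----Security (rules in production use)\n\n----experimental (rules still experimental)\n\n---lib\n\n----semmle\n\n-----code\n\n------java (everything under here is framework-related)\n```\n\n\n\n# Data flow tracking\n\nAnalyzing SpEL with Local Data Flow\n\nLocal data flow\nLocal data flow is data flow within a single method (the flow is broken as soon as a variable leaves that method) or callable. Local data flow is usually easier, faster, and more precise than global data flow.\n\n```\nimport java\nimport semmle.code.java.frameworks.spring.SpringController\nimport semmle.code.java.dataflow.TaintTracking\nfrom Call call,Callable parseExpression,SpringRequestMappingMethod route\nwhere\n    call.getCallee() = parseExpression and \n    parseExpression.getDeclaringType().hasQualifiedName(\"org.springframework.expression\", \"ExpressionParser\") and\n    parseExpression.hasName(\"parseExpression\") and \n   TaintTracking::localTaint(DataFlow::parameterNode(route.getARequestParameter()),DataFlow::exprNode(call.getArgument(0))) \nselect route.getARequestParameter(),call\n```\n\n\n\nGlobal data flow analysis requires extending the `DataFlow::Configuration` class and overriding the `isSource` and `isSink` predicates.\n\n```\nclass MyConfig extends DataFlow::Configuration {\n  MyConfig() { this = \"Myconfig\" }\n  override predicate isSource(DataFlow::Node source) {\n    ....\n    \n  }\n\n    override predicate isSink(DataFlow::Node sink) {\n    ....\n    \n  }\n}\n```\n\n# Why data flow breaks\n- External methods, because they are not compiled into the database. This is the most common cause, and essentially every scanner on the market has this problem. It is complicated to explain, but the reason is roughly that building the data flow makes the database grow too large as the complexity of the scanned AST increases; in the end everyone struck a balance between time and usability and chose to compile and query only what is directly depended on, which is why this problem exists.\n\n- Complex string concatenation, such as append, and some other string assignments. These are generally empty out of the box and you have to handle them yourself. Some tools, such as Fortify, ship with connections for part of these scenarios, but sometimes you have to track it down yourself.\n\n- Forced type casts\n\n- Dynamic features, such as Class.forName. CodeQL has very good reflection classes to support this; compare it with Fortify and you will see what is good and what is not. Fortify's classes are too simple. Look at the classes in the official CodeQL manual: the difference is exponential by comparison. Even a glance at soot shows it is better than Fortify.\n\n\n## isAdditionalStep tips\nWhen using isAdditionalStep, locate the break with a simple bisection: first move the sink earlier; if the flow is detected, move it later again, and repeat until you find where the flow breaks.\nLittle-known fact: data flows can be combined; for example, our sink can itself be a hasFlow expression.   \n\nThe two points above come from an article by xsser.\n\n\n# Taint tracking\n\n\n\nGlobal taint tracking analysis requires extending the `TaintTracking::Configuration` class and overriding the `isSource` and `isSink` predicates.\n\n```\nclass VulConfig extends TaintTracking::Configuration {\nVulConfig() { this = \"myConfig\" }\n\noverride predicate 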
isSource(DataFlow::Node source) {\n\n}\n\noverride predicate isSink(DataFlow::Node sink) {\n\n}\n}\n\nfrom VulConfig config, DataFlow::PathNode source, DataFlow::PathNode sink\nwhere config.hasFlowPath(source, sink)\nselect sink.getNode(), source, sink, \"source are\"\n```\n\n\n\n# White-box scanning\n\nThe QL library bundles queries for many common security vulnerabilities, which can be used directly to scan project source code.\n\nhttps://codeql.github.com/codeql-query-help/java/\n\n\n\nThe following are ready-made queries:\n\n java\n1. Zip slip (overwriting arbitrary files during zip extraction)\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql\n\n2. Command injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql\n\n3. Cookie security\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql\n\n4. XSS\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-079/XSS.ql\n\n5. Dependency vulnerabilities\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql\n\n6. Deserialization\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql\n\n7. HTTP header injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql\n\n8. URL redirection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql\n\n9. LDAP injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql\n\n10. SQL injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql\n\n1
1. File permissions \u0026 path injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql\n\n12. XML injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXE.ql\n\n13. SSL verification\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql\n\n14. Weak encryption\n\nhttps://github.com/github/codeql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql\n\n15. Predictable random seed\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql\n\n\nThe codeql analyze command can run a single ql file, all ql files in a directory, or a query suite (.qls).\n\n \n\nFor white-box scanning, use the following command (runs all vulnerability queries):\n\n```\ncodeql database analyze source_database_name qllib/java/ql/src/codeql-suites/java-security-extended.qls --format=csv --output=java-results.csv\n```\n\nA query you write yourself for use with analyze must follow the conventions and include metadata such as @kind, like this:\n\n```\n/**\n * @name Incomplete regular expression for hostnames\n * @description Matching a URL or hostname against a regular expression that contains an unescaped\n *              dot as part of the hostname might match more hostnames than expected.\n * @kind path-problem\n * @problem.severity warning\n * @security-severity 7.8\n * @precision high\n * @id go/incomplete-hostname-regexp\n * @tags correctness\n *       security\n *       external/cwe/cwe-20\n */\n```\n\n\n\n\n\n\n# Chrome bookmarks\nSome articles I read while learning CodeQL\n\n- [CodeQL from Getting Started to Giving Up - FreeBuf cybersecurity industry portal](https://www.freebuf.com/articles/web/283795.html)\n- [Using CodeQL to find fastjson exploit chains - Xianzhi Community](https://xz.aliyun.com/t/7482)\n- [CodeQL documentation](https://codeql.github.com/docs/)\n- https://www.4hou.com/search-post?page=4\u0026keywords=codeql\n- [Code analysis platform CodeQL study notes (17) - RoarTalk – back to the essence of information security, Internet security new media, 4hou.com](https://www.4hou.com/posts/o6wX)\n- [Query console - LGTM](https://lgtm.com/query/lang:java/)\n- [Digging into ofcms with CodeQL - Anquanke, security news platform](https://www.anquanke.com/post/id/203674)\n- [haby0/mark: 
notes](https://github.com/haby0/mark)\n- [Learning CodeQL: taint analysis - Xianzhi Community](https://xz.aliyun.com/t/7789)\n- [CodeQL study notes - Zhihu](https://zhuanlan.zhihu.com/p/354275826)\n- [github/vscode-codeql-starter: Starter workspace to use with the CodeQL extension for Visual Studio Code.](https://github.com/github/vscode-codeql-starter)\n- [Learning CodeQL: taint analysis - Xianzhi Community](https://xz.aliyun.com/t/7789#toc-0)\n- [CodeQL for Golang Practise(3)](http://f4bb1t.com/post/2020/12/16/codeql-for-golang-practise3/)\n- [CodeQL static code scanning: linking interfaces, input parameters, and dangerous methods, automatically constructing payloads, and exploring abstract classes](https://mp.weixin.qq.com/s/Rqo12z9mapwlj6wGHZ1zZA)\n- [Analyzing Vulnerability-GoApp with CodeQL - FreeBuf cybersecurity industry portal](https://www.freebuf.com/articles/web/253491.html)\n- [CodeQL deserialization analysis](https://github.com/githubsatelliteworkshops/codeql)\n- [[Original\\] 58 Group white-box code audit system construction in practice 2: understanding SAST in depth - Business Security - Kanxue Forum - security community | security recruitment | bbs.pediy.com](https://bbs.pediy.com/thread-266995.htm#msg_header_h1_4)\n- [Loulan#CodeQL](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=Mzg4ODU4ODYzOQ==\u0026action=getalbum\u0026album_id=1970201600723910658\u0026scene=173\u0026from_msgid=2247484983\u0026from_itemidx=1\u0026count=3\u0026nolastread=1#wechat_redirect)\n- [CodeQL study notes | Gamous'Site](http://blog.gamous.cn/post/codeql/)\n- [language:go - Search - LGTM](https://lgtm.com/search?q=language%3Ago\u0026t=rules)\n- [Introduction to CodeQL and code scanning - GeekMasher's blog](https://geekmasher.dev/posts/sast/codeql-introduction)\n- [CVE-2018-11776: How to find 5 Apache Struts RCEs with CodeQL](https://mp.weixin.qq.com/s/LmOFGAhqAKiO8VDQW4vvLg)\n- [Writing CodeQL static code scanning rules: RemoteFlowSource](https://mp.weixin.qq.com/s/jVZ3Op8FYBmiFAV3p0li3w)\n- [CodeQL static code scanning: exploring abstract classes](https://mp.weixin.qq.com/s/KQso2nvWx737smunUHwXag)\n- [Getting started with writing CodeQL rules](https://mp.weixin.qq.com/s/sAUSgRAohFlmzwSkkWjp9Q)\n- [About LGTM - Help - LGTM](https://lgtm.com/help/lgtm/about-lgtm)\n- [LGTM help \u0026 documentation](https://help.semmle.com/home/help/home.html)\n- [Capture the flag | GitHub Security Lab](https://securitylab.github.com/ctf/)\n- [CodeQL notes | 
LFYSec](https://lfysec.top/2020/06/03/CodeQL笔记/)\n- [Learning CodeQL: CodeQL data flow analysis - bamb00 - cnblogs](https://www.cnblogs.com/goodhacker/p/13583650.html)\n- [Category: codeql - 食兔人's blog](https://blog.ycdxsb.cn/categories/research/codeql/)\n- [CodeQL - butter-fly](https://yourbutterfly.github.io/note-site/module/semmle-ql/codeql/)\n- [Expressions](https://www.4hou.com/posts/lM11)\n- [mark/CodeQL-数据流在Java中的使用.md at master · haby0/mark](https://github.com/haby0/mark/blob/master/articles/2021/CodeQL-数据流在Java中的使用.md)\n- [github/securitylab: Resources related to GitHub Security Lab](https://github.com/github/securitylab)\n- [CodeQL from 0 to 1 (with a Shiro detection demo) - Anquanke, security news platform](https://www.anquanke.com/post/id/255721)\n- [Finding XSS in React applications with CodeQL in practice | Image's blog](https://hexo.imagemlt.xyz/post/javascript-codeql-learning/)\n- [SummerSec/learning-codeql: the most complete Chinese-language CodeQL Java learning material on the web](https://github.com/SummerSec/learning-codeql)\n- [CodeQL query help for Go — CodeQL query help documentation](https://codeql.github.com/codeql-query-help/go/#)\n- [CodeQL usage guide_zzzzfeng's blog-CSDN blog_codeql usage](https://blog.csdn.net/haoren_xhf/article/details/115064677)\n- [Apache Dubbo: All roads lead to RCE | GitHub Security Lab](https://securitylab.github.com/research/apache-dubbo/)\n- [How to reproduce the Apache Kylin command execution vulnerability with CodeQL data flow - Xianzhi Community](https://xz.aliyun.com/t/8240)\n- [How to find CVE-2020-10199 with CodeQL - Anquanke, security news platform](https://www.anquanke.com/post/id/202987)\n- [Nanjing University software analysis course](https://space.bilibili.com/2919428?share_medium=iphone\u0026share_plat=ios\u0026share_session_id=6851D997-0AC6-4C67-B858-BD1E6258C548\u0026share_source=COPY\u0026share_tag=s_i\u0026timestamp=1639480132\u0026unique_k=8wQBAkV)\n- [Dangerous sinks in various languages](https://github.com/haby0/sec-note)\n- [Analyzing and finding the Log4j vulnerability with CodeQL](https://mp.weixin.qq.com/s/JYco8DysQNszMohH6zJEGw)\n- [Understanding CodeQL data flow through a few diagrams](https://mp.weixin.qq.com/s/3mlRedFwPz31Rwe7VDBAuA)\n- [Firebasky's notes](https://github.com/Firebasky/CodeqlLearn)\n- [凡人's CodeQL learning material](https://github.com/SummerSec/learning-codeql)\n- [fynch3r's notes](https://fynch3r.github.io/tags/CodeQL/)\n- [CodeQL 
directories, frameworks, and some interesting things](https://mp.weixin.qq.com/s/zSI157qJXYivSvyxHzXALQ)\n- [CodeQL: leveling up](https://tttang.com/archive/1415/)\n- [Combining CodeQL with OpenJDK](https://fynch3r.github.io/%E8%AE%B0%E4%B8%80%E6%AC%A1CodeQL%E4%B8%8EOpenJDK%E7%9A%84%E8%81%94%E5%8A%A8/)\n- [Understanding CodeQL in depth](https://github.com/ASTTeam/CodeQL)\n- [CodeQL pitfalls guide - Java](https://tttang.com/archive/1497/)\n- [Loulan's CodeQL study notes](https://www.yuque.com/loulan-b47wt/rc30f7)\n- [Can CodeQL find the log4shell (CVE-2021-44228) vulnerability?](https://mp.weixin.qq.com/s/CkCnAAc0OafEcLiBV17wdg)\n\n\n\n\n\n\n\n","funding_links":[],"categories":["CodeQL","代码审计"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsafe6Sec%2FCodeqlNote","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsafe6Sec%2FCodeqlNote","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsafe6Sec%2FCodeqlNote/lists"}