{"id":13809717,"url":"https://github.com/trailofbits/codeql-queries","last_synced_at":"2026-01-27T01:05:07.609Z","repository":{"id":206002883,"uuid":"706642871","full_name":"trailofbits/codeql-queries","owner":"trailofbits","description":"CodeQL queries developed by Trail of Bits","archived":false,"fork":false,"pushed_at":"2026-01-14T21:28:49.000Z","size":333,"stargazers_count":138,"open_issues_count":11,"forks_count":7,"subscribers_count":10,"default_branch":"main","last_synced_at":"2026-01-15T02:50:19.355Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"CodeQL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trailofbits.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-10-18T10:54:34.000Z","updated_at":"2026-01-13T11:20:02.000Z","dependencies_parsed_at":"2023-11-07T14:45:07.264Z","dependency_job_id":"0d31f53d-d18c-4119-b1d2-0ff6dc16ef50","html_url":"https://github.com/trailofbits/codeql-queries","commit_stats":null,"previous_names":["trailofbits/codeql-queries"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/trailofbits/codeql-queries","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fcodeql-queries","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fcodeql-queries/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fcodeql-queries/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fcodeql-queries/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trailofbits","download_url":"https://codeload.github.com/trailofbits/codeql-queries/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fcodeql-queries/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28794585,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-26T21:49:50.245Z","status":"ssl_error","status_checked_at":"2026-01-26T21:48:29.455Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T02:00:34.861Z","updated_at":"2026-01-27T01:05:07.548Z","avatar_url":"https://github.com/trailofbits.png","language":"CodeQL","readme":"# Trail of Bits public CodeQL queries\n\nThis repository contains CodeQL queries developed by Trail of Bits and made available to the public. They are part of our ongoing development efforts and are used in our security audits, vulnerability research, and internal projects. They will evolve over time as we identify new techniques.\n\n## Using custom CodeQL queries\n\nThe easiest is to [download all packs](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs#running-codeql-pack-download-scopepack) from the GitHub registry:\n```sh\ncodeql pack download trailofbits/cpp-queries trailofbits/go-queries\n```\n\nThen verify that new queries are installed:\n```sh\ncodeql resolve qlpacks | grep trailofbits\n```\n\nAnd use the queries for analysis:\n```sh\ncodeql database analyze database.db --format=sarif-latest --output=./tob.sarif -- trailofbits/cpp-queries\n# or\ncodeql database analyze database.db --format=sarif-latest --output=./tob.sarif -- trailofbits/go-queries\n```\n\n## Queries\n\n### C and C++\n\n#### Cryptography\n\n| Name | Description | Severity | Precision  |\n| ---  | ----------- | :----:   | :--------: |\n|[Crypto variable initialized using static key](./cpp/src/docs/crypto/StaticKeyFlow.md)|Finds crypto variables initialized using static keys|error|high|\n|[Crypto variable initialized using static password](./cpp/src/docs/crypto/StaticPasswordFlow.md)|Finds crypto variables initialized using static passwords|error|high|\n|[Crypto variable initialized using weak randomness](./cpp/src/docs/crypto/WeakRandomnessTaint.md)|Finds crypto variables initialized using weak randomness|error|high|\n|[Invalid key size](./cpp/src/docs/crypto/InvalidKeySize.md)|Tests if keys passed to EVP_EncryptInit and EVP_EncryptInit_ex have the same size as the key size of the cipher used|warning|medium|\n|[Memory leak related to custom allocator](./cpp/src/docs/crypto/CustomAllocatorLeak.md)|Finds memory leaks from custom allocated memory|warning|medium|\n|[Memory use after free related to custom allocator](./cpp/src/docs/crypto/CustomAllocatorUseAfterFree.md)|Finds use-after-frees related to custom allocators like `BN_new`|warning|medium|\n|[Missing OpenSSL engine initialization](./cpp/src/docs/crypto/MissingEngineInit.md)|Finds created OpenSSL engines that may not be properly initialized|warning|medium|\n|[Missing error handling](./cpp/src/docs/crypto/MissingErrorHandling.md)|Checks if returned error codes are properly checked|warning|high|\n|[Missing zeroization of potentially sensitive random BIGNUM](./cpp/src/docs/crypto/MissingZeroization.md)|Determines if random bignums are properly zeroized|warning|medium|\n|[Random buffer too small](./cpp/src/docs/crypto/RandomBufferTooSmall.md)|Finds buffer overflows in calls to CSPRNGs|warning|high|\n|[Use of legacy cryptographic algorithm](./cpp/src/docs/crypto/UseOfLegacyAlgorithm.md)|Detects potential instantiations of legacy cryptographic algorithms|warning|medium|\n\n#### Security\n\n| Name | Description | Severity | Precision  |\n| ---  | ----------- | :----:   | :--------: |\n|[Async unsafe signal handler](./cpp/src/docs/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.md)|Async unsafe signal handler (like the one used in CVE-2024-6387)|warning|high|\n|[Invalid string size passed to string manipulation function](./cpp/src/docs/security/CStrnFinder/CStrnFinder.md)|Finds calls to functions that take as input a string and its size as separate arguments (e.g., `strncmp`, `strncat`, ...) and the size argument is wrong|error|low|\n|[Missing null terminator](./cpp/src/docs/security/NoNullTerminator/NoNullTerminator.md)|This query finds incorrectly initialized strings that are passed to functions expecting null-byte-terminated strings|error|high|\n|[Unsafe implicit integer conversion](./cpp/src/docs/security/UnsafeImplicitConversions/UnsafeImplicitConversions.md)|Finds implicit integer casts that may overflow or be truncated, with false positive reduction via Value Range Analysis|warning|low|\n\n### Go\n\n#### Cryptography\n\n| Name | Description | Severity | Precision  |\n| ---  | ----------- | :----:   | :--------: |\n|[Message not hashed before signature verification](./go/src/docs/crypto/MsgNotHashedBeforeSigVerfication/MsgNotHashedBeforeSigVerfication.md)|Detects calls to (EC)DSA APIs with a message that was not hashed. If the message is longer than the expected hash digest size, it is silently truncated|error|medium|\n\n#### Security\n\n| Name | Description | Severity | Precision  |\n| ---  | ----------- | :----:   | :--------: |\n|[Invalid file permission parameter](./go/src/docs/security/FilePermsFlaws/FilePermsFlaws.md)|Finds non-octal (e.g., `755` vs `0o755`) and unsupported (e.g., `04666`) literals used as a filesystem permission parameter (`FileMode`)|error|medium|\n|[Missing MinVersion in tls.Config](./go/src/docs/security/MissingMinVersionTLS/MissingMinVersionTLS.md)|This rule finds cases when you do not set the `tls.Config.MinVersion` explicitly for servers. By default version 1.0 is used, which is considered insecure. This rule does not mark explicitly set insecure versions|error|medium|\n|[Trim functions misuse](./go/src/docs/security/TrimMisuse/TrimMisuse.md)|Finds calls to `string.{Trim,TrimLeft,TrimRight}` with the 2nd argument not being a cutset but a continuous substring to be trimmed|error|low|\n\n### Java-kotlin\n\n#### Security\n\n| Name | Description | Severity | Precision  |\n| ---  | ----------- | :----:   | :--------: |\n|[Recursive functions](./java-kotlin/src/docs/security/Recursion/Recursion.md)|Detects recursive calls|warning|low|\n\n## Query suites\n\nCodeQL queries are grouped into \"suites\". To execute queries from a specific suit add its name after a colon: `trailofbits/cpp-queries:codeql-suites/tob-cpp-full.qls`.\n\nThe recommended suit - `tob-cpp-code-scanning.qls` - is chosen and executed when you do not explicitly specify any suit. Other suits in this repository are:\n\n* `tob-\u003clang\u003e-crypto.qls` - queries targeting cryptographic vulnerabilities\n* `tob-\u003clang\u003e-security.qls` - queries targeting standard security issues\n* `tob-\u003clang\u003e-full.qls` - all queries, including experimental ones\n\n## Development\n\n#### Prepare environment\n\nClone this repository and configure global CodeQL's search path:\n```sh\ngit clone git@github.com:trailofbits/codeql-queries.git\nmkdir -p \"${HOME}/.config/codeql/\"\necho \"--search-path '$PWD/codeql-queries'\" \u003e \"${HOME}/.config/codeql/config\"\n```\n\nCheck that CodeQL CLI detects the new qlpacks:\n```sh\ncodeql resolve packs | grep trailofbits\n```\n\n#### Before committing\n\nRun tests:\n\n```sh\nmake test\n```\n\nFormat queries:\n\n```sh\nmake format\n```\n\nInstall dependencies:\n\n```sh\nmake install\n```\n\nGenerate query tables and copy-paste it to README.md file\n```sh\npython ./scripts/queries_table_generator.py 2\u003e/dev/null\n```\n\nGenerate markdown query help files\n```sh\ncodeql generate query-help ./cpp/src/ --format=markdown --output ./cpp/src/docs\ncodeql generate query-help ./go/src/ --format=markdown --output ./go/src/docs\ncodeql generate query-help ./java/src/ --format=markdown --output ./java/src/docs\n```\n","funding_links":[],"categories":["CodeQL [Packs](https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs)","others"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Fcodeql-queries","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrailofbits%2Fcodeql-queries","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Fcodeql-queries/lists"}