This is a minimal example workshop demonstrating the standard workshop structure for teaching CodeQL query development.
Students will learn to:
- Find pointer dereference expressions
- Identify null pointer literals
- Use local data flow to connect sources to sinks
- Filter out safe dereferences with null checks
Prerequisites:
- CodeQL CLI installed
- VS Code with CodeQL extension
- Basic C++ knowledge
- Understanding of pointers and null values
- Install pack dependencies:
codeql pack install exercises
codeql pack install solutions
- Build test databases:
./build-databases.sh
Goal: Identify all pointer dereference expressions in the code.
Concepts: PointerDereferenceExpr, basic pattern matching
Hint: Look for expressions that dereference a pointer using * or ->
Goal: Identify null pointer literals (nullptr, NULL, 0).
Concepts: Literal, null pointer values
Hint: Check for null literal values
Goal: Find dereferences where the pointer comes from a null literal using local data flow.
Concepts: DataFlow::localFlow, sources, sinks
Hint: Define a data flow source (null literal) and sink (dereference)
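An added example, not the workshop's reference solution: one way to connect the null-literal source to the dereference sink with local data flow. The query id, the isNullLiteral helper and the choice of the semmle.code.cpp.dataflow.new.DataFlow import are assumptions made for this sketch; it covers * dereferences only, since -> accesses are modelled by a separate class (PointerFieldAccess).

```ql
/**
 * @name Dereference of a null literal (local flow)
 * @description Added example: reports `*p` where a null literal reaches `p`
 *              within a single function.
 * @kind problem
 * @problem.severity warning
 * @id cpp/example/null-literal-dereference
 */

import cpp
// Assumption: the installed pack resolves the current C++ data flow library.
import semmle.code.cpp.dataflow.new.DataFlow

/**
 * Holds if `l` is a null pointer literal: `nullptr`, or a `0` that is
 * converted to a pointer type (what `NULL` usually expands to).
 * Hypothetical helper, not part of the standard library.
 */
predicate isNullLiteral(Literal l) {
  l.getType() instanceof NullPointerType
  or
  l.getValue() = "0" and
  l.getFullyConverted().getUnspecifiedType() instanceof PointerType
}

from Literal nullLit, PointerDereferenceExpr deref
where
  isNullLiteral(nullLit) and
  // Source: the literal. Sink: the operand of `*`.
  // localFlow never crosses a function boundary, so a null passed in as an
  // argument or returned from a call is out of scope for this query.
  DataFlow::localFlow(DataFlow::exprNode(nullLit), DataFlow::exprNode(deref.getOperand()))
select deref, "Pointer dereferenced here may hold the null literal $@.", nullLit,
  nullLit.toString()
```

The query does not yet exclude dereferences that sit behind a null check, so a guarded `*p` is still reported.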
- Open exercises/Exercise1.ql
- Implement the TODO sections
- Run tests:
codeql test run exercises-tests/Exercise1
- Compare with solutions/Exercise1.ql
- Move to Exercise 2
Test exercises:
codeql test run exercises-tests/
Verify solutions:
codeql test run solutions-tests/
Reference implementations are in the solutions/ directory. Try to complete each exercise before checking the solution.
- exercises/ - Exercise queries to complete
- exercises-tests/ - Tests for exercises
- solutions/ - Complete reference solutions
- solutions-tests/ - Tests for solutions (should pass 100%)
- graphs/ - AST/CFG visualizations
- tests-common/ - Shared test code
After completing this workshop, you should understand:
- How to find specific C++ expressions
- How to identify null pointer values
- How to use local data flow analysis
- Basic CodeQL query patterns for C++