how can i analysis two project with "database import" command?

[k6ymaker]

analysis two project with "database import" command

Hello，i want to analysis two project with "database import" command.

The first project is "hello-springboot-7". It just a springboot web demo, and it relies on the second project.

The first project is "hello-springboot-7" . And there is a taintedPathWeb function which is a spring web controller function in "hello-springboot-7". The taintedPathWeb will call FileHelper.isExist function which is defined in the second project.

The second project is "filehelper" which is a tool project.And the FileHelper.isExist function is in it.

The "hello-springboot-7"" relies on "filehelper" through maven depdendency.

I run the follow command generate the code database of hello-springboot-7 and filehelper.

codeql database init --language=java --source-root=./cmdhelper --allow-missing-source-root=false --allow-already-existing -- ./cmdhelperdb

codeql database trace-command --working-dir=./cmdhelper --index-traceless-dbs --no-db-cluster -- ./cmdhelperdb mvn clean install

codeql database init --language=java --source-root=./hello-springboot-7 --allow-missing-source-root=false --allow-already-existing -- ./webdb

codeql database trace-command --working-dir=./hello-springboot-7 --index-traceless-dbs --no-db-cluster -- ./webdb mvn clean install

And then i run "database import" command. Add cmdhelperdb to webdb
codeql database import -- ./webdb ./cmdhelperdb

Finally, i run "database finalize" command finalize webdb.
codeql database finalize --mode=normal --no-db-cluster -- ./webdb

I run the TaintedPath.ql
(https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql) in this database.
I want get the result that codeql can find the taint flow from filename parameter in Hellocontroller.taintedPathWeb to new File(filename) in FileHelper.isExist.
But i did't get the result which i desired. It can't get the taint flow from project a to project b.

Did i use "database import" command in a wrong way? Or i misunderstanding the mean of the "database import" command.Please give me some suggestion. ｡^‿^｡

Two projects in the zip file.project.zip

[tausbn]

Thank you for your question!

Unfortunately, things like the call graph are resolved during extraction, and so even though the calls inside webdb and cmdhelperdb will have been resolved, combining the databases into a single database will not resolve the call across databases. (Because of this, the database import command should only be used in cases where this shortcoming has been taken into account.)

To get the behaviour you desire, you would have to ensure that the two code bases are extracted at the same time, as if they were one large project.

[k6ymaker]

Thank you for you answer!
Do you have the plan to implement this? When the database import command is running, the edge in call graph which stand for the call across database can be add in the codeql database. I think it's a good way to reuse the code database to find more vulnerability.

[smowton]

For the time being we would suggest to extract the projects into one database. In the particular case you gave above, what happens if you trace two different maven invocations, and use a --source-root that includes both projects?

[k6ymaker]

It's difficult to add two project to one large project. Because the config of maven.

[k6ymaker]

And if i want to analysis many projects which have dependencies among them , it will cost a lot of time to combine them.Or do you have another way to combine two project?