CodeQL Queries in LGTM

I want to place JPL queries from CodeQL into LGTM.

What queries does LGTM have? Where do I find a list of these queries?

Is there a way to use certain CodeQL queries in LGTM besides downloading the queries and placing them in a .lgtm folder as custom queries?

Can LGTM take in a SARIF file and upload its results?

Hi ArielSAdamsNASA,

What queries does LGTM have? Where do I find a list of these queries?

By default, LGTM will run all queries that satisfy the following criteria:

  • The @problem.severity is Error or Warning, and the @precision is at least Medium
  • The @problem.severity is Recommendation and the @precision is at least High

And the queries that satisfy the following criteria are being displayed:

  • The @problem.severity is Error or Warning, and the @precision is at least High
  • The @problem.severity is Recommendation and the @precision is at least Very high

A quick-and-dirty way of getting a list of the queries on LGTM is to search for queries with an @id that starts with cpp/ (to get a list of all the C++ queries). You can see this working here.

Is there a way to use certain CodeQL queries in LGTM besides downloading the queries and placing them in a .lgtm folder as custom queries?

You can configure which queries should be run by using a custom lgtm.yml configuration file. You can download a comprehensive template lgtm.yml file from here that explains this. Specifically, you should look at the queries block:

queries:
  # Start by hiding the results of all queries.
  - exclude: "*"
  # Then include all queries tagged 'security' and 'correctness', and with a severity of
  # 'error'.
  - include:
      tags:
        - "security"
        - "correctness"
      severity: "error"
  # Specifically hide the results of two queries.
  - exclude: cpp/use-of-goto
  - exclude: java/equals-on-unrelated-types
  # Refine by including the `java/command-line-injection` query.
  - include: java/command-line-injection

Can LGTM take in a SARIF file and upload its results?

Unfortunately, no. You can’t upload a SARIF file and display the results in LGTM.
It is, however, possible to do this with Code Scanning.

I hope these answers are helpful. If not, I’ll be happy to expand on any of them!

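To make both halves of the answer concrete, here is an added Python example (not code from LGTM or from the original post) that reads a query's QLDoc metadata header, applies the default severity/precision criteria given above, and then replays the include/exclude rules of the lgtm.yml queries block in order. The sample header is constructed, and the rule that a tags list matches a query carrying any of the listed tags is an assumption; check the lgtm.yml documentation for the exact semantics.

```python
import re

# Constructed sample of a CodeQL query's QLDoc header (not a real query file).
SAMPLE_QUERY = """/**
 * @id cpp/use-of-goto
 * @problem.severity recommendation
 * @precision very-high
 * @tags maintainability readability
 */"""
PRECISION_RANK = {"low": 0, "medium": 1, "high": 2, "very-high": 3}

def parse_metadata(text):
    """Collect the @key value pairs from a query's QLDoc header."""
    meta = {k: v.strip() for k, v in re.findall(r"@([\w.]+)[ \t]+([^\n]*)", text)}
    meta["tags"] = meta.get("tags", "").split()
    return meta

def lgtm_default(meta):
    """Return (runs, displayed) under the default severity/precision criteria above."""
    sev = meta.get("problem.severity", "").lower()
    prec = PRECISION_RANK.get(meta.get("precision", "").lower(), -1)
    if sev in ("error", "warning"):
        return prec >= PRECISION_RANK["medium"], prec >= PRECISION_RANK["high"]
    if sev == "recommendation":
        return prec >= PRECISION_RANK["high"], prec >= PRECISION_RANK["very-high"]
    return False, False

# The answer's `queries:` block, written as Python data instead of YAML (one key per rule).
QUERIES_BLOCK = [{"exclude": "*"},
                 {"include": {"tags": ["security", "correctness"], "severity": "error"}},
                 {"exclude": "cpp/use-of-goto"}, {"exclude": "java/equals-on-unrelated-types"},
                 {"include": "java/command-line-injection"}]

def rule_matches(selector, meta):
    """'*' or an @id as a string; a dict filters on tags (any listed tag, assumed) and/or severity."""
    if isinstance(selector, str):
        return selector == "*" or selector == meta.get("id")
    tags, sev = selector.get("tags"), selector.get("severity")
    return bool((not tags or set(tags) & set(meta["tags"]))
                and (not sev or sev == meta.get("problem.severity", "").lower()))

def displayed_under(block, meta):
    """Apply the include/exclude rules in order, starting from the default display state."""
    shown = lgtm_default(meta)[1]
    for rule in block:
        (kind, selector), = rule.items()
        if rule_matches(selector, meta):
            shown = kind == "include"
    return shown
```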