CodeQL Queries in LGTM

I want to place the JPL queries from CodeQL into LGTM.

What queries does LGTM have? Where do I find a list of these queries?

Is there a way to use certain CodeQL queries in LGTM besides downloading the queries and placing them in a .lgtm folder as custom queries?

Can LGTM take in a SARIF file and upload its results?

Hi ArielSAdamsNASA,

What queries does LGTM have? Where do I find a list of these queries?

By default, LGTM will run all queries that satisfy the following criteria:

  • The @problem.severity is Error or Warning, and the @precision is at least Medium
  • The @problem.severity is Recommendation and the @precision is at least High

And the queries that satisfy the following criteria are being displayed:

  • The @problem.severity is Error or Warning, and the @precision is at least High
  • The @problem.severity is Recommendation and the @precision is at least Very high

A quick-and-dirty way of getting a list of the queries on LGTM is to search for queries with an @id that starts with cpp/ (to get a list of all the C++ queries). You can see this working here.

Is there a way to use certain CodeQL queries in LGTM besides downloading the queries and placing them in a .lgtm folder as custom queries?

You can configure which queries should be run by using a custom lgtm.yml configuration file. You can download a comprehensive template lgtm.yml file from here that explains this. Specifically, you should look at the queries block:

queries:
  # Start by hiding the results of all queries.
  - exclude: "*"
  # Then include all queries tagged 'security' and 'correctness', and with a severity of
  # 'error'.
  - include:
      tags:
        - "security"
        - "correctness"
      severity: "error"
  # Specifically hide the results of two queries.
  - exclude: cpp/use-of-goto
  - exclude: java/equals-on-unrelated-types
  # Refine by including the `java/command-line-injection` query.
  - include: java/command-line-injection

Can LGTM take in a SARIF file and upload its results?

Unfortunately, no. You can’t upload a SARIF file and display the results in LGTM.
It is, however, possible to do this with Code Scanning.

I hope these answers are helpful. If not, I’ll be happy to expand on any of them!


Would it be possible to create the lgtm/cpp-queries in .lgtm.yml like so instead of creating a permanent folder in github?

queries:
- include: "*"
- exclude: "cpp/class-many-fields"
- exclude: "cpp/long-switch"
- exclude: "cpp/trivial-switch"

path_classifiers:
  generated:
    - "**/Ui_*"

extraction:
  python:
    python_setup:
      version: "3"
    index:
      include: "tools/cFS-GroundSystem"
  cpp:
    index:
      build_command:
      - "git clone https://github.com/github/codeql.git codeql"
      - "mkdir -p lgtm/cpp-queries/"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-2/Rule 03/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-2/Rule 04/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-2/Rule 05/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-2/Rule 07/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-2/Rule 09/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-2/Rule 11/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-3/Rule 12/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-3/Rule 13/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-3/Rule 14/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-3/Rule 15/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-3/Rule 16/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-3/Rule 17/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-3/Rule 18/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-3/Rule 20/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 21/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 22/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 23/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 24/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 25/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 26/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 27/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 28/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 29/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 30/.' lgtm/cpp-queries"
      - "cp -a 'codeql/cpp/ql/src/JPL_C/LOC-4/Rule 31/.' lgtm/cpp-queries"
      - "cp cfe/cmake/Makefile.sample Makefile"
      - "cp -r cfe/cmake/sample_defs sample_defs"
      - "make OMIT_DEPRECATED=true ENABLE_UNIT_TEST=true prep"
      - "make"

I’m afraid that this is not possible. LGTM looks for these custom queries when polling the repository for new commits. This is mentioned in passing at LGTM

The daily LGTM poll jobs will detect the queries and automatically run them.

I should add that this is possible using Code Scanning: Configuring code scanning - GitHub Docs.

CodeQL is normally run using Actions, in which case it is easy to arrange the order of operations such that you put the queries in place before performing the analysis. Alternatively, if you use another CI system, it is typical to invoke the CodeQL CLI yourself, and the same applies.
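The Actions ordering described in the last reply, as an added example that is not from any poster in this thread: the JPL_C queries are staged before the CodeQL init step, the code is built with the same commands as the lgtm.yml above, and the results are uploaded to Code Scanning. The action versions, the jpl-queries directory with its qlpack.yml, and the assumption that the bundled CodeQL resolves the codeql/cpp-all dependency are mine, not the project's.

```yaml
name: "CodeQL JPL_C analysis"
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload SARIF to Code Scanning
      contents: read
    steps:
      - uses: actions/checkout@v3

      # Step 1: put the queries in place BEFORE CodeQL is initialized.
      # Copies every JPL_C rule directory; trim the glob to a subset if wanted.
      # The jpl-queries layout and its qlpack.yml are assumed, not from the thread.
      - name: Stage the JPL_C queries
        run: |
          git clone --depth 1 https://github.com/github/codeql.git codeql-src
          mkdir -p jpl-queries
          for rule in codeql-src/cpp/ql/src/JPL_C/LOC-*/Rule\ */; do
            cp -a "$rule." jpl-queries/
          done
          # Minimal pack so `import cpp` in the queries resolves (assumed layout).
          cat > jpl-queries/qlpack.yml <<'EOF'
          name: example/jpl-c-queries
          version: 0.0.1
          dependencies:
            codeql/cpp-all: "*"
          EOF

      # Step 2: initialize CodeQL, pointing it at the staged query directory.
      - uses: github/codeql-action/init@v2
        with:
          languages: cpp
          queries: ./jpl-queries

      # Step 3: build the code exactly as the lgtm.yml build_command did.
      - name: Build
        run: |
          cp cfe/cmake/Makefile.sample Makefile
          cp -r cfe/cmake/sample_defs sample_defs
          make OMIT_DEPRECATED=true ENABLE_UNIT_TEST=true prep
          make

      # Step 4: run the queries and upload the SARIF results.
      - uses: github/codeql-action/analyze@v2
```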