codeql database create ignore minified files #75
Comments
Greetings, thank you for reaching out to us with this issue. Ideally, you would run our tool on the non-minified version of your JavaScript code, where the alerts that get produced will be much easier to understand and fix. If for some reason you do not have access to the non-minified code, I would suggest you run your JavaScript files through a pretty-printer to get back some meaningful line numbers and then use CodeQL on the pretty-printed files (making sure they are named |
That is basically what I've been doing. Here is a one-liner to rename the files in case anyone needs the same thing.
Thanks, |
Thanks for sharing that one-liner! In terms of supporting this use case more directly, while we definitely don't want to always index |
We are working on ways to pass configuration options to extractors in a more organised fashion. As a current workaround, can you try setting the environment variable (I second @edoardopirovano's concerns about the quality of alerts you may find in minified code, but this should get the behaviour you're asking for.) |
I have successfully found real-world vulnerabilities in public VDPs by inspecting minified files using CodeQL, running them through a prettifier first and renaming .min files. If CodeQL could somehow perform those steps that would be great for black/gray-box assessments. |
Description

When codeql database create is used on a code-base containing files whose names contain multiple dots (.), the files are ignored by the extractors.

Steps to reproduce

codeql database create ../foo-db --language=javascript
codeql database create ../foo-min-db --language=javascript

Expected behavior

When using codeql to assess production JavaScript code, minified files should be included in the database.
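The workaround the comments describe (pretty-print each minified file, then rename it so its name carries a single dot, e.g. app.min.js becomes app.js) as an added example; this is not the commenter's one-liner and not CodeQL's own tooling. It assumes js-beautify as the pretty-printer (override with PRETTIFIER) and falls back to a plain copy when none is installed:

```shell
#!/usr/bin/env bash
# Stage a copy of a JavaScript tree in which minified files are pretty-printed
# and renamed to a single-dot name (app.min.js -> app.js), so the CodeQL
# JavaScript extractor picks them up when the staged tree is used as the source.
# Assumptions (not from the issue): js-beautify is the pretty-printer; set
# PRETTIFIER to use another one. Without any pretty-printer the file is copied.
set -u

# staged_name: map a minified path to its single-dot equivalent.
#   "dist/app.min.js" -> "dist/app.js"
staged_name() {
  printf '%s\n' "${1%.min.js}.js"
}

# stage_tree SRC DST: copy *.js from SRC into DST, rewriting *.min.js as
# pretty-printed single-dot files. A minified file is skipped when the tree
# already contains its non-minified original, which is the version to analyse.
stage_tree() {
  src=$1; dst=$2
  prettifier=${PRETTIFIER:-js-beautify}
  find "$src" -type f -name '*.js' | while IFS= read -r f; do
    rel=${f#"$src"/}
    case "$rel" in
      *.min.js)
        out=$(staged_name "$rel")
        [ -f "$src/$out" ] && { echo "skip $rel: $out exists in source" >&2; continue; }
        mkdir -p "$dst/$(dirname "$out")"
        if command -v "$prettifier" >/dev/null 2>&1; then
          "$prettifier" "$f" > "$dst/$out"   # readable line numbers in alerts
        else
          cp "$f" "$dst/$out"                # no pretty-printer: rename only
        fi
        ;;
      *)
        mkdir -p "$dst/$(dirname "$rel")"
        cp "$f" "$dst/$rel"
        ;;
    esac
  done
}
```

Point codeql database create at the staged directory rather than the original tree; the alerts still describe minified code, as the maintainers note above.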