
CodeQL PowerShell Support

Open StartAutomating opened this issue 1 year ago • 3 comments

CodeQL does not currently support PowerShell. Given that PowerShell is quite a potent language that has been used to great effect by red team and blue team alike, this lack of functionality hurts both CodeQL and PowerShell.

I am deeply familiar with the PowerShell AST and would likely be able to make CodeQL PowerShell language support work, if the team can help provide the right guidance on integration.

Please provide more information about how one can write new CodeQL bindings, so that I might turn this issue into a more useful pull request.

StartAutomating avatar Jul 09 '24 18:07 StartAutomating

Awesome to hear this! We have developed an open source PowerShell extractor actually, which allows PowerShell source code to be converted to a CodeQL database. The extractor can be found here: https://github.com/microsoft/codeql/releases. It doesn't matter if the release version is a bit behind, you can just grab the latest powershell.zip and unzip that folder next to your codeql executable. Once you do this, you should be able to run any commands related to extraction/db creation with "powershell" as the language.

What we really need now to enable analysis is the core CodeQL libraries for PowerShell. We have built out a bunch of these already (which we can open source as well), but core libraries related to the AST such as AST.qll, Cfg.qll, and Dataflow.qll need to be populated so that we can start building out qlls on top of them. Here is a repository that has been set up recently that shows how this is done for a simple/demo language, kaleidoscope: https://github.com/aibaars/codeql-kaleidoscope/tree/main (go to ql/lib/codeql/kaleidoscope). Some of these core libraries can probably be shared libraries now (and we can update the kaleidoscope repo to reflect that), @aibaars can explain further there.

dilanbhalla avatar Jul 12 '24 19:07 dilanbhalla
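The setup described above as a script, added here as an example that is not from the thread or the extractor project: it checks that the unzipped `powershell` folder sits next to the `codeql` executable and then creates a database with `powershell` as the language. The `CODEQL_HOME` variable and the folder name `powershell` are assumptions about the unzipped layout.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or the extractor release.
# Assumed layout: $CODEQL_HOME/codeql is the CLI executable and
# powershell.zip has been unzipped to $CODEQL_HOME/powershell.
set -euo pipefail

# Returns 0 when the extractor folder is next to the codeql executable.
check_powershell_extractor() {
  local codeql_home="$1"
  if [ ! -x "$codeql_home/codeql" ]; then
    echo "no codeql executable in $codeql_home" >&2
    return 1
  fi
  if [ ! -d "$codeql_home/powershell" ]; then
    echo "powershell extractor folder missing next to $codeql_home/codeql" >&2
    return 1
  fi
  return 0
}

# Create a CodeQL database from a PowerShell source tree.
# Arguments: codeql home, source root, output database directory.
build_powershell_db() {
  local codeql_home="$1" src_root="$2" db_dir="$3"
  check_powershell_extractor "$codeql_home" || return 1
  "$codeql_home/codeql" database create "$db_dir" \
    --language=powershell --source-root="$src_root"
}

# Usage: CODEQL_HOME=/opt/codeql ./build-ps-db.sh --run ./src ./ps-db
if [ "${1:-}" = "--run" ]; then
  build_powershell_db "${CODEQL_HOME:-.}" "${2:-.}" "${3:-./ps-db}"
fi
```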

@dilanbhalla @aibaars Thanks for providing some context. Please provide a bit more :-)

  • This looks somewhat workable (I would appreciate setting up a call to understand the implementation, as I am not a codeQL expert).
    • Please link to building instructions for a *.qll file
    • Please link to whatever specification you have (EBNF, ANTLR, etc.) for the syntax
    • Please set up time if you are able.

Additionally, if I'm reading the kaleidoscope example correctly, what you're doing is synergistically aligned with a metaprogramming language I build, Pipescript. A major component of that language is AST manipulation. Another major component is an open-ended definition of languages. Here are a couple of items I believe we should also look at:

  • Using CodeQL as a selector for any programming language (aka "select a class named this, regardless of language")
  • Denoting transformations of code (aka, "find any foldable region named 'Internal', and remove it")

Please let me know what you think of these scenarios, and if you'd expect either of them to be "natively" handled by CodeQL in the near/mid future.

Forgive me if these are foolish questions; I'm a PowerShell expert, not a CodeQL expert.

StartAutomating avatar Jul 13 '24 00:07 StartAutomating

Hey! Just curious if there have been any updates on this in the last year since the last post? Perhaps more importantly, is this PowerShell CodeQL support effort getting support from MS? (Given we're an MS shop and a GH Advanced Security customer, we're paying MS quite handsomely every month to scan our C# but not our PowerShell.) Thanks :)

webstandards avatar Nov 18 '25 20:11 webstandards