Semmle Inc is a code-analysis platform with offices in San Francisco, Seattle, New York, Oxford, Valencia and Copenhagen. Semmle was acquired by GitHub (itself owned by Microsoft) on 18 September 2019 for an undisclosed amount.
Semmle's LGTM technology automates code review, tracks developer contributions, and flags software security issues.
The LGTM platform uses the CodeQL query engine (formerly QL) to perform semantic analysis on software code bases. GitHub aims to integrate Semmle technology to provide continuous vulnerability detection services. In November 2019, use of CodeQL was made free for research and open source. CodeQL either shares a direct pedigree with .QL (pronounced "dot-que-ell"), which derives from the Datalog family tree, or is an evolution of similar technology.
SemmleCode is an object-oriented query language for deductive databases developed by Semmle. It is distinguished within this class by its support for recursive queries.
Corporate background
The company is headquartered in San Francisco, with its development operations based in Blue Boar Court, Alfred Street, central Oxford, England. Semmle's customers include Credit Suisse, NASA and Dell.
SemmleCode background
Academic
SemmleCode builds on academic research on querying the source of software programs. The first such system was Linton's Omega system, where queries were phrased in QUEL. QUEL did not allow for recursion in queries, making it difficult to inspect hierarchical program structures such as the call graph. The next significant development was therefore the use of logic programming, which does allow such recursive queries, in the XL C++ Browser. The disadvantage of using a full logic programming language is however that it is very difficult to attain acceptable efficiency. The CodeQuest system, developed at the University of Oxford, was the first to exploit the observation that Datalog, a very restrictive version of logic programming, is in the sweet spot between expressive power and efficiency. The QL query language is an object-oriented version of Datalog.
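The recursion that the paragraph above says QUEL lacked and Datalog-style languages provide is easiest to see in a query. The following is an added example written against the current open-source CodeQL Java library, not a query from the article or from Semmle's own query suites; it assumes the library predicates `Callable.calls`, `RefType.hasQualifiedName`, `RefType.getQualifiedName` and `Element.getName`, and the `@id` value and the choice of `java.lang.Runtime.exec` as the method being traced to are illustrative only.

```ql
/**
 * @name Entry point that can reach Runtime.exec
 * @description Reports main methods from which a process-spawning call is
 *              reachable through any chain of calls, for review.
 * @kind problem
 * @problem.severity warning
 * @id java/example/entry-reaches-exec   (placeholder id, not a shipped query)
 */

import java

/**
 * Holds if `caller` can reach `callee` through a chain of one or more calls.
 * The predicate refers to itself: the engine evaluates it to a fixed point
 * over the whole call graph, which is the recursion QUEL could not express.
 */
predicate reaches(Callable caller, Callable callee) {
  caller.calls(callee)
  or
  exists(Callable mid | caller.calls(mid) and reaches(mid, callee))
}

/** A method that starts an external process: the point we trace towards. */
class ProcessExec extends Method {
  ProcessExec() {
    this.getDeclaringType().hasQualifiedName("java.lang", "Runtime") and
    this.getName() = "exec"
  }
}

// Report every `main` entry point from which such a call is reachable,
// naming the reached method so a reviewer knows where to start tracing.
from Method entry, ProcessExec sink
where entry.getName() = "main" and reaches(entry, sink)
select entry,
  "Entry point can reach " + sink.getDeclaringType().getQualifiedName() + "." +
    sink.getName() + " through the call graph."
```

QL also has built-in transitive closure, so `reaches(entry, sink)` could be written `entry.calls+(sink)`; the explicit predicate is used here only to make the recursive definition visible. On a Java project the query is run with the CodeQL CLI against an extracted database, and the `@kind problem` metadata lets the results surface as alerts rather than a plain result table.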
Industrial
The early research works on querying the source of software programs spun off a number of industrial applications. In particular it became the cornerstone of systems for application intelligence (data mining on the source of software systems) and software renovation. As of 2007, Paris-based CAST was one of the market leaders in that area, and other significant players included BluePhoenix in Herzliya, Israel. SemmleCode differs from these systems in its use of an object-oriented query language, which allows programmers to easily formulate new queries that are particular to their own project.
A full account of the academic and industrial developments leading up to the creation of SemmleCode can be found in a paper by Hajiyev et al.[Elnar Hajiyev, Mathieu Verbaere, and Oege de Moor, CodeQuest: Scalable Source Code Queries with Datalog. In ''ECOOP 2006: Proceedings of the 2006 European Conference on Object-Oriented Programming'', pages 2–27. Springer, 2006.]
Sample query in QL
To illustrate the use of QL, consider the well-known rule in object-oriented programming that public fields should be declared final. To find violations of that rule, we should search for fields that are public but not final. In QL, that requirement is expressed as follows:
from Field f
where f.hasModifier("public") and not f.hasModifier("final")
select f.getDeclaringType().getPackage(), f.getDeclaringType(), f
Here not only is the offending field f selected, but also the package and type in which its declaration occurs.
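The same rule can be packaged as a reusable class with a result message, which is how the "object-oriented" part of the language shows up in practice. This is an added example written for the current open-source CodeQL Java library, not code from the article or from Semmle; it assumes the library predicates `Modifiable.isPublic`, `Modifiable.isFinal`, `Field.getDeclaringType`, `RefType.getPackage`, `Package.getName` and the `Interface` class, and the `@id` value is a placeholder.

```ql
/**
 * @name Public field that is not final
 * @description A public field is part of the type's API and can be reassigned
 *              from anywhere; declaring it final removes that mutation point.
 * @kind problem
 * @problem.severity warning
 * @id java/example/public-non-final-field   (placeholder id, not a shipped query)
 */

import java

/**
 * A field that is public but not final. The characteristic predicate in the
 * constructor defines membership, so the class is a named, reusable query
 * fragment rather than a data structure.
 */
class PublicNonFinalField extends Field {
  PublicNonFinalField() { this.isPublic() and not this.isFinal() }

  /** Gets the name of the package that declares this field. */
  string packageName() { result = this.getDeclaringType().getPackage().getName() }
}

// Fields declared in an interface are implicitly final, so they are excluded
// here in case only explicit modifiers were recorded for them.
from PublicNonFinalField f
where not f.getDeclaringType() instanceof Interface
select f,
  "Public field " + f.getName() + " in package " + f.packageName() +
    " is not declared final."
```

Compared with the three-column query above, the `select` here pairs the field with a message, so under `@kind problem` each row is reported as an alert on the field's location; the package and declaring type are still available because `PublicNonFinalField` inherits every predicate of `Field`.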
SemmleCode integration with development environments
SemmleCode provides a user interface via the Eclipse IDE to query Java code (both source code and bytecode) as well as XML files, and to edit QL queries. This is however but one application of the technology that underlies it: QL can be used to query any other type of complex data.
As part of the fold into the Microsoft/GitHub corporate house, the original Eclipse-based workflow has been supplanted by a workflow based around Microsoft's Visual Studio Code.
See also
* List of tools for static code analysis
* .QL
* Datalog
Further reading
* Mark A. Linton. Implementing relational views of programs. In Peter B. Henderson, editor, ''Software Development Environments (SDE)'', pages 132–140, 1984.