July 07, 2020 - 11am PDT

LiveQL episode 1: finding non-intuitive string manipulation vulnerabilities in C code


We often see the same types of bugs repeated in code. What if we could detect an entire bug class and report all of its occurrences at once? What if we could automate this detection for any Pull Request so we can catch bugs before they ever enter your code?

In our LiveQL video series we pair a security researcher and an experienced CodeQL writer to explore a vulnerability class and capture its essence as a CodeQL query.

If you're new to CodeQL, you will discover how to use it to automate and accelerate your variant analysis. If you are already a CodeQL user, you'll learn more about CodeQL libraries, debugging tips and tricks, and much more.

In this episode, we'll explore how the non-intuitive return values of strlcat and strlcpy can lead to all sorts of problems in your code and how we can use a CodeQL query to detect potential issues in how these functions are used.
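As an added illustration (not code from the episode or from CodeQL), the C sketch below shows the return-value pitfall: strlcpy returns the length of the source string, not the number of bytes it copied. The names demo_strlcpy, remaining_unchecked and join_checked are hypothetical, and demo_strlcpy is a local stand-in with BSD strlcpy semantics so the example builds on any libc.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in with BSD strlcpy semantics (assumption: not every libc
 * provides strlcpy). Returns strlen(src), NOT the number of bytes copied. */
static size_t demo_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Risky pattern: treats the return value as "bytes written" and derives the
 * remaining space from it. Returned for inspection only; nothing is written
 * through it here. When src is longer than size, size - off wraps around. */
size_t remaining_unchecked(char *buf, size_t size, const char *src)
{
    size_t off = demo_strlcpy(buf, src, size);
    return size - off;
}

/* Checked pattern: a return value >= the size passed in means truncation.
 * Returns 0 if a followed by b fits in buf, -1 otherwise. */
int join_checked(char *buf, size_t size, const char *a, const char *b)
{
    size_t off = demo_strlcpy(buf, a, size);
    if (off >= size)
        return -1;
    if (demo_strlcpy(buf + off, b, size - off) >= size - off)
        return -1;
    return 0;
}

int main(void)
{
    char buf[8];
    /* Constructed input: 12 characters into an 8-byte buffer. */
    printf("remaining = %zu\n", remaining_unchecked(buf, sizeof buf, "0123456789ab"));
    printf("checked   = %d\n", join_checked(buf, sizeof buf, "0123456789ab", "x"));
    return 0;
}
```

strlcat has the same property: it returns the length of the string it tried to create, so its result needs the same comparison against the buffer size.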

Join us on Tuesday July 07, 2020, at 11am PDT (Pacific Time) on https://www.twitch.tv/github

To keep this community open and welcoming, please read our Code of Conduct.