QL is a query language designed for analyzing code, and lies at the heart of LGTM technology. All the alerts shown on LGTM, highlighting potential coding errors or security flaws in open-source software, are the results of QL queries that we wrote at Semmle and run on each project on LGTM. However, the power of QL is certainly not limited to these standard queries! You can write your own semantic code analysis using QL, building upon our rich query libraries.
We are keen to give you the best tools to do this, so that you can easily develop queries, run them, inspect the results, and make your software safer and better. The QL for Eclipse plugin, which Semmle engineers and customers already use for code analysis and security research, is now freely available to use on snapshots of code downloaded from LGTM.com.
This plugin lets you write QL queries and run them on snapshots locally in the Eclipse IDE. It has all the QL editor features of the LGTM query console (syntax highlighting, error reporting, autocomplete, tooltips, and jump-to-definition), but provides an even better user experience when developing queries. You can explore the built-in QL queries and libraries for each programming language that LGTM supports, and easily create multiple queries and libraries of your own. It's easier to gradually refine a query, comparing the results as you go along and eliminating false positives.
Interested in trying it out? Get started here! After installing QL for Eclipse from our update site at https://downloads.lgtm.com/ql-for-eclipse/site, you can obtain the latest snapshot of your favorite LGTM project from its Integrations tab, and run your own queries on it in the IDE.
If you need help along the way, we have some great resources on learning QL and using QL for Eclipse.
Note for users of the LGTM plugin for Eclipse: make sure you upgrade the LGTM plugin to its latest version if you want to use it alongside QL for Eclipse!
For inspiration on finding security vulnerabilities with QL, check out our blog posts. Future blog posts on security research will include snapshots of the vulnerable codebase, so that readers can import them into QL for Eclipse, run the queries from the blog posts, and reproduce our findings.
We're continually at work to make these products better, and would love to hear what you think about QL and QL for Eclipse! Feedback and suggestions for improvements are very welcome — please send them via the LGTM forums or @lgtmhq on Twitter. We are also looking for engineers to work on the QL language and engine as well as programming language tools like QL for Eclipse. If you're interested in joining the team at Semmle and developing these products, please get in touch!
Note: Post originally published on LGTM.com on August 01, 2018