Semmle provides extensive documentation to help you learn QL, and we have recently added a new section called QL training and variant analysis examples. These new slideshows provide specific information about the QL language and library features commonly used in variant analysis. They also include examples that guide you through the query writing process to find known security vulnerabilities. All of the examples were discovered by Semmle security researchers in open source projects with the help of QL. Currently, the new training material is for C/C++ and Java, but we will be adding presentations for other languages in the future.
Each presentation contains a series of QL queries and a download link to a snapshot of a specific revision of a project that contains a known vulnerability. The best way to work through the examples in the presentations is by downloading the QL for Eclipse plugin and importing the snapshot. You can then run the QL queries contained in the presentation to find the vulnerability.
You can also run the queries online using the query console on LGTM.com. This allows you to run the queries on the most recently analyzed revision of the selected project. Bear in mind that Semmle always works with project maintainers to fix the security vulnerabilities that we find in open source software. So you will likely no longer find the specific vulnerability in the most recent revision of a project, but you can still use the queries to explore the code and try to find other bugs!
If you are new to QL, it may be worth reviewing some introductory resources first to get a basic understanding of how QL works. Basic C/C++ QL query and Basic Java QL query provide a brief guide to writing and running simple queries in the query console on LGTM.com. Introducing the QL libraries for C/C++ and Introducing the QL libraries for Java introduce the standard libraries used to write queries for C/C++ and Java projects, respectively.
If you have any questions about QL, don't hesitate to ask on the community forum.