Offline

Introduction to security research. Find a CVE with CodeQL.

Track: Testing, Quality Assurance, Security
Type: Tutorial
Level: Intermediate
Duration: 180 minutes

Abstract

This tutorial introduces the fundamentals of security research and of using CodeQL to look for security vulnerabilities in software. We'll show how to look for vulnerabilities by reading code, and how static analysis helps us find sources (where untrusted input enters), sinks (where it can do damage) and the vulnerable paths between them.

Using CVE-2024-32022, a vulnerability the speaker found in an open source project, as the running example, we will walk through how to detect it manually by reading the code, learn how to write CodeQL, and by the end write a CodeQL query that finds this vulnerability and its variants.
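As an added illustration of the source-to-sink approach the abstract describes, here is a CodeQL taint-tracking query for Python that reports remote user input reaching the command argument of `os.system`. It is example code written for this page, not the tutorial's or the speaker's query, and it is not tied to CVE-2024-32022, whose details the abstract does not give; the Python target, the `os.system` sink, the `shlex.quote` sanitizer and the query id are assumptions for the example.

```ql
/**
 * @name Remote input flows into os.system (added example)
 * @description Taint-tracking query: a remote flow source (for example a web
 *              request parameter) reaches the command argument of os.system.
 * @kind path-problem
 * @problem.severity error
 * @precision high
 * @id example/py/os-system-command-injection
 * @tags security
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs

// Configuration: what counts as a source, a sink and a sanitizer.
module OsSystemConfig implements DataFlow::ConfigSig {
  // Sources: anything the standard CodeQL Python library models as remote
  // user input (request parameters of common web frameworks, etc.).
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sink (assumed for this example): the first argument of any os.system call.
  predicate isSink(DataFlow::Node sink) {
    sink = API::moduleImport("os").getMember("system").getACall().getArg(0)
  }

  // Barrier (assumed sanitizer): stop tracking a value once it is the result
  // of shlex.quote, so quoted arguments are not reported.
  predicate isBarrier(DataFlow::Node node) {
    node = API::moduleImport("shlex").getMember("quote").getACall()
  }
}

// Global taint tracking: follow the value through assignments, string
// formatting and concatenation, not only exact data-flow copies.
module OsSystemFlow = TaintTracking::Global<OsSystemConfig>;

import OsSystemFlow::PathGraph

from OsSystemFlow::PathNode source, OsSystemFlow::PathNode sink
where OsSystemFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This os.system command depends on a $@.", source.getNode(), "user-provided value"
```

To try it, save the query in a query pack that depends on `codeql/python-all`, build a database of the target project with `codeql database create <db> --language=python --source-root <project>`, and run it with `codeql query run --database=<db> <query>.ql`. Swapping the sink predicate for a different dangerous call (subprocess with `shell=True`, `eval`, file-path APIs) is how the same query is adapted to hunt for variants of a known bug.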