Generated by DeepSeek V3.2

| Semmle | |
|---|---|
| Name | Semmle |
| Developer | Oege de Moor, Pavel Avgustinov, Elmar Jürgens, Max Schäfer, Julian Tibble |
| Released | 2006 |
| Genre | Static program analysis, CodeQL |
Semmle was a pioneering platform for semantic code analysis that let developers and security researchers query codebases as if they were data. Founded as a spin-out from the University of Oxford, the company's core technology modeled code relationships in a database, making it possible to discover complex security vulnerabilities and bug patterns. Its approach of treating code as data laid the groundwork for significant advances in application security.
The technology originated from research conducted at the Programming Tools Group at the University of Oxford under the guidance of Oege de Moor. Key researchers, including Pavel Avgustinov and Max Schäfer, developed the foundational concepts that would become the QL query language and the associated analysis engine. The commercial entity, Semmle Ltd., was subsequently founded to productize this academic research, attracting investment and establishing itself within the software development and cybersecurity industries. Its evolution was marked by collaborations with major technology firms and integration into the security practices of organizations like NASA and Microsoft.
At its core, Semmle's technology involved creating a comprehensive abstract syntax tree and extracting semantic relationships from source code, which was then stored in a specialized database. Users could interrogate this database using the declarative, object-oriented QL language, which was designed to resemble SQL but was tailored for navigating code structures such as control flow graphs and data flow paths. The platform supported numerous programming languages including Java, C++, C#, and Python, and its architecture allowed analyses to be shared as reusable queries within the community, forming a collective knowledge base for code quality and security.
The primary application of Semmle was in identifying zero-day vulnerabilities and complex security flaws, such as those cataloged in the Common Vulnerabilities and Exposures list, within large-scale codebases. It was extensively used for variant analysis, where a single bug pattern could be hunted across an entire code repository. Major open-source projects, including the Linux kernel and Apache Web Server, utilized Semmle to harden their security posture. Furthermore, enterprises adopted it for continuous integration checks and enforcing secure coding standards, effectively integrating deep, query-based analysis into their DevOps pipelines.
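The following query illustrates the "code as data" model described above and the variant-analysis workflow it enables: instead of grepping for one bug, the analyst describes a pattern (here, a method parameter flowing, within one method body, into the command argument of `Runtime.exec`) and runs it over the whole database. This is an added example written against a recent CodeQL Java standard library, not a query shipped by Semmle or GitHub; the `@id`, `@name` and variable names are my own.

```ql
/**
 * @name Method parameter reaches Runtime.exec()
 * @description Flags calls to java.lang.Runtime.exec whose command argument
 *              is derived, via local data flow, from a parameter of the
 *              enclosing method. Such call sites deserve review for
 *              command-injection risk. (Hypothetical example query.)
 * @kind problem
 * @problem.severity warning
 * @id example/param-to-runtime-exec
 */

import java
import semmle.code.java.dataflow.DataFlow

// `from` declares the entities we reason about, much like SQL's FROM clause:
// every call to some method, and every parameter in the database.
from MethodCall exec, Parameter p
where
  // Restrict the call to java.lang.Runtime.exec(...), whatever the overload.
  exec.getMethod().hasQualifiedName("java.lang", "Runtime", "exec") and
  // Ask the data-flow library whether the parameter's value reaches the first
  // argument of the call without leaving the current method body. The
  // intermediate assignments and string concatenations are resolved by the
  // library, not spelled out here, which is what makes the pattern reusable.
  DataFlow::localFlow(DataFlow::parameterNode(p), DataFlow::exprNode(exec.getArgument(0)))
// `select` is the result shape for a `problem` query: a location, a message,
// and a linked element substituted for the $@ placeholder.
select exec, "Command passed to Runtime.exec() is derived from parameter $@.", p, p.getName()
```

Running this query over a CodeQL database of the target project lists every matching call site; adjusting the `where` clause to a different sink or source is how the same scaffold is reused to hunt for variants of a newly found bug.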
In September 2019, Microsoft's subsidiary GitHub announced the acquisition of Semmle, a strategic move to enhance the native security capabilities of the GitHub platform. Following the acquisition, Semmle's technology was rebranded and integrated as GitHub Advanced Security and its query engine became the foundation for CodeQL, GitHub's flagship code analysis engine. The team, including co-founders like Oege de Moor, joined GitHub to continue development, significantly broadening the technology's reach to the millions of developers using the GitHub Actions ecosystem and GitHub Copilot.
Semmle's impact on the security landscape was profound, credited with discovering critical vulnerabilities in essential software like Ubuntu and Google Chrome. Its technology shift towards treating code as queryable data was widely praised by security researchers at firms like Google Project Zero and was instrumental in the concept of "shift-left security." The academic roots of its QL language received recognition at venues like the International Conference on Software Engineering. The acquisition by GitHub was viewed as a validation of its approach, democratizing advanced semantic analysis and making it a central component of modern software supply chain security.
Category:Static program analysis tools Category:Software companies established in 2006 Category:GitHub