QL training and variant analysis examples

QL and variant analysis

Variant analysis is the process of using a known vulnerability as a seed to find similar problems in your code. Security engineers typically perform variant analysis to identify possible vulnerabilities and to ensure that these threats are properly fixed across multiple code bases.

QL is Semmle’s variant analysis engine, and it is also the technology that underpins LGTM, Semmle’s community driven security analysis platform. Together, QL and LGTM provide continuous monitoring and scalable variant analysis for your projects, even if you don’t have your own team of dedicated security engineers. You can read more about using QL and LGTM in variant analysis in the Semmle blog.

The QL language is easy to learn, and exploring code using QL is the most efficient way to perform variant analysis.

Learning QL for variant analysis

Start learning how to use QL in variant analysis for a specific language by looking at the topics below. Each topic links to a short presentation on the QL language, QL libraries, or an example variant discovered using QL.

When you have selected a presentation, use → and ← to navigate between slides. Press p to view the additional notes on slides that have an information icon ⓘ in the top right corner, and press f to enter full-screen mode.

The presentations contain a number of QL query examples. We recommend that you download QL for Eclipse and import the example snapshot for each presentation so that you can find the bugs mentioned in the slides.


The presentations listed below are used in QL language and variant analysis training sessions run by Semmle engineers. Therefore, be aware that the slides are designed to be presented by an instructor. If you are using the slides without an instructor, please use the additional notes to help guide you through the examples.

QL and variant analysis for C/C++

QL and variant analysis for Java

More resources

  • If you are completely new to QL, look at our introductory topics in Getting started.
  • To find more detailed information about how to write QL queries for specific languages, visit the links in Writing QL queries.
  • To read more about how QL queries have been used in Semmle’s security research, and to read about new QL developments, visit the Semmle blog.
  • Find more examples of queries written by Semmle’s own security researchers in the Semmle Demos repository on GitHub.