Just an FYI, we're working on new documentation for Ocular, and lots of it applies to Joern: https://docs.shiftleft.io/ocular/quickstart
Also, how are there two documentation links
https://joern.io/docs/
https://joern.readthedocs.io/en/latest/
https://joern.io/docs/
https://joern.readthedocs.io/en/latest/
@noodlecaake_twitter, first link is the new documentation. second one is the documentation for the old joern (https://github.com/octopus-platform/joern)
I am looking for some well documented use case of using machine learning guided by joern (like the one done by Fabian himself in his phd thesis chapter 7, https://ediss.uni-goettingen.de/bitstream/handle/11858/00-1735-0000-0023-9682-0/mainFastWeb.pdf)
i just need those functions which are defined in that particular file
by function body, do you mean source code of the function?
for that you can do:
for that you can do:
cpg.method.name("main").dump
I just needed function definitions
STACK_OF(X509) X509_chain_up_ref(STACK_OF(X509) chain)
{
STACK_OF(X509) ret;
int i;
ret = sk_X509_dup(chain);
if (ret == NULL)
return NULL;
for (i = 0; i < sk_X509_num(ret); i++) {
X509 x = sk_X509_value(ret, i);
if (!X509_up_ref(x))
goto err;
}
return ret;
err:
while (i-- > 0)
X509_free (sk_X509_value(ret, i));
sk_X509_free(ret);
return NULL;
}
{
STACK_OF(X509) ret;
int i;
ret = sk_X509_dup(chain);
if (ret == NULL)
return NULL;
for (i = 0; i < sk_X509_num(ret); i++) {
X509 x = sk_X509_value(ret, i);
if (!X509_up_ref(x))
goto err;
}
return ret;
err:
while (i-- > 0)
X509_free (sk_X509_value(ret, i));
sk_X509_free(ret);
return NULL;
}
int test(char* s) {
int size = sizeof(s);
char buf[size+1];
strcpy(buf, s);
}
now i want to check if the first argument to strcpy was initialized with correct size or with a constant
i.e. s.th. like cpg.call.lineNumber(7).argument.head....reachableBy(size) s.th. like that so i know that at least sizeof has been called written to size and then used to initialize the buffer
@234235235, this should work for your example
def buf = cpg.identifier.name("buf")
val buf_type = buf.evalType.head
// get identifiers which are reachable by sizeof
val idents = cpg.identifier.whereNonEmpty(
_.reachableBy(cpg.call.name("<operator>.sizeOf"))
)
// check if any of these identifiers were used in declaration
// of buf
idents.l.filter(buf_type.contains(_.name))although this isn't a very good approach since we're just doing string comparison on the data type. here char buf[size+1] will have an evalType of char[size+1].
since we're just doing string comparison, you'll get false matches if any identifier has a name which is a substring of the type.
I run the script with "cpg.runScript("the absolute path of my script")", I must give the absolute path of my script, it is a little trouble. Am I using joern wrong?
@noodlecaake_twitter That's without doubt possible, most of the work is in actually getting the Code Property Graph exported in a format that can be used by your machine learning algorithm. F-Secure has a team that does some tangential security work (though without a CPG involved) that might guide an idea or two: https://blog.f-secure.com/command-lines/
As to the CPG export, you can always use
toJson or toJsonPretty on any queries you run to help you out
Hello everyone, I have a question.
typedef struct {
int num;
void *ptr;
} arg_t;
void f(arg_t a) {
int x = a.num;
void* y = a.ptr;
x = ntohl(x);
printf("%d\n", x);
}I am interested in finding flows from a struct field to any identifier. For example, flow from the void* ptr field of the arg_t struct to any local variable of the function f.
I am not able to find a way to search using field level granularity. My results contain all fields of the struct.
val src = cpg.method.name("f").parameter.filter(_.typ.name("arg_t"))
val sink = cpg.method.name("f").local.referencingIdentifiers
joern> sink.reachableByFlows(src).p
res5: List[String] = List(
"""________________________________________________________________________________________________________
| tracked | lineNumber| method| file |
|=======================================================================================================|
| f(arg_t a) | 9 | f | /local/mnt/workspace/playground/joern_test/struct_access/main.c|
| x = a.num | 10 | f | /local/mnt/workspace/playground/joern_test/struct_access/main.c|
| ntohl(x) | 13 | f | /local/mnt/workspace/playground/joern_test/struct_access/main.c|
| x = ntohl(x) | 13 | f | /local/mnt/workspace/playground/joern_test/struct_access/main.c|
| printf("%d\n", x)| 14 | f | /local/mnt/workspace/playground/joern_test/struct_access/main.c|
""",
...
"""__________________________________________________________________________________________________
| tracked | lineNumber| method| file |
|=================================================================================================|
| f(arg_t a) | 9 | f | /local/mnt/workspace/playground/joern_test/struct_access/main.c|
| * y = a.ptr| 11 | f | /local/mnt/workspace/playground/joern_test/struct_access/main.c|
""",I tried to filter using FieldIdentifier but did not get any results.
val src = cpg.method.name("f").ast.isFieldIdentifier
val sink = cpg.method.name("f").local.referencingIdentifiers
joern> sink.reachableByFlows(src).p
res16: List[String] = List()I am resorting to this stupid hack for now which checks to see if the name of that field is in the path (but I'm sure this is far from foolproof).
def validate(flow: Steps[Path]) = {
flow.l.filter(
_.elements.filter(
_.ast.isFieldIdentifier
.where(
_.canonicalName == "ptr"
).size > 0
).size > 0
).start
}Also, I think FieldIdentifier does not have any data type information either, so I can't filter on data type of the field. This is what I get when I run joern-parse:
2020-07-08 12:10:24.077 WARN MemberAccessLinker: Could not find type member. type=arg_t, member=ptr
2020-07-08 12:10:24.080 WARN MemberAccessLinker: Could not find type member. type=arg_t, member=num