xiaotianming
@xiaotianming
Thank you, I solved the problem by reinstalling.
I wonder how fuzzyc2cpg processes defines and macros?
Phan Dinh Cong
@DinhCongPhan_gitlab
@fabsx00 How can I add a new node and new edges in each method during the creation process of the CPG? For example, I want to create a node that has "Local type" and link all its identifiers to this node.
I found an example of a custom CPG node here, but it isn't clear enough for me. Thanks.
Michael Pollmeier
@mpollmeier
:trumpet: version 1.1.x series is now ready for prime time - latest release is 1.1.4. The most noteworthy change is the new iteration of our cpg query language (CPGQL).
While that's generally good news, it may impact your existing scripts, so please follow the migration guide.
The documentation has been updated as well.
If you need help with the migration, please let us know.
Yizheng Jiao
@jyizheng
Can Joern be used to get PDG of Linux kernel source code?
xiaotianming
@xiaotianming
How do I know which file a function belongs to?
xiaotianming
@xiaotianming
How do I use Joern in Python?
Niko Schmidt
@itsacoderepo
How do I know which file a function belongs to?
joern> cpg.method.map{ method=>  s"""${method.name} in ${method.start.file.name.l.head}"""  }.l.sorted.distinct
Ati Priya
@Atipriya

Hey!
I am trying to find the location of all the variables in a function.
When I run the below query, it gives me all the occurrences except where the variable is defined.

joern> cpg.identifier.l.filter(_.method.name.contains("addition")).map(x=> (x.name, x.location.lineNumber.get))
res3: List[(String, Integer)] = List(("sum", 11), ("num2", 6), ("num1", 6), ("sum", 6))
#include <stdio.h>
int addition(int num1, int num2)
{
    int sum;
    /* Arguments are used here */
    sum = num1 + num2;

    /* Function return type is integer so we are returning
     * an integer value, the sum of the passed numbers.
     */
    return sum;
}

As per my understanding, shouldn't it give me ("sum", 4) as well?
(If not, how can I get the location where the variable is defined?)

AGITO
@GAMERAvsGYAOS_twitter

Hello, I started studying joern a few days ago. I also read the paper and the property graph. I would like to ask you something very simple. What kind of query should I ask to find the "strcpy" vulnerability in the code below?

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[5]; // If more than 8 characters input

    if (argc < 2)
    {
        printf("strcpy() NOT executed....\n");
        printf("Syntax: %s <characters>\n", argv[0]);
        exit(0);
    }

    strcpy(buffer, argv[1]);
    printf("buffer content= %s\n", buffer);

    printf("strcpy() executed...\n");

    return 0;
}

Jai Verma
@jaiverma

@Atipriya, you can get local variables of a function with:

joern> cpg.method.name("addition").local.l 
res2: List[Local] = List(
  Local(
    id -> 13L,
    code -> "sum",
    name -> "sum",
    closureBindingId -> None,
    typeFullName -> "int",
    dynamicTypeHintFullName -> List(),
    lineNumber -> None,
    columnNumber -> None,
    order -> null
  )
)

This won't have any location information though. You can get Identifiers from this with:

joern> cpg.method.name("addition").local.referencingIdentifiers.l.map(x => (x.name, x.location.lineNumber.get)) 
res5: List[(String, Integer)] = List(("sum", 6), ("sum", 11))

The problem here as well though is that this doesn't have the declaration of the variable. I don't think there's a way to get variable declarations from the CPG.

If you had initialized the variable when you declared it, then it would have been possible, because then that would've been a call to Operators.assignment.

Now when you change the code to this:

#include <stdio.h>
int addition(int num1, int num2)
{
    int sum = 0;  // <--- initialize variable
    sum = num1+num2;
    return sum;
}
joern> cpg.method.name("addition").local.referencingIdentifiers.l.map(x => (x.name, x.location.lineNumber.get)) 
res2: List[(String, Integer)] = List(("sum", 4), ("sum", 5), ("sum", 6))

This is because we have it in a call to the assignment operator.

joern> cpg.call.name(Operators.assignment).l.last 
res5: Call = Call(
  id -> 13L,
  code -> "sum = 0",
  name -> "<operator>.assignment",
  order -> 1,
  methodInstFullName -> None,
  methodFullName -> "<operator>.assignment",
  argumentIndex -> 1,
  dispatchType -> "STATIC_DISPATCH",
  signature -> "TODO assignment signature",
  typeFullName -> "ANY",
  dynamicTypeHintFullName -> List(),
  lineNumber -> Some(4),
  columnNumber -> Some(8),
  resolved -> None,
  depthFirstOrder -> None,
  internalFlags -> None
)
Jai Verma
@jaiverma

@GAMERAvsGYAOS_twitter, I don't know of any easy way to find this bug for a variable declared on the stack. If buffer was allocated with malloc(sz), then this would've been much easier as you would've already seen in some examples.

This is what I could come up with for this snippet:

You could check for calls to strcpy, and basically, since the buffer is allocated on the stack, the size would be in the data type of the variable which you could get with:

joern> cpg.call.name("strcpy").argument.isIdentifier.evalType.p 
res6: List[String] = List("char [ 5 ]")

So you can see that it is a static buffer of size 5.

A more suitable example would be if we replace strcpy with strncpy, since strcpy is generally always vulnerable.

strncpy(buffer, argv[1], 8);

So to find this, we could do:

def f() = {
    val x = cpg.call.name("strncpy")
        .argument
        .order(1)
        .isIdentifier
        .evalType
        .l
        .head

    val y = cpg.call.name("strncpy")
        .argument
        .order(3)
        .isLiteral
        .l
        .head
        .code
        .toInt

    val pattern = "\\d+".r
    val sz = pattern.findFirstIn(x)

    val bufsize = sz match {
        case Some(n) => n.toInt
        case None => 0
    }

    if (bufsize >= y) {
        println("Not vulnerable")
    }
    else {
        println(s"Vulnerable")
    }
}
joern> f 
Vulnerable
xiaotianming
@xiaotianming
Does anyone know how to solve this problem?
When I want to output the result, the JVM cannot create a new thread.
AGITO
@GAMERAvsGYAOS_twitter
@jaiverma, thank you for your kindness, I see. I'll check the malloc samples.
Ati Priya
@Atipriya
@jaiverma Thank you for helping out!
xiaotianming
@xiaotianming
@itsacoderepo Thank you very much for your reply.
Niko Schmidt
@itsacoderepo
You can provide more memory with -J-XmxNg, where N is the number of GB of memory. E.g. ./joern -J-Xmx8g starts joern with 8GB of memory.
xiaotianming
@xiaotianming
I tried setting N to 1, 2, 4, 8, 16, 32, but I still get an error.
I found a strange phenomenon: when I run cpg.runScript("graph/ast-for-funcs-dump.sc") I get the correct result, but when I run cpg.runScript("graph/ast-for-funcs.sc") it causes an error.
xiaotianming
@xiaotianming
When I use joern --server, cpg.runScript("graph/ast-for-funcs.sc") did not give a result.
Fabian Yamaguchi
@fabsx00
Hey. I'll look into all those AST/CFG/PDG scripts this week. They're all a bit dated.
StevenRowe
@StevenRowe

Hi all,

I am trying to analyze the data flow of the following code:

#include <stdarg.h>
#include <stdio.h>

int
snprintf(char *str, size_t count, const char *fmt, ...)
{
    int            len;
    va_list        args;

    va_start(args, fmt);
    len = vsnprintf(str, count, fmt, args);
    va_end(args);
    return len;
}

When I tried to execute this query

cpg.method.name("snprintf").call("<operator>.assignment").reachableBy(cpg.method.name("snprintf").parameter).l

I run out of memory and get this error:

2020-09-16 09:17:35.708 WARN HeapUsageMonitor: heap usage after GC: 99% -> will clear some references (if possible)

However, I am running joern with -Xmx300G, so there should be more than enough space.

My guess is that it has something to do with the overall size of the CPG. I have problems executing this query on the CPG of the whole project's codebase (which has a size of 3.7 GB). But when I created a CPG of just the file that contains the method, my query works just fine.

Am I doing anything wrong?

DarkaMaul
@DarkaMaul
Hi all, I would like to cite Joern in my paper, any clue which reference I should use? (For the CPG definition, I used: Modeling and Discovering Vulnerabilities with Code Property Graphs)
Jai Verma
@jaiverma

@StevenRowe, I also face the same issue for larger projects, so I create smaller CPGs for subsets of the code and then run a query. I also divide the work into smaller chunks. For example, I try to write a query as a Scala function which will operate on one single function at a time, and then run it iteratively for all functions in the CPG so that I can see gradual results and know that it is working.

For your query, try doing:

def f() = {
    val m = cpg.method.name("snprintf")
    val src = m.ast.isCallTo("<operator>.assignment")
    val sink = m.parameter
    sink.reachableBy(src).l
}
StevenRowe
@StevenRowe
@jaiverma Thank you for your help. I thought I was the only one with this problem.
Niko Schmidt
@itsacoderepo

Hi all, I would like to cite Joern in my paper, any clue which reference I should use? (For the CPG definition, I used: Modeling and Discovering Vulnerabilities with Code Property Graphs)

Hi @DarkaMaul, the paper is correct. :)

Jai Verma
@jaiverma

Is there a way to model a 'passes' query in Joern?

For example:

void f(char *s) {
    a(s);
    validate(s);
}
void g(char *s) {
    validate(s);
    a(s);
}
I want to identify code which calls function a without calling validate with s as an argument.
Here, I want Joern to identify function f, but not function g because that is calling validate on s before calling a.
Neeraj Pal
@bsdb0y
@jaiverma I am not quite sure, but just thinking and trying: isn't it possible to do
cpg.method.ast.isCall.code.l
and then, for each and every method, if and only if the first call is "a", print the function and line info?
Neeraj Pal
@bsdb0y
Well, this idea is not generic; I mean we can implement some logic to make it generic for any code.
Niko Schmidt
@itsacoderepo
@jaiverma I don't know if this is generic enough but it is a good starter :)
joern>
def foo(dangerZone: String, validationFunction: String, argument: String) = {
    val methods = cpg.method
                     .where(_.callee.name(dangerZone))
                     .where(_.callee.name(validationFunction)
                                    .parameter
                                    .argument
                                    .code(argument)
                           )
    methods.filter { m =>
        m.start.call.name(validationFunction).lineNumber.head.toInt <
        m.start.call.name(dangerZone).lineNumber.head.toInt
    }
}
defined function foo

joern> foo("a","validate","s").l.map(_.name)
res63: List[String] = List("g")
Phan Dinh Cong
@DinhCongPhan_gitlab
@fabsx00 I wonder why the CPG doesn't have nodes for global variables. I see the CPG also has FileNode, Namespace, Local, ... but it doesn't have global variables. Is there any way to customize my own global variable node? Thanks for your concern!
Jai Verma
@jaiverma
Thanks @itsacoderepo!
Ye Han
@XiaoYeZi121
ddd
Niko Schmidt
@itsacoderepo
<esc>:q!
Fabian Yamaguchi
@fabsx00
For anyone who's been struggling with exporting AST/CFG/DDG/CDG: https://docs.joern.io/exporting
Niko Schmidt
@itsacoderepo
And maybe you want to follow https://twitter.com/joernio :)
Fabian Yamaguchi
@fabsx00
After running joern-parse <directory>, you can now run ./joern-export and it will dump 2014-style intra-procedural code property graphs for all functions into the directory out. Tested it on the VLC code base. Export takes about 2.5 minutes. Those graphs can then be processed with pygraphviz, for example.
I'll be adding a few flags now to export only PDGs or only ASTs. That should close some of the tickets we've been seeing and enable people in their CPG-based research.
Fabian Yamaguchi
@fabsx00
It's ready (joern-export): ShiftLeftSecurity/joern#356
xiaotianming
@xiaotianming
How can Joern handle source code stored in .h5 or other files?
xiaotianming
@xiaotianming
How do I know which file dot belongs to when I use 'run.dump.cpg14'?
xiaotianming
@xiaotianming
Why can't Joern generate the data dependency graph and program dependency graph?
Phan Dinh Cong
@DinhCongPhan_gitlab
Sorry for my interruption, but is there anyone curious about ShiftLeft OverflowDB, which is the graph database used to store nodes in the CPG? I want to use it in my project but its documentation on GitHub is out of date!