I find an example of a custom Cpg node in here but it isn't enough clear for me. Thanks.
1.1.x series is now ready for prime time - latest release is 1.1.4. The most noteworthy change is the new iteration of our cpg query language (CPGQL).While that's generally good news, it may impact your existing scripts, so please follow the migration guide.
The documentation has been updated as well.
If you need help with the migration, please let us know.
Hey!
I am trying to find the location of all the variables in a function.
When I run the below query, it gives me all the occurrences except where the variable is defined.
joern> cpg.identifier.l.filter(_.method.name.contains("addition")).map(x=> (x.name, x.location.lineNumber.get))
res3: List[(String, Integer)] = List(("sum", 11), ("num2", 6), ("num1", 6), ("sum", 6))#include <stdio.h>
int addition(int num1, int num2)
{
int sum;
/* Arguments are used here*/
sum = num1+num2;
/* Function return type is integer so we are returning
* * an integer value, the sum of the passed numbers.
* */
return sum;
}As per my understanding, shouldn't it give me ("sum", 4) as well?
(If not, how can I get the location where the variable is defined?)
Hello, I started studying joern a few days ago. I also read the paper and the property graph. I would like to ask you something very simple. What kind of query should I ask to find the "strcpy" vulnerability in the code below?
int main(int argc, char *argv[])
{
char buffer[5]; // If more than 8 characters input
if (argc < 2)
{
printf("strcpy() NOT executed....\n");
printf("Syntax: %s <characters>\n", argv[0]);
exit(0);
}
strcpy(buffer, argv[1]);
printf("buffer content= %s\n", buffer);
printf("strcpy() executed...\n");
return 0; }
@Atipriya, you can get local variables of a function with:
joern> cpg.method.name("addition").local.l
res2: List[Local] = List(
Local(
id -> 13L,
code -> "sum",
name -> "sum",
closureBindingId -> None,
typeFullName -> "int",
dynamicTypeHintFullName -> List(),
lineNumber -> None,
columnNumber -> None,
order -> null
)
)This won't have any location information though. You can get Identifiers from this with:
joern> cpg.method.name("addition").local.referencingIdentifiers.l.map(x => (x.name, x.location.lineNumber.get))
res5: List[(String, Integer)] = List(("sum", 6), ("sum", 11))The problem here as well though is that this doesn't have the declaration of the variable. I don't think there's a way to get variable declarations from the CPG.
If you had initialized the variable when you declared it, then it would have been possible, because then that would've been a call to Operators.assignment.
Now when you change the code to this:
#include <stdio.h>
int addition(int num1, int num2)
{
int sum = 0; // <--- initialize variable
sum = num1+num2;
return sum;
}joern> cpg.method.name("addition").local.referencingIdentifiers.l.map(x => (x.name, x.location.lineNumber.get))
res2: List[(String, Integer)] = List(("sum", 4), ("sum", 5), ("sum", 6))This is because we have it in a call to the assignment operator.
joern> cpg.call.name(Operators.assignment).l.last
res5: Call = Call(
id -> 13L,
code -> "sum = 0",
name -> "<operator>.assignment",
order -> 1,
methodInstFullName -> None,
methodFullName -> "<operator>.assignment",
argumentIndex -> 1,
dispatchType -> "STATIC_DISPATCH",
signature -> "TODO assignment signature",
typeFullName -> "ANY",
dynamicTypeHintFullName -> List(),
lineNumber -> Some(4),
columnNumber -> Some(8),
resolved -> None,
depthFirstOrder -> None,
internalFlags -> None
)@GAMERAvsGYAOS_twitter, I don't know of any easy way to find this bug for a variable declared on the stack. If buffer was allocated with malloc(sz), then this would've been much easier as you would've already seen in some examples.
This is what I could come up with for this snippet:
You could check for calls to strcpy, and basically, since the buffer is allocated on the stack, the size would be in the data type of the variable which you could get with:
joern> cpg.call.name("strcpy").argument.isIdentifier.evalType.p
res6: List[String] = List("char [ 5 ]")So you can see that it is a static buffer of size 5.
A more suitable example would be if we replace strcpy with strncpy, since strcpy is generally always vulnerable.
strncpy(buffer, argv[1], 8);So to find this, we could do:
def f() = {
val x = cpg.call.name("strncpy")
.argument
.order(1)
.isIdentifier
.evalType
.l
.head
val y = cpg.call.name("strncpy")
.argument
.order(3)
.isLiteral
.l
.head
.code
.toInt
val pattern = "\\d+".r
val sz = pattern.findFirstIn(x)
val bufsize = sz match {
case Some(n) => n.toInt
case None => 0
}
if (bufsize >= y) {
println("Not vulnerable")
}
else {
println(s"Vulnerable")
}
}joern> f
Vulnerable
Hi all,
i am trying to analyze the data flow of the following code:
int
snprintf(char *str, size_t count, const char *fmt,...)
{
int len;
va_list args;
va_start(args, fmt);
len = vsnprintf(str, count, fmt, args);
va_end(args);
return len;
}When I tried to execute this query
cpg.method.name("snprintf").call("<operator>.assignment").reachableBy(cpg.method.name("snprintf").parameter).li run out of memory and get this error:
2020-09-16 09:17:35.708 WARN HeapUsageMonitor: heap usage after GC: 99% -> will clear some references (if possible)However, i am running joern with -Xmx300G, so there should more than enough space.
My guess is, that it has something to do with the overall size of the CPG. I have problems executing this query on the CPG of the whole project's codebase (which has a size of 3.7 GB). But when I created a CPG of just the file, that contains the method, my query works just fine.
Am I doing anything wrong?
@StevenRowe, I also face the same issue for larger projects. so i create smaller CPGs for subsets of the code and then run a query. I also divide the work into smaller chunks. For example, I try to write a query as a Scala function which will operate on one single function at a time, and then run iteratively for all functions in the CPG so that I can see gradual results and know that it is working.
For your query, try doing:
def f() = {
val m = cpg.method.name("snprintf")
val src = m.ast.isCallTo("<operator>.assignment")
val sink = m.parameter
sink.reachableBy(src).l
}a without calling validate with s as an argument.Here, I want Joern to identify function
f, but not function g because that is calling validate on s before calling a.
joern>
def foo(dangerZone:String, validationFunction:String, argument:String) = {
val methods = cpg.method
.where(_.callee.name(dangerZone))
.where(_.callee.name(validationFunction)
.parameter
.argument
.code(argument)
)
methods.filter{ m=>
m.start.call.name(validationFunction).lineNumber.head.toInt <
m.start.call.name(dangerZone).lineNumber.head.toInt
}
}
defined function foo
joern> foo("a","validate","s").l.map(_.name)
res63: List[String] = List("g")
joern-parse <directory>, you can now run ./joern-export and it will dump 2014 style intra-procedural code property graphs for all functions into the directory out. Tested it on the VLC code base. Export takes about 2.5 minutes. Those graphs can the be processed with pygraphviz, for example.
