Rasmus Lindqvist
@rasmusli_gitlab
Oh alright, thanks! Is it possible to export it as .json though? :) Sorry if I missed something in the documentation
xiaotianming
@xiaotianming
How to distinguish whether method is defined in source code or just called?
Fabian Yamaguchi
@fabsx00
@rasmusli_gitlab @jaiverma concerning the plotting functionality: You can also set config.tools.imageViewer to another image viewer on the shell
so joern > config.tools.imageViewer = "/path/to/a/different/viewer"
@rasmusli_gitlab right now, it's just dot, so you'd have to convert.
Might get to json some time, but until then: PRs are welcome ;)
@xiaotianming cpg.method.isExternal
Alessandro Mantovani
@elManto
Hi all! I'm a new Joern user. I'm writing to you because I don't know how to model a problem (speaking about C language). Basically I want to capture off-by-one errors that write in a buffer. The typical scenario could be:
int i;
int buf[N];
for (i = 0; i <= N; i++) {   // loop bound is <= N, so the last iteration writes buf[N]
    buf[i] = 1;
}
buf[i] = 0;                  // i is N + 1 here, another out-of-bounds write
Alessandro Mantovani
@elManto
To me, it seems that to properly detect this, you need to have some info about the state. I mean, you should know that the i variable is increasing, and that eventually it exceeds the buffer length. But honestly I don't have any ideas about how to implement this in Joern. Maybe there is a better, more Joern-oriented strategy?
Niko Schmidt
@itsacoderepo
@elManto you can query for the for condition
e.g.
joern> cpg.method.controlStructure.expressionDown.order(2).code.l 
res45: List[String] = List("i <= N")
Niko Schmidt
@itsacoderepo
You could also do something like this:
joern> val loopTo = cpg.method.controlStructure.expressionDown.order(2).isCallTo(Operators.lessEqualsThan).argument.order(2).code.l.head 
loopTo: String = "N"

joern> cpg.method.local.typeFullNameExact(s"""int [ $loopTo ]""").code.l 
res60: List[String] = List("buf")
Niko Schmidt
@itsacoderepo
cpg.method                                        // query all methods
   .controlStructure                              // filter for control structures
   .parserTypeName("ForStatement")                // only for statements
   .expressionDown                                // "going one layer down"
   .order(2)                                      // choosing the second argument of the expression => for(i = 0; i <= N; i++){  
   .isCallTo(Operators.lessEqualsThan)            // it has to be a call to "<="   
   .argument                                      // going to the arguments of the call to "<="
   .order(2)                                      // second argument is the "N"
   .code                                          // get the code of the second argument
   .l                                             // as list (in this case it is only argument but could be more)
   .head                                          // get the first entry in the list
I guess we need to add a "how to find off-by-one errors" example, with comments and everything
Alessandro Mantovani
@elManto
I see, cool! Thanks
Alessandro Mantovani
@elManto

Hey, sorry guys, I cannot model this UAF:

struct a_type * a;
...
free(a);
a->field--;

My idea was to track the flows between the free args and the <operator>.indirectFieldAccess calls. But I'm getting an empty list for now

Rasmus Lindqvist
@rasmusli_gitlab

@rasmusli_gitlab right now, it's just dot, so you'd have to convert.

I re-wrote the old 'graph_for_funcs.sc' script to make it convert to json in that way. But I guess you'd want a more long-term solution that is not a script as a PR

Viktor Bard
@viktorbard_gitlab
Hi everyone! I'm using python subprocess to write commands into the Joern interactive shell. As my dataset is quite large, I decided to split the process into many subsets. This is working fine for a small number of splits, but for >3 splits the Joern interactive shell freezes and doesn't process. Is there a limit on the number of calls that can be processed one after another in the interactive shell, or should this be possible without closing it in between the calls?
Fabian Yamaguchi
@fabsx00
No intended limit, at least. Can you provide exact steps to reproduce?
@rasmusli_gitlab if you could share the script, that would be great. We can base a long term solution on it.
Viktor Bard
@viktorbard_gitlab
@fabsx00 After some consideration I think the problem lies in the size of the functions to be parsed. I tried filtering out large functions and then it works fine.
shan
@shan12138
@rasmusli_gitlab Hello, are you also reproducing the devign paper? I encountered the same problem as you during this process. After the revision, joern does not seem to support vertex node traversal, so that the "graph-for-funcs.sc" script does not run successfully. Do you have a solution to this problem now, and if yes, can you share it? Thank you very much.
Rasmus Lindqvist
@rasmusli_gitlab
@shan12138, @fabsx00, yeah sure, I can share the script. I'll be able to do it tomorrow afternoon :)
scolleyuk3
@scolleyuk3
just a quick question: what algorithm do Joern/Ocular use to carry out taint tracking? taint tracking in Joern is interprocedural these days right?
xiaotianming
@xiaotianming
Does Joern support variable renaming?
@fabsx00 What is the way to call Joern in Python to analyze the source code of string format, not to generate files in workspace? There are so many files generated in this way that it is very slow.
m1cm1c
@m1cm1c
what is the difference between ORDER and ARGUMENT_INDEX? if present, ARGUMENT_INDEX always seems to be the same as ORDER
colorlight
@colorlight
hi everyone, I'm a starter of joern, I'm following the document of quick start, but when I import code in the joern-cli, I get a response of
joern> importCode(inputPath="./x42/c", projectName="x42-c")
Creating project x42-c for code at ./x42/c
Project with name x42-c already exists - overwriting
Support for this language is only available in ShiftLeft Ocular with an appropriate license
res0: Option[Cpg] = None
I'm wondering what's the problem
Fabian Yamaguchi
@fabsx00
hm, sounds like a bug in the distro. We'll get that fixed. For now, try joern-parse ./x42/c/ instead, and then in joern: importCpg("cpg.bin")
DogeWatch
@DogeWatch

@fabsx00 What is the way to call Joern in Python to analyze the source code of string format, not to generate files in workspace? There are so many files generated in this way that it is very slow.

I have the same question, do you have any idea now?

Claudiu-Vlad Ursache
@ursachec
@colorlight did you try downloading the latest version of Joern using the instructions at https://docs.joern.io/installation?
I've just tested the quickstart instructions on a Linux machine and they work as expected.
If that doesn't help, could you post your system details so we can look for potential issues with the distribution?
Claudiu-Vlad Ursache
@ursachec
@xiaotianming If I understood you correctly, and you'd like to generate a CPG for a subset of files found in a project directory, then I suggest that you point Joern at the subdirectory you intend to analyze. You won't get around generated files in the workspace, that's part of Joern's core functionality. As to your question about Python, you can start Joern as a server (https://docs.joern.io/server) and use a Python client library (https://github.com/joernio/cpgqls-client-python) to send it commands
@DogeWatch ^^
xiaotianming
@xiaotianming
@ursachec When my project contains a lot of files and I want to generate a Cpg one by one, Joern's speed is too slow. When I generate the Cpg from the whole project at once, the speed is very fast. Is there any way to improve the speed of the separate analysis?
Claudiu-Vlad Ursache
@ursachec
@xiaotianming triggering an analysis has some ramp-up time, so if you trigger multiple on small inputs, they may end up costing more time than a single large one. If you want to generate a large amount of CPGs using joern, then you might have to set up your own data processing pipeline, maybe using custom scripts (https://docs.joern.io/interpreter)
xiaotianming
@xiaotianming
Thank you! @ursachec
Nikita Mehrotra
@nikitamehrotra12
Hi, I'm a new Joern user. I was exporting the generated CPG14 to a dot file... but while using the joern-export command I am getting the error -> "command not found"
damaoooo
@damaoooo
Hi, how can I export the Joern CPG into (node.csv, edge.csv) or another file format which neo4j can read, and how can I export the three into Python? I found that in the old version of joern and neo4j, changing the data path of neo4j can surely do that, but in the new version of joern or the new version of neo4j, that can't be done. So how can I export the CPG14 into neo4j and Python?
m1cm1c
@m1cm1c
according to "Modeling and Discovering Vulnerabilities with Code Property Graphs", control flow edges need to be labeled: "While these edges need not be ordered as in the case of the abstract syntax trees, it is necessary to assign a label of true, false or ε to each edge." How can these labels be accessed in joern? I assumed that edge labels are modeled as edge properties, but I cannot find a single control flow edge with any properties
sweetchuck8481
@sweetchuck8481
Hey guys, I installed joern today and encountered the same problem as @colorlight while trying the stuff from your documentation.
I am running a VM with Ubuntu 16.04.5
Thanks in advance for looking into it!
Juilia F
@FJuilia_twitter
hey :) I'm just wondering how I can follow data dependency edges. I can see them when I export the DDG via joern-export, but I don't know what types of edges to look for when I'm in joern. Can you help me, please?
sweetchuck8481
@sweetchuck8481
Hello again. I checked Version v1.1.55 and with that it worked fine. Maybe that information can help.
Claudiu-Vlad Ursache
@ursachec

hey @FJuilia_twitter! Joern features a step named ddgIn you can use to follow data dependency edges. For example, in the following program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
  if (argc > 1 && strcmp(argv[1], "42") == 0) {
    fprintf(stderr, "It depends!\n");
    exit(42);
  }
  printf("What is the meaning of life?\n");
  exit(0);
}

you can follow DDG edges for the call to strcmp like so:

joern> cpg.call.name("strcmp").ddgIn.l 
res103: List[nodes.TrackingPoint] = List(
  Literal(
    id -> 1000117L,
    code -> "0",
    order -> 2,
    argumentIndex -> 2,
    typeFullName -> "int",
    dynamicTypeHintFullName -> List(),
    lineNumber -> Some(6),
    columnNumber -> Some(43),
    depthFirstOrder -> None,
    internalFlags -> None
  ),
  MethodParameterIn(
    id -> 1000104L,
    code -> "char *argv[]",
    order -> 2,
    name -> "argv",
    evaluationStrategy -> "BY_VALUE",
    typeFullName -> "char * [ ]",
    dynamicTypeHintFullName -> List(),
    lineNumber -> Some(5),
    columnNumber -> Some(19)
  )
)
Claudiu-Vlad Ursache
@ursachec
Additionally, reachableBy might also help:
joern> cpg.call.name("strcmp").reachableBy(cpg.method.parameter).l 
res105: List[MethodParameterIn] = List(
  MethodParameterIn(
    id -> 1000104L,
    code -> "char *argv[]",
    order -> 2,
    name -> "argv",
    evaluationStrategy -> "BY_VALUE",
    typeFullName -> "char * [ ]",
    dynamicTypeHintFullName -> List(),
    lineNumber -> Some(5),
    columnNumber -> Some(19)
  )
)
Juilia F
@FJuilia_twitter

@ursachec thank you for your answer :) Unfortunately, your solution does not seem to work. ddgIn always yields an empty list, including if I try your example. I also noticed that ddgOut does not exist:

joern> cpg.call.name("strcmp").ddgIn.l 
res59: List[nodes.TrackingPoint] = List()

joern> cpg.call.name("strcmp").l 
res60: List[Call] = List(
  Call(
    id -> 1000112L,
    code -> "strcmp(argv[1], \"42\")",
    name -> "strcmp",
    order -> 1,
    methodInstFullName -> None,
    methodFullName -> "strcmp",
    argumentIndex -> 1,
    dispatchType -> "STATIC_DISPATCH",
    signature -> "TODO assignment signature",
    typeFullName -> "ANY",
    dynamicTypeHintFullName -> List(),
    lineNumber -> Some(6),
    columnNumber -> Some(18),
    resolved -> None,
    depthFirstOrder -> None,
    internalFlags -> None
  )
)

joern> cpg.call.name("strcmp").ddgIn.l 
res61: List[nodes.TrackingPoint] = List()

joern> cpg.call.name("strcmp").ddgOut.l 
cmd62.sc:1: value ddgOut is not a member of overflowdb.traversal.Traversal[io.shiftleft.codepropertygraph.generated.nodes.Call]
val res62 = cpg.call.name("strcmp").ddgOut.l
                                    ^
Compilation Failed

If I try reachableBy, I also just get an empty list:

joern> cpg.call.name("strcmp").reachableBy(cpg.method.parameter).l 
res62: List[MethodParameterIn] = List()

Is there a command that needs to be called first so that these commands work? Like a command to build the DDG?