- Notifications
You must be signed in to change notification settings - Fork1
Python library for code analysis with CPG and Joern
License
AppThreat/joern-lib
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
This project offers a high level python library to perform code analysis with CPG and Joernserver. Several API methods including integration withNetworkX andPyTorch Geometric are offered to perform code analysis and research on complex code bases in a pythonic manner from cli and from notebooks.
pip install joern-lib# To install the optional science pack, clone this repo and use poetry > 1.5 to install the science grouppoetry install --with science# cpupoetry install --with science-cu117# cuda 11.7poetry install --with science-cu118# cuda 11.8
The repository includes docker compose configuration to interactively query the joern server with polynote notebooks.
Run joern server and polynote locally.
git clone https://github.com/appthreat/joern-lib.git# Edit docker-compose.yml to set sources directorydocker compose up -d# podman-compose up --buildNavigate tohttp://localhost:8192 for an interactive polynote notebook. You could open one of the sample notebooks from thecontrib directory to learn about Joern server and this library.
Refer to theAPI documentation for programmatic usage.
python -m asyncioExecute single query
from joern_lib import client, workspace, utilsfrom joern_lib.detectors import common as cpgconnection = await client.get("http://localhost:9000", "http://localhost:7072", "admin", "admin")# connection = await client.get("http://localhost:9000")res = await client.q(connection, "val a=1");# {'response': 'a: Int = 1\n'}Execute bulk query
res = await client.bulk_query(connection, ["val a=1", "val b=2", "val c=a+b"]);# [{'response': 'a: Int = 1\n'}, {'response': 'b: Int = 2\n'}, {'response': 'c: Int = 3\n'}]List workspaces
res = await workspace.ls(connection)Get workspace path
res = await workspace.get_path(connection)# /workspace (Response would be parsed)Check if cpg exists
await workspace.cpg_exists(connection, "NodeGoat")Import code for analysis
res = await workspace.import_code(connection, "/app", "NodeGoat")# TrueImport an existing CPG for analysis
res = await workspace.import_cpg(connection, "/app/sandbox/crAPI/cpg_out/crAPI-python-cpg.bin.zip", "crAPI-python")Create a CPG with a remote cpggen server
res = await workspace.create_cpg(connection, "/app/sandbox/crAPI", out_dir="/app/sandbox/crAPI/cpg_out", languages="python", project_name="crAPI-python")List files
res = await cpg.list_files(connection)# list of filesPrint call tree
res = await cpg.get_call_tree(connection, "com.example.vulnspring.WebController.issue:java.lang.String(org.springframework.ui.Model,java.lang.String)")utils.print_tree(res)from joern_lib.detectors import javaList http routes
await java.list_http_routes(connection)from joern_lib.detectors import jsList http routes
await js.list_http_routes(connection)Name of the variable containing express()
await js.get_express_appvar(connection)List of require statements
await js.list_requires(connection)List of import statements
await js.list_imports(connection)List of NoSQL DB collection names
await js.list_nosql_collections(connection)Get HTTP sources
await js.get_http_sources(connection)await js.get_http_sinks(connection)Requires TypeScript project
await js.list_aws_modules(connection)If Joern server stops responding after a while restart docker.
docker compose downdocker compose up -dAdding asyncio.sleep(0) seems to fix such errors.
# Workaround to fix websockets.exceptions.ConnectionClosedErrorawait asyncio.sleep(0)Alternatively, use the sync api.
pygraphviz/graphviz_wrap.c:2711:10: fatal error: graphviz/cgraph.h: No such file or directory 2711 | #include "graphviz/cgraph.h" | ^~~~~~~~~~~~~~~~~~~ compilation terminated. error: command '/usr/bin/gcc' failed with exit code 1Installgraphviz-devel orgraphviz-dev package for your OS. Seehere
About
Python library for code analysis with CPG and Joern