Is there any way to build call graph path?#7531

Answeredbyintrigus-lgtm

ox1234 asked this question inQ&A

ox1234

Jan 7, 2022

· 2 comments· 4 replies

Answeredbyintrigus-lgtmReturn to top

Discussion options

ox1234
Jan 7, 2022

The codeql document only shows how to generate path query through DataFlow problem.Now i just want to generate call graph path from source to sink and don't want to do any data flow track.Is there a way to do so?

You must be logged in to vote

Answered by intrigus-lgtm

Jan 10, 2022

Have a look at this discussion:#5353 (comment)
Also look at the additional comments from@Marcono1234.

Ithink this is what you want :)

(Quote from the above discussion also copied and pasted below)

Yes, this is possible!
The site you linked to mentions ithere andhere although it's easy too miss or easy to underestimate its potential.
When you use taint or data-flow theedges predicate is defined by thePathGraph module. But you can also define your ownedges query-predicate.
A self-defined query-predicate is used in@agustingianni'sblog post. It's relatively easy to port the code to "Java CodeQL".
Here's my code thatonly creates a path for methods itself and not for the (control fl…

View full answer

Replies: 2 comments 4 replies

Comment options

smowton
Jan 10, 2022
Maintainer

So you've got aDataFlow::PathNode source, DataFlow::PathNode sink but you want something different to the usual dataflow path? Could you given an example of what you do want?

You must be logged in to vote

1 reply

Comment options

ox1234 Jan 10, 2022
Author

Now i have one source method and one sink method. I want to know the call graph path from source to sink such as: source() -> func1() -> func2() -> sink(). I don't want to do any data flow tracking. All i just want to get is the call method path from source to sink. So is there any way to do that?

Comment options

intrigus-lgtm
Jan 10, 2022

Have a look at this discussion:#5353 (comment)
Also look at the additional comments from@Marcono1234.

Ithink this is what you want :)

(Quote from the above discussion also copied and pasted below)

Yes, this is possible!
The site you linked to mentions ithere andhere although it's easy too miss or easy to underestimate its potential.
When you use taint or data-flow theedges predicate is defined by thePathGraph module. But you can also define your ownedges query-predicate.
A self-defined query-predicate is used in@agustingianni'sblog post. It's relatively easy to port the code to "Java CodeQL".
Here's my code thatonly creates a path for methods itself and not for the (control flow) basic-blocks.Link to query
/** * @kind path-problem */import javaclassStartMethodextendsMethod{StartMethod(){getName()="validateExpression"}}classTargetMethodextendsMethod{TargetMethod(){getName()="findValue"}}querypredicateedges(Methoda,Methodb){a.calls(b)}fromTargetMethodend,StartMethodentryPointwhereedges+(entryPoint,end)selectend,entryPoint,end,"Found a path from start to target."