release Joern SBT Github All Releases Gitter
Joern is a platform for analyzing source code, bytecode, and binary executables. It generates code property graphs (CPGs), a graph representation of code for cross-language code analysis. Code property graphs are stored in a custom graph database. This allows code to be mined using search queries formulated in a Scala-based domain-specific query language. Joern is developed with the goal of providing a useful tool for vulnerability discovery and research in static program analysis.
Website: https://joern.io
Documentation: https://docs.joern.io/
Specification: https://cpg.joern.io
- JDK 11 (newer versions might work, but have not been properly tested)
- optional: gcc and g++ (for auto-discovery of C/C++ system header files if included/used in your C/C++ code)
wget https://github.com/joernio/joern/releases/latest/download/joern-install.sh
chmod +x ./joern-install.sh
sudo ./joern-install.sh
joern
Compiling (synthetic)/ammonite/predef/interpBridge.sc
Compiling (synthetic)/ammonite/predef/replBridge.sc
Compiling (synthetic)/ammonite/predef/DefaultPredef.sc
Compiling /home/tmp/shiftleft/joern/(console)
██╗ ██████╗ ███████╗██████╗ ███╗ ██╗
██║██╔═══██╗██╔════╝██╔══██╗████╗ ██║
██║██║ ██║█████╗ ██████╔╝██╔██╗ ██║
██ ██║██║ ██║██╔══╝ ██╔══██╗██║╚██╗██║
╚█████╔╝╚██████╔╝███████╗██║ ██║██║ ╚████║
╚════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝
joern>
If the installation script fails for any reason, try
./joern-install --interactive
Quick way to develop and test QueryDB:
sbt stage
./querydb-install.sh
./joern-scan --list-query-names
The last command prints all available queries - add your own in querydb, run the above commands again to see that your query got deployed. More details in the separate querydb readme
Various static analysis benchmarks that measure Joern are contained under the benchmarks. The benchmarks are
implemented in ScalaTest and can be run using the joern-benchmarks script. The benchmark results can be found on
the benchmarks subproject's README. The currently implemented benchmarks along with the language frontends tested
are:
- Securibench Micro [
javasrc2cpg,jimple2cpg] - IFSpec (paper) [
javasrc2cpg,jimple2cpg] - JInfoFlow (paper) [
javasrc2cpg,jimple2cpg]
For more instructions on how to run benchmarks individually head over to the benchmarks subproject. If you would
like the benchmark results to be written to a file instead of printed to STDOUT, set the path to the environment
variable JOERN_BENCHMARK_RESULT_FILE.
Step1:切换到dot文件所在的目录
$ cd /target path
Step2:通过dot文件生成png格式结果
$ dot -Tpng [target].dot -o [target].png