max-leuthaeuser
commented
1 day ago
- This package cannot neatly return a tree for the CFG such as
cpg.cfgNode.toList. If we want the tree, we need to select a starting node and then perform a DFS/BFS to get a tree on our own;
Joern’s CFG representation is designed to model program flow in a way that aligns with actual control flow in software, which is inherently non-tree-like. CFGs are often directed graphs with cycles due to loops and other control flow constructs, so they naturally resist a strict hierarchical tree structure. Instead, Joern provides flexible traversal methods that gives control over how to walk through the CFG. This includes DFS, BFS, and other traversal methods that suit different analysis goals. Joern’s API is modular, so you can easily build custom traversals based on the specific needs of your analysis.
- The AST representation is too simple. Compared to the Python native AST library, this package only supports limited syntaxes. For instance, if there is an assignment statement, this package cannot return the left and right hand side of the statement.
Joern’s AST representation prioritizes cross-language support and compatibility with its CPG model. This model emphasizes program structure in a way that can generalize across languages, which sometimes requires a trade-off in language-specific AST details. For example, representing assignments as atomic operations is done to normalize operations across languages, especially for cross-language analysis tasks. Joern’s CPG model includes both data flow and control flow edges. This allows you to perform deeper analysis that can distinguish between LHS and RHS in assignments by exploring data dependencies, rather than syntactic parsing. By combining Joern’s AST with data flow and control flow analysis, you can perform rich, multi-level queries that surpass what a traditional AST alone would provide. But also pure AST-based queries / traversals are available.
- The traversal on CPG is not good. this package just dumps all the things without enough logical connection on any representation such as AST, CFG, call graph.
Quite the opposite is true. Joern’s CPG model is intentionally designed as an interconnected graph that combines AST, CFG, call graphs, and data flow into a unified structure. This model is actually one of Joern’s key advantages, as it allows traversing across these different representations in a single query. If you wish to isolate specific components, like only an AST or only a CFG, Joern provides API calls to retrieve each representation individually or combined as required. The flexibility of Joern’s DSL and the modular CPG design means you can perform specific queries across AST, CFG, and data flows, going beyond the capabilities of isolated graphs.
DavidBakerEffendi
Hi folks, I really appreciate your work, and realize Joern highly depends on this package.
However, I find the representation of this CPG is poor. For example, here are my practices,
cpg.cfgNode.toList. If we want the tree, we need to select a starting node and then perform a DFS/BFS to get a tree on our own;I want to implement heavy static analysis based on your work. However, I was stuck in the early stage. If you can give some suggestions, I would really appreciate it! Thank you very much!
Here is the reference: https://github.com/Fraunhofer-AISEC/cpg. They support further static analysis.