This article is a brief introduction to Joern Scan, a code scanner built on top of Joern. Joern Scan helps you detect security issues inside programs and can help guide your vulnerability discovery and variant analysis processes. Whether you're looking for the usage of insecure functions like strcpy, instances of use-after-free, or are trying to find methods with a high number of conditionals for a closer inspection, this tool is for you.
Let's start by looking at a simple example. To follow along, install Joern by following these instructions; it comes pre-packaged with Joern Scan.
Given the following simple program written in C:
You can run Joern Scan by providing the filepath as input:
Behind the scenes of this invocation, three things happen:
- The Code Property Graph for
- A set of pre-defined queries is executed against the Code Property Graph
- Finally, the results are printed to stdout
The results are the most visible bit. They follow the format:
Results tell you if a Query matched, and where.
The Queries are the most important bit. At a minimum, they have a unique name, a score, a description, and a traversal. This is an example of how a query is defined:
cpg.method("gets").callIn is the graph traversal of the Query. It is wrapped in the withStrRep function for a practical reason: withStrRep captures a string representation of the traversal so that Joern Scan can print it alongside the results.
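As an added example (not code from this article or from the Joern project), this is what a query bundle written in the Joern Query Database's Query.make / withStrRep style looks like. It goes beyond the article by adding a second query that is not tagged default, for the "methods with many conditionals" case mentioned in the introduction; the package name, the Crew author entry and the QueryTags.metrics tag are assumptions.

```scala
package io.joern.scanners.c            // assumed package name

import io.joern.scanners._
import io.joern.console._
import io.joern.macros.QueryMacros._
import io.shiftleft.semanticcpg.language._

object ExampleQueries extends QueryBundle {

  // The query discussed in the article: every call site of gets().
  @q
  def insecureGets(): Query =
    Query.make(
      name = "call-to-gets",
      author = Crew.fabs,                // assumed author entry
      title = "Insecure function gets() used",
      description = """
        |gets() cannot bound the number of bytes written to its destination
        |buffer. Prefer fgets() with an explicit size.
        |""".stripMargin,
      score = 8,
      // withStrRep records the traversal's source text so Joern Scan can
      // print it next to each result.
      withStrRep({ cpg =>
        cpg.method("gets").callIn
      }),
      tags = List(QueryTags.badfn, QueryTags.default) // default => runs on every scan
    )

  // Beyond the article: internal methods with many control structures
  // (if/for/while/switch) as candidates for manual review. Not tagged
  // default, so it only runs when selected via --tags or --names.
  @q
  def manyConditionals(maxControlStructures: Int = 10): Query =
    Query.make(
      name = "too-many-conditionals",
      author = Crew.fabs,                // assumed author entry
      title = "Method with a large number of control structures",
      description = s"""
        |Methods with more than $maxControlStructures control structures are
        |hard to reason about and are a good starting point for review.
        |""".stripMargin,
      score = 2,
      withStrRep({ cpg =>
        cpg.method
          .filterNot(_.isExternal)       // skip library stubs without bodies
          .filter(_.ast.isControlStructure.size > maxControlStructures)
      }),
      tags = List(QueryTags.metrics)     // assumed tag name
    )
}
```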
Joern Scan ships with a default set of queries, the Joern Query Database. This set of queries is constantly updated, and contributions are highly encouraged (https://github.com/joernio/query-database).
You can fetch the latest version of the Joern Query Database using the --updatedb flag:
By default, every query carrying the default tag is run against the program under analysis, but you can also selectively choose which ones to run.
You can specify a set of tags, for example:
Or use the tag placeholder all to choose all queries:
Alternatively, you can choose queries using their names:
One other CLI argument you will find useful is --overwrite. --overwrite forces Joern Scan to regenerate a Code Property Graph for the program under analysis. You will want to use this flag whenever significant changes are introduced into a program which you've scanned before. Keep in mind that regenerating Code Property Graphs for large codebases will take some time.
That concludes everything you need to know about how to use Joern Scan. Happy hunting!