# CPG Generator
```
██████╗██████╗ ██████╗
██╔════╝██╔══██╗██╔════╝
██║ ██████╔╝██║ ███╗
██║ ██╔═══╝ ██║ ██║
╚██████╗██║ ╚██████╔╝
╚═════╝╚═╝ ╚═════╝
```
CPG Generator is a Python CLI tool that generates a [Code Property Graph](https://cpg.joern.io) (CPG), a novel intermediate representation, for code and threat analysis. The generated CPG can be imported directly into [Joern](https://joern.io) for analysis.
## Pre-requisites
- JDK 11 or above
- Python 3.10
- Docker or podman (Windows, Linux or Mac) or
- [Atom ⚛](https://github.com/AppThreat/atom#installation) or [Joern](https://docs.joern.io/installation)
## Installation
cpggen is available as a single executable binary, [PyPI package](https://pypi.org/project/cpggen/) or as a [container image](https://github.com/AppThreat/cpggen/pkgs/container/cpggen).
### Single executable binaries
Download the executable binary for your operating system from the [releases page](https://github.com/appthreat/cpggen/releases). These binaries bundle the following:
- [Atom ⚛](https://github.com/AppThreat/atom#installation)
- cpggen with Python 3.10
- cdxgen with Node.js 18 - Generates SBoM
```bash
curl -LO https://github.com/AppThreat/cpggen/releases/latest/download/cpggen-linux-amd64
chmod +x cpggen-linux-amd64
./cpggen-linux-amd64 --help
```
Atom based frontend.
```bash
curl -LO https://github.com/AppThreat/cpggen/releases/latest/download/atomgen
chmod +x atomgen
./atomgen --help
```
On Windows,
```powershell
# In Windows PowerShell, `curl` is an alias for Invoke-WebRequest, so call curl.exe explicitly
curl.exe -LO https://github.com/appthreat/cpggen/releases/latest/download/cpggen.exe
.\cpggen.exe --help
```
NOTE: On Windows, antivirus and antimalware could prevent this single executable from functioning properly. Depending on the system, administrative privileges might also be required. Use container-based execution as a fallback.
### OCI Artifacts via ORAS cli
Use [ORAS cli](https://oras.land/docs/cli/installation/) to download the cpggen binary on Linux and Windows.
```bash
VERSION="1.0.0"
curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf oras_${VERSION}_*.tar.gz oras-install/
```
```bash
oras pull ghcr.io/appthreat/cpggen-bin:v1
chmod +x cpggen-linux-amd64
./cpggen-linux-amd64 --help
```
On Windows
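```bat
:: cmd.exe syntax (set / %VAR%), not PowerShell
:: No quotes around the value: cmd would store them as part of VERSION
set VERSION=1.0.0
curl.exe -sLO "https://github.com/oras-project/oras/releases/download/v%VERSION%/oras_%VERSION%_windows_amd64.zip"
tar.exe -xvzf oras_%VERSION%_windows_amd64.zip
:: cmd's mkdir has no -p switch; it creates intermediate directories by default
mkdir "%USERPROFILE%\bin"
copy oras.exe "%USERPROFILE%\bin\"
set PATH=%USERPROFILE%\bin\;%PATH%
```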
```powershell
Invoke-WebRequest -Uri https://github.com/oras-project/oras/releases/download/v1.0.0/oras_1.0.0_windows_amd64.zip -UseBasicParsing -OutFile oras_1.0.0_windows_amd64.zip
Expand-Archive -Path oras_1.0.0_windows_amd64.zip -DestinationPath .
oras.exe pull ghcr.io/appthreat/cpggen-windows-bin:v1
```
### PyPI package
This installs the Python CLI tool with a bundled [atom](https://github.com/AppThreat/atom) distribution.
```
pip install cpggen
```
With atom, CPG can be generated for the following languages:
- C/C++
- Java
- Jars
- JavaScript/TypeScript
- Python
Install joern and set the `JOERN_HOME` environment variable if you would like support for additional languages and binaries.
### Bundled container image
```
docker pull ghcr.io/appthreat/cpggen
# podman pull ghcr.io/appthreat/cpggen
```
Use the AWS Public ECR mirror when ghcr is unavailable.
```
docker pull public.ecr.aws/appthreat/cpggen:latest
# podman pull public.ecr.aws/appthreat/cpggen:latest
```
Almalinux 9 requires the CPU to support SSE4.2. For kvm64 VM use the Almalinux 8 version instead.
```
docker pull ghcr.io/appthreat/cpggen-alma8
# podman pull ghcr.io/appthreat/cpggen-alma8
```
Or use the nightly to always get the latest joern and tools.
```
docker pull ghcr.io/appthreat/cpggen:nightly
# podman pull ghcr.io/appthreat/cpggen:nightly
```
Finally, a slimmer image based on atom distribution.
```
docker pull ghcr.io/appthreat/atomgen
# podman pull ghcr.io/appthreat/atomgen
```
## Usage
To auto detect the language from the current directory and generate CPG.
```
cpggen
```
To specify input and output directory.
```
cpggen -i <src directory> -o <CPG directory or file name>
```
You can also pass a git URL, a package URL, or a CVE or GHSA id as the source.
```
cpggen -i https://github.com/HooliCorp/vulnerable-aws-koa-app -o /tmp/cpg
```
```
cpggen -i "pkg:maven/org.apache.commons/commons-io@1.3.2" -o /tmp/cpg
```
```
export GITHUB_TOKEN=<token with read:packages scope>
cpggen -i CVE-2023-32681 -o /tmp/cpg
cpggen -i GHSA-j8r2-6x86-q33q -o /tmp/cpg
```
To specify language type.
```
cpggen -i <src directory> -o <CPG directory or file name> -l java
# Comma separated values are accepted for multiple languages
cpggen -i <src directory> -o <CPG directory or file name> -l java,js,python
```
Container-based invocation
```
docker run --rm -it -v /tmp:/tmp -v $(pwd):/app:rw --cpus=4 --memory=16g -t ghcr.io/appthreat/cpggen cpggen -i <src directory> -o <CPG directory or file name>
```
### Export graphs
By passing `--export`, cpggen can export the various graphs to many formats using [joern-export](https://docs.joern.io/exporting/).
Example to export `cpg14` graphs in `dot` format
```bash
cpggen -i ~/work/sandbox/crAPI -o ~/work/sandbox/crAPI/cpg_out --build --export --export-out-dir ~/work/sandbox/crAPI/cpg_export
```
To export `cpg` in `neo4jcsv` format
```bash
cpggen -i ~/work/sandbox/crAPI -o ~/work/sandbox/crAPI/cpg_out --build --export --export-out-dir ~/work/sandbox/crAPI/cpg_export --export-repr cpg --export-format neo4jcsv
```
### Slicing graphs
Pass `--slice` argument to extract intra-procedural slices from the CPG. By default, slices would be based on `Usages`. Pass `--slice-mode DataFlow` to create a sliced CPG based on `DataFlow`.
```bash
cpggen -i ~/work/sandbox/crAPI -o ~/work/sandbox/crAPI/cpg_out --slice
```
### Creating vectors
Pass `--vectors` argument to extract vector representations of code from CPG in json format.
```bash
cpggen -i ~/work/sandbox/crAPI -o ~/work/sandbox/crAPI/cpg_out --vectors
```
### Artifacts produced
Upon successful completion, cpggen would produce the following artifacts in the directory specified under `out_dir`
- {name}-{lang}.cpg.bin - Code Property Graph for the given language type
- {name}-{lang}.bom.xml - SBoM in CycloneDX XML format
- {name}-{lang}.bom.json - SBoM in CycloneDX json format
- {name}-{lang}.manifest.json - A json file listing the generated artifacts and the invocation commands
## Server mode
cpggen can run in server mode.
```
cpggen --server
```
You can invoke the endpoint `/cpg` to generate CPG from a path, http or package url. Parameters can be passed using GET or POST request.
```
curl "http://127.0.0.1:7072/cpg?src=/Volumes/Work/sandbox/vulnerable-aws-koa-app&out_dir=/tmp/cpg_out&lang=js"
```
```
curl "http://127.0.0.1:7072/cpg?url=https://github.com/HooliCorp/vulnerable-aws-koa-app&out_dir=/tmp/cpg_out&lang=js"
```
Package url with slicing.
```
curl "http://127.0.0.1:7072/cpg?url=pkg:maven/org.apache.commons/commons-io@1.3.2&out_dir=/tmp/cpg_out&slice=true"
```
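The curl calls above pass a git or package url unencoded inside the query string. The following is an added example, not code from cpggen: a small Python client that picks `src` or `url` for the source, percent-encodes every value, and by its own policy refuses a non-loopback server unless asked. The function names, the `allow_remote` switch and the assumption that the server decodes standard percent-encoding are illustrative.

```python
"""Build requests for the cpggen server's /cpg endpoint (added example)."""
import ipaddress
import urllib.parse
import urllib.request

# Defaults from the page's environment variable table (CPGGEN_HOST, CPGGEN_PORT).
DEFAULT_HOST = "127.0.0.1"
DEFAULT_PORT = 7072

# Prefixes treated as remote sources; they go in `url`, anything else in `src`.
REMOTE_PREFIXES = ("http://", "https://", "pkg:")


def is_loopback(host):
    """Return True for 'localhost' or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as remote


def build_cpg_request(source, out_dir, lang=None, slice_cpg=False,
                      host=DEFAULT_HOST, port=DEFAULT_PORT, allow_remote=False):
    """Return the GET URL asking the server to generate a CPG for `source`.

    Policy of this example (an assumption, not cpggen behaviour): refuse a
    non-loopback server unless the caller opts in, because the request names
    filesystem paths for the server to read from and write to.
    """
    if not allow_remote and not is_loopback(host):
        raise ValueError(f"refusing non-loopback cpggen server: {host}")
    key = "url" if source.startswith(REMOTE_PREFIXES) else "src"
    params = {key: source, "out_dir": out_dir}
    if lang:
        params["lang"] = lang
    if slice_cpg:
        params["slice"] = "true"
    # urlencode percent-encodes ':', '/', '@', '&' and '=' inside values, so a
    # git or package url stays one parameter instead of splitting the query.
    query = urllib.parse.urlencode(params)
    netloc = f"[{host}]" if ":" in host else host  # bracket IPv6 literals
    return f"http://{netloc}:{port}/cpg?{query}"


def request_cpg(url, timeout=600):
    """Send the request and return the raw response body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Same package url as the curl example above, with slicing enabled.
    print(build_cpg_request("pkg:maven/org.apache.commons/commons-io@1.3.2",
                            "/tmp/cpg_out", slice_cpg=True))
```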
## Languages supported
| Language | Requires build | Maturity |
| ---------- | -------------- | -------- |
| C | No | High |
| C++ | No | High |
| Java | No (\*) | Medium |
| Scala | Yes | High |
| JavaScript | No | Medium |
| TypeScript | No | Medium |
| Kotlin | No (\*) | Low |
| Php | No | Low |
| Python | No | Low |
(\*) - Precision could be improved with dependencies
EXPERIMENTAL: Use the provided [protobuf bindings](./contrib/bindings/) to build new language frontends.
## Full list of options
```
cpggen --help
usage: cpggen [-h] [-i SRC] [-o CPG_OUT_DIR] [-l LANGUAGE] [--use-container] [--build] [--joern-home JOERN_HOME] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT] [--export]
[--export-repr {ast,cfg,cdg,ddg,pdg,cpg,cpg14,all}] [--export-format {neo4jcsv,graphml,graphson,dot}] [--export-out-dir EXPORT_OUT_DIR] [--verbose] [--skip-sbom] [--slice] [--slice-mode {Usages,DataFlow}] [--use-parse]
CPG Generator
optional arguments:
-h, --help show this help message and exit
-i SRC, --src SRC Source directory or url or CVE or GHSA id
-o CPG_OUT_DIR, --out-dir CPG_OUT_DIR
CPG output directory
-l LANGUAGE, --lang LANGUAGE
Optional. CPG language frontend to use. Auto-detects by default.
--use-container Use cpggen docker image
--build Attempt to build the project automatically
--joern-home JOERN_HOME
Joern installation directory
--server Run cpggen as a server
--server-host SERVER_HOST
cpggen server host
--server-port SERVER_PORT
cpggen server port
--export Export CPG as a graph
--export-repr {ast,cfg,cdg,ddg,pdg,cpg,cpg14,all}
Graph representation to export
--export-format {neo4jcsv,graphml,graphson,dot}
Export format
--export-out-dir EXPORT_OUT_DIR
Export output directory
--verbose Run cpggen in verbose mode
--skip-sbom Do not generate SBoM
--slice Extract intra-procedural slices from the CPG
--slice-mode {Usages,DataFlow}
Mode used for CPG slicing
--use-atom Use atom toolkit
--vectors Extract vector representations of code from CPG
```
## Environment variables
| Name | Purpose |
| ----------------------- | ---------------------------------------------------------------------------------------------------- |
| JOERN_HOME | Optional when using atom. Joern installation directory |
| CPGGEN_HOST | cpggen server host. Default 127.0.0.1 |
| CPGGEN_PORT | cpggen server port. Default 7072 |
| CPGGEN_CONTAINER_CPU | CPU units to use in container execution mode. Default computed |
| CPGGEN_CONTAINER_MEMORY | Memory units to use in container execution mode. Default computed |
| CPGGEN_MEMORY | Heap memory to use for frontends. Default computed |
| AT_DEBUG_MODE | Set to debug to enable debug logging |
| CPG_EXPORT | Set to true to export CPG graphs in dot format |
| CPG_EXPORT_REPR | Graph to export. Default all |
| CPG_EXPORT_FORMAT | Export format. Default dot |
| CPG_SLICE | Set to true to slice CPG |
| CPG_SLICE_MODE | Slice mode. Default Usages |
| CPG_VECTORS | Set to true to generate vector representations of code from CPG |
| CDXGEN_ARGS | Extra arguments to pass to cdxgen |
| ENABLE_SBOM | Enable SBoM generation using cdxgen |
| JIMPLE_ANDROID_JAR | Optional when using atom. Path to android.jar for use with jimple for .apk or .dex to CPG conversion |
| GITHUB_TOKEN | Token with read:packages scope to analyze CVE or GitHub Advisory |
| USE_ATOM | Use AppThreat atom instead of joern frontends. atomgen would default to this mode. |
## GitHub actions
Use the marketplace [action](https://github.com/marketplace/actions/cpggen) to generate CPGs using GitHub actions. Optionally, to upload the generated CPGs as build artifacts, use the step below.
```
- name: Upload cpg
  uses: actions/upload-artifact@v1.0.0
  with:
    name: cpg
    path: cpg_out
```
## License
Apache-2.0
## Developing / Contributing
```
git clone git@github.com:AppThreat/cpggen.git
cd cpggen
python -m pip install --upgrade pip
python -m pip install poetry
# Add poetry to the PATH environment variable
poetry install
poetry run cpggen -i <src directory>
```
Raw data
{
"_id": null,
"home_page": "https://github.com/AppThreat/cpggen",
"name": "cpggen",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.8.1,<3.12",
"maintainer_email": "",
"keywords": "joern,code analysis,static analysis,cpg,code property graph,atom,threat analysis",
"author": "Team AppThreat",
"author_email": "cloud@appthreat.com",
"download_url": "https://files.pythonhosted.org/packages/36/24/bbdbe45d944cf1ec37446bc1f13b517f1610b4dddac2dbdd8f0e0dee1399/cpggen-1.8.3.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "Apache-2.0",
"summary": "Generate CPG for multiple languages for code and threat analysis",
"version": "1.8.3",
"project_urls": {
"Homepage": "https://github.com/AppThreat/cpggen",
"Repository": "https://github.com/AppThreat/cpggen"
},
"split_keywords": [
"joern",
"code analysis",
"static analysis",
"cpg",
"code property graph",
"atom",
"threat analysis"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "f321c69219d7bda6a9611b8b9c38e63158fc3234594764c8985d200fb362c459",
"md5": "17b86b3ab7780a4bad1f2ce07955cb4c",
"sha256": "5dcd6b0d7620d000e2398f39732af1a489eab72d158ca18abbc9bde6797ea2ac"
},
"downloads": -1,
"filename": "cpggen-1.8.3-py3-none-any.whl",
"has_sig": false,
"md5_digest": "17b86b3ab7780a4bad1f2ce07955cb4c",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8.1,<3.12",
"size": 72485545,
"upload_time": "2023-07-02T16:34:59",
"upload_time_iso_8601": "2023-07-02T16:34:59.386525Z",
"url": "https://files.pythonhosted.org/packages/f3/21/c69219d7bda6a9611b8b9c38e63158fc3234594764c8985d200fb362c459/cpggen-1.8.3-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "3624bbdbe45d944cf1ec37446bc1f13b517f1610b4dddac2dbdd8f0e0dee1399",
"md5": "3468512d32a1d62b37df6457c66496d0",
"sha256": "9c9bd982c1aab2bb65c0b8ed9b750c1f5bac33b3ff77f3a7ae60e2a12a3c6502"
},
"downloads": -1,
"filename": "cpggen-1.8.3.tar.gz",
"has_sig": false,
"md5_digest": "3468512d32a1d62b37df6457c66496d0",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8.1,<3.12",
"size": 72488517,
"upload_time": "2023-07-02T16:35:06",
"upload_time_iso_8601": "2023-07-02T16:35:06.736707Z",
"url": "https://files.pythonhosted.org/packages/36/24/bbdbe45d944cf1ec37446bc1f13b517f1610b4dddac2dbdd8f0e0dee1399/cpggen-1.8.3.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-07-02 16:35:06",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "AppThreat",
"github_project": "cpggen",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "cpggen"
}