⚠️ This version of Codyze is still under development. If you are looking for a stable version, please use the 2.3.0 release.
Codyze is a static code analyzer that focuses on verifying security compliance in source code, i.e. by inferring the correct use of cryptographic libraries. It operates on code property graphs and is thus able to handle non-compiling or even incomplete code fragments.
A Java SE 17 JDK is a prerequisite. We build and test using Eclipse Temurin but any distribution should work.
To build an executable version of Codyze, use the installDist task in the project's root:
$ ./gradlew :codyze-cli:installDistThis will provide you with an executable Codyze installation under codyze-cli/build/install/codyze-cli.
To run Codyze you can either run this executable or use the run task:
$ ./gradlew runThis will print the help message and return an error.
To actually run Codyze you must specify a subcommand:
$ ./gradlew run --args="--config=config.json runCoko cokoCpg"This will run the runCoko subcommand with the cokoCpg backend using the demo config file ./codyze-cli/config.json.
For more information, please refer to the documentation.
If you are looking for an exciting thesis project or student job in the field of static analysis, we are happy to discuss possible topics. Please contact us at codyze [at] aisec.fraunhofer.de.
We will continue to maintain this project for the foreseeable future on a best-effort basis. That is, if you run into any bugs or find the documentation insufficient, we encourage you to open issues or pull requests. If you are interested in support and development for commercial use, please contact us.