Joern Skill
Rodolphe G. - RORO! edited this page Jul 2, 2026
Static analysis of source code and binaries with Joern and its Code Property Graph (CPG). Use it when a question is structural or data-flow shaped and grep cannot answer it, for example "which untrusted inputs reach system?".
The agent does not run joern directly. It uses the Joern Gateway through the joernctl CLI.
- Start the gateway (docker compose up -d in joern-gateway), then run joernctl health.
- Stage the target under joern-gateway/workspace (mounted at /work).
- Build the CPG: joernctl import /work/target.
- Orient: list methods, external calls, parameters, literals.
- Hunt with source-to-sink queries.
- Confirm each hit in source before reporting. A Joern hit is a candidate, not a proven bug.
CPGQL is a Scala DSL. A query starts at cpg, chains steps, and ends with a terminal step (.l, .p, .toJson).
cpg.method.name.l // all method names
cpg.call.name("system").l // calls to system
cpg.metaData.language.l // language of the CPG

Source-to-sink data flow is the main reason to use Joern. Define a source and a sink, then check reachability.
def source = cpg.method.name("main").parameter
def sink = cpg.call.name("system").argument
sink.reachableByFlows(source).p // full source-to-sink paths

Common sinks: SQL builders, HTML writers, system/exec, file and URL functions. See the CPGQL reference and query database.
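The following CPGQL script is an added example, not code from the original page or from the Joern project; it carries the orient, hunt and confirm steps above through on a C or C++ CPG built from /work/target. The input-function and process-spawning names used as extra sources and sinks, and the helper names sourceParams, sourceCalls and sink, are assumptions chosen for illustration.

```scala
// Added example (not from the page or the Joern project). Assumes a C/C++ CPG
// is loaded; the source and sink name lists below are illustrative choices.

// --- Orient: what is in the CPG? ---
cpg.metaData.language.l                                  // frontend language of the CPG
cpg.method.isExternal(false).name.l                      // methods that have a body in the CPG
cpg.method.isExternal(true).name.dedup.l                 // library functions called but not defined here
cpg.method.name("main").parameter.name.l                 // parameters of main (argc, argv)
cpg.literal.code.l                                       // string and numeric literals

// --- Hunt: define sources and sinks, then ask for flows ---
// Sources: main's parameters (as on the page) plus the return values of common
// input functions. A Call node stands for the value the call returns.
def sourceParams = cpg.method.name("main").parameter
def sourceCalls  = cpg.call.name("getenv|fgets|recv|read")

// Sinks: arguments of process-spawning functions (.name takes a regex).
def sink = cpg.call.name("system|popen|execl|execlp|execv|execvp").argument

sink.reachableByFlows(sourceParams).p                    // argv -> system-style paths
sink.reachableByFlows(sourceCalls).p                     // getenv/fgets/... -> system-style paths

// --- Confirm: locate every hop of each flow so it can be read in the source ---
// Path.elements is the list of CFG nodes along the flow; emit file, line and
// code for each hop so a reviewer can open the source at each step.
sink.reachableByFlows(sourceCalls).map { path =>
  path.elements.map(n => (n.method.filename, n.lineNumber.getOrElse(-1), n.code))
}.l

// Triage aid: flows that start and end in the same method are quickest to
// verify by eye, so count them separately and read those candidates first.
sink.reachableByFlows(sourceCalls)
  .filter(p => p.elements.head.method.name == p.elements.last.method.name)
  .size
```

Every path returned here is still only a candidate in the sense the list above gives: the confirm block exists precisely so that each hop is read in the real source before anything is reported.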