Joern Skill

Rodolphe G. - RORO! edited this page Jul 2, 2026 · 2 revisions

Static analysis of source code and binaries with Joern and its Code Property Graph (CPG). Use it when a question is structural or data-flow shaped and grep cannot answer it, for example "which untrusted inputs reach system?".

The agent does not run joern directly. It uses the Joern Gateway through the joernctl CLI.

Workflow

  1. Start the gateway (docker compose up -d in joern-gateway), then joernctl health.
  2. Stage the target under joern-gateway/workspace (mounted at /work).
  3. Build the CPG: joernctl import /work/target.
  4. Orient: list methods, external calls, parameters, literals.
  5. Hunt with source-to-sink queries.
  6. Confirm each hit in source before reporting. A Joern hit is a candidate, not a proven bug.

CPGQL basics

CPGQL is a Scala DSL. A query starts at cpg, chains steps, and ends with a terminal step (.l, .p, .toJson).

cpg.method.name.l                 // all method names
cpg.call.name("system").l         // calls to system
cpg.metaData.language.l           // language of the CPG

Taint tracking

The main reason to use Joern. Define a source and a sink, then check reachability.

def source = cpg.method.name("main").parameter
def sink   = cpg.call.name("system").argument
sink.reachableByFlows(source).p   // full source-to-sink paths

Common sinks: SQL builders, HTML writers, system/exec, file and URL functions. See the CPGQL reference and query database.
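A widened form of the source-to-sink query above, as an added example that is not a query from this wiki. It assumes a C/C++ CPG is already loaded (joernctl import /work/target), takes argv of main and the return value of getenv as sources, several libc command-spawning calls as sinks, and prints each path with its file and line numbers so that step 6 of the workflow (confirm in source) can be done directly.

```scala
// Added example, not a query from this wiki: command-injection hunt over a
// C/C++ CPG that is assumed to be already imported and loaded.
// The shape is the wiki's source/sink/reachableByFlows pattern, widened to
// two kinds of sources and several libc sinks.

// Sources: argv of main (parameter index 2; index 1 is argc) plus the
// return value of every getenv call.
def source = cpg.method.nameExact("main").parameter.index(2) ++
             cpg.call.name("getenv")

// Sinks: first argument of the shell/exec family (name is a regex match).
def sink = cpg.call.name("system|popen|execl|execlp|execv|execvp").argument(1)

// One string per path: file, then "line: code" for each node along the flow.
def flows = sink.reachableByFlows(source).map { path =>
  val nodes = path.elements
  val file  = nodes.last.method.filename
  val hops  = nodes.map(n => s"${n.lineNumber.getOrElse(-1)}: ${n.code}")
  s"$file  ${hops.mkString(" -> ")}"
}.l

// Each line is a candidate to verify in the source file named at its start.
flows.foreach(println)
```

Swap `.l` for `.toJson` when the agent needs machine-readable output rather than text.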