Plume is a language front-end to construct an intermediate representation called a code-property graphs from JVM bytecode. Plume is graph database agnosic and can store code-property graphs to multiple graph databases.

Learn More

For more documentation and basic guides, check out the project homepage.

Community

• If you have any questions or want to be involved then check out our discussions page.
• Joern's Gitter.
• Plume is primarily maintained by David Baker Effendi
  • DM on Twitter
  • Email at dbe@sun.ac.za

Adding Plume as a Dependency

Replace X.X.X with the desired version on JitPack.

Maven:

<dependency>
  <groupId>io.github.plume-oss</groupId>
  <artifactId>plume</artifactId>
  <version>X.X.X</version>
  <type>pom</type>
</dependency>

Gradle:

implementation 'io.github.plume-oss:plume:X.X.X'

Don't forget to include the JCenter and JitPack repository in your pom.xml or build.gradle.

Maven:

<project>
  [...]
  <repositories>
    <repository>
      <id>jcenter</id>
      <name>jcenter</name>
      <url>https://jcenter.bintray.com</url>
    </repository>
    <repository>
      <id>jitpack</id>
      <name>jitpack</name>
      <url>https://jitpack.io</url>
    </repository>
  </repositories>
  [...]
</project>

Gradle:

repositories {
    jcenter()
    maven { url "https://jitpack.io" }
}

Building from Source

Plume releases are available on JitPack. If downloading from JitPack is not an option, or you would like to depend on a modified version of Plume, you can build Plume locally and use it as an unmanaged dependency. JDK version 11 or higher is required.

git clone https://github.com/plume-oss/plume.git
cd plume
./gradlew jar

This will build build/libs/plume-X.X.X.jar which can be imported into your local project.

Dependencies

Packages

The following packages used for logging:

implementation 'org.apache.logging.log4j:log4j-core'
implementation 'org.apache.logging.log4j:log4j-slf4j-impl'

The extractor uses the following dependencies:

implementation 'org.soot-oss:soot'
implementation 'org.lz4:lz4-java'

Dependencies per graph database technology:

TinkerGraph

implementation 'org.apache.tinkerpop:gremlin-core'
implementation 'org.apache.tinkerpop:tinkergraph-gremlin'

OverflowDb

implementation 'io.shiftleft:codepropertygraph_2.13'
implementation 'io.shiftleft:semanticcpg_2.13'

JanusGraph

implementation 'org.apache.tinkerpop:gremlin-core'
implementation 'org.janusgraph:janusgraph-driver'

TigerGraph

implementation 'khttp:khttp'
implementation 'com.fasterxml.jackson.core:jackson-databind'
implementation 'com.tigergraph.client:gsql_client'

Amazon Neptune

  implementation 'org.apache.tinkerpop:gremlin-core'
implementation 'org.apache.tinkerpop:gremlin-driver'

Neo4j

implementation 'org.neo4j.driver:neo4j-java-driver'

Note that if you are connecting to Neo4j, for example, you would not need the TinkerGraph, TigerGraph, etc. dependencies.

Logging

Plume uses SLF4J as the fascade with Log4j2 as the implementation.

Note that due to the size of method related operations, there is a CLI loading bar used to indicate progress. This bar is only shown on TRACE, DEBUG, and INFO levels.