appthreat / cpggen Goto Github PK

• Parse .csproj files to determine if the project requires a Windows OS for successful CPG conversion. Applicable to projects using .Net framework and the legacy .Net core
• Recommend appropriate .Net version by looking for RollForward property

Would appreciate any help testing cpggen on Windows and M1 Mac.

The OSS version used the atom distribution but was incorrectly called cpggen. To correct these error, I am renaming things as below:

The OCI image ghcr.io/appthreat/cpggen-oss uses joern so isn't affected.

PR to follow:

https://github.com/AppThreat/cpggen/pull/29/files

A detailed writeup on atom vs cpg would become available at some point. Please let me know if you think you might be affected by these changes or have further questions.

Once this PR gets merged we need to change here to use bin_ext instead of only_bat_ext

After detailed discussion with joern developers, I am using scala 3 branch of joern to bring some new features and bug fixes

https://github.com/AppThreat/joern2

After some exhaustive testing, I'm confident this approach is working well for the use cases and projects I am aware of. I will raise another ticket once the project is ready to switch back to the upstream version which might be in a few weeks time.

Working on a slimmer cli distribution called atom which will replace joern that gets bundled with cpggen.

Hello,

After installing the "cpggen" package with the command "pip install cpggen", I was able to generate cpg, it is stored in a ".bin.zip" file. I'm wondering how I can convert the graph into a different format, such as ".dot", which I can then use as inputs for my tool.

Why does the progress stop at 20% when I generate a CPG?

As we do not pass any arguments in the workflow for cpggen, how do we work on the scan recommendations provided by 'Bestfix' ?
As an example, I used cpggen for the app 'Fineract' and then executed bestfix for this app. The scan recommendation were as below.
How do we work on those scan recommendations?

AT tools such as cpggen must support reading configuration values from a toml file called .at.toml. This ticket will be updated to show examples for this file.

Executed the cpggen for windows. Errors out with proper messages, but shows a successful scan and submission towards the end.

[WinError 1314WinError 1314[]1314]WinError A required privilege is not held by the client: ] A required privilege is not held by the client:
.
.
INFO Error: Unable to access jarfile /usr/local/bin/java2cpg.jar
.
.

       INFO     shiftleft-java-demo-java uploaded successfully

Complete logs attached
cpggen-error-log.docx

Please consider upgrading to atom which is a modern lightweight implementation.

https://github.com/AppThreat/atom

The following packages are temporarily unavailable:

• cpggen
• cpggen-bin
• cpggen-windows-bin

These would be republished without any binary plugins later this week.

Atom 1.2.0 has breaking changes to the directory structure.

https://github.com/AppThreat/cpggen/blob/main/cpggen/executor.py#L39
https://github.com/AppThreat/cpggen/blob/main/cpggen/executor.py#L66

In the CI, it errors with "line too long error". On desktop, it exits silently after extracting atom without any messages.

With the v9 branch, cdxgen uses caxa for sae

CycloneDX/cdxgen#363

Cpggen failing to generate cpg for a js app on windows. Screenshot attached:

cpggen to support generating a graph per module or package. The module would be based on the directory structure and configurable via the toml config files.

#44