codepropertygraph icon indicating copy to clipboard operation
codepropertygraph copied to clipboard

Published 20 hours ago verified publisher icon ShiftLeftSecurity

CONTAINS edges incomplete

Open m1cm1c opened this issue 4 years ago • 1 comments

I am very confused about CONTAINS edges. I did not find any documentation on them. However, I did find a file called EdgeTypes.java in this repo which contains this:

 /** Shortcut over multiple AST edges */
 public static final String CONTAINS = "CONTAINS";

Given that that's all I know about these edges, I'd assume that ... well ... CONTAINS edges are the transitive closure of AST edges. I'm assuming that the transitive closure is meant by "shortcut". However, this is not the case in the implementation.

Take the graph that is created for this code:

void calculateWinner() {
  int hash = getHashOfBlock();
  if(hash < 27) {
	int receiver = 0;
	send(15);
  }
}

If we count the number of nodes connected to the method node via CONTAINS edges, we get 14:

joern> cpg.method.name("calculateWinner").outE(EdgeTypes.CONTAINS).inV.l.size 
res124: Int = 14

Now lets tally up the nodes in the transitive closure of AST edges:

joern> cpg.method.name("calculateWinner").astChildren.l.size 
res125: Int = 2

joern> cpg.method.name("calculateWinner").astChildren.astChildren.l.size 
res126: Int = 3

joern> cpg.method.name("calculateWinner").astChildren.astChildren.astChildren.l.size 
res127: Int = 4

joern> 
cpg.method.name("calculateWinner").astChildren.astChildren.astChildren.astChildren.l.size 
res128: Int = 5

joern> 
cpg.method.name("calculateWinner").astChildren.astChildren.astChildren.astChildren.astChildren.l.size 
res129: Int = 3

joern> 
cpg.method.name("calculateWinner").astChildren.astChildren.astChildren.astChildren.astChildren.astChildren.l.size 
res130: Int = 0

They sum up to 17, not 14.

This is not because of duplicate nodes (not that that would make sense in an abstract syntax tree) because after deduplication, we're still at 17:

joern> 
Traversal(cpg.method.name("calculateWinner").astChildren.astChildren.astChildren.astChildren.astChildren.l.concat(cpg.method.name("calculateWinner").astChildren.astChildren.astChildren.astChildren.l).concat(cpg.method.name("calculateWinner").astChildren.astChildren.astChildren.l).concat(cpg.method.name("calculateWinner").astChildren.astChildren.l).concat(cpg.method.name("calculateWinner").astChildren.l)).dedup.size 
res139: Int = 17

I have no idea how to best diff traversals in Joern, so I diffed them externally. In this particular case, the METHOD_RETURN node and the LOCAL nodes are missing. But I have no idea what nodes are missing in general.

m1cm1c avatar Jan 07 '21 13:01 m1cm1c

In general you can look up the code in ContainsEdgePass.scala.

I agree that this behavior is weird -- one would naively expect this to be set for all AST nodes. It's not a bug, though -- other components know about this quirk and work with it.

Do we want to change this?

To me it looks like this behavior is just due to the coding patterns we used in 2018, and not consciously intended. But maybe there is an actual reason?

cc @mpollmeier @ml86 , because the furthest back I could track this behavior is https://github.com/ShiftLeftSecurity/codepropertygraph/pull/71

bbrehm avatar Jul 19 '21 07:07 bbrehm