---
id: wiki-2026-0508-joern
title: Joern
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [joern-cpg, code-property-graph-tool]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, sast, cpg, static-analysis, vulnerability]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: Scala
  framework: ShiftLeft/Joern
---

# Joern

## One-liner

> **"A SAST platform that queries a Code Property Graph (CPG): a single graph unifying AST + CFG + DDG."**

Originated in Yamaguchi's doctoral thesis; effectively commercialized by ShiftLeft; as of 2026 it is the reference multi-language OSS SAST for C/C++, Java, Python, JS and Go.

## Core

### What a CPG is

- A single graph that unifies the AST (syntax), CFG (control flow) and DDG (data dependence).
- Nodes: function, identifier, literal, call, parameter, …
- Edges: AST_PARENT, CFG, REACHING_DEF, CALL, …

### Query language

- CPGQL, a Scala-based DSL.
- Example: `cpg.call("strcpy").argument(2).reachableBy(cpg.parameter).p`

### Applications

1. Vulnerability hunting: taint tracing from source to sink.
2. Code review automation: deeper than pattern grep.
3. Complementing SBOM/SCA: weaknesses in first-party code.
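An added example for application 1 (taint trace source→sink); this is not code from the Joern project or from this note's sources. It is a Joern script that narrows the sink to the SQL-string argument of `executeQuery`, separates flows that pass through a sanitizer from those that do not, and reports source/sink locations. The sanitizer name `escapeSql`, the script name `sqli_flows.sc` and the CPG path `/tmp/cpg.bin` are assumptions.

```scala
// Added example (not Joern project code). Assumed names: sanitizer "escapeSql",
// script file sqli_flows.sc, CPG at /tmp/cpg.bin.
// Run: joern --script sqli_flows.sc --param cpgFile=/tmp/cpg.bin
@main def main(cpgFile: String) = {
  importCpg(cpgFile)

  val sanitizer = "escapeSql"

  // Sources: user-controlled input entering via getParameter
  def source = cpg.call.name("getParameter")
  // Sinks: only the first argument of executeQuery, i.e. the SQL string itself,
  // rather than the whole call (which would also match flows into other arguments)
  def sink = cpg.call.name("executeQuery").argument(1)

  val flows = sink.reachableByFlows(source).l

  // Coarse sanitizer check: drop paths where some element's code mentions the
  // sanitizer. Joern's dataflow semantics can model sanitizers more precisely;
  // this filter is a stand-in when no semantics have been defined for it.
  val (sanitized, suspicious) =
    flows.partition(_.elements.exists(_.code.contains(sanitizer)))

  println(s"${flows.size} flow(s): ${sanitized.size} pass through $sanitizer, " +
          s"${suspicious.size} do not")

  // Report the unsanitized flows as method:line pairs for triage
  suspicious.foreach { path =>
    val src = path.elements.head
    val snk = path.elements.last
    println(
      s"${src.method.name}:${src.lineNumber.getOrElse("?")}  [${src.code}]" +
      s"  ->  ${snk.method.name}:${snk.lineNumber.getOrElse("?")}  [${snk.code}]"
    )
  }
}
```

Flows that reach `executeQuery` through the sanitizer still deserve a look if the sanitizer is misused (e.g. applied to the wrong fragment); the split only prioritizes triage.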
## 💻 Patterns

### Install + import

```bash
brew install joern   # macOS
joern
joern> importCode(inputPath="/path/to/repo", projectName="myapp")
joern> open("myapp")
```

### Dangerous-call query

```scala
cpg.call.name("strcpy|gets|sprintf").l
// list each call's enclosing method and line number
cpg.call.name("strcpy").map(c => (c.method.name, c.lineNumber)).l
```

### Taint flow (SQL injection)

```scala
def src = cpg.call.name("getParameter")
def sink = cpg.call.name("executeQuery")
sink.reachableByFlows(src).p
```

### Custom rule (XSS)

```scala
def userInput = cpg.call.name(".*request.*get.*Param.*")
def htmlSink = cpg.call.name(".*innerHTML.*|.*document\\.write.*")
htmlSink.reachableByFlows(userInput).p
```

### Method-level metrics

```scala
cpg.method.filter(_.numberOfLines > 100).name.l
// per-method count of control structures, a rough cyclomatic-complexity proxy
cpg.method.map(m => (m.name, m.controlStructure.size)).l
```

### Export

```scala
cpg.runScript("exportCpg.sc", Map("outFile" -> "/tmp/cpg.bin.zip"))
// GraphML / dot output is also possible
```

### CI integration

```yaml
- name: Joern scan
  run: |
    joern-parse src/
    joern-scan --dump cpg.bin.zip > findings.json
```

### Ocular (commercial fork)

```scala
// ShiftLeft Ocular = Joern + secrets + IaC
// enterprise: integrated secrets / license / SBOM
```

## Decision criteria

| Situation | Approach |
|---|---|
| Quick grep | semgrep/CodeQL |
| Deep taint, multi-language, OSS | Joern |
| Enterprise + secrets + SBOM | ShiftLeft / Snyk Code |
| Binary | Ghidra + plugin |

**Default**: OSS multi-language SAST: Joern.

## 🔗 Graph

- Parent: [[SAST]] · [[Code_Property_Graph]]
- Variants: [[CodeQL]] · [[Semgrep]]
- Applications: [[보안_및_시스템_신뢰성_표준|OWASP Top 10]]
- Adjacent: [[보안_및_시스템_신뢰성_표준|DAST]] · [[SCA_Fundamentals|SCA]]

## 🤖 LLM usage

**When**: a cross-function taint trace is needed and string grep is not enough.

**When not**: single-line patterns; semgrep is faster and sufficient.

## ❌ Anti-patterns

- **CPG too large for RAM**: split the import by module.
- **Over-broad regex on method names**: false positives explode.
- **Trusting flow results as-is**: the sanitizer may not have been modeled.

## 🧪 Verification / duplicates

- Verified (Joern 4.x, joern.io 2026).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: organized CPG/CPGQL-based SAST patterns |