Vulnerability reachability analysis

What is reachability

Reachability analysis checks whether a potentially vulnerable piece of code can actually be executed when using the application. This allows filtering out the "noise" and focusing on exploitable issues.
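To make the idea concrete, here is a small added example (not part of the Johnny or CodeScoring documentation, and not their code) that performs the same kind of check over a call graph: starting from the application's entry points, it walks caller-to-callee edges and reports, for each function flagged by a dependency advisory, whether a call path exists and what that path is. The JSON layout (a caller mapped to the list of callees), the package names and the advisory labels are all constructed for illustration; the Svace and Joern formats that Johnny actually consumes differ.

```python
"""Toy reachability check over a call graph (added example, not Johnny's own code).

The input format used here, a JSON object mapping each caller to the list of
functions it calls, is constructed for illustration and is NOT the Svace or
Joern output format.
"""
import json
from collections import deque

# Constructed sample call graph for a small Java-like application.
# Keys are callers, values are the functions each caller invokes.
SAMPLE_CALL_GRAPH = json.dumps({
    "com.example.Main.main": ["com.example.Api.handle", "com.example.Util.log"],
    "com.example.Api.handle": ["com.example.Parser.parse"],
    "com.example.Parser.parse": ["org.lib.json.JsonReader.read"],
    "org.lib.json.JsonReader.read": ["org.lib.json.JsonReader.readDeep"],
    "com.example.Util.log": [],
    # Shipped inside a dependency but never called by the application:
    "org.lib.yaml.Loader.load": ["org.lib.yaml.Loader.constructObject"],
})

# Constructed list of functions that a dependency scanner flagged.
# The labels are placeholders, not real advisory identifiers.
VULNERABLE_FUNCTIONS = {
    "org.lib.json.JsonReader.readDeep": "ADVISORY-PLACEHOLDER-A (crash on deeply nested input)",
    "org.lib.yaml.Loader.constructObject": "ADVISORY-PLACEHOLDER-B (unsafe object construction)",
}


def load_call_graph(text):
    """Parse the constructed JSON format and ensure every callee is a node."""
    graph = json.loads(text)
    for callees in list(graph.values()):
        for callee in callees:
            graph.setdefault(callee, [])
    return graph


def find_path(graph, entry_points, target):
    """Shortest call path (BFS) from any entry point to target, or None."""
    parent = {}
    queue = deque()
    for entry in entry_points:
        if entry in graph and entry not in parent:
            parent[entry] = None
            queue.append(entry)
    while queue:
        node = queue.popleft()
        if node == target:
            # Rebuild the path by following parent links back to the entry point.
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def classify(graph, entry_points, vulnerable):
    """Map each flagged function to its call path, or None when unreachable."""
    return {fn: find_path(graph, entry_points, fn) for fn in vulnerable}


if __name__ == "__main__":
    g = load_call_graph(SAMPLE_CALL_GRAPH)
    results = classify(g, ["com.example.Main.main"], VULNERABLE_FUNCTIONS)
    for fn, path in results.items():
        status = "REACHABLE" if path else "not reachable"
        print(f"{status:14} {fn}  {VULNERABLE_FUNCTIONS[fn]}")
        if path:
            print("    " + " -> ".join(path))
```

Run as a script, the first flagged function is reported as reachable with its five-step call path from main, while the second is marked not reachable because nothing in the application ever calls into the YAML loader; that second case is the "noise" the paragraph above refers to. Note the caveat a practitioner should keep in mind: a static call graph cannot see reflection or dynamic dispatch it was not built to model, so "not reachable" is only as trustworthy as the graph's completeness.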

The Johnny CLI agent can analyze whether vulnerabilities are reachable from the source code. To use this feature, set two parameters:

  • cg-path — path to the call graph file: for java, python, go, kotlin, and csharp (C#), use the Svace format; for javascript, use JSON produced by Joern (see below);
  • cg-lang — programming language for which the call graph was built. Supported values are java, python, go, kotlin, csharp (C#), and javascript.

Building the call graph

Using Svace

  1. Download the Svace module https://REGISTRY_USERNAME:REGISTRY_PASSWORD@REGISTRY_URL/#browse/browse:files:codescoring%2Fsvace-callgraph

  2. Obtain a user token in CodeScoring (/cabinet/profile)

  3. Run Svace on the project's source code. This step is best performed within or after the build stage in your CI/CD pipeline.

    1. Initialization
      svace init
    2. Instrumented build
      svace build <build command>
      Example for Java:
      svace build mvn clean package
      Example for Go:
      svace build go build -a main.go
      Example for Python:
      svace build --python .
      Example for Kotlin:
      svace build ./gradlew clean build
      Example for C#:
      svace build dotnet build
    3. Analyze results and generate the call graph
      svace analyze --build-call-graph-only --license-server-url "http(s)://<codescoring_host>" --license-server-token "<token from step 2>"
  4. Upon successful completion of all steps, a file named .svace-dir/analyze-res/call-graph-results/<project_name>-graph-order.json containing the call graph will appear in the project directory.

    Saving a file

    Prior to Svace version 5.0.260311, the call graph file was saved to the folder .svace-dir/analyze-res/call-graph

  5. Launch the scan using Johnny, for example:

    johnny-linux-amd64 scan dir . --api_url "http(s)://<codescoring_host>" --api_token "<token from step 2>" --cg-path .svace-dir/analyze-res/call-graph-results/<project_name>-graph-order.json --cg-lang java

Using Joern (JavaScript)

For JavaScript, the reachability call graph is built with Joern. Run the following in the directory that contains your project source code:

joern-parse .
joern-slice usages cpg.bin

The joern-parse command creates a CPG in cpg.bin. The joern-slice usages command writes JSON output. By default the file is slices.json in the current folder. Pass the path to that file in Johnny’s --cg-path argument. You can set the output file explicitly with joern-slice’s -o option; see Joern CPG slicing documentation.

Example scan invocation:

johnny-linux-amd64 scan dir . --api_url "http(s)://<codescoring_host>" --api_token "<token from profile>" --cg-path <path_to_joern_json> --cg-lang javascript

Remote analysis

Starting with Svace 5.0.260311, a remote analysis server can be used. This lets you move call graph construction out of the CI/CD pipeline, reduce the load on build servers and streamline the continuous integration process.

Server configuration steps

  1. Specify the environment variables
     SVACE_LIC_SERVER_URL=http(s)://<codescoring_host>
     SVACE_LIC_SERVER_TOKEN=<CodeScoring token>
  2. Initialization
     svace server init
  3. Start the server
     svace server start
  4. Submit the project for analysis. Once the server is configured, you no longer need to specify the --license-server-url and --license-server-token license parameters.

     svace remote --host <server address> analyze --build-call-graph-only

     If necessary, you can add parameters such as --port, --login and --pass.

For more information about the remote analysis server settings, see the Svace documentation.

Viewing results

In the vulnerabilities table, vulnerabilities with identified reachable call paths will be marked in the corresponding column:

Vulnerabilities table with "Reachable" column

Additionally, at the end of the report, another table listing the call trees for vulnerabilities will be available:

Reachability paths table for json-bug

Example for a larger project:

Reachability paths table for dep-track

If the --save-results flag was specified, reachability results will appear in the "Reachable" column of the vulnerabilities table:

Vulnerabilities table for json-bug
