cpg-rs
| Crates.io | cpg-rs |
| lib.rs | cpg-rs |
| version | 0.1.0 |
| created_at | 2025-03-17 19:10:39.46065+00 |
| updated_at | 2025-03-17 19:10:39.46065+00 |
| description | A Rust library for working with Code Property Graphs (CPG) |
| homepage | |
| repository | https://github.com/gbrigandi/cpg-rs |
| max_upload_size | |
| id | 1595817 |
| size | 106,629 |
Gianluca Brigandi (gbrigandi)
documentation
README
CPG-RS: Code Property Graph Library for Rust
A Rust library for working with Code Property Graphs (CPG), a powerful representation of source code that enables advanced static analysis and vulnerability detection.
What are Code Property Graphs?
Code Property Graphs (CPGs) were introduced by Fabian Yamaguchi et al. in their 2014 paper "Modeling and Discovering Vulnerabilities with Code Property Graphs" presented at the IEEE Symposium on Security and Privacy.
CPGs combine multiple program representations into a single unified graph structure:
- Abstract Syntax Trees (AST): Represent the syntactic structure of code
- Control Flow Graphs (CFG): Represent the flow of control between statements
- Program Dependence Graphs (PDG): Represent data dependencies between program elements
By merging these representations, CPGs enable more sophisticated code analysis than any single representation could provide alone. This unified approach allows for complex queries that can identify security vulnerabilities, bugs, and code quality issues that would be difficult to detect with traditional methods.
Notable CPG Implementations
Several open-source projects implement the CPG concept:
- Joern: The original implementation by the authors of the CPG paper
- ShiftLeft CORE: A CPG implementation focused on static analysis
- cpg4j: A Java implementation of Code Property Graphs
This library, cpg-rs, provides a Rust implementation with serialization/deserialization support.
Features
- Serialization and deserialization of CPG structures using serde
- Support for nodes, edges, and properties
- Support for diff graphs to represent changes to CPGs
- Comprehensive type system for CPG elements
Examples
Modifying a CPG
The modify_cpg example demonstrates how to:
- Create a new CPG from scratch
- Save it to a JSON file
- Load it back
- Modify it by adding nodes and edges
- Save the modified CPG
cargo run --example modify_cpg
Finding Methods and Parameters
The find_methods example shows how to:
- Load a CPG from a JSON file
- Find all method nodes and their parameters
- Print a summary of the methods and parameters
cargo run --example find_methods
Working with Diff Graphs
The diff_graph example demonstrates how to:
- Create a diff graph representing changes to a CPG
- Save it to a JSON file
- Load it back
- Print a summary of the changes
cargo run --example diff_graph
Usage
Add this to your Cargo.toml:
[dependencies]
cpg-rs = "0.1.0"
Basic usage:
use cpg_rs::{Cpg, Node, Edge, NodeType, EdgeType};
use std::fs::File;
use std::io::{BufReader, BufWriter};
// Load a CPG
let file = File::open("cpg.json").unwrap();
let reader = BufReader::new(file);
let cpg: Cpg = serde_json::from_reader(reader).unwrap();
// Process the CPG...
// Save the CPG
let file = File::create("modified_cpg.json").unwrap();
let writer = BufWriter::new(file);
serde_json::to_writer_pretty(writer, &cpg).unwrap();
License
Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
Author
Gianluca Brigandi gbrigand@gmail.com