This is a CPG frontend based on Javascript source code powered by the GraalJS Parser which is part of the GraalVM JS project.
Requirements:
- >= JDK 8. We recommend OpenJDK 11 or AdoptJDK 11.
- sbt (https://www.scala-sbt.org/)
You can build js2cpg by running the command below.
sbt stageAfter running js2cpg by invoking ./js2cpg.sh you should be able to see the output below.
Error: Missing argument <srcdir> Try --help for more information. ██╗███████╗██████╗ ██████╗██████╗ ██████╗ ██║██╔════╝╚════██╗██╔════╝██╔══██╗██╔════╝ ██║███████╗ █████╔╝██║ ██████╔╝██║ ███╗ ██ ██║╚════██║██╔═══╝ ██║ ██╔═══╝ ██║ ██║ ╚█████╔╝███████║███████╗╚██████╗██║ ╚██████╔╝ ╚════╝ ╚══════╝╚══════╝ ╚═════╝╚═╝ ╚═════╝ js2cpg version "current version number" Usage: js2cpg.sh [options] <srcdir> --help prints this usage text --version print js2cpg version and exit <src> directory containing Javascript code or the path to a *.vsix file --package-json <value> path to the projects package.json (path relative to <src> or absolute path; defaults to '<src>/package.json') --output <value> CPG output file name (defaults to 'cpg.bin.zip') --no-ts disables transpiling Typescript files to Javascript --no-babel disables transpiling Javascript files with Babel --no-vue-js disables transpiling Vue.js files --no-nuxt-js disables Nuxt.js transpiling --no-templates disables transpiling EJS or Pug template files --exclude <file1>,<file2>,... files to exclude during CPG generation (paths relative to <srcdir> or absolute paths) --exclude-regex <value> a regex specifying files to exclude during CPG generation (the absolute file path is matched) --include-minified include minified Javascript files (filename ending with '-min.js', '.min.js', or 'bundle.js') --include-tests include test files --exclude-private-deps excludes private modules/dependencies in 'node_modules/' (defaults to 'false') --private-deps-ns <dep1>,<dep2>,... additional private dependencies to be analyzed from 'node_modules/' --exclude-html excludes HTML files (*.html) --all-dependencies install all project dependencies during transpilation (defaults to 'false') --fixed-transpilation-dependencies install fixed versions of transpilation dependencies during transpilation (defaults to 'true')js2cpg requires at least one argument <srcdir>. srcdir is path to the project directory from which you would like to generate a CPG. The option output parameter describes the location in the file system where the CPG should be stored to.
- Clone the project
- Build the project
sbt stage - Create a CPG
./js2cpg.sh /path/to/your/code -o /path/to/cpg.bin - Download Joern with
wget https://github.com/joernio/joern/releases/latest/download/joern-cli.zip unzip joern-cli.zip cd joern-cli - Copy
cpg.bininto the Joern directory - Start Joern with
./joern.sh - Import the cpg with
importCpg("cpg.bin") - Now you can query the CPG
js2cpg operates in three major steps: Preprocessing, parsing, and CPG-generation which are explained below.
This runs our transpilers/preprocessors if the input project contains at least one element of the targeted language extension or template language (e.g., at least one Typescript file).
- Babel
- EJS
- Nuxt.js
- PUG templates
- Vue.js templates
- Typescript
With this, we ensure to have ES6 compliant JS code before we continue with the actual parsing and CPG-generation.
This is done by the GraalJS Parser. Standard visitor pattern is used to traverse the resulting JS AST afterward for our CPG-generation.
The CPG-generation phase is responsible for actually generating the CPG using various passes. The actual magic happens within the AstCreator.