Code Pathfinder is an open-source alternative to CodeQL. Designed for precise flow analysis and advanced structural search, it identifies vulnerabilities in source code. It currently supports only the Java language.
$ npm install -g codepathfinder
$ pathfinder --help
Download the latest release from GitHub releases and choose the binary that matches your operating system.
$ chmod u+x pathfinder
$ pathfinder --help
Read the official documentation, or run pathfinder --help.
- Basic queries (Similar to CodeQL)
- Source Sink Analysis
- Taint Analysis
- Data Flow Analysis with Control Flow Graph
$ cd sourcecode-parser
$ gradle buildGo    # builds the pathfinder binary from source; alternatively, install the prebuilt package with: npm install -g codepathfinder
$ ./pathfinder query --project <path_to_project> --stdin
2024/06/30 21:35:29 Graph built successfully
Path-Finder Query Console:
>FIND method_declaration WHERE throwstype = "ClassCastException"
Executing query: FIND method_declaration WHERE throwstype = "ClassCastException"
┌───┬──────────────────────────────────────────┬─────────────┬────────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ # │ FILE │ LINE NUMBER │ TYPE │ NAME │ CODE SNIPPET │
├───┼──────────────────────────────────────────┼─────────────┼────────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ 1 │ /Users/shiva/src/code-pathfinder/test-sr │ 148 │ method_declaration │ getPaneChanges │ protected void getPaneChanges() throws ClassCastException { │
│ │ c/android/app/src/main/java/com/ivb/udac │ │ │ │ mTwoPane = findViewById(R.id.movie_detail_container) │
│ │ ity/movieListActivity.java │ │ │ │ != null; │
│ │ │ │ │ │ } │
└───┴──────────────────────────────────────────┴─────────────┴────────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘
Path-Finder Query Console:
>:quit
Okay, Bye!
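The session above types each query by hand. The script below, an added example and not part of the Code Pathfinder project, drives the same query --project <path> --stdin command non-interactively so a batch of queries can run in CI. It assumes that --stdin accepts the same query lines the console accepts, terminated by :quit, as the interactive session suggests; the script name batch_queries.sh and the exception types passed to it are illustrative.

```shell
#!/bin/sh
# Added example (not the project's own code): feed a batch of Code Pathfinder
# queries through `pathfinder query --project <dir> --stdin`.
# Assumption: --stdin reads the same query syntax as the interactive console,
# one query per line, ending with :quit.

# Emit one FIND query per exception type given as an argument, then :quit.
build_queries() {
    for exc in "$@"; do
        printf 'FIND method_declaration WHERE throwstype = "%s"\n' "$exc"
    done
    printf ':quit\n'
}

# Run the query batch against a project directory. Returns pathfinder's exit
# status, or 127 with a message if the binary is not on PATH.
run_queries() {
    project="$1"
    shift
    if ! command -v pathfinder >/dev/null 2>&1; then
        echo "pathfinder not found on PATH; install it first" >&2
        return 127
    fi
    build_queries "$@" | pathfinder query --project "$project" --stdin
}

# Usage (hypothetical invocation):
#   ./batch_queries.sh /path/to/project ClassCastException NullPointerException
if [ "$#" -ge 2 ]; then
    run_queries "$@"
fi
```

Keeping the query text in build_queries means the list of exception types (or any other predicate the query language supports) can be changed without touching the command line that invokes the tool.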
Code Pathfinder uses tree-sitter for all language parsers.