June 2019

ShiftLeft Ocular

  • On-Disk Code Property Graph (CPG) Support. (Introduced in ShiftLeft Ocular version 0.3.38) Disk overflow is automatically enabled for CPGs. Disk overflow moves parts of the CPG to disk only when the number of entries in memory reach 80% of the maximum memory allocation. Based on the query, ShiftLeft Ocular automatically identifies the parts of the CPG needed, which are loaded into RAM. The following (example) information is displayed by ShiftLeft Ocular when disk overflow is enabled

    INFO heap usage (after GC) was 0.87 -> scheduled to clear 100000 references (asynchronously)
    INFO attempting to clear 100000 references

    The result is that larger CPGs are now supported, though at a performance cost.

  • Recommendations on Memory Size. (Introduced in ShiftLeft Ocular version 0.3.41) ShiftLeft Ocular now displays information on the amount of memory needed to create or load a CPG, allowing you to optimize performance for large applications, instead of defaulting to disk overflow. For example

    ocular> createCpg("someBigApp.jar")
    ocular> The cpg.bin.zip you are loading is 63MB on disk and requires approximately 12712MB heap,
    but the current maximum heap size is 455MB. It is suggested that you provide a larger
    `-J-Xmx` setting, e.g. `ocular.sh `-J-Xmx14g` to ensure that your machine has sufficient
    free physical memory available. Otherwise, disk overflow is automatically enabled,
    slowing performance.
  • Common Queries. The ShiftLeft Ocular documentation has been improved with information on the most common queries:

ShiftLeft Protect

  • ShiftLeft Protect Event Viewer. From the Vulnerabilities Dashboard, you can now view details on a sampling of security events for a vulnerability. This includes information on an event's headers, payloads, request origin, and whether the event was blocked by ShiftLeft Protect. Such information can help you in remediation, to make precise code fixes and to determine the extent of an attack.

    Note that by default the Event Viewer only displays an event count summary. In order to include the full payloads of attack events, you must turn on the Protect configuration item sec.collect.attack.info. User opt-in is required because collected event information collected potentially sensitive, and consumes more network resources to transmit that data to the ShiftLeft infrastructure.