The Code Property Graph (CPG) is a multi-layered representation of each unique code version of your application. The most important layers are the base layer, the two default layers, the tagging layer, and the securityprofile layer.
You work with layers in your workspace. Layers are frequently referred to as "overlays". Additional information on CPG layers is provided in the API.
For each language supported by ShiftLeft Ocular, the language frontend component translates code written in that language into the base layer of a CPG. For example, the JavaLanguageFrontend translates a JAR into a CPG. The base layer is the foundation of the CPG, but on its own it is not sufficiently expressive for examining data flows and vulnerabilities.
The default layers are automatically created and loaded into memory when you create a CPG or load an existing CPG. The semanticcpg layer links together the methods and type declarations. Building on the base layer and this semantic information, framework-specific passes introduce additional information, and data flow semantics are added to the CPG as specified by Policies.
The tagging layer identifies possible attacker-controlled data sources and interesting sinks, as specified by Policies.
The securityprofile layer is derived from Policies and the CPG, and summarizes the vulnerabilities and data leaks present in your code. Specifically, it describes:
Security-relevant data flows
Unlike the base and default layers, the Security Profile is expensive to compute at runtime, so it must be explicitly created and loaded.
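The layering described above (a base graph produced by a frontend, default overlays that resolve calls and add data flow, a policy-driven tagging overlay, and an expensive security profile computed only on request) is easier to see in a small model. The following is an added toy implementation written for this page; it is not Ocular's code or API, and every name in it (the CPG class, the layer functions, the constructed POLICY and the two call sites) is an assumption chosen for illustration. The security profile here is a plain breadth-first search from tagged sources to tagged sinks along the data flow edges the overlay added, and it refuses to run until the layers it depends on are present.

```python
"""Toy layered code property graph (constructed example, not ShiftLeft Ocular's implementation)."""
from collections import deque

# Constructed policy: fully qualified methods treated as attacker-controlled sources and as sensitive sinks.
POLICY = {
    "sources": {"java.io.BufferedReader.readLine"},
    "sinks": {"java.sql.Statement.executeQuery"},
}


class CPG:
    """Nodes carry properties; edges carry a label and the name of the layer that added them."""

    def __init__(self):
        self.nodes = {}        # node id -> property dict
        self.edges = []        # (src, dst, label, layer)
        self.layers = ["base"]  # overlays applied so far, in order
        self._next = 0

    def add_node(self, kind, name, **props):
        nid = self._next
        self._next += 1
        self.nodes[nid] = {"kind": kind, "name": name, **props}
        return nid

    def add_edge(self, src, dst, label, layer="base"):
        self.edges.append((src, dst, label, layer))

    def out(self, nid, label):
        return [d for s, d, lbl, _ in self.edges if s == nid and lbl == label]

    def nodes_of(self, kind):
        return [i for i, n in self.nodes.items() if n["kind"] == kind]


def build_base():
    """Base layer: roughly what a language frontend emits (method stubs, call sites, defs and uses)."""
    cpg = CPG()
    for full in ("java.io.BufferedReader.readLine", "java.sql.Statement.executeQuery"):
        cpg.add_node("METHOD", full.rsplit(".", 1)[1], fullName=full)
    cpg.add_node("CALL", "readLine", defines="name")         # name = reader.readLine()
    cpg.add_node("CALL", "executeQuery", uses="name")        # stmt.executeQuery(name)
    cpg.add_node("LITERAL", "constQuery", defines="constQuery")
    cpg.add_node("CALL", "executeQuery", uses="constQuery")  # stmt.executeQuery(constQuery)
    return cpg


def apply_semanticcpg(cpg):
    """Default layer: link each CALL to the METHOD declaration it invokes (matched by simple name here)."""
    by_name = {cpg.nodes[m]["name"]: m for m in cpg.nodes_of("METHOD")}
    for c in cpg.nodes_of("CALL"):
        target = by_name.get(cpg.nodes[c]["name"])
        if target is not None:
            cpg.add_edge(c, target, "CALL", layer="semanticcpg")
    cpg.layers.append("semanticcpg")


def apply_dataflow(cpg):
    """Default layer: REACHING_DEF edges from each definition of a variable to every node that uses it."""
    defs = {}
    for nid, n in cpg.nodes.items():
        if "defines" in n:
            defs.setdefault(n["defines"], []).append(nid)
    for nid, n in cpg.nodes.items():
        for d in defs.get(n.get("uses"), []):
            cpg.add_edge(d, nid, "REACHING_DEF", layer="dataflow")
    cpg.layers.append("dataflow")


def apply_tagging(cpg, policy):
    """Tagging layer: mark call sites whose resolved method the policy names as a source or a sink."""
    for c in cpg.nodes_of("CALL"):
        for m in cpg.out(c, "CALL"):
            full = cpg.nodes[m]["fullName"]
            if full in policy["sources"]:
                cpg.nodes[c]["tag"] = "source"
            elif full in policy["sinks"]:
                cpg.nodes[c]["tag"] = "sink"
    cpg.layers.append("tagging")


def security_profile(cpg):
    """On-demand layer: every source-to-sink path along data flow edges; returns the paths found."""
    if not {"semanticcpg", "dataflow", "tagging"} <= set(cpg.layers):
        raise RuntimeError("security profile requires the default and tagging layers")
    findings = []
    sources = [n for n in cpg.nodes_of("CALL") if cpg.nodes[n].get("tag") == "source"]
    for src in sources:
        seen, queue = {src}, deque([(src, [src])])
        while queue:
            cur, path = queue.popleft()
            if cpg.nodes[cur].get("tag") == "sink":
                findings.append(path)
                continue
            for nxt in cpg.out(cur, "REACHING_DEF"):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
    cpg.layers.append("securityprofile")
    return findings


def analyse(policy=POLICY):
    """Create the base CPG, apply the automatic layers, then explicitly build the security profile."""
    cpg = build_base()
    apply_semanticcpg(cpg)
    apply_dataflow(cpg)
    apply_tagging(cpg, policy)
    return cpg, security_profile(cpg)


if __name__ == "__main__":
    graph, paths = analyse()
    for p in paths:
        print(" -> ".join(graph.nodes[n]["name"] for n in p))
```

Only the call whose argument reaches back to the tagged source is reported; the second executeQuery, fed by a literal, never appears in a path. The overlays are applied in dependency order because tagging consults the CALL edges that semanticcpg added, and the profile walks the REACHING_DEF edges that dataflow added, which is why the model, like the page, treats the profile as a separate, explicitly requested step.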