[joern-scan] Propagate scan defaults into REPL and Scan (#5855)

Author: max-leuthaeuser

console/src/main/scala/io/joern/console/BridgeBase.scala

@@ -37,7 +37,10 @@ case class Config(
   verbose: Boolean = false,
   dependencies: Seq[String] = Seq.empty,
   resolvers: Seq[String] = Seq.empty,
-  maxHeight: Option[Int] = None
+  maxHeight: Option[Int] = None,
+  scanMaxCallDepth: Option[Int] = None,
+  scanScriptNames: Array[String] = Array.empty,
+  scanTagNames: Array[String] = Array.empty
 )
 
 /** Base class for ReplBridge, split by topic into multiple self types.
@@ -250,6 +253,19 @@ trait BridgeBase extends InteractiveShell with ScriptExecution with PluginHandli
       builder += s"""openForInputPath("$path")""".stripMargin
     }
     builder ++= config.runBefore.map(code => escapeForWindows(code, isInteractive))
+
+    if (config.pluginToRun.contains("scan")) {
+      builder += "import io.joern.joerncli.Scan"
+      builder += s"""Scan.defaultOpts.names = Array(${escapeForWindows(
+          config.scanScriptNames.map(n => s""""$n"""").mkString(", "),
+          isInteractive
+        )})"""
+      builder += s"""Scan.defaultOpts.tags = Array(${escapeForWindows(
+          config.scanTagNames.map(n => s""""$n"""").mkString(", "),
+          isInteractive
+        )})"""
+      builder += config.scanMaxCallDepth.map(d => s"Scan.defaultOpts.maxCallDepth = $d").getOrElse("")
+    }
     builder.result()
   }
 

joern-cli/src/main/scala/io/joern/joerncli/JoernScan.scala

@@ -8,7 +8,7 @@ import io.joern.joerncli.JoernScan.getQueriesFromQueryDb
 import io.joern.joerncli.Scan.{allTag, defaultTag}
 import io.joern.joerncli.console.ReplBridge
 import io.shiftleft.codepropertygraph.generated.Languages
-import io.shiftleft.semanticcpg.language.{DefaultNodeExtensionFinder, NodeExtensionFinder, locationCreator}
+import io.shiftleft.semanticcpg.language.locationCreator
 import io.shiftleft.semanticcpg.layers.{LayerCreator, LayerCreatorContext, LayerCreatorOptions}
 import io.shiftleft.semanticcpg.utils.FileUtil
 import io.shiftleft.semanticcpg.utils.FileUtil.*
@@ -174,7 +174,10 @@ object JoernScan extends BridgeBase {
         overwrite = config.overwrite,
         store = config.store,
         language = config.language,
-        frontendArgs = frontendArgs.toArray
+        frontendArgs = frontendArgs.toArray,
+        scanMaxCallDepth = Some(Scan.defaultOpts.maxCallDepth),
+        scanScriptNames = Scan.defaultOpts.names,
+        scanTagNames = Scan.defaultOpts.tags
       )
     run(shellConfig)
     println(s"Run `joern --for-input-path ${config.src}` to explore interactively")
@@ -263,12 +266,17 @@ class Scan(options: ScanOptions)(implicit engineContext: EngineContext) extends
   override val description: String = Scan.description
 
   override def create(context: LayerCreatorContext): Unit = {
-    val allQueries = getQueriesFromQueryDb(new JoernDefaultArgumentProvider(options.maxCallDepth))
+    val maxCallDepth =
+      if (options.maxCallDepth == 2 && Scan.defaultOpts.maxCallDepth != 2) Scan.defaultOpts.maxCallDepth
+      else options.maxCallDepth
+    val allQueries = getQueriesFromQueryDb(new JoernDefaultArgumentProvider(maxCallDepth))
     if (allQueries.isEmpty) {
       println("No queries found, you probably forgot to install a query database.")
       return
     }
-    val queriesAfterFilter = filteredQueries(allQueries, options.names, options.tags)
+    val names              = if (options.names.isEmpty) Scan.defaultOpts.names else options.names
+    val tags               = if (options.tags.isEmpty) Scan.defaultOpts.tags else options.tags
+    val queriesAfterFilter = filteredQueries(allQueries, names, tags)
     if (queriesAfterFilter.isEmpty) {
       println("No queries matched current filter selection (total number of queries: `" + allQueries.length + "`)")
       return

testDistro.py

@@ -211,6 +211,9 @@ def scan_test(self):
 
             # Create test file
             (foo_path / "foo.c").write_text("int foo(int a, int b, int c, int d, int e, int f) {}")
+
+            # Use test file for joern-scan parameter test
+            uaf_c_path = self.script_dir / "tests" / "code" / "c" / "uaf.c"
 
             # Run tests
             self.run_command([self.joern_exe, "--src", str(foo_path), "--run", "scan"],
@@ -222,6 +225,16 @@ def scan_test(self):
             self.run_command([self.joern_scan_exe, "--dump"],
                            "Joern-scan dump")
 
+            # Run scan on real test file to verify functionality
+            proc = self.run_command([self.joern_scan_exe, "--overwrite", "--tags", "all", str(uaf_c_path)],
+                           f"Joern-scan on {uaf_c_path}")
+
+            expected_result = "Result: 5.0 : A value that is free'd is reused without reassignment.: uaf.c:7:bad"
+
+            result_count = sum(1 for line in proc.stdout.splitlines() if expected_result in line)
+            if result_count == 0:
+                raise RuntimeError("Result from joern-scan not found")
+
     @stage
     def slice_test(self):
         """Test slicing functionality"""

tests/code/c/uaf.c

@@ -0,0 +1,19 @@
+#include <stddef.h>
+#include <stdlib.h>
+
+void *bad() {
+	void *x = NULL;
+	free(x);
+	return x;
+}
+
+void *false_positive() {
+    void *x = NULL;
+	free(x);
+	x = NULL;
+	return x;
+}
+
+int main(int argc, char * argv[]){
+    bad();
+}