Code auditors and vulnerability researchers still practice their art largely with grep, because most code analysis tools are too inflexible and dated to express the questions an auditor actually wants to ask.
ShiftLeft’s Ocular enables detailed, complex mining of ShiftLeft’s Code Property Graph (CPG). The CPG combines, among other things, syntax trees, control flow graphs, call graphs, data dependencies, and directory structure into a single queryable graph, and Ocular pairs it with an easy-to-use query language.
Ocular and its predecessor, Joern, have been used by several organizations to find zero-day vulnerabilities in large, complex code bases such as the Linux kernel.
Ocular converts programs in each supported programming language into an intermediate representation that adheres to the CPG specification. This allows the same query to be run across code bases written in multiple programming languages. Hence, Ocular queries can be used to apply and verify coding standards quickly across the entire environment, regardless of the programming language.
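To make the idea of querying the CPG concrete, here is an added example of a taint-style query in the Scala-based Joern/Ocular query language. It is not taken from the page or from ShiftLeft’s documentation; the `importCode` call is the form used by the Joern shell and is assumed here to apply to Ocular as well, and the source and sink function names are illustrative choices for a C code base.

```scala
// Build (or load) a CPG for a C project. `importCode` is the Joern shell
// helper; the path is a placeholder and must be replaced with a real tree.
importCode("/path/to/c-project")

// Sources: every argument of calls that read external input.
// `.name(...)` accepts a regular expression.
def source = cpg.call.name("recv|read|fgets|gets").argument

// Sink 1: the second argument of strcpy (the buffer being copied from).
def strcpySink = cpg.call.name("strcpy").argument(2)

// Sink 2: the first argument of system (the command string).
def systemSink = cpg.call.name("system").argument(1)

// Follow data dependencies backwards from each sink to any source
// and print the flows found. `.l` instead of `.p` returns a list.
strcpySink.reachableByFlows(source).p
systemSink.reachableByFlows(source).p

// Because the CPG is language-neutral, the same shape of query works on
// a Java project by swapping the method names, e.g.
// cpg.call.name("exec").argument(1).reachableByFlows(
//   cpg.call.name("getParameter").argument).p
```

The query does not look at a single function at a time: `reachableByFlows` walks the data-dependency edges across function boundaries, which is exactly the interprocedural reasoning that a grep cannot do.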
Custom queries written for Ocular can be submitted to ShiftLeft’s Code Analysis Solution, which integrates into DevOps pipelines. This allows code auditors and vulnerability researchers to scale their expertise across the organization.
The ShiftLeft platform integrates with build tools and code repositories so that Ocular queries can be run on every pull request, commit, or build. Furthermore, query results can be exported and integrated into the developer workflow toolchain (JIRA, GitHub, etc.).