At ShiftLeft we believe strongly in the power of the open source community. We've benefited greatly in building ShiftLeft's products by leveraging open source software, which lets us focus our own efforts on building differentiated features. As part of giving back, we seek to contribute meaningful code to the community, whether through new projects we've started or by contributing to existing projects.
Joern, the genesis of the ShiftLeft Code Property Graph (CPG), analyzes a code base using a robust parser for C/C++ and represents the entire code base as a single property graph stored in a Neo4j graph database. This allows the code to be mined using complex queries formulated in graph traversal languages.
The Code Property Graph Schema is an open standard for language-agnostic representation of program code designed for incremental and distributed code analysis. The CPG schema is made available to foster an open standard for the exchange of code in intermediate representations along with analysis results. The standard consists of a minimal base schema that can be augmented via extension schemas to enable storage of application-specific data.
Sbt is an open source plugin for fully automated releases, without SNAPSHOTs or git SHAs in the version. It is a remix of the best ideas from sbt-ci-release and sbt-release-early. The plugin detects the last version from git (e.g. v1.0.0) and increments the last digit, so the next release is automatically inferred as v1.0.1.
HelloShiftLeft is a demo application built on the Spring Framework to provide a real-world representation of a REST service that uses a mix of convention and configuration and simulates a common set of vulnerabilities found in code. The tool also exposes a series of endpoints and APIs for queries and for simulating exploits.
TraceLeft is a library for tracing applications, together with a small CLI tool (traceleft) that acts as a reference implementation of the framework. It uses Linux eBPF and kprobes to install probes on Linux function calls (both APIs and other internal functions) in order to receive callbacks for the syscall, file and network events of a traced process.