Code Hierarchy Exploration Net (chen) is an advanced exploration toolkit for your application source code and its dependency hierarchy. This repo contains the source code for the chen library and an advanced REPL console called chennai (chen, not AI).
The chen container image has everything needed to get started.
Use the docker compose file from this repo to try chennai with Jupyter Notebook.
git clone https://github.com/AppThreat/chen
cd chen
docker compose up
Open getting-started.ipynb and use the controls in Jupyter to interact with the cells. A rendered preview of the notebook is also available on GitHub in the repo.
To start the interactive console, run the chennai command:
docker run --rm -v /tmp:/tmp -v $HOME:$HOME -v $(pwd):/app:rw -it ghcr.io/appthreat/chen chennai
Note that this command mounts /tmp and your entire home directory read-write into the container, so anything running inside it can read and modify files under $HOME such as SSH keys and cloud credentials. When analysing code you do not trust, mount only the project directory you need.
chennai could also be run as an HTTP server:
docker run --rm -v /tmp:/tmp -v $HOME:$HOME -v $(pwd):/app:rw -p 8080:8080 -it ghcr.io/appthreat/chen chennai --server
`-p 8080:8080` publishes the server on every interface of the host; use `-p 127.0.0.1:8080:8080` unless you intend other machines to reach it.
Defaults:
# Install atom and cdxgen
sudo npm install -g @appthreat/atom @cyclonedx/cdxgen --omit=optional
# Install chen from pypi
pip install appthreat-chen
Both npm and pip execute code from the packages at install time, so pin the versions you have reviewed. Running `npm install -g` under sudo runs the packages' install scripts as root; prefer a user-writable npm prefix where your setup allows it.
To download the chen distribution:
chen --download
To generate custom graphs and models with atom for data science, download the scientific pack, which installs support for the PyTorch ecosystem. conda is recommended for the best experience.
chen --download --with-science
Once the download finishes, the command prints the download location along with the environment variables that must be set before the chennai console can be invoked. Example output:
[21:53:36] INFO To run chennai console, add the following environment variables to your .zshrc or .bashrc:
export JAVA_OPTS="-Xmx16G"
export JAVA_TOOL_OPTIONS="-Dfile.encoding=UTF-8 -Djna.library.path=<lib dir>"
export SCALAPY_PYTHON_LIBRARY=python3.12
export CHEN_HOME=/home/user/.local/share/chen
export PATH=$PATH:/home/user/.local/share/chen/platform:/home/user/.local/share/chen/platform/bin:
These environment variables must be set; without them the console commands fail with errors. Note that the PATH line in the example output ends with a colon. The shell treats that empty entry as the current directory, so drop the trailing colon when copying the line into your .zshrc or .bashrc.
Type chennai to launch the console.
chennai
_ _ _ _ _ __
/ |_ _ ._ ._ _. o |_ / \ / \ / \ / |_|_
\_ | | (/_ | | | | (_| | |_) \_/ \_/ \_/ / |
Version: 0.0.7
Type `help` to begin
chennai>
chennai> help
val res0: Helper = Welcome to the interactive help system. Below you find a table of all available
top-level commands. To get more detailed help on a specific command, just type
`help.<command>`.
Try `help.importCode` to begin with.
_______________________________________________________________________________________________________________________________________________________________
command | description | example |
=============================================================================================================================================================|
annotations | List annotations | annotations |
callTree | Show call tree for the given method | callTree(method full name) |
close | Close project by name | close(projectName) |
declarations | List declarations | declarations |
distance | Show graph edit distance from the source method to the comparison methods | distance(source method iterator, comparison method iterators) |
exit | Exit the REPL | |
files | List files | files |
importAtom | Create new project from existing atom | importAtom("app.atom") |
importCode | Create new project from code | importCode("example.jar") |
imports | List imports | imports |
methods | List methods | methods('Methods', includeCalls=true, tree=true) |
sensitive | List sensitive literals | sensitive |
showSimilar | Show methods similar to the given method | showSimilar(method full name) |
summary | Display summary information | summary |
reachables | Show reachable flows from a source to sink. Default source: framework-input and sink: framework-output | reachables |
cryptos | Show reachable flows from a source to sink. Default source: crypto-algorithm and sink: crypto-generate | cryptos |
Refer to the documentation site to learn more about the commands.
ANDROID_HOME
You might see errors like this in the chennai console.
chennai> help
-- [E006] Not Found Error: -----------------------------------------------------
1 |help
|^^^^
|Not found: help
|-----------------------------------------------------------------------------
| Explanation (enabled by `-explain`)
|- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| The identifier for `help` is not bound, that is,
| no declaration for this identifier can be found.
| That can happen, for example, if `help` or its declaration has either been
| misspelt or if an import is missing.
-----------------------------------------------------------------------------
1 error found
This error is mostly due to a missing Python shared library: .so (Linux), .dll (Windows) or .dylib (macOS). Ensure the environment variables printed by `chen --download` (shown above) are set correctly, in particular SCALAPY_PYTHON_LIBRARY and the -Djna.library.path entry in JAVA_TOOL_OPTIONS.
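As an added example (not part of the chen project), the following POSIX shell preflight checks the variables printed by `chen --download` before you launch chennai: that CHEN_HOME contains the platform directory, that the directory named by -Djna.library.path in JAVA_TOOL_OPTIONS actually holds the Python shared library named by SCALAPY_PYTHON_LIBRARY (the usual cause of the "Not found: help" error above), and that PATH has no empty entry from a trailing colon. The function names and the lib<name>.so/.dylib/.dll naming convention are assumptions of this example, and it assumes no spaces inside JAVA_TOOL_OPTIONS paths.

```shell
#!/bin/sh
# chen_preflight.sh: sanity-check the chennai environment before launching the console.
# Added example, not part of chen. Variable names follow the `chen --download` output;
# the lib<name>.<ext> naming of the Python shared library is an assumption.

# Return 0 if PATH contains an empty entry (e.g. a trailing ':'), which the shell
# treats as "the current directory"; return 1 otherwise.
path_has_empty_entry() {
  case ":$1:" in
    *::*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the value of -Djna.library.path=<dir> from a JAVA_TOOL_OPTIONS string
# (empty output if the option is absent). Assumes the path contains no spaces.
jna_library_path() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-Djna\.library\.path=//p' | head -n 1
}

# Return 0 if <dir> holds lib<name>.so, .dylib or .dll, where <name> is the
# SCALAPY_PYTHON_LIBRARY value (e.g. python3.12 -> libpython3.12.so).
python_lib_present() {
  dir="$1"; name="$2"
  for ext in so dylib dll; do
    [ -f "$dir/lib$name.$ext" ] && return 0
  done
  return 1
}

# chen_preflight CHEN_HOME JAVA_TOOL_OPTIONS SCALAPY_PYTHON_LIBRARY PATH
# Prints one line per problem found and returns 1; returns 0 when all checks pass.
chen_preflight() {
  chen_home="$1"; jto="$2"; pylib="$3"; path="$4"
  ok=0
  [ -d "$chen_home/platform/bin" ] || { echo "CHEN_HOME/platform/bin missing: $chen_home"; ok=1; }
  libdir=$(jna_library_path "$jto")
  if [ -z "$libdir" ]; then
    echo "JAVA_TOOL_OPTIONS lacks -Djna.library.path"; ok=1
  elif ! python_lib_present "$libdir" "$pylib"; then
    echo "no lib$pylib.{so,dylib,dll} under $libdir (chennai would fail with 'Not found: help')"; ok=1
  fi
  if path_has_empty_entry "$path"; then
    echo "PATH has an empty entry (trailing ':'): the shell would search the current directory"; ok=1
  fi
  return $ok
}

# Usage from an interactive shell after sourcing this file:
#   chen_preflight "$CHEN_HOME" "$JAVA_TOOL_OPTIONS" "$SCALAPY_PYTHON_LIBRARY" "$PATH" && chennai
```

Source the file and run `chen_preflight` with your real variables; a non-zero return means chennai is likely to fail, and the printed line names the variable to fix. The PATH check is the one the example output above would trip on if copied verbatim.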
chen is a fork of the popular joern project. We deviate from the joern project in the following ways:
We don't intend for bug-to-bug compatibility and often rewrite patches to suit our needs. We also do not bring features and passes that do not add value for hierarchical analysis.
Apache-2.0
Enterprise support including custom language development and integration services is available via AppThreat Ltd.
YourKit supports open source projects with innovative and intelligent tools for monitoring and profiling Java and .NET applications. YourKit is the creator of YourKit Java Profiler, YourKit .NET Profiler, and YourKit YouMonitor.
FAQs
Code Hierarchy Exploration Net (chen)
We found that appthreat-chen demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.