After installing NDepend and writing a first simple CQL query, it was time to try something more interesting, namely a query that could help me write rules to find security vulnerabilities like SQL Injection.
So I decided to write a rule to find out the call flows into/from a particular method, i.e. ‘Who calls this method, and whom does it call?’
With NDepend enabled on the source code of TeamMentor/Master, I opened a class and chose this option:
... which opened this Dependency Graph
If I now select a method, a helper tab will appear below:
... which for example, explains how to generate a call graph:
As per the instructions above, to create a call-graph, I select the direct/indirect callers
... which creates a (custom) CQL rule and executes it:
Following the 2nd step of the instructions, I clicked on the ‘Export to Graph’ button, and I got this nice graph:
Changing the query a little bit (from m.DepthOfIsUsing to m.DepthOfIsUsedBy)
gives us a recursive mapping of all methods called by the original method, i.e. the call-flow FROM the current method (the first graph gave us the call-flow INTO the current method):
And once I got this script right (see below), this is how we get both graphs together:
... which will create this graph:
Now think of a similar view with the attack surface at the top and the vulnerable APIs (like SQL execute) at the bottom :)
And although this would just be a call-flow analysis (vs taint analysis), my experience doing similar analysis with the O2 Platform has shown that we can find A LOT of vulnerabilities this way (i.e. without needing a full taint-analysis engine).
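To make the idea concrete, here is a small stand-alone model of what the two queries compute and how the "attack surface at the top, SQL execute at the bottom" view falls out of them. This is an added example, not the post's CQL script and not NDepend code: it runs over a constructed call graph with invented method names, and it assumes (as a placeholder for a real attack-surface definition) that any method on a type whose name contains "Controller" is an entry point.

```python
from collections import deque

# Constructed call graph (caller -> callees) for a hypothetical web app;
# the method names are invented and are not taken from TeamMentor.
CALL_GRAPH = {
    "UsersController.Search": ["UserService.Find", "Logger.Info"],
    "UsersController.Profile": ["UserService.GetById"],
    "AdminController.Report": ["ReportService.Run"],
    "UserService.Find": ["Repository.Query"],
    "UserService.GetById": ["Repository.QueryById"],
    "ReportService.Run": ["Repository.Query"],
    "Repository.Query": ["SqlCommand.ExecuteReader"],
    "Repository.QueryById": ["SqlCommand.ExecuteReader"],
    "Logger.Info": [],
    "SqlCommand.ExecuteReader": [],
}

def reverse_graph(graph):
    """callee -> callers, so 'who calls me' becomes a forward walk."""
    rev = {m: [] for m in graph}
    for caller, callees in graph.items():
        for callee in callees:
            rev.setdefault(callee, []).append(caller)
    return rev

def depth_map(start, adjacency):
    """BFS from start: depth 0 is the method itself, 1 direct, 2+ indirect."""
    depths, queue = {start: 0}, deque([start])
    while queue:
        m = queue.popleft()
        for n in adjacency.get(m, []):
            if n not in depths:
                depths[n] = depths[m] + 1
                queue.append(n)
    return depths

def depth_of_is_using(method):
    """Analogue of m.DepthOfIsUsing(method): callers, i.e. call-flow INTO."""
    return depth_map(method, reverse_graph(CALL_GRAPH))

def depth_of_is_used_by(method):
    """Analogue of m.DepthOfIsUsedBy(method): callees, i.e. call-flow FROM."""
    return depth_map(method, CALL_GRAPH)

def entry_points_reaching(sink, marker="Controller"):
    """Attack-surface methods (type name contains marker, an assumption
    fitting MVC-style apps) that can reach sink, with their call depth."""
    callers = depth_of_is_using(sink)
    return {m: d for m, d in callers.items() if marker in m.split(".")[0]}
```

The last function is the "both graphs together" view reduced to a table: every entry point that has a call path down to the SQL execute sink, which is exactly the set you would then review by hand (or feed to a taint engine) for injection.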