tabby: A Java Code Analysis Tool
Tabby
Tabby has been recognized by the academic community and accepted for publication in The 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2023).
Tabby is a Java Code Analysis Tool based on Soot. This powerful automated ecosystem simplifies complex analysis, enabling security researchers to identify and address critical security flaws with ease.
The ecosystem consists of four main components:
- Tabby Core: The heart of Tabby, this component leverages a taint analysis engine to transform code into graph data. It supports custom plugins, allowing users to inject their own logic into processes such as function identification and call edge creation, enabling precise recognition of specific code patterns.
- Tabby-Path-Finder: Utilizes Neo4j’s powerful graph traversal capabilities to perform inter-procedural taint analysis on graph databases.
- Tabby-Vul-Finder: Imports tainted data into the graph database and supports configurable automated vulnerability discovery, streamlining the detection process.
- Tabby-Intellij-Plugin: Integrates with IntelliJ IDEA to provide quick navigation from graph data to code, significantly improving the efficiency of vulnerability analysis.
Tabby parses JAR, WAR, and CLASS files into a Code Property Graph (CPG) stored in Neo4j.
Achievements
- CVE-2021-21346
- CVE-2021-21351
- CVE-2021-39147
- CVE-2021-39148
- CVE-2021-39152
- CVE-2021-43297
- CVE-2022-39198
- CVE-2023-23638