Tailoring Code Property Graphs to Jimple

The increased complexity of modern software has led to much more sophisticated attack vectors. As a result, we require newer vulnerability detection methods to ensure software security without compromising efficiency. The Code Property Graph (CPG) is a program representation that provides a comprehensive overview of program behavior, combining abstract syntax trees, control flow graphs, and program dependence graphs. With such a detailed data structure, we can detect patterns that characterize known vulnerabilities and identify various security threats. Querying the combined data structure instead of the individual graphs enables the detection of multidimensional scenarios. This work aims to integrate the advantages of CPGs into software systems that utilize the Jimple intermediate representation. We introduce JimNode, a novel approach for generating CPGs specifically tailored to Jimple. Despite the model incompatibility, our evaluation, which covered approximately 50,800 methods, reveals an 88.07% similarity of the inter-statement edges compared to Joern, the state-of-the-art tool for CPG generation. We provide a detailed analysis of our methodology and discuss why it is better suited for Jimple programs than Joern’s language-agnostic approach.