cravex2-reachability: Evaluate atom+chen on a simple end-to-end flow

[pombredanne]

We should evaluate atom+chen on a simple end-to-end flow:

• Install atom+chen
• Select a good CVE to use as a test.
  • Infer Package URL from references and other references issues for "commitish" URLs  #327 may be useful
• Collect the fix patch/commit
• Compute the graph on the vulnerable package with atom+chen
• Query that graph using fix patch/commit symbols (function, etc....)
• Report here about the experience

[ziadhany]

1- Install atom+chen

atom installation is easier than chen, but both can run in Docker according to the docs.
I was able to run atom locally and used Docker to run the chennai cli.

• https://github.com/AppThreat/atom/?tab=readme-ov-file#installation
• https://github.com/AppThreat/chen?tab=readme-ov-file#interactive-console

2- Select a good CVE to use as a test.

I picked CVE-2026-1285 because it is straightforward.

3- Collect the fix patch/commit
django/django@a33540b we can easily identify the affected and fixed function: handle_endtag.

4- Compute the graph on the vulnerable package with atom+chen:

$ git clone https://github.com/django/django/
$ cd django
$ git checkout 6.0
Previous HEAD position was 16ae193550 [6.0.x] Bumped version for 6.0 alpha 1 release.
HEAD is now at 36b5f39d93 [6.0.x] Bumped version for 6.0 release.

run atom to compute the call graph (note: generate atom file take some times around 10 minutes or more depend on project complexity )

$ nvm use v24.0.2 # Make sure you use a valid Node.js version.
$ atom -o app.atom -l python .
$ atom usages -l language -o app.atom -s usages.json .
$ cdxgen -t python --deep -o bom.json .
$ atom reachables -o app.atom -s reachables.json -l python .

5- Query that graph

chennai> importAtom("/tmp/app1.atom")

chennai> imports
│           │ django.template.TemplateDoesNotExist                                       │
├───────────┼────────────────────────────────────────────────────────────────────────────┤
│           │ django.template.loader                                                     │
├───────────┼────────────────────────────────────────────────────────────────────────────┤
│           │ django.utils._os.safe_join                                                 │
├───────────┼────────────────────────────────────────────────────────────────────────────┤
│           │ django.utils.http.http_date                                                │
├───────────┼────────────────────────────────────────────────────────────────────────────┤
│           │ django.utils.http.parse_http_date                                          │
├───────────┼────────────────────────────────────────────────────────────────────────────┤
│           │ django.utils.translation.gettext                                           │
├───────────┼────────────────────────────────────────────────────────────────────────────┤
│           │ django.utils.translation.gettext_lazy                                      │
└───────────┴────────────────────────────────────────────────────────────────────────────┘

chennai> atom.method(".*handle_endtag.*").name.l
val res31: List[String] = List(
  "handle_endtag",
  "handle_endtag<metaClassAdapter>",
  "handle_endtag",
  "handle_endtag<metaClassAdapter>",
  "handle_endtag"
)

chennai> atom.method(".*handle_endtag.*").caller.name.l
val res47: List[String] = List(
  "handle_endtag<metaClassAdapter>",
  "handle_endtag<metaClassAdapter>",
  "handle_startendtag",
  "handle_startendtag"
)

5- Report here about the experience:

• By using the app.atom, usage.json, and reachables.json files, we can see exactly how the code works and find every path a function takes.
• Chennai for queries is great, but it is difficult to test because the documentation is not clear and lacks examples.
• Issues with Small Projects:
  I tested the tool with a single simple function CVE-2020-22083 to see how it performs in different situations. Sometimes the reachables.json file is empty when testing small projects, possibly because there isn't enough information to map but we still have the usage.json file and it can be very helpful for finding the information we need.