Impact

The Joern project provides the original implementation of the Code Property Graph, based on the 2014 IEEE Security & Privacy paper Modeling and Discovering Vulnerabilities with Code Property Graphs. Published as open source under the Apache 2 License, it has made this representation accessible to the broader research community, accelerating innovation in automated vulnerability discovery and code analysis. In recognition of its long-lasting impact, the paper received the IEEE Test-of-Time Award in 2024.

A 2024 literature review conducted by Harzevili et al. found that Joern is by far the most popular tool for code analysis/compilation in the context of automated software vulnerability detection using machine learning, as shown in the following table.

Most popular tools for vulnerability detection

The following is an overview of research, articles, and videos that make use of Joern and code property graphs. If you would like your work to be included on this page, please feel free to reach out.

Papers (Last Updated: May 2025)

  • Nong et al. – APPATCH: Automated Adaptive Prompting Large Language Models for Real-World Software Vulnerability Patching (USENIX Security 2025)

  • Thimmaiah et al. – FIXX: FInding eXploits from eXamples (USENIX Security 2025)

  • Scholtes et al. – CHARON: Polyglot Code Analysis for Detecting Vulnerabilities in Scripting Languages Native Extensions (EURO S&P 2025)

  • Zhou et al. – ReGraph: A Tool for Binary Similarity Identification (ISSTA 2025)

  • Lin et al. – Uncovering the Iceberg from the Tip: Generating API Specifications for Bug Detection via Specification Propagation Analysis (NDSS 2025)

  • Khodayari et al. – Do (Not) Follow the White Rabbit: Challenging the Myth of Harmless Open Redirection (NDSS 2025)

  • Yang and Cai – Dissecting Real-World Cross-Language Bugs (FSE 2025)

  • Wu – Identifying software vulnerabilities via code representation learning (PhD Thesis 2025)

  • David et al. – QUACK: Hindering Deserialization Attacks via Static Duck Typing (NDSS 2024)

  • Amour and Tilevich – Toward Declarative Auditing of Java Software for Graceful Exception Handling (MPLR 2024)

  • Shao and Ding – FVD-DPM: Fine-Grained Vulnerability Detection via Conditional Diffusion Probabilistic Models (USENIX Security 2024)

  • Ferreira et al. – Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs (PLDI 2024)

  • Basque et al. – Ahoy SAILR! There is No Need to DREAM of C: A Compiler-Aware Structuring Algorithm for Binary Decompilation (USENIX Security 2024)

  • Wang et al. – Combining Structured Static Code Information and Dynamic Symbolic Traces for Software Vulnerability Prediction (ICSE 2024)

  • Hussain et al. – Vulnerability detection in Java source code using a quantum convolutional neural network with self-attentive pooling, deep sequence, and graph-based hybrid feature extraction (Nature 2024)

  • Wang et al. – OSmart: Whitebox Program Option Fuzzing (CCS 2024)

  • Liang et al. – A Source Code Vulnerability Detection Method Based on Adaptive Graph Neural Networks (ASEW 2024)

  • Rozi et al. – Securing Code With Context: Enhancing Vulnerability Detection Through Contextualized Graph Representations (IEEE Access Vol.2 2024)

  • Nguyen et al. – Code-centric learning-based just-in-time vulnerability detection (Systems & Software 2024)

  • de Oliveira Brito – Applying Code Property Graphs On Modern Web Languages For Security and Privacy Analysis (PhD Thesis 2024)

  • Lee and Son – AdCPG: Classifying JavaScript Code Property Graphs with Explanations for Ad and Tracker Blocking (CCS 2023)

  • Lin et al. – Detecting API Post-Handling Bugs Using Code and Description in Patches (USENIX Security 2023)

  • Chen et al. – DiverseVul: A New Vulnerable Source Code Dataset for Deep Learning Based Vulnerability Detection (RAID 2023)

  • Seidel et al. – Learning Type Inference for Enhanced Dataflow Analysis (ESORICS 2023)

  • Sun et al. – Exploring Security Commits in Python (ICSME 2023)

  • Wang et al. – GraphSPD: Graph-Based Security Patch Detection with Enriched Code Semantics (S&P 2023)

  • Staicu et al. – Bilingual Problems: Studying the Security Risks Incurred by Native Extensions in Scripting Languages (USENIX Security 2023)

  • Woo et al. – V1SCAN: Discovering 1-day Vulnerabilities in Reused C/C++ OSS Components (USENIX Security 2023)

  • Shezan et al. – CHKPLUG: Checking GDPR Compliance of WordPress Plugins via Cross-language Code Property Graph (NDSS 2023)

  • Han et al. – QueryX: symbolic query on decompiled code for finding bugs in COTS binaries (S&P 2023)

  • Hu et al. – Interpreters for GNN-Based Vulnerability Detection: Are We There Yet? (ISSTA 2023)

  • Al Kassar – Testability Tarpits: the Impact of Code Patterns on the Security Testing of Web Applications (NDSS 2022)

  • Deng et al. – On the (In)Security of Secure ROS2 (CCS 2022)

  • Shi et al. – Backporting security patches of web applications: A prototype design and implementation on injection vulnerability patches (USENIX Security 2022)

  • Ding et al. – VELVET: a noVel Ensemble Learning approach to automatically locate VulnErable sTatements (SANER 2022)

  • Hin et al. – LineVD: Statement-level vulnerability detection using graph neural networks (MSR 2022)

  • Cheng et al. – Path-Sensitive Code Embedding via Contrastive Learning for Software Vulnerability Detection (ISSTA 2022)

  • Nong et al. – Generating Realistic Vulnerabilities via Neural Code Editing: An Empirical Study (FSE 2022)

  • Mantovani et al. – The Convergence of Source Code and Binary Vulnerability Discovery – A Case Study (ASIACCS 2022)

  • Wi et al. – HiddenCPG: Large-Scale Vulnerable Clone Detection Using Subgraph Isomorphism of Code Property Graphs (WWW 2022)

  • Deep Learning Based Vulnerability Detection: Are We There Yet? (TSE Vol. 48, 2022)

  • Xu – Semantic Driven Vulnerability Detection and Patch Analysis (PhD Thesis 2020)

  • Du et al. – LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment Through Program Metrics (ICSE 2019)

  • Zhou et al. – Devign: Effective Vulnerability Identification by Learning Comprehensive Program Semantics via Graph Neural Networks (NeurIPS 2019)

  • Caliskan et al. – When Coding Style Survives Compilation: De-anonymizing Programmers from Executable Binaries (NDSS 2018)

  • Alhuzali et al. – NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications (USENIX Security 2018)

  • Xiaomeng et al. – CPGVA: Code Property Graph based Vulnerability Analysis by Deep Learning (ICAIT 2018)

  • Backes et al. – Efficient and Flexible Discovery of PHP Application Vulnerabilities (EURO S&P 2017)

  • Yakdan et al. – No More Gotos: Decompilation Using Pattern-Independent Control-Flow Structuring and Semantic-Preserving Transformations (NDSS 2015)

  • Yamaguchi et al. – Automatic Inference of Search Patterns for Taint-Style Vulnerabilities (S&P 2015)

  • Perl et al. – VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits (CCS 2015)

Articles and Presentations

Videos