Question about reachables-slices.json result #152

Open
0x456de opened this issue Aug 14, 2024 · 4 comments

Comments

0x456de commented Aug 14, 2024

Hi!
I'm trying to understand how exactly reachables slices are created.
So, I use the following dummy sample code.

import fs from 'fs';
import path from 'path';
import http from 'http';

let server;

function pipeFileToMyResponse(res, file, type) {
  fs.createReadStream(path.join(path.resolve(), 'sandbo', file)).pipe(res);
}

server = http.createServer(function (req, res) { 
  //url.parse(req.url,
  pipeFileToMyResponse(res, './client.html'); 
});

Next, I generate bom.json in deep mode within cdxgen and get reachables.
Result for my sample code:

{
    "reachables": [
        {
            "flows": [
                {
                    "id": 93,
                    "label": "IDENTIFIER",
                    "name": "http",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "http.createServer(function (req, res) { \n  //url.parse(req.url,\n  pipeFileToMyResponse(res, './client.html'); \n})",
                    "typeFullName": "",
                    "parentMethodName": ":program",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 11,
                    "columnNumber": 9,
                    "tags": "pkg:npm/http@0.0.1-security"
                },
                {
                    "id": 54,
                    "label": "METHOD_PARAMETER_IN",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "res",
                    "typeFullName": "ANY",
                    "parentMethodName": "anonymous",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 11,
                    "columnNumber": 42,
                    "tags": ""
                },
                {
                    "id": 59,
                    "label": "IDENTIFIER",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "pipeFileToMyResponse(res, './client.html')",
                    "typeFullName": "",
                    "parentMethodName": "anonymous",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 13,
                    "columnNumber": 23,
                    "tags": ""
                },
                {
                    "id": 17,
                    "label": "METHOD_PARAMETER_IN",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "res",
                    "typeFullName": "ANY",
                    "parentMethodName": "pipeFileToMyResponse",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 7,
                    "columnNumber": 30,
                    "tags": ""
                },
                {
                    "id": 44,
                    "label": "IDENTIFIER",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "fs.createReadStream(path.join(path.resolve(), 'sandbo', file)).pipe(res)",
                    "typeFullName": "",
                    "parentMethodName": "pipeFileToMyResponse",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 8,
                    "columnNumber": 70,
                    "tags": "pkg:npm/fs@0.0.1-security, pkg:npm/path@0.12.7"
                }
            ],
            "purls": [
                "pkg:npm/path@0.12.7",
                "pkg:npm/http@0.0.1-security",
                "pkg:npm/fs@0.0.1-security"
            ]
        },
        {
            "flows": [
                {
                    "id": 93,
                    "label": "IDENTIFIER",
                    "name": "http",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "http.createServer(function (req, res) { \n  //url.parse(req.url,\n  pipeFileToMyResponse(res, './client.html'); \n})",
                    "typeFullName": "",
                    "parentMethodName": ":program",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 11,
                    "columnNumber": 9,
                    "tags": "pkg:npm/http@0.0.1-security"
                },
                {
                    "id": 54,
                    "label": "METHOD_PARAMETER_IN",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "res",
                    "typeFullName": "ANY",
                    "parentMethodName": "anonymous",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 11,
                    "columnNumber": 42,
                    "tags": ""
                },
                {
                    "id": 59,
                    "label": "IDENTIFIER",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "pipeFileToMyResponse(res, './client.html')",
                    "typeFullName": "",
                    "parentMethodName": "anonymous",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 13,
                    "columnNumber": 23,
                    "tags": ""
                },
                {
                    "id": 17,
                    "label": "METHOD_PARAMETER_IN",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "res",
                    "typeFullName": "ANY",
                    "parentMethodName": "pipeFileToMyResponse",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 7,
                    "columnNumber": 30,
                    "tags": ""
                },
                {
                    "id": 44,
                    "label": "IDENTIFIER",
                    "name": "res",
                    "fullName": "",
                    "signature": "",
                    "isExternal": false,
                    "code": "fs.createReadStream(path.join(path.resolve(), 'sandbo', file)).pipe(res)",
                    "typeFullName": "",
                    "parentMethodName": "pipeFileToMyResponse",
                    "parentMethodSignature": "",
                    "parentFileName": "main.mjs",
                    "parentPackageName": "<global>",
                    "parentClassName": "main.mjs::program",
                    "lineNumber": 8,
                    "columnNumber": 70,
                    "tags": "pkg:npm/fs@0.0.1-security, pkg:npm/path@0.12.7"
                }
            ],
            "purls": [
                "pkg:npm/path@0.12.7",
                "pkg:npm/http@0.0.1-security",
                "pkg:npm/fs@0.0.1-security"
            ]
        }
    ]
}

However, when I change code to this one:

import fs from 'fs';
import path from 'path';
import http from 'http';

let server;

function pipeFileToMyResponse(res, file, type) {
  fs.createReadStream(path.join(path.resolve(), 'sandbo', file)).pipe(res);
}

server = http.createServer(function (req, res) { 
  pipeFileToMyResponse(res, './client.html'); 
});

I get empty results. It's strange behaviour to me, and I can't understand the reasons for it. Could you explain, please?
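The reachables-slices.json structure quoted above is plain JSON, so it can be post-processed directly. The script below is an added example (not cdxgen or atom project code) that reads a document of that shape, drops duplicated reachables (the output above contains the same flow twice), renders each flow as a file:line chain, indexes the flows by package URL, and reports which purls tag the first and last node of a flow. The sample document is constructed from the flows shown in the issue, trimmed to the fields the script reads; the field names (`flows`, `purls`, `tags`, `parentMethodName`, `parentFileName`, `lineNumber`, `label`, `name`, `id`) are taken from the output above.

```javascript
// Added example, not cdxgen/atom code: summarise a reachables-slices.json document.
// Constructed sample, copied (and trimmed) from the flows quoted in the issue.
const sampleSlices = {
  reachables: [
    {
      flows: [
        { id: 93, label: "IDENTIFIER", name: "http", parentMethodName: ":program",
          parentFileName: "main.mjs", lineNumber: 11, tags: "pkg:npm/http@0.0.1-security" },
        { id: 54, label: "METHOD_PARAMETER_IN", name: "res", parentMethodName: "anonymous",
          parentFileName: "main.mjs", lineNumber: 11, tags: "" },
        { id: 59, label: "IDENTIFIER", name: "res", parentMethodName: "anonymous",
          parentFileName: "main.mjs", lineNumber: 13, tags: "" },
        { id: 17, label: "METHOD_PARAMETER_IN", name: "res", parentMethodName: "pipeFileToMyResponse",
          parentFileName: "main.mjs", lineNumber: 7, tags: "" },
        { id: 44, label: "IDENTIFIER", name: "res", parentMethodName: "pipeFileToMyResponse",
          parentFileName: "main.mjs", lineNumber: 8, tags: "pkg:npm/fs@0.0.1-security, pkg:npm/path@0.12.7" },
      ],
      purls: ["pkg:npm/path@0.12.7", "pkg:npm/http@0.0.1-security", "pkg:npm/fs@0.0.1-security"],
    },
  ],
};
// The issue output lists the identical reachable twice; mirror that in the sample.
sampleSlices.reachables.push(JSON.parse(JSON.stringify(sampleSlices.reachables[0])));

// A flow is identified by the ordered node ids it visits.
function flowKey(reachable) {
  return (reachable.flows || []).map((f) => f.id).join(">");
}

// Keep the first occurrence of each distinct flow.
function dedupeReachables(slices) {
  const seen = new Set();
  const out = [];
  for (const r of slices.reachables || []) {
    const key = flowKey(r);
    if (seen.has(key)) continue;
    seen.add(key);
    out.push(r);
  }
  return out;
}

// Render one flow as a readable chain of "LABEL(name) in method @ file:line".
function renderFlow(reachable) {
  return (reachable.flows || [])
    .map((f) => `${f.label}(${f.name}) in ${f.parentMethodName} @ ${f.parentFileName}:${f.lineNumber}`)
    .join(" -> ");
}

// The tags field is a comma-separated list of purls (may be empty).
function tagsOf(node) {
  if (!node || !node.tags) return [];
  return node.tags.split(",").map((s) => s.trim()).filter(Boolean);
}

// Which packages tag the entry node and the final node of a flow.
function entryAndSink(reachable) {
  const flows = reachable.flows || [];
  if (flows.length === 0) return { source: [], sink: [] };
  return { source: tagsOf(flows[0]), sink: tagsOf(flows[flows.length - 1]) };
}

// Map purl -> rendered flows that reach it (duplicates removed first).
function purlIndex(slices) {
  const index = new Map();
  for (const r of dedupeReachables(slices)) {
    const rendered = renderFlow(r);
    for (const p of r.purls || []) {
      if (!index.has(p)) index.set(p, []);
      index.get(p).push(rendered);
    }
  }
  return index;
}

// Stand-alone usage: print the index for the constructed sample.
for (const [purl, flows] of purlIndex(sampleSlices)) {
  console.log(purl);
  for (const f of flows) console.log("  " + f);
}
```

To run it against a real file, replace `sampleSlices` with `JSON.parse(require("fs").readFileSync("reachables-slices.json", "utf8"))`; the functions only assume the field names visible in the issue's output.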

prabhu (Contributor) commented Aug 14, 2024

Reachables slicing requires a valid application, so there must be a package.json, a lock file, and a deep-mode bom.json file present in the same directory. Can you check if all of these exist?

0x456de (Author) commented Aug 14, 2024

So, I spent some hours deep-diving into it.

I have this JS code:

import http from 'http';

let server;

function myfunc(u) {
  sandbox(u); 
}

server = http.createServer(function (req, res) 
{ 
  myfunc(req.url); 
});

And I noticed that the "url" and "sandbox" identifiers are marked as framework-in and framework-out correspondingly. As I understand it, the algorithm uses these tags for building full paths.

If you know why exactly these identifiers, please explain it to me :)

By the way, all attempts (the last one and this one) were made with deep bom.json, package, and package-lock files. And I removed the last *.atom file before the operation.

prabhu (Contributor) commented Aug 15, 2024

It's a lengthy explanation. Can you join one of our office hours? They will resume in September.

0x456de (Author) commented Aug 19, 2024

Do you mean return to this question in September?
