From 0e7dcb3d7a4da7856d8167e4fcc39b907e7ed322 Mon Sep 17 00:00:00 2001
From: filip
Date: Tue, 30 Jan 2024 15:26:04 +0100
Subject: [PATCH 1/3] Adds build info to README
---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/README.md b/README.md
index faa26bb..fc9febf 100644
--- a/README.md
+++ b/README.md
@@ -5,3 +5,12 @@
 This repo analyses your code to determine what parts of your dependencies you use, and stores this in a file which can be picked up debricked. This, combined with our information about what parts of dependencies are affected by CVEs, allows us to determine whether you use the parts of a dependency affected by a vulnerability, or if its safe to continue using the dependency in spite of the vulnerability.
+
+
+## Setup
+
+Go to common java directory: `cd java/common/`
+
+Build SootWrapper: `mvn clean package -X -DskipTests`
+
+You will now have jar-file in the target directory: `java/common/target`.
From 193f6fcbb3d117a197c40fdf2f4b24735b01fdcc Mon Sep 17 00:00:00 2001
From: filip
Date: Tue, 30 Jan 2024 16:29:42 +0100
Subject: [PATCH 2/3] Adds path to caller
---
 java/common/src/main/java/SootWrapper/SootWrapper.java | 9 +++++++--
 .../src/main/java/SootWrapper/SourceSignature.java | 9 ++++++++-
 .../src/test/java/SootWrapper/SootWrapperTest.java | 2 +-
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/java/common/src/main/java/SootWrapper/SootWrapper.java b/java/common/src/main/java/SootWrapper/SootWrapper.java
index 0f7e9b9..66371e0 100644
--- a/java/common/src/main/java/SootWrapper/SootWrapper.java
+++ b/java/common/src/main/java/SootWrapper/SootWrapper.java
@@ -127,6 +127,7 @@ private static JSONArray getSignatureJSONArray(SootMethod methodToAnalyse, CallG
 JSONArray caller = new JSONArray();
 caller.put(sourceSignature.getMethod());
 caller.put(sourceSignature.getLineNumber());
+ caller.put(sourceSignature.getFileName());
 callers.put(caller);
 }
 callee.put(callers);
@@ -136,8 +137,12 @@ private static JSONArray getSignatureJSONArray(SootMethod methodToAnalyse, CallG

 private static SourceSignature getFormattedSourceSignature(SootMethod method, int lineNumber) {
 return method == null
- ? new SourceSignature("-", -1)
- : new SourceSignature(getSignatureString(method), lineNumber);
+ ? new SourceSignature("-", -1, "-")
+ : new SourceSignature(
+ getSignatureString(method),
+ lineNumber,
+ getProbableName(method.getDeclaringClass())
+ );
 }

 private static TargetSignature getFormattedTargetSignature(SootMethod method) {
diff --git a/java/common/src/main/java/SootWrapper/SourceSignature.java b/java/common/src/main/java/SootWrapper/SourceSignature.java
index 5a33fcb..90fbc6f 100644
--- a/java/common/src/main/java/SootWrapper/SourceSignature.java
+++ b/java/common/src/main/java/SootWrapper/SourceSignature.java
@@ -5,9 +5,12 @@ public class SourceSignature {
 private final int lineNumber;
- public SourceSignature(String method, int lineNumber) {
+ private final String fileName;
+
+ public SourceSignature(String method, int lineNumber, String fileName) {
 this.method = method;
 this.lineNumber = lineNumber;
+ this.fileName = fileName;
 }

 public String getMethod() {
@@ -17,4 +20,8 @@ public String getMethod() {
 public int getLineNumber() {
 return lineNumber;
 }
+
+ public String getFileName() {
+ return fileName;
+ }
 }
diff --git a/java/common/src/test/java/SootWrapper/SootWrapperTest.java b/java/common/src/test/java/SootWrapper/SootWrapperTest.java
index 5d65d3e..57876db 100644
--- a/java/common/src/test/java/SootWrapper/SootWrapperTest.java
+++ b/java/common/src/test/java/SootWrapper/SootWrapperTest.java
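Review bot: The new `fileName` field and its `getFileName()` accessor in SourceSignature carry no documentation of what the value is, even though the same commit passes the sentinel `"-"` for it when the caller method is null (`new SourceSignature("-", -1, "-")` in the SootWrapper hunk above) and the test hunk hard-codes the same sentinel. A one-line Javadoc on the accessor would pin that contract: `/** Source file the caller was resolved to, or {@code "-"} when it is unknown. */`. Since the value is now emitted as the third element of every caller array in the JSON output, the sentinel is part of the output format and worth stating where the field is declared.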
@@ -316,7 +316,7 @@ private static Map> getCallGraphMap(
 JSONArray sourcesJSON = theEntry.getJSONArray(7);
 for (int j = 0; j < sourcesJSON.length(); j++) {
 JSONArray theSource = sourcesJSON.getJSONArray(j);
- sources.add(new SourceSignature(theSource.getString(0), theSource.getInt(1)));
+ sources.add(new SourceSignature(theSource.getString(0), theSource.getInt(1), "-"));
 }
 calls.put(tar, sources);
 }
From bde0f2592b95918498ba1f5888249f5d47a21959 Mon Sep 17 00:00:00 2001
From: filip
Date: Thu, 1 Feb 2024 10:28:56 +0100
Subject: [PATCH 3/3] Adds *real* path to caller by finding the probable path via matching module names
---
 .../main/java/SootWrapper/SootWrapper.java | 48 +++++++++++++++++--
 1 file changed, 43 insertions(+), 5 deletions(-)
diff --git a/java/common/src/main/java/SootWrapper/SootWrapper.java b/java/common/src/main/java/SootWrapper/SootWrapper.java
index 66371e0..0b15af5 100644
--- a/java/common/src/main/java/SootWrapper/SootWrapper.java
+++ b/java/common/src/main/java/SootWrapper/SootWrapper.java
@@ -68,7 +68,7 @@ public static AnalysisResult writeAnalysis(JSONWriter jwriter, Iterable edgesOut = cg.edgesOutOf(methodToAnalyse); while (edgesOut.hasNext()) {
@@ -106,7 +106,7 @@ public static AnalysisResult writeAnalysis(JSONWriter jwriter, Iterable pathToClassFiles) { TargetSignature targetSignature = getFormattedTargetSignature(methodToAnalyse); JSONArray callee = new JSONArray(); callee.put(targetSignature.getMethod());
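Review bot: The expected `SourceSignature` in the test is still built with a hard-coded `"-"` even though the writer now emits the file name as the third element of each caller array, so `theSource.getString(2)` is never read and the new column is never compared against the output. Reading it back, `sources.add(new SourceSignature(theSource.getString(0), theSource.getInt(1), theSource.getString(2)));`, makes the test exercise the new field; whether the comparison then actually checks it depends on how `SourceSignature` equality is defined, which is outside this diff. The enclosing `getCallGraphMap` starts and ends outside the hunk.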
@@ -123,7 +123,11 @@ private static JSONArray getSignatureJSONArray(SootMethod methodToAnalyse, CallG
 Edge e = edgesInto.next();
 MethodOrMethodContext source = e.getSrc();
 SootMethod sourceMethod = source instanceof MethodContext ? source.method() : (SootMethod) source;
- SourceSignature sourceSignature = getFormattedSourceSignature(sourceMethod, e.srcStmt() == null ? -1 : e.srcStmt().getJavaSourceStartLineNumber());
+ SourceSignature sourceSignature = getFormattedSourceSignature(
+ sourceMethod,
+ e.srcStmt() == null ? -1 : e.srcStmt().getJavaSourceStartLineNumber(),
+ pathToClassFiles
+ );
 JSONArray caller = new JSONArray();
 caller.put(sourceSignature.getMethod());
 caller.put(sourceSignature.getLineNumber());
@@ -135,13 +139,13 @@ private static JSONArray getSignatureJSONArray(SootMethod methodToAnalyse, CallG
 return callee;
 }

- private static SourceSignature getFormattedSourceSignature(SootMethod method, int lineNumber) {
+ private static SourceSignature getFormattedSourceSignature(SootMethod method, int lineNumber, Iterable pathToClassFiles) {
 return method == null
 ? new SourceSignature("-", -1, "-")
 : new SourceSignature(
 getSignatureString(method),
 lineNumber,
- getProbableName(method.getDeclaringClass())
+ getProbableSourceName(method, pathToClassFiles)
 );
 }
@@ -174,6 +178,26 @@ private static String getSignatureString(SootMethod method) {
 return sb.toString();
 }
+ private static String getModuleString(SootMethod method) {
+ StringBuilder sb = new StringBuilder();
+ String classString = method.getDeclaringClass().toString();
+ boolean foundDot = false;
+ for (int i = 0; i < classString.length(); i++) {
+ char c = classString.charAt(i);
+ if (c != '.') {
+ sb.append(c);
+ } else {
+ foundDot = true;
+ break;
+ }
+ }
+ if (!foundDot) {
+ return "";
+ }
+ return sb.toString();
+ }
+
+
 private static String getProbableName(SootClass c) {
 if (c.isJavaLibraryClass()) {
 return "-";
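Review bot: `getModuleString` hand-rolls a prefix scan with a `StringBuilder` and a `foundDot` flag that `String.indexOf` already provides; the whole body can be `int dot = classString.indexOf('.'); return dot < 0 ? "" : classString.substring(0, dot);`. It also reads the class name via `getDeclaringClass().toString()` while `getProbableSourceName` in the next hunk strips that same prefix from `getDeclaringClass().getName()`; using `getName()` in both keeps the prefix and the string it is later removed from consistent. The method is followed by two added blank lines where the rest of this file separates methods with one, as the `}` / blank / `private static TargetSignature` context in the preceding hunk shows.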
@@ -188,6 +212,20 @@ private static String getProbableName(SootClass c) {
 return className;
 }
+ private static String getProbableSourceName(SootMethod method, Iterable pathToClassFiles) {
+ String moduleName = getModuleString(method);
+ String onlyDeclaringClassName = method.getDeclaringClass().getName().replaceFirst(moduleName + ".", "/");
+ if (moduleName.length() == 0) {
+ return "";
+ }
+ for (Path path : pathToClassFiles) {
+ if (path.toString().endsWith(moduleName)) {
+ return path.toString() + onlyDeclaringClassName + ".java";
+ }
+ }
+ return "-";
+ }
+
 private static String getParameterClass(Type parameter) {
 String[] paramType = parameter.toString().split("\\.");
 return paramType[paramType.length-1];
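Review bot: `getProbableSourceName` derives the relative source path with `replaceFirst(moduleName + ".", "/")`, which treats its argument as a regular expression: the unescaped `.` matches any character, and every package segment after the first keeps its dot, so a class `a.b.C` under module `a` comes out as `<path>/b.C.java` rather than `<path>/b/C.java` if multi-level packages occur; a nested class `Outer$Inner` would likewise get its own `.java` name instead of `Outer.java`. The two failure sentinels also differ (`""` when the class has no package prefix, `"-"` when no path matches) while the rest of this file uses `"-"` for an unknown caller, so returning `"-"` in both cases keeps the JSON column uniform; the `replaceFirst` call is also evaluated before the empty-module check that would make it moot. Finally `path.toString().endsWith(moduleName)` is a plain string-suffix test, so a directory such as `mycommon` satisfies module `common`; comparing the last path component is the exact check, and `Path.resolve` avoids the hard-coded `/`. A rewrite along those lines follows; `getModuleString` is left as it is.
```java
private static String getProbableSourceName(SootMethod method, Iterable<Path> pathToClassFiles) {
    String moduleName = getModuleString(method);
    if (moduleName.isEmpty()) {
        return "-";
    }
    // Drop the module prefix, strip any nested-class suffix, and turn the remaining
    // package segments into directories so the name points at the enclosing source file.
    String className = method.getDeclaringClass().getName();
    String relative = className.startsWith(moduleName + ".")
            ? className.substring(moduleName.length() + 1)
            : className;
    int nested = relative.indexOf('$');
    if (nested >= 0) {
        relative = relative.substring(0, nested);
    }
    String sourceFile = relative.replace('.', '/') + ".java";
    for (Path path : pathToClassFiles) {
        Path last = path.getFileName();
        if (last != null && last.toString().equals(moduleName)) {
            return path.resolve(sourceFile).toString();
        }
    }
    return "-";
}
```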