Entry points are now specifiable on method level and analysis API made more user friendly.

arktt · arktt · commit ce6b667153f1 · 2020-08-12T12:24:47.000+02:00
diff --git a/de.fraunhofer.iem.secucheck.analysis.process.client/src/main/java/de/fraunhofer/iem/secucheck/analysis/client/SecuCheckTaintAnalysisOutOfProcess.java b/de.fraunhofer.iem.secucheck.analysis.process.client/src/main/java/de/fraunhofer/iem/secucheck/analysis/client/SecuCheckTaintAnalysisOutOfProcess.java
@@ -2,24 +2,23 @@
 
 import java.io.BufferedReader;
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.lang.ProcessBuilder.Redirect;
 import java.net.URISyntaxException;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.locks.ReentrantLock;
 
 import org.apache.commons.io.FileUtils;
 
+import de.fraunhofer.iem.secucheck.analysis.OS;
 import de.fraunhofer.iem.secucheck.analysis.SecucheckAnalysis;
 import de.fraunhofer.iem.secucheck.analysis.Utility;
-import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQuery;
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQueryImpl;
+import de.fraunhofer.iem.secucheck.analysis.query.EntryPoint;
 import de.fraunhofer.iem.secucheck.analysis.result.AnalysisResultListener;
 import de.fraunhofer.iem.secucheck.analysis.result.SecucheckTaintAnalysisResult;
 import de.fraunhofer.iem.secucheck.analysis.serializable.ProcessMessage;
@@ -32,8 +31,10 @@ public final class SecuCheckTaintAnalysisOutOfProcess implements SecucheckAnalys
 	
 	private final ReentrantLock lock;
 	
+	private OS os;
+	private String appClassPath;
 	private String sootClassPath;
-	private List<String> canonicalClasses;
+	private List<EntryPoint> entryPoints;
 	private AnalysisResultListener resultListener;
 	private SecucheckTaintAnalysisResult result;
 	
@@ -44,20 +45,35 @@ public SecuCheckTaintAnalysisOutOfProcess() {
 		this.lock = new ReentrantLock();
 	}
 	
-	public SecuCheckTaintAnalysisOutOfProcess(String sootClassPath, List<String> canonicalClassNames,
+	public SecuCheckTaintAnalysisOutOfProcess(OS os, String appClassPath, 
+			String sootClassPath, List<EntryPoint> entryPoints,
 				AnalysisResultListener resultListener) {
 		this();
+		this.os = os;
+		this.appClassPath = appClassPath;
 		this.sootClassPath = sootClassPath;
-		this.canonicalClasses = canonicalClassNames;
+		this.entryPoints = entryPoints;
 		this.resultListener = resultListener;
 	}
 	
+	public void setOs(OS os) {
+		this.os = os;
+	}
+
+	public void setSootClassPathJars(String sootClassPath) {
+		this.sootClassPath = sootClassPath;
+	}
+
+	public void setApplicationClassPath(String appClassPath) {
+		this.appClassPath = appClassPath;	
+	}
+	
 	public void setSootClassPath(String sootClassPath) {
 		this.sootClassPath = sootClassPath;
 	}
 	
-	public void setAnalysisClasses(List<String> canonicalClassNames) {
-		this.canonicalClasses = canonicalClassNames;
+	public void setAnalysisEntryPoints(List<EntryPoint> entryPoints) {
+		this.entryPoints = entryPoints;
 	}
 	
 	public void setListener(AnalysisResultListener resultListener) {
@@ -86,8 +102,8 @@ public SecucheckTaintAnalysisResult run(List<CompositeTaintFlowQueryImpl> flowQu
 			// PrintStream pw = System.out;
 			PrintWriter pw = new PrintWriter(process.getOutputStream());
 			
-			CompleteQuery analysisQuery = new CompleteQuery(sootClassPath, canonicalClasses,
-					flowQueries, resultListener != null);
+			CompleteQuery analysisQuery = new CompleteQuery(os, appClassPath, sootClassPath,
+					entryPoints, flowQueries, resultListener != null);
 
 			pw.println(ProcessMessageSerializer.serializeToJsonString(analysisQuery));
 			pw.flush();
diff --git a/de.fraunhofer.iem.secucheck.analysis.process/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecuCheckAnalysisServer.java b/de.fraunhofer.iem.secucheck.analysis.process/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecuCheckAnalysisServer.java
@@ -2,20 +2,13 @@
 
 import java.io.BufferedReader;
 import java.io.ByteArrayOutputStream;
-import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.PrintStream;
-import java.util.ArrayList;
-import java.util.List;
 
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-
-import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQuery;
-import de.fraunhofer.iem.secucheck.analysis.result.AnalysisResult;
 import de.fraunhofer.iem.secucheck.analysis.result.AnalysisResultListener;
 import de.fraunhofer.iem.secucheck.analysis.result.CompositeTaintFlowQueryResult;
 import de.fraunhofer.iem.secucheck.analysis.result.SecucheckTaintAnalysisResult;
@@ -58,9 +51,13 @@ private void run() throws Exception {
 					CompleteQuery queryDetails = (CompleteQuery)message;
 					this.resultListener = queryDetails.hasResultListener() ? 
 							new SimpleResultListener() : null;
+					
 					SecucheckAnalysis analysis = new SecucheckTaintAnalysis(
+							queryDetails.getOs(),
+							queryDetails.getAppClassPath(),
 							queryDetails.getSootClassPath(), 
-							queryDetails.getCanonicalClasses(), resultListener);	
+							queryDetails.getAnalysisEntryPoints(), resultListener);	
+					
 					SecucheckTaintAnalysisResult result = analysis.run(queryDetails.getFlowQueries());
 					CompleteResult completeResult = new CompleteResult(result);
 					systemOut.println(ProcessMessageSerializer.serializeToJsonString(completeResult));
diff --git a/de.fraunhofer.iem.secucheck.analysis.process/src/main/java/de/fraunhofer/iem/secucheck/analysis/serializable/query/CompleteQuery.java b/de.fraunhofer.iem.secucheck.analysis.process/src/main/java/de/fraunhofer/iem/secucheck/analysis/serializable/query/CompleteQuery.java
@@ -4,35 +4,42 @@
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 
+import de.fraunhofer.iem.secucheck.analysis.OS;
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQueryImpl;
+import de.fraunhofer.iem.secucheck.analysis.query.EntryPoint;
 import de.fraunhofer.iem.secucheck.analysis.serializable.AnalysisMessage;
 import de.fraunhofer.iem.secucheck.analysis.serializable.MessageType;
 import de.fraunhofer.iem.secucheck.analysis.serializable.ProcessMessage;
 
 public final class CompleteQuery extends ProcessMessage implements AnalysisMessage {
 	
+	private OS os;
 	private boolean hasResultListener;
+	private String appClassPath;
 	private String sootClassPath;
-	private List<String> canonicalClasses;
+	private List<EntryPoint> entryPoints;
 	private List<CompositeTaintFlowQueryImpl> flowQueries;
 	
 	public CompleteQuery() { }
 	
-	public CompleteQuery(String sootClassPath, List<String> canonicalClassNames,
-			List<CompositeTaintFlowQueryImpl> flowQueries, boolean hasResultListener) {
+	public CompleteQuery(OS os, String appClassPath, String sootClassPath,
+			List<EntryPoint> entryPoints, List<CompositeTaintFlowQueryImpl> flowQueries,
+			boolean hasResultListener) {
 		super.messageType = getMessageType();
+		this.os = os;
+		this.appClassPath = appClassPath;
 		this.sootClassPath = sootClassPath;
 		this.flowQueries = flowQueries;
-		this.canonicalClasses = canonicalClassNames;
+		this.entryPoints = entryPoints;
 		this.hasResultListener = hasResultListener;
 	}
 	
 	public MessageType getMessageType() {
 		return MessageType.CompleteQuery;
 	}
 	
-	public List<String> getCanonicalClasses() {
-		return canonicalClasses;
+	public List<EntryPoint> getAnalysisEntryPoints() {
+		return entryPoints;
 	}
 	
 	public List<CompositeTaintFlowQueryImpl> getFlowQueries() {
@@ -44,12 +51,20 @@ public boolean hasResultListener() {
 		return hasResultListener;
 	}
 	
+	public OS getOs() {
+		return os;
+	}
+	
+	public String getAppClassPath() {
+		return appClassPath;
+	}
+	
 	public String getSootClassPath() {
 		return sootClassPath;
 	}
 	
-	public void setCanonicalClasses(List<String> canonicalClasses) {
-		this.canonicalClasses = canonicalClasses;
+	public void setAnalysisEntryPoints(List<EntryPoint> entryPoints) {
+		this.entryPoints = entryPoints;
 	}
 	
 	public void setFlowQueries(List<CompositeTaintFlowQueryImpl> flowQueries) {
@@ -60,7 +75,19 @@ public void setHasResultListener(boolean hasResultListener) {
 		this.hasResultListener = hasResultListener;
 	}
 	
+	public void setOs(OS os) {
+		this.os = os;
+	}
+	
+	public void setAppClassPath(String appClassPath) {
+		this.appClassPath = appClassPath;
+	}
+	
 	public void setSootClassPath(String sootClassPath) {
 		this.sootClassPath = sootClassPath;
-	}	
+	}
+	
+	public void setEntryPoints(List<EntryPoint> entryPoints) {
+		this.entryPoints = entryPoints;
+	}
 }
diff --git a/de.fraunhofer.iem.secucheck.analysis.sample/src/main/java/AnalyzeMe.java b/de.fraunhofer.iem.secucheck.analysis.sample/src/main/java/AnalyzeMe.java
@@ -1,13 +1,36 @@
 public class AnalyzeMe {
-	public void work() {
+	
+	public void workNoIssue() {
 		int secret = getSecret();
-		//secret = sanatizer(secret);
-		//secret = propogator(secret);
+		publish(10);
+	}
+	
+	public void workNoIssueSanitizer() {
+		int secret = getSecret();
+		secret = sanatizer(secret);
+		publish(secret);
+	}
+	
+	public void workNoIssueSanitizerProgator() {
+		int secret = getSecret();
+		secret = sanatizer(secret);
+		secret = propogator(secret);
+		publish(secret);
+	}
+	
+	public void workWithIssue() {
+		int secret = getSecret();
+		publish(secret);
+	}
+	
+	public void workWithIssueProgator() {
+		int secret = getSecret();
+		secret = propogator(secret);
 		publish(secret);
 	}
 
 	public int getSecret() { return 42; }
-	public void publish(int number) { }  	
+	public void publish(int number) { System.out.print(number); }  	
 	public int sanatizer(int number) { return number = 0; }
 	public int propogator(int number) { return number; }
 }
diff --git a/de.fraunhofer.iem.secucheck.analysis.sample/src/main/java/de/fraunhofer/iem/secucheck/analysis/sample/Main.java b/de.fraunhofer.iem.secucheck.analysis.sample/src/main/java/de/fraunhofer/iem/secucheck/analysis/sample/Main.java
@@ -6,9 +6,11 @@
 import java.util.List;
 
 import de.fraunhofer.iem.secucheck.analysis.client.SecuCheckTaintAnalysisOutOfProcess;
+import de.fraunhofer.iem.secucheck.analysis.OS;
 import de.fraunhofer.iem.secucheck.analysis.SecucheckAnalysis;
 import de.fraunhofer.iem.secucheck.analysis.SecucheckTaintAnalysis;
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQueryImpl;
+import de.fraunhofer.iem.secucheck.analysis.query.EntryPoint;
 import de.fraunhofer.iem.secucheck.analysis.query.InputParameter;
 import de.fraunhofer.iem.secucheck.analysis.query.MethodImpl;
 import de.fraunhofer.iem.secucheck.analysis.query.OutputParameter;
@@ -21,8 +23,6 @@
 import de.fraunhofer.iem.secucheck.analysis.result.TaintFlowQueryResult;
 
 public class Main {
-
-	enum OS { Windows, LinuxOrMac }
 	
 	public static void main(String[] args) {
 		try {
@@ -56,12 +56,12 @@ private static void runSecucheckAnalysis(SecucheckAnalysis secucheckAnalysis)
 						getTaintFlowQuery2(), getTaintFlowQuery3(),
 						getTaintFlowQuery4()));
 		
-		List<String> classesToAnalyse = Arrays.asList(getClassesToAnalyze().split(";"));
-		String sootClassPath = getSootClassPath(OS.LinuxOrMac);
 		AnalysisResultListener resultListener = getConsoleResultListener();
 		
-		secucheckAnalysis.setAnalysisClasses(classesToAnalyse);
-		secucheckAnalysis.setSootClassPath(sootClassPath);
+		secucheckAnalysis.setOs(OS.Linux);
+		secucheckAnalysis.setAnalysisEntryPoints(getEntryPoints());
+		secucheckAnalysis.setApplicationClassPath(getAppClassPath());
+		secucheckAnalysis.setSootClassPathJars(getSootClassPath());
 		secucheckAnalysis.setListener(resultListener);
 		
 		SecucheckTaintAnalysisResult result1 = secucheckAnalysis.run(compositeOfFirst);
@@ -207,17 +207,23 @@ private static <T> List<T> getInList(T ... ts){
 		}
 		return list;
 	}
-		
-	private static String getSootClassPath(OS os) {		
-		// Use ';' for Windows and ':' for Linux or Mac.
-		String pathSeparator= os == OS.Windows ? ";" : ":";
-		return 	System.getProperty("java.home") + File.separator + "lib" + File.separator +"rt.jar" + 
-				pathSeparator +
-				System.getProperty("user.dir") + File.separator + "target" + File.separator + "classes";
+	
+	private static String getAppClassPath() {
+		return System.getProperty("user.dir") + File.separator + "target" + File.separator + "classes";
 	}
-			
-	private static String getClassesToAnalyze() {
-		return "AnalyzeMe";
+	
+	private static String getSootClassPath() {		
+		return 	System.getProperty("java.home") + File.separator + "lib" + File.separator +"rt.jar" ;
+				
+	}
+	
+	private static List<EntryPoint> getEntryPoints(){
+		List<EntryPoint> entryPoints = new ArrayList<EntryPoint>();
+		EntryPoint entryPoint = new EntryPoint();
+		entryPoint.setCanonicalClassName("AnalyzeMe");
+		entryPoint.setAllMethods(true);
+		entryPoints.add(entryPoint);
+		return entryPoints;
 	}
 	
 	private static AnalysisResultListener getConsoleResultListener() {
diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/OS.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/OS.java
@@ -0,0 +1,5 @@
+package de.fraunhofer.iem.secucheck.analysis;
+
+public enum OS {
+	Windows, Linux, MacOS
+}
diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckAnalysis.java
@@ -4,21 +4,20 @@
 
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQuery;
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQueryImpl;
+import de.fraunhofer.iem.secucheck.analysis.query.EntryPoint;
 import de.fraunhofer.iem.secucheck.analysis.result.AnalysisResultListener;
 import de.fraunhofer.iem.secucheck.analysis.result.SecucheckTaintAnalysisResult;
 
 public interface SecucheckAnalysis {	
 	
-	// Maybe split setting soot class path into
-	// 1. Set the needed jars call.
-	// 2. Set the needed classes' binary call.
-
-	void setSootClassPath(String sootClassPath);
-	void setAnalysisClasses(List<String> canonicalClassNames);
+	void setOs(OS os);
+	void setSootClassPathJars(String sootClassPath);
+	void setApplicationClassPath(String appClassPath);
+	
+	void setAnalysisEntryPoints(List<EntryPoint> entryPoints);
 	void setListener(AnalysisResultListener resultListener);
 	
 	SecucheckTaintAnalysisResult run
 		(List<CompositeTaintFlowQueryImpl> flowQueries) 
 				throws Exception;
-
 }
diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysis.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysis.java
@@ -5,6 +5,7 @@
 
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQuery;
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQueryImpl;
+import de.fraunhofer.iem.secucheck.analysis.query.EntryPoint;
 import de.fraunhofer.iem.secucheck.analysis.result.AnalysisResult;
 import de.fraunhofer.iem.secucheck.analysis.result.AnalysisResultListener;
 import de.fraunhofer.iem.secucheck.analysis.result.SecucheckTaintAnalysisResult;
@@ -15,9 +16,11 @@ public SecucheckTaintAnalysis() {
 		super();
 	}
 		
-	public SecucheckTaintAnalysis(String sootClassPath, 
-			List<String> canonicalClassNames, AnalysisResultListener resultListener) {
-		super(sootClassPath, canonicalClassNames, resultListener);	
+	public SecucheckTaintAnalysis(OS os, String appClassPath, 
+			String sootClassPath, List<EntryPoint> entryPoints,
+			AnalysisResultListener resultListener) {
+		super(os, appClassPath, sootClassPath, entryPoints,
+				resultListener);	
 	}
 	
 	@Override
diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java
diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/Utility.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/Utility.java
diff --git a/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/query/EntryPoint.java b/de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/query/EntryPoint.java
