diff --git a/README.md b/README.md
index 628c87a..9258760 100644
--- a/README.md
+++ b/README.md
@@ -2,12 +2,12 @@
 Atom is a novel intermediate representation for applications and a standalone tool powered by the [chen](https://github.com/AppThreat/chen) library.
 
 The intermediate representation is optimized for operations typically used for application analytics and machine learning, including [slicing](./specification/docs/slices.md) and [vectoring](./specification/docs/vectors.md).
 
-Our vision is to make atom useful for a number of use cases such as:
+Our vision is to make atom useful for many use cases such as:
 
 - **Supply-chain analysis:** Generate evidence of external library usage including the flow of data from sources to sinks. Atom is used by [OWASP cdxgen](https://github.com/CycloneDX/cdxgen) to improve the precision and comprehensiveness of the generated CycloneDX document.
 - **Vulnerability analysis:** Describe vulnerabilities with evidence of affected symbols, call paths, and data-flows. Enable variant and [reachability analysis](https://github.com/AppThreat/atom/blob/main/specification/docs/slices.md#reachables-slice) at scale.
 - **Exploit prediction:** Predict exploits using precise representations of vulnerabilities, libraries, and applications.
-- **Threat-model and attack vectors generation:** Generate precise threat-models and attack vectors for applications at scale.
+- **Threat-model and attack vectors generation:** Generate precise threat models and attack vectors for applications at scale.
 - **Application context detection:** Generate context useful for summarization and risk-profile generation (e.g. services, endpoints, and data attributes).
 - **Mind-maps for applications:** Automate summarization of large and complex applications as a developer tool.
@@ -157,7 +157,7 @@ Apache-2.0
 
 ## Developing / Contributing
 
-Install Java 17 or 19 (Recommended)
+Install Java 17 or 21 (Recommended)
 
 ```shell
 sbt clean stage scalafmt test createDistribution
@@ -175,18 +175,6 @@ Loading base CPG from: /home/almalinux/workspace/app.atom1/cpg.bin.tmp
 res1: Option[Cpg] = Some(value = Cpg (Graph [122094 nodes]))
 ```
 
-## Using atom with joern
-
-At present, atom files are compatible with joern 2.x. However, atom files have specific overlays and enhancements and therefore must be imported with `enhance=false` as shown:
-
-```shell
-joern> importCpg("/home/almalinux/work/sandbox/apollo/app.atom", enhance=false)
-Creating project `app.atom1` for CPG at `/home/almalinux/work/sandbox/apollo/app.atom`
-Creating working copy of CPG to be safe
-Loading base CPG from: /home/almalinux/workspace/app.atom1/cpg.bin.tmp
-res1: Option[Cpg] = Some(value = Cpg (Graph [122094 nodes]))
-```
-
 ## Enterprise support
 
-Enterprise support including custom language development and integration services are available via AppThreat Ltd. Free community support is also available via [discord](https://discord.gg/tmmtjCEHNV).
+Enterprise support including custom language development and integration services is available via AppThreat Ltd. Free community support is also available via [discord](https://discord.gg/tmmtjCEHNV).
diff --git a/contrib/README.md b/contrib/README.md
new file mode 100644
index 0000000..e9fb13a
--- /dev/null
+++ b/contrib/README.md
@@ -0,0 +1,8 @@
+# Introduction
+
+Atom works better under Java 21 with virtual threads. Use the provided patch for Java 21.
+
+```shell
+git apply --ignore-space-change --ignore-whitespace contrib/java21.patch
+sbt clean stage createDistribution
+```
diff --git a/contrib/java21.patch b/contrib/java21.patch
new file mode 100644
index 0000000..c790bb9
--- /dev/null
+++ b/contrib/java21.patch
@@ -0,0 +1,64 @@
+diff --git a/build.sbt b/build.sbt
+index 271d8ed..25e6a8f 100644
+--- a/build.sbt
++++ b/build.sbt
+@@ -35,17 +35,17 @@ Compile / doc / scalacOptions ++= Seq("-doc-title", "atom apidocs", "-doc-versio
+ ThisBuild / scalacOptions ++= Seq(
+ "-deprecation", // Emit warning and location for usages of deprecated APIs.
+ "--release",
+- "17",
++ "21",
+ )
+ 
+ ThisBuild / compile / javacOptions ++= Seq(
+ "-g", // debug symbols
+ "-Xlint",
+- "--release=17"
++ "--release=21"
+ ) ++ {
+ // fail early if users with JDK11 try to run this
+ val javaVersion = sys.props("java.specification.version").toFloat
+- assert(javaVersion.toInt >= 17, s"this build requires JDK17+ - you're using $javaVersion")
++ assert(javaVersion.toInt >= 21, s"this build requires JDK21+ - you're using $javaVersion")
+ Nil
+ }
+ 
+diff --git a/src/main/scala/io/appthreat/atom/dataflows/DataFlowGraph.scala b/src/main/scala/io/appthreat/atom/dataflows/DataFlowGraph.scala
+index 9d1f9bb..52ff6fe 100644
+--- a/src/main/scala/io/appthreat/atom/dataflows/DataFlowGraph.scala
++++ b/src/main/scala/io/appthreat/atom/dataflows/DataFlowGraph.scala
+@@ -65,7 +65,7 @@ object DataFlowGraph:
+ private def DF_EDGES =
+ Set(EdgeTypes.REACHING_DEF, EdgeTypes.CALL, EdgeTypes.REF)
+ val exec: ExecutorService =
+- Executors.newWorkStealingPool(Runtime.getRuntime.availableProcessors / 2)
++ Executors.newVirtualThreadPerTaskExecutor()
+ 
+ def buildFromSlice(slice: DataFlowSlice): DataFlowGraph =
+ val dfNodes = slice.nodes
+diff --git a/src/main/scala/io/appthreat/atom/slicing/DataFlowSlicing.scala b/src/main/scala/io/appthreat/atom/slicing/DataFlowSlicing.scala
+index 7b39fb9..0a5855b 100644
+--- a/src/main/scala/io/appthreat/atom/slicing/DataFlowSlicing.scala
++++ b/src/main/scala/io/appthreat/atom/slicing/DataFlowSlicing.scala
+@@ -14,7 +14,7 @@ class DataFlowSlicing:
+ 
+ implicit val resolver: ICallResolver = NoResolve
+ protected val exec: ExecutorService =
+- Executors.newWorkStealingPool(Runtime.getRuntime.availableProcessors() / 2)
++ Executors.newVirtualThreadPerTaskExecutor()
+ private val excludeOperatorCalls = new AtomicBoolean(true)
+ private val nodeCache = new TrieMap[Long, SliceNode]()
+ private var language: Option[String] = _
+diff --git a/src/main/scala/io/appthreat/atom/slicing/UsageSlicing.scala b/src/main/scala/io/appthreat/atom/slicing/UsageSlicing.scala
+index 75803d1..61f538b 100644
+--- a/src/main/scala/io/appthreat/atom/slicing/UsageSlicing.scala
++++ b/src/main/scala/io/appthreat/atom/slicing/UsageSlicing.scala
+@@ -20,7 +20,7 @@ object UsageSlicing:
+ 
+ private val resolver = NoResolve
+ val exec: ExecutorService =
+- Executors.newWorkStealingPool(Runtime.getRuntime.availableProcessors() / 2)
++ Executors.newVirtualThreadPerTaskExecutor()
+ private val constructorTypeMatcher = Pattern.compile(".*new (\\w+)\\(.*")
+ private val excludeOperatorCalls = new AtomicBoolean(true)
+ private val FRAMEWORK_ROUTE = "framework-route"
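Review bot: Replacing `newWorkStealingPool(availableProcessors / 2)` with `Executors.newVirtualThreadPerTaskExecutor()` in the DataFlowGraph, DataFlowSlicing and UsageSlicing hunks of this patch drops the only bound on concurrent slicing work: a virtual-thread executor starts one thread per submitted task, so the number of in-flight tasks and the heap they retain now scale with submissions rather than with the core count, and only CPU parallelism stays capped by the carrier pool (`jdk.virtualThreadScheduler.parallelism`, default availableProcessors). On JDK 21 a `synchronized` block or native call inside such a task also pins its carrier thread; whether the slicing bodies do that is outside these hunks, as the enclosing objects and classes are not shown. If unbounded submission is intended, say so at each `exec` definition, e.g. `// Unbounded: one virtual thread per task; heap, not core count, is the limit`, otherwise gate submissions with a `java.util.concurrent.Semaphore` sized to the old bound. Since contrib/README.md applies this file with `--ignore-whitespace`, it will stop applying once the three patched files drift from the `index` blobs recorded here, so the commit it was generated against is worth noting next to the `git apply` instruction.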