
Reachables slice #82

Merged
merged 3 commits into from
Oct 17, 2023

Conversation

prabhu
Contributor

@prabhu prabhu commented Oct 11, 2023

This PR adds support for creating reachables slices for Java applications.

Prerequisites

Steps

  • Run cdxgen with the --deep and -o bom.json arguments. The bom file must be called bom.json and must be present in the target repo.

    npm install -g @cyclonedx/cdxgen
    cd <path to java repo>
    cdxgen -t java -o bom.json --deep .

  • Run atom using the reachables command. The resulting slice would have a property called "reachables", which is an array of flows and purls as shown.

    git clone https://github.com/AppThreat/atom
    cd atom
    git checkout feature/reachable-slice
    sbt stage
    ./atom.sh reachables -o app.atom -l java --slice-outfile reachables.json .

Sample invocation:

https://github.com/AppThreat/atom/blob/feature/reachable-slice/.github/workflows/repotests.yml#L77

  • The performance for this slicing must be in between usages and data-flow slicing.
  • The line number and purl information must be correct

Known issues

  • A small number of line numbers for method parameters and methods nodes are incorrect due to bugs in javaparser when dealing with comments that include HTML tags.

Sample test results

https://github.com/HooliCorp/java-sec-code
reachables.json.txt

https://github.com/OWASP-Benchmark/BenchmarkJava
reachables.tar.gz
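A consumer of the two artifacts these steps produce, added here as an example and not part of this PR or the atom project: it joins bom.json with reachables.json to list which SBOM components actually have a reachable flow, where in the application code each is reached, and which first-party flow nodes carry a suspect line number (the known javaparser issue). The sample JSON is constructed, and the per-node field names (fullName, fileName, lineNumber, isExternal) are an assumption about the slice format.

```python
import json

# Constructed samples of the two artifacts (not real tool output): bom.json from cdxgen
# and reachables.json from `atom reachables`. Per-node field names are an assumption.
BOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "snakeyaml", "purl": "pkg:maven/org.yaml/snakeyaml@1.33"},
  {"name": "guava", "purl": "pkg:maven/com.google.guava/guava@32.1.2-jre"}]}"""

REACHABLES_JSON = """{"reachables": [
  {"flows": [
     {"fullName": "com.example.ConfigLoader.load",
      "fileName": "src/main/java/com/example/ConfigLoader.java", "lineNumber": 42, "isExternal": false},
     {"fullName": "org.yaml.snakeyaml.Yaml.load", "fileName": "<unknown>", "lineNumber": -1, "isExternal": true}],
   "purls": ["pkg:maven/org.yaml/snakeyaml@1.33"]},
  {"flows": [
     {"fullName": "com.example.Util.parse",
      "fileName": "src/main/java/com/example/Util.java", "lineNumber": -1, "isExternal": false}],
   "purls": ["pkg:maven/org.example/not-in-bom@1.0"]}]}"""


def sbom_purls(bom_text):
    """Set of purls declared in a CycloneDX bom.json."""
    return {c["purl"] for c in json.loads(bom_text).get("components", []) if "purl" in c}


def reachable_components(bom_text, reachables_text):
    """Map each SBOM purl that has at least one reachable flow to the first-party call sites
    (fileName, lineNumber, fullName) reaching it. Purls absent from the SBOM are ignored."""
    known = sbom_purls(bom_text)
    hits = {}
    for entry in json.loads(reachables_text).get("reachables", []):
        # Non-external nodes are application code: that is where a reviewer looks first.
        sites = [(n.get("fileName"), n.get("lineNumber"), n.get("fullName"))
                 for n in entry.get("flows", []) if not n.get("isExternal")]
        for purl in entry.get("purls", []):
            if purl in known:
                hits.setdefault(purl, []).extend(sites)
    return hits


def unreachable_components(bom_text, reachables_text):
    """SBOM purls with no reachable flow: candidates to deprioritise, not to ignore."""
    return sorted(sbom_purls(bom_text) - set(reachable_components(bom_text, reachables_text)))


def suspect_line_numbers(reachables_text):
    """First-party flow nodes whose lineNumber is missing or below 1, so the site needs manual checking."""
    return [n.get("fullName") for e in json.loads(reachables_text).get("reachables", [])
            for n in e.get("flows", []) if not n.get("isExternal") and (n.get("lineNumber") or 0) < 1]
```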

@prabhu prabhu requested a review from cerrussell October 11, 2023 16:26
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@prabhu prabhu force-pushed the feature/reachable-slice branch from 240404a to 44b14e4 October 13, 2023 15:37
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@prabhu prabhu merged commit fc432c3 into main Oct 17, 2023
@prabhu prabhu deleted the feature/reachable-slice branch October 17, 2023 06:41