fraunhofer-aisec / codyze
Codyze is a static analyzer for Java, C, C++ based on code property graphs
Home Page: https://www.codyze.io
License: Apache License 2.0
Fraunhofer-AISEC/cpg#179 will introduce an ELEMENT_TYPE edge between pointer types and element types. The in-memory field has always been there, the only new thing is an actual @Relationship node. Do I need to register this somehow in the codyze ogm mapper?
java.util.concurrent.ExecutionException: java.lang.RuntimeException: Edge of type ELEMENT_TYPE with direction OUT not supported by class
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2093)
at de.fraunhofer.aisec.analysis.Main.call(Main.java:87)
at de.fraunhofer.aisec.analysis.Main.call(Main.java:29)
at picocli.CommandLine.executeUserObject(CommandLine.java:1783)
at picocli.CommandLine.access$900(CommandLine.java:145)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2141)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2108)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:1975)
at picocli.CommandLine.execute(CommandLine.java:1904)
at de.fraunhofer.aisec.analysis.Main.main(Main.java:59)
Caused by: java.lang.RuntimeException: Edge of type ELEMENT_TYPE with direction OUT not supported by class
at io.shiftleft.overflowdb.OdbNode.storeAdjacentNode(OdbNode.java:429)
at io.shiftleft.overflowdb.OdbNode.storeAdjacentNode(OdbNode.java:411)
at io.shiftleft.overflowdb.OdbNode.addEdge(OdbNode.java:254)
at io.shiftleft.overflowdb.NodeRef.addEdge(NodeRef.java:113)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connect(OverflowDatabase.java:665)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createEdges(OverflowDatabase.java:631)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createVertex(OverflowDatabase.java:483)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connect(OverflowDatabase.java:652)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createEdges(OverflowDatabase.java:631)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createVertex(OverflowDatabase.java:483)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connect(OverflowDatabase.java:652)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connectAll(OverflowDatabase.java:674)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createEdges(OverflowDatabase.java:626)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createVertex(OverflowDatabase.java:483)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connect(OverflowDatabase.java:652)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connectAll(OverflowDatabase.java:674)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createEdges(OverflowDatabase.java:626)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createVertex(OverflowDatabase.java:483)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.save(OverflowDatabase.java:253)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.saveAll(OverflowDatabase.java:230)
at de.fraunhofer.aisec.analysis.server.AnalysisServer.persistToODB(AnalysisServer.java:455)
at de.fraunhofer.aisec.analysis.server.AnalysisServer.lambda$analyze$0(AnalysisServer.java:200)
at java.base/java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:642)
at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1776)
at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1763)
at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1016)
at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1665)
at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1598)
at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:177)
Codyze does not seem to start up:
java.lang.NoClassDefFoundError: Could not initialize class org.codehaus.groovy.vmplugin.v7.Java7
at org.codehaus.groovy.vmplugin.VMPluginFactory.<clinit>(VMPluginFactory.java:43)
at org.codehaus.groovy.reflection.GroovyClassValueFactory.<clinit>(GroovyClassValueFactory.java:35)
at org.codehaus.groovy.reflection.ClassInfo.<clinit>(ClassInfo.java:107)
at org.codehaus.groovy.reflection.ReflectionCache.getCachedClass(ReflectionCache.java:95)
at org.codehaus.groovy.reflection.ReflectionCache.<clinit>(ReflectionCache.java:39)
at org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl.registerMethods(MetaClassRegistryImpl.java:209)
at org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl.<init>(MetaClassRegistryImpl.java:107)
at org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl.<init>(MetaClassRegistryImpl.java:85)
at groovy.lang.GroovySystem.<clinit>(GroovySystem.java:36)
at org.codehaus.groovy.runtime.InvokerHelper.<clinit>(InvokerHelper.java:86)
at groovy.lang.GroovyObjectSupport.getDefaultMetaClass(GroovyObjectSupport.java:59)
at groovy.lang.GroovyObjectSupport.<init>(GroovyObjectSupport.java:32)
at groovy.lang.Closure.<init>(Closure.java:211)
at groovy.lang.Closure.<init>(Closure.java:228)
at groovy.lang.Closure$1.<init>(Closure.java:193)
at groovy.lang.Closure.<clinit>(Closure.java:193)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:377)
at picocli.CommandLine$DefaultFactory.loadClosureClass(CommandLine.java:5455)
at picocli.CommandLine$DefaultFactory.<clinit>(CommandLine.java:5453)
at picocli.CommandLine.<init>(CommandLine.java:196)
at de.fraunhofer.aisec.analysis.Main.main(Main.java:61)
Exception in thread "main" java.lang.NoClassDefFoundError: Could not initialize class org.codehaus.groovy.reflection.ReflectionCache
at org.codehaus.groovy.runtime.dgmimpl.NumberNumberMetaMethod.<clinit>(NumberNumberMetaMethod.java:33)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:64)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.ReflectAccess.newInstance(ReflectAccess.java:128)
at java.base/jdk.internal.reflect.ReflectionFactory.newInstance(ReflectionFactory.java:350)
at java.base/java.lang.Class.newInstance(Class.java:645)
at org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl.createMetaMethodFromClass(MetaClassRegistryImpl.java:257)
at org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl.<init>(MetaClassRegistryImpl.java:110)
at org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl.<init>(MetaClassRegistryImpl.java:85)
at groovy.lang.GroovySystem.<clinit>(GroovySystem.java:36)
at org.codehaus.groovy.runtime.InvokerHelper.<clinit>(InvokerHelper.java:86)
at groovy.lang.GroovyObjectSupport.getDefaultMetaClass(GroovyObjectSupport.java:59)
at groovy.lang.GroovyObjectSupport.<init>(GroovyObjectSupport.java:32)
at groovy.lang.Closure.<init>(Closure.java:211)
at groovy.lang.Closure.<init>(Closure.java:228)
at groovy.lang.Closure$1.<init>(Closure.java:193)
at groovy.lang.Closure.<clinit>(Closure.java:193)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:377)
at picocli.CommandLine$DefaultFactory.loadClosureClass(CommandLine.java:5455)
at picocli.CommandLine$DefaultFactory.<clinit>(CommandLine.java:5453)
at picocli.CommandLine.<init>(CommandLine.java:196)
at de.fraunhofer.aisec.analysis.Main.main(Main.java:61)
1.4.1 was working fine
Our mark model has a snapshot dependency, which is fetched from the sonatype snapshot repo which has a tendency to fail
2020-07-30T16:10:14.9633068Z 2 actionable tasks: 2 executed
2020-07-30T16:10:14.9655435Z FAILURE: Build failed with an exception.
2020-07-30T16:10:14.9655608Z
2020-07-30T16:10:14.9655781Z * What went wrong:
2020-07-30T16:10:14.9656489Z Execution failed for task ':compileJava'.
2020-07-30T16:10:14.9656829Z > Could not resolve all files for configuration ':compileClasspath'.
2020-07-30T16:10:14.9657200Z > Could not resolve de.fraunhofer.aisec.mark:de.fraunhofer.aisec.mark:1.3.0-SNAPSHOT.
2020-07-30T16:10:14.9657357Z Required by:
2020-07-30T16:10:14.9657482Z project :
2020-07-30T16:10:14.9657829Z > Could not resolve de.fraunhofer.aisec.mark:de.fraunhofer.aisec.mark:1.3.0-SNAPSHOT.
2020-07-30T16:10:14.9658564Z > Unable to load Maven meta-data from https://oss.sonatype.org/content/groups/public/de/fraunhofer/aisec/mark/de.fraunhofer.aisec.mark/1.3.0-SNAPSHOT/maven-metadata.xml.
2020-07-30T16:10:14.9659380Z > Could not get resource 'https://oss.sonatype.org/content/groups/public/de/fraunhofer/aisec/mark/de.fraunhofer.aisec.mark/1.3.0-SNAPSHOT/maven-metadata.xml'.
2020-07-30T16:10:14.9660014Z > Could not GET 'https://oss.sonatype.org/content/groups/public/de/fraunhofer/aisec/mark/de.fraunhofer.aisec.mark/1.3.0-SNAPSHOT/maven-metadata.xml'. Received status code 503 from server: Service Unavailable
We should do a release of MARK instead
Looks like this is still an issue to some degree:
RealBCTest > testSimple() FAILED
java.util.concurrent.ExecutionException at RealBCTest.java:20
Caused by: java.lang.StackOverflowError at Class.java:1550
Originally posted by @oxisto in #32 (comment)
Currently, GitHub Actions needs almost 8m-9m for a simple build. We should try to get that build time down to less annoying times, i.e. 3-5mins. Probably related to the tests, I guess.
Can be flagged as a nice-to-have for now.
Seems to be related to https://github.com/Fraunhofer-AISEC/cpg/blob/master/src/main/java/de/fraunhofer/aisec/cpg/helpers/LocationConverter.java
18:10:37,715 ERROR ReferenceManager error while trying to clear references
org.apache.commons.lang3.NotImplementedException: id type `class java.net.URI` not yet supported
at overflowdb.storage.NodeSerializer.packTypedValue(NodeSerializer.java:111) ~[overflowdb-tinkerpop3-0.128.jar:0.128]
at overflowdb.storage.NodeSerializer.packProperties(NodeSerializer.java:46) ~[overflowdb-tinkerpop3-0.128.jar:0.128]
at overflowdb.storage.NodeSerializer.serialize(NodeSerializer.java:29) ~[overflowdb-tinkerpop3-0.128.jar:0.128]
at overflowdb.storage.OdbStorage.serialize(OdbStorage.java:80) ~[overflowdb-tinkerpop3-0.128.jar:0.128]
at overflowdb.NodeRef.serializeWhenDirty(NodeRef.java:70) ~[overflowdb-tinkerpop3-0.128.jar:0.128]
at overflowdb.ReferenceManager.serializeReference(ReferenceManager.java:157) ~[overflowdb-tinkerpop3-0.128.jar:0.128]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195) ~[?:?]
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:177) ~[?:?]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1624) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150) ~[?:?]
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:497) ~[?:?]
at overflowdb.ReferenceManager.clearReferences(ReferenceManager.java:133) ~[overflowdb-tinkerpop3-0.128.jar:0.128]
at overflowdb.ReferenceManager.safelyClearReferences(ReferenceManager.java:116) ~[overflowdb-tinkerpop3-0.128.jar:
We should include basic documentation about the CLI mode in the codyze binary.
Codyze dev:
I am very interested in CPG and Codyze. At present, there are not many practical examples in the documentation. Can you provide examples of data flow queries? In addition, how can I join the Codyze community for co-creation development? In terms of theoretical research, are there any outstanding topics? Thank you!
The command-line mode uses annotations to create command-line parameters and options. One of them sets the version printed on the command-line:
We should update this version upon release of a new codyze version to match version numbers.
TestCode:
1 package WeakEncryption.InadequateRSAPadding;
2
3 import javax.crypto.Cipher;
4
5 public class CWE780_WeakEncryption_InadequateRSAPadding_01 {
6 public void bad() throws Exception {
7 /* POTENTIAL FLAW: Not OAEP */
8 Cipher.getInstance("RSA");
9 }
10
11 public void good() throws Exception {
12 Cipher.getInstance("RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
13 }
14 }
findings.json:
[{
"problem": false,
"locations": [{
"region": {
"endLine": 7,
"endColumn": 32,
"startColumn": 27,
"startLine": 7
},
"artifactLocation": {"uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java"}
}],
"logMsg": "Rule ID_2_01 verified",
"onfailIdentifier": "Invalid_TR21021_Cipher"
},{
"problem": false,
"locations": [{
"region": {
"endLine": 11,
"endColumn": 66,
"startColumn": 27,
"startLine": 11
},
"artifactLocation": {"uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java"}
}],
"logMsg": "Rule ID_2_01 verified",
"onfailIdentifier": "Invalid_TR21021_Cipher"
},{
"problem": true,
"locations": [],
"logMsg": "Rule BouncyCastleProvider_Cipher violated",
"onfailIdentifier": "InvalidProvider_Cipher"
},{
"problem": true,
"locations": [{
"region": {
"endLine": 11,
"endColumn": 66,
"startColumn": 27,
"startLine": 11
},
"artifactLocation": {"uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java"}
}],
"logMsg": "Rule ID_3_5_01 violated",
"onfailIdentifier": "InvalidRSAPadding"
},{
"problem": true,
"locations": [],
"logMsg": "Rule ID_3_5_01 violated",
"onfailIdentifier": "InvalidRSAPadding"
}]
Cipher.getInstance("RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
I think it is a correct scenario, but a defect [InvalidRSAPadding] is also reported [Line Number 11]. The MARK rule files show that the algorithm name is case-sensitive. Can it be case-insensitive?
Seems to have been caused by restructuring the overflow Db access. Will provide a detailed log about the error.
Test Code:
```java
package WeakEncryption.InadequateRSAPadding;

import javax.crypto.Cipher;

public class CWE780_WeakEncryption_InadequateRSAPadding_01 {
    public void bad() throws Exception {
        /* POTENTIAL FLAW: Not OAEP */
        Cipher.getInstance("RSA");
    }

    public void good() throws Exception {
        Cipher.getInstance("RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
    }
}
```
Checking the following result of scanning the above code, the row number and column information is missing in some findings.
[{
"problem": false,
"locations": [{
"region": {
"endLine": 7,
"endColumn": 32,
"startColumn": 27,
"startLine": 7
},
"artifactLocation": {"uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java"}
}],
"logMsg": "Rule ID_2_01 verified",
"onfailIdentifier": "Invalid_TR21021_Cipher"
},{
"problem": false,
"locations": [{
"region": {
"endLine": 11,
"endColumn": 66,
"startColumn": 27,
"startLine": 11
},
"artifactLocation": {"uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java"}
}],
"logMsg": "Rule ID_2_01 verified",
"onfailIdentifier": "Invalid_TR21021_Cipher"
},{
"problem": true,
"locations": [],
"logMsg": "Rule BouncyCastleProvider_Cipher violated",
"onfailIdentifier": "InvalidProvider_Cipher"
},{
"problem": true,
"locations": [{
"region": {
"endLine": 11,
"endColumn": 66,
"startColumn": 27,
"startLine": 11
},
"artifactLocation": {"uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java"}
}],
"logMsg": "Rule ID_3_5_01 violated",
"onfailIdentifier": "InvalidRSAPadding"
},{
"problem": true,
"locations": [],
"logMsg": "Rule ID_3_5_01 violated",
"onfailIdentifier": "InvalidRSAPadding"
}]
Spotless v5 has changed its plugin id from com.diffplug.gradle.spotless to com.diffplug.spotless. (cf. build log of #59)
It is suggested to update to v4, fix all problems and then update to v5.
Seems to fail sometimes, not sure why exactly...
We generate findings for all checked MARK rules. Findings indicate a rule violation or a successful check. Currently, the finding description contains only text for rule violations. These are also shown via LSP on successful checks, causing user confusion.
We should add additional descriptions for successful checks.
Test Code
extern void abort(void);
extern void __assert_fail(const char *, const char *, unsigned int, const char *) __attribute__ ((__nothrow__ , __leaf__)) __attribute__ ((__noreturn__));
void reach_error() { __assert_fail("0", "array_doub_access_init_const.c", 3, "reach_error"); }
extern void abort(void);
void assume_abort_if_not(int cond) {
    if(!cond) {abort();}
}
void __VERIFIER_assert(int cond) { if(!(cond)) { ERROR: {reach_error();abort();} } }
int main()
{
    int i;
    int N=100000;
    int a[2*N+2];
    for(i=0;i<=N;i++) {
        a[2*i]=0;
        a[2*i+1]=0;
    }
    for(i=0;i<=2*N;i++)
        __VERIFIER_assert(a[i]>=0);
    return 0;
}
When I try to register ControlFlowGraphPass, the log shows that CXXLanguageFrontend Transform to CPG can be done, but then a null pointer exception will be thrown.
However when I unregister that Pass, it works.
I am trying to write MARK rules for JCA, and I have tried to install the MARK plugin on Eclipse based on the instruction provided on Codyze webpage, but I get an error. I used Eclipse versions 2019-06, 2020-09, and the latest version. I also tried it on Ubuntu 20.04.1 LTS with Eclipse 2020-09. None of them have worked. I will attach the error message with this issue.
Gradle 6.0.1 seems to have problems on Java 14
➜ codyze git:(master) ✗ ./gradlew --stacktrace build
FAILURE: Build failed with an exception.
* What went wrong:
Could not initialize class org.codehaus.groovy.runtime.InvokerHelper
* Try:
Run with --info or --debug option to get more log output. Run with --scan to get full insights.
* Exception is:
java.lang.NoClassDefFoundError: Could not initialize class org.codehaus.groovy.runtime.InvokerHelper
at org.gradle.internal.extensibility.DefaultExtraPropertiesExtension.<init>(DefaultExtraPropertiesExtension.java:29)
at org.gradle.internal.extensibility.DefaultConvention.<init>(DefaultConvention.java:49)
at org.gradle.internal.extensibility.ExtensibleDynamicObject.<init>(ExtensibleDynamicObject.java:60)
at org.gradle.internal.instantiation.generator.MixInExtensibleDynamicObject.<init>(MixInExtensibleDynamicObject.java:35)
at org.gradle.initialization.DefaultSettings_Decorated.getAsDynamicObject(Unknown Source)
at org.gradle.initialization.SettingsFactory.createSettings(SettingsFactory.java:58)
at org.gradle.initialization.ScriptEvaluatingSettingsProcessor.process(ScriptEvaluatingSettingsProcessor.java:61)
at org.gradle.initialization.PropertiesLoadingSettingsProcessor.process(PropertiesLoadingSettingsProcessor.java:38)
at org.gradle.initialization.SettingsEvaluatedCallbackFiringSettingsProcessor.process(SettingsEvaluatedCallbackFiringSettingsProcessor.java:34)
at org.gradle.initialization.RootBuildCacheControllerSettingsProcessor.process(RootBuildCacheControllerSettingsProcessor.java:36)
at org.gradle.initialization.BuildOperationSettingsProcessor$2.call(BuildOperationSettingsProcessor.java:50)
at org.gradle.initialization.BuildOperationSettingsProcessor$2.call(BuildOperationSettingsProcessor.java:47)
at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:416)
at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:406)
at org.gradle.internal.operations.DefaultBuildOperationExecutor$1.execute(DefaultBuildOperationExecutor.java:165)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:250)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:158)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:102)
at org.gradle.internal.operations.DelegatingBuildOperationExecutor.call(DelegatingBuildOperationExecutor.java:36)
at org.gradle.initialization.BuildOperationSettingsProcessor.process(BuildOperationSettingsProcessor.java:47)
at org.gradle.initialization.DefaultSettingsLoader.findSettingsAndLoadIfAppropriate(DefaultSettingsLoader.java:102)
at org.gradle.initialization.DefaultSettingsLoader.findAndLoadSettings(DefaultSettingsLoader.java:45)
at org.gradle.initialization.SettingsAttachingSettingsLoader.findAndLoadSettings(SettingsAttachingSettingsLoader.java:35)
at org.gradle.internal.composite.CommandLineIncludedBuildSettingsLoader.findAndLoadSettings(CommandLineIncludedBuildSettingsLoader.java:34)
at org.gradle.internal.composite.ChildBuildRegisteringSettingsLoader.findAndLoadSettings(ChildBuildRegisteringSettingsLoader.java:52)
at org.gradle.internal.composite.CompositeBuildSettingsLoader.findAndLoadSettings(CompositeBuildSettingsLoader.java:35)
at org.gradle.initialization.DefaultSettingsPreparer.prepareSettings(DefaultSettingsPreparer.java:36)
at org.gradle.initialization.BuildOperatingFiringSettingsPreparer$LoadBuild.doLoadBuild(BuildOperatingFiringSettingsPreparer.java:59)
at org.gradle.initialization.BuildOperatingFiringSettingsPreparer$LoadBuild.run(BuildOperatingFiringSettingsPreparer.java:54)
at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:402)
at org.gradle.internal.operations.DefaultBuildOperationExecutor$RunnableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:394)
at org.gradle.internal.operations.DefaultBuildOperationExecutor$1.execute(DefaultBuildOperationExecutor.java:165)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:250)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:158)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:92)
at org.gradle.internal.operations.DelegatingBuildOperationExecutor.run(DelegatingBuildOperationExecutor.java:31)
at org.gradle.initialization.BuildOperatingFiringSettingsPreparer.prepareSettings(BuildOperatingFiringSettingsPreparer.java:42)
at org.gradle.initialization.DefaultGradleLauncher.prepareSettings(DefaultGradleLauncher.java:194)
at org.gradle.initialization.DefaultGradleLauncher.doClassicBuildStages(DefaultGradleLauncher.java:138)
at org.gradle.initialization.DefaultGradleLauncher.doBuildStages(DefaultGradleLauncher.java:130)
at org.gradle.initialization.DefaultGradleLauncher.executeTasks(DefaultGradleLauncher.java:110)
at org.gradle.internal.invocation.GradleBuildController$1.execute(GradleBuildController.java:60)
at org.gradle.internal.invocation.GradleBuildController$1.execute(GradleBuildController.java:57)
at org.gradle.internal.invocation.GradleBuildController$3.create(GradleBuildController.java:85)
at org.gradle.internal.invocation.GradleBuildController$3.create(GradleBuildController.java:78)
at org.gradle.internal.work.DefaultWorkerLeaseService.withLocks(DefaultWorkerLeaseService.java:189)
at org.gradle.internal.work.StopShieldingWorkerLeaseService.withLocks(StopShieldingWorkerLeaseService.java:40)
at org.gradle.internal.invocation.GradleBuildController.doBuild(GradleBuildController.java:78)
at org.gradle.internal.invocation.GradleBuildController.run(GradleBuildController.java:57)
at org.gradle.tooling.internal.provider.ExecuteBuildActionRunner.run(ExecuteBuildActionRunner.java:31)
at org.gradle.launcher.exec.ChainingBuildActionRunner.run(ChainingBuildActionRunner.java:35)
at org.gradle.launcher.exec.BuildOutcomeReportingBuildActionRunner.run(BuildOutcomeReportingBuildActionRunner.java:63)
at org.gradle.tooling.internal.provider.ValidatingBuildActionRunner.run(ValidatingBuildActionRunner.java:32)
at org.gradle.launcher.exec.BuildCompletionNotifyingBuildActionRunner.run(BuildCompletionNotifyingBuildActionRunner.java:39)
at org.gradle.launcher.exec.RunAsBuildOperationBuildActionRunner$3.call(RunAsBuildOperationBuildActionRunner.java:51)
at org.gradle.launcher.exec.RunAsBuildOperationBuildActionRunner$3.call(RunAsBuildOperationBuildActionRunner.java:45)
at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:416)
at org.gradle.internal.operations.DefaultBuildOperationExecutor$CallableBuildOperationWorker.execute(DefaultBuildOperationExecutor.java:406)
at org.gradle.internal.operations.DefaultBuildOperationExecutor$1.execute(DefaultBuildOperationExecutor.java:165)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:250)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.execute(DefaultBuildOperationExecutor.java:158)
at org.gradle.internal.operations.DefaultBuildOperationExecutor.call(DefaultBuildOperationExecutor.java:102)
at org.gradle.internal.operations.DelegatingBuildOperationExecutor.call(DelegatingBuildOperationExecutor.java:36)
at org.gradle.launcher.exec.RunAsBuildOperationBuildActionRunner.run(RunAsBuildOperationBuildActionRunner.java:45)
at org.gradle.launcher.exec.InProcessBuildActionExecuter$1.transform(InProcessBuildActionExecuter.java:50)
at org.gradle.launcher.exec.InProcessBuildActionExecuter$1.transform(InProcessBuildActionExecuter.java:47)
at org.gradle.composite.internal.DefaultRootBuildState.run(DefaultRootBuildState.java:78)
at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:47)
at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:31)
at org.gradle.launcher.exec.BuildTreeScopeBuildActionExecuter.execute(BuildTreeScopeBuildActionExecuter.java:42)
at org.gradle.launcher.exec.BuildTreeScopeBuildActionExecuter.execute(BuildTreeScopeBuildActionExecuter.java:28)
at org.gradle.tooling.internal.provider.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:78)
at org.gradle.tooling.internal.provider.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:52)
at org.gradle.tooling.internal.provider.SubscribableBuildActionExecuter.execute(SubscribableBuildActionExecuter.java:59)
at org.gradle.tooling.internal.provider.SubscribableBuildActionExecuter.execute(SubscribableBuildActionExecuter.java:36)
at org.gradle.tooling.internal.provider.SessionScopeBuildActionExecuter.execute(SessionScopeBuildActionExecuter.java:68)
at org.gradle.tooling.internal.provider.SessionScopeBuildActionExecuter.execute(SessionScopeBuildActionExecuter.java:38)
at org.gradle.tooling.internal.provider.GradleThreadBuildActionExecuter.execute(GradleThreadBuildActionExecuter.java:37)
at org.gradle.tooling.internal.provider.GradleThreadBuildActionExecuter.execute(GradleThreadBuildActionExecuter.java:26)
at org.gradle.tooling.internal.provider.ParallelismConfigurationBuildActionExecuter.execute(ParallelismConfigurationBuildActionExecuter.java:43)
at org.gradle.tooling.internal.provider.ParallelismConfigurationBuildActionExecuter.execute(ParallelismConfigurationBuildActionExecuter.java:29)
at org.gradle.tooling.internal.provider.StartParamsValidatingActionExecuter.execute(StartParamsValidatingActionExecuter.java:60)
at org.gradle.tooling.internal.provider.StartParamsValidatingActionExecuter.execute(StartParamsValidatingActionExecuter.java:32)
at org.gradle.tooling.internal.provider.SessionFailureReportingActionExecuter.execute(SessionFailureReportingActionExecuter.java:55)
at org.gradle.tooling.internal.provider.SessionFailureReportingActionExecuter.execute(SessionFailureReportingActionExecuter.java:41)
at org.gradle.tooling.internal.provider.SetupLoggingActionExecuter.execute(SetupLoggingActionExecuter.java:48)
at org.gradle.tooling.internal.provider.SetupLoggingActionExecuter.execute(SetupLoggingActionExecuter.java:32)
at org.gradle.launcher.daemon.server.exec.ExecuteBuild.doBuild(ExecuteBuild.java:68)
at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:37)
at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
at org.gradle.launcher.daemon.server.exec.WatchForDisconnection.execute(WatchForDisconnection.java:39)
at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
at org.gradle.launcher.daemon.server.exec.ResetDeprecationLogger.execute(ResetDeprecationLogger.java:27)
at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
at org.gradle.launcher.daemon.server.exec.RequestStopIfSingleUsedDaemon.execute(RequestStopIfSingleUsedDaemon.java:35)
at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.create(ForwardClientInput.java:78)
at org.gradle.launcher.daemon.server.exec.ForwardClientInput$2.create(ForwardClientInput.java:75)
at org.gradle.util.Swapper.swap(Swapper.java:38)
at org.gradle.launcher.daemon.server.exec.ForwardClientInput.execute(ForwardClientInput.java:75)
at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
at org.gradle.launcher.daemon.server.exec.LogAndCheckHealth.execute(LogAndCheckHealth.java:55)
at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
at org.gradle.launcher.daemon.server.exec.LogToClient.doBuild(LogToClient.java:63)
at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:37)
at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
at org.gradle.launcher.daemon.server.exec.EstablishBuildEnvironment.doBuild(EstablishBuildEnvironment.java:82)
at org.gradle.launcher.daemon.server.exec.BuildCommandOnly.execute(BuildCommandOnly.java:37)
at org.gradle.launcher.daemon.server.api.DaemonCommandExecution.proceed(DaemonCommandExecution.java:104)
at org.gradle.launcher.daemon.server.exec.StartBuildOrRespondWithBusy$1.run(StartBuildOrRespondWithBusy.java:52)
at org.gradle.launcher.daemon.server.DaemonStateCoordinator$1.run(DaemonStateCoordinator.java:297)
at org.gradle.internal.concurrent.ExecutorPolicy$CatchAndRecordFailures.onExecute(ExecutorPolicy.java:64)
at org.gradle.internal.concurrent.ManagedExecutorImpl$1.run(ManagedExecutorImpl.java:48)
at org.gradle.internal.concurrent.ThreadFactoryImpl$ManagedThreadRunnable.run(ThreadFactoryImpl.java:56)
TestCode:
1 package WeakEncryption.InadequateRSAPadding;
2
3 import javax.crypto.Cipher;
4
5 public class CWE780_WeakEncryption_InadequateRSAPadding_01 {
6 public void bad() throws Exception {
7 /* POTENTIAL FLAW: Not OAEP */
8 Cipher.getInstance("RSA");
9 }
10
11 public void good() throws Exception {
12 Cipher.getInstance("RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
13 }
14 }
findings.json:
[{
"problem": false,
"locations": [{
"region": {
"endLine": 7,
"endColumn": 32,
"startColumn": 27,
"startLine": 7
},
"artifactLocation": {"uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java"}
}],
"logMsg": "Rule ID_2_01 verified",
"onfailIdentifier": "Invalid_TR21021_Cipher"
},{
"problem": false,
"locations": [{
"region": {
"endLine": 11,
"endColumn": 66,
"startColumn": 27,
"startLine": 11
},
"artifactLocation": {"uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java"}
}],
"logMsg": "Rule ID_2_01 verified",
"onfailIdentifier": "Invalid_TR21021_Cipher"
},{
"problem": true,
"locations": [],
"logMsg": "Rule BouncyCastleProvider_Cipher violated",
"onfailIdentifier": "InvalidProvider_Cipher"
},{
"problem": true,
"locations": [{
"region": {
"endLine": 11,
"endColumn": 66,
"startColumn": 27,
"startLine": 11
},
"artifactLocation": {"uri": "file:/xxx/InadequateRSAPadding/CWE780_WeakEncryption_InadequateRSAPadding_01.java"}
}],
"logMsg": "Rule ID_3_5_01 violated",
"onfailIdentifier": "InvalidRSAPadding"
},{
"problem": true,
"locations": [],
"logMsg": "Rule ID_3_5_01 violated",
"onfailIdentifier": "InvalidRSAPadding"
}]
For the first finding, the startLine and endLine are both 7, which is inconsistent with the actual code line number 8.
Is it a bug?
Would be nice.
Currently, there are a LOT of functions that create a TranslationManager, and they are almost all the same. With CPG 4.0 we have a breaking change and I am currently hunting down all the places where I need to insert defaultLanguages. We should consolidate all those test functions.
I am trying to parse the CPG using the CPG (albeit with Codyze, so I hope the problem is not related to that) and the following error occurs:
java.util.concurrent.ExecutionException: java.lang.RuntimeException: Unable to calculate the type of a parameter of a method call. Method call: statement.setInitializerStatement(handle(ctx.getInitializerStatement())), Parameter: handle(ctx.getInitializerStatement())
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2086)
at de.fraunhofer.aisec.analysis.Main.call(Main.java:91)
at de.fraunhofer.aisec.analysis.Main.call(Main.java:27)
at picocli.CommandLine.executeUserObject(CommandLine.java:1933)
at picocli.CommandLine.access$1200(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2332)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2326)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2291)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2159)
at picocli.CommandLine.execute(CommandLine.java:2058)
at de.fraunhofer.aisec.analysis.Main.main(Main.java:61)
Caused by: java.lang.RuntimeException: Unable to calculate the type of a parameter of a method call. Method call: statement.setInitializerStatement(handle(ctx.getInitializerStatement())), Parameter: handle(ctx.getInitializerStatement())
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.solveArguments(JavaParserFacade.java:304)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.solve(JavaParserFacade.java:319)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.solve(JavaParserFacade.java:183)
at com.github.javaparser.symbolsolver.JavaSymbolSolver.resolveDeclaration(JavaSymbolSolver.java:161)
at com.github.javaparser.ast.expr.MethodCallExpr.resolve(MethodCallExpr.java:313)
at de.fraunhofer.aisec.cpg.frontends.java.ExpressionHandler.handleMethodCallExpression(ExpressionHandler.java:670)
at de.fraunhofer.aisec.cpg.frontends.Handler.handle(Handler.java:111)
at de.fraunhofer.aisec.cpg.frontends.java.StatementAnalyzer.handleExpressionStatement(StatementAnalyzer.java:88)
at de.fraunhofer.aisec.cpg.frontends.Handler.handle(Handler.java:111)
at de.fraunhofer.aisec.cpg.frontends.java.StatementAnalyzer.handleBlockStatement(StatementAnalyzer.java:385)
at de.fraunhofer.aisec.cpg.frontends.Handler.handle(Handler.java:111)
at de.fraunhofer.aisec.cpg.frontends.java.StatementAnalyzer.handleIfStatement(StatementAnalyzer.java:134)
at de.fraunhofer.aisec.cpg.frontends.Handler.handle(Handler.java:111)
at de.fraunhofer.aisec.cpg.frontends.java.StatementAnalyzer.handleBlockStatement(StatementAnalyzer.java:385)
at de.fraunhofer.aisec.cpg.frontends.Handler.handle(Handler.java:111)
at de.fraunhofer.aisec.cpg.frontends.java.DeclarationHandler.handleMethodDeclaration(DeclarationHandler.java:193)
at de.fraunhofer.aisec.cpg.frontends.java.DeclarationHandler.lambda$new$0(DeclarationHandler.java:56)
at de.fraunhofer.aisec.cpg.frontends.Handler.handle(Handler.java:111)
at de.fraunhofer.aisec.cpg.frontends.java.DeclarationHandler.handleClassOrInterfaceDeclaration(DeclarationHandler.java:253)
at de.fraunhofer.aisec.cpg.frontends.java.DeclarationHandler.lambda$new$2(DeclarationHandler.java:65)
at de.fraunhofer.aisec.cpg.frontends.Handler.handle(Handler.java:111)
at de.fraunhofer.aisec.cpg.frontends.java.JavaLanguageFrontend.parse(JavaLanguageFrontend.java:157)
at de.fraunhofer.aisec.cpg.TranslationManager.runFrontends(TranslationManager.java:241)
at de.fraunhofer.aisec.cpg.TranslationManager.lambda$analyze$0(TranslationManager.java:98)
at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1764)
at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1756)
at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1016)
at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1665)
at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1598)
at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:183)
Caused by: java.lang.RuntimeException: Error calculating the type of parameter ctx.getInitializerStatement() of method call handle(ctx.getInitializerStatement())
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.solveMethodAsUsage(JavaParserFacade.java:739)
at com.github.javaparser.symbolsolver.javaparsermodel.TypeExtractor.visit(TypeExtractor.java:320)
at com.github.javaparser.symbolsolver.javaparsermodel.TypeExtractor.visit(TypeExtractor.java:97)
at com.github.javaparser.ast.expr.MethodCallExpr.accept(MethodCallExpr.java:115)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.getTypeConcrete(JavaParserFacade.java:551)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.getType(JavaParserFacade.java:398)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.solveArguments(JavaParserFacade.java:300)
... 30 more
Caused by: UnsolvedSymbolException{context='null', name='CPPASTIfStatement', cause='null'}
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.convertToUsage(JavaParserFacade.java:670)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.convert(JavaParserFacade.java:728)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.convert(JavaParserFacade.java:724)
at com.github.javaparser.symbolsolver.javaparsermodel.declarations.JavaParserParameterDeclaration.getType(JavaParserParameterDeclaration.java:83)
at com.github.javaparser.symbolsolver.model.resolution.Value.from(Value.java:45)
at com.github.javaparser.symbolsolver.core.resolution.Context.solveSymbolAsValue(Context.java:76)
at com.github.javaparser.symbolsolver.javaparsermodel.contexts.StatementContext.solveSymbolAsValue(StatementContext.java:156)
at com.github.javaparser.symbolsolver.javaparsermodel.contexts.MethodCallExprContext.solveSymbolAsValue(MethodCallExprContext.java:166)
at com.github.javaparser.symbolsolver.resolution.SymbolSolver.solveSymbolAsValue(SymbolSolver.java:75)
at com.github.javaparser.symbolsolver.resolution.SymbolSolver.solveSymbolAsValue(SymbolSolver.java:80)
at com.github.javaparser.symbolsolver.javaparsermodel.TypeExtractor.visit(TypeExtractor.java:330)
at com.github.javaparser.symbolsolver.javaparsermodel.TypeExtractor.visit(TypeExtractor.java:97)
at com.github.javaparser.ast.expr.NameExpr.accept(NameExpr.java:79)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.getTypeConcrete(JavaParserFacade.java:551)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.getType(JavaParserFacade.java:398)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.getType(JavaParserFacade.java:380)
at com.github.javaparser.symbolsolver.javaparsermodel.contexts.MethodCallExprContext.solveMethodAsUsage(MethodCallExprContext.java:115)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.solveMethodAsUsage(JavaParserFacade.java:745)
at com.github.javaparser.symbolsolver.javaparsermodel.TypeExtractor.visit(TypeExtractor.java:320)
at com.github.javaparser.symbolsolver.javaparsermodel.TypeExtractor.visit(TypeExtractor.java:97)
at com.github.javaparser.ast.expr.MethodCallExpr.accept(MethodCallExpr.java:115)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.getTypeConcrete(JavaParserFacade.java:551)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.getType(JavaParserFacade.java:428)
at com.github.javaparser.symbolsolver.javaparsermodel.JavaParserFacade.solveMethodAsUsage(JavaParserFacade.java:737)
To reproduce: bin/codyze -s ~/Repositories/cpg/src/main/java -c
Currently, it is not possible to configure CPG options, i.e. whether to parse includes or not or to configure additional include directories.
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Location: renovate.json
Error type: The renovate configuration file contains some invalid settings
Message: Invalid configuration option: packageRules[2].allowdVersions
Is it possible to model in MARK the caller of a function/operation, i.e. to restrict that a certain function should only be called by a specific other function or better just with a certain class?
Consider the following cpp file:
class MyObject{
public:
    void DoSomething(int);
};
int main() {
    MyObject* ctx;
    ctx = new MyObject();
    ctx->DoSomething(0);
}
and the following MARK file:
package test
entity MyObject {
    var param: int;
    op instantiate {
        MyObject();
    }
    op do {
        MyObject::DoSomething(param);
    }
}
rule MustBeOne {
    using MyObject as ctx
    ensure ctx.param == 1
    onfail MyFail
}
Codyze will not be able to find the variable with the new assignment. The analysis will fail and a warning will be displayed:
21:46:49,437 WARN CrymlinQueryWrapper Unexpected: Source of INITIALIZER edge to ConstructExpression is not a VariableDeclaration. Trying to continue anyway
Could be used to annotate that certain MARK rules are tied to controls, e.g. in the BSI TR. Similar to Java: @Control
codyze version: 1.4.1
scanning folder: [install dir]\bin\codyze.bat -c -s [folder] -m [install dir]\mark
scanning file: [install dir]\bin\codyze.bat -c -s [folder\RSAPadding.java] -m [install dir]\mark
In the folder, there are many Java files, but I only get the result findbug.json with file RSAPadding.java. It seems that only one file is scanned when trying to scan a directory.
TestCode:
1 package WeakEncryption.InadequateRSAPadding;
2
3 import javax.crypto.Cipher;
4
5 public class CWE780_WeakEncryption_InadequateRSAPadding_01 {
6 public void bad() throws Exception {
7 /* POTENTIAL FLAW: Not OAEP */
8 Cipher.getInstance("RSA");
9 }
10
11 public void good() throws Exception {
12 Cipher.getInstance("RSA/ECB/OAEPWithSHA-512AndMGF1Padding");
13 }
14 }
The findings.json contains false problems (where the problem property is false) and true problems (where the problem property is true). Is there a way to hide the false-problem findings? That way, our checking efficiency would be improved.
Currently the output for the findings shown to the user in either the Crymlin console or via the LSP interface is rather cryptic (MarkRuleEvaluationFinding: line xxx ...). All findings should have corresponding descriptions in findingDescriptions.json which should be used as output.
Feature request from evaluation:
Add a command line switch (e.g. --disable-positive-findings) to switch off output of "positive" findings that confirm correctness of an implementation.
Fraunhofer-AISEC/cpg#205 changes the creation of nodes in the CPG. Evaluate if the PR causes problems in codyze.
Hello,
I extracted the test cases corresponding to JCA in this repo so it's easier for me to test and load the results into SonarQube/SonarCloud:
When I run Codyze with this command line I'm getting results for AESCBC.java (findings-AESCBC.json.txt)
~/Softwares/codyze-1.4.1/bin/codyze -c -s=src/main/java/jca/AESCBC.java -m=/home/alex/Softwares/codyze-1.4.1/mark/bouncycastle/ --no-good-findings
When I run this command line looking at all the Java files under the directory src/main/java/jca/, I'm getting different results for AESCBC.java (findings-all.json.txt).
~/Softwares/codyze-1.4.1/bin/codyze -c -s=src/main/java/jca/ -m=/home/alex/Softwares/codyze-1.4.1/mark/bouncycastle/ --no-good-findings
I'm getting 21 problems when I target only AESCBC.java, while I'm getting only 13 problems for AESCBC.java when I target the entire folder.
I would expect to see the same quantity of problems because the files under the directory src/main/java/jca/ have no relationship.
The second problem is the inconsistency of the line numbers when targeting a folder.
For example, there is a problem raised on AESGMAC.java on line 17 (so 18 for real), while there are not 66 characters on this line but only 44:
"locations": [
{
"region": {
"endLine": 17,
"endColumn": 66,
"startColumn": 9,
"startLine": 17
},
"artifactLocation": {"uri": "file:/home/alex/Repos/Java_Validation/codyze-java-testcases/src/main/java/jca/AESGMAC.java"}
},
Sometimes, it is necessary to clean src/main/generated, i.e. if updating gradle versions. The clean task should take care of this, but does not.
OverflowDB has gone through some development iterations. The current version is v1.x. We're using the 0.x build.
Should we invest the work to upgrade to 1.x?
The LSP server only seems to produce a valid result for the first analysis. Every other analysis run after the server is already started seems to produce erroneous results.
Version 3.x of Fraunhofer-AISEC/cpg is available. We should prepare the migration.
Hi,
I randomly scanned a few open source projects, but found that the analysis process is very, very slow and no results have been produced, nor do I know how long it will take to produce results. Are there some optimization measures or command parameters to make it faster? This is a random project; I used the command ./Codyze -c -s=/root/WebGoat5.0 -m=/root/codyze/src/test/resources/mark_java, and initially ./codyze -c --typestate NFA --interproc -s=/ root/WebGoat5.0 -m=/root/codyze/src/test/resources/mark_java, but they are both very slow and have not completed. The test was started at night, and there was no result in the morning.
Problem:
Programs may use hardcoded/static passwords, IVs or salts for cryptographic operations. For example, devices may ship with a default password that is coded into the software/firmware. This information often causes vulnerabilities when users don't change the default values.
Example:
byte[] salt = new byte[] { 0x2b, 0x5f, 0x13, 0x20 };
String masterPass = "Test";
// complain about use of hardcoded/static values
KeySpec pbeKeySpec = new PBEKeySpec(masterPass.toCharArray(), salt, 1000);
Proposed solution:
A MARK rule to prohibit the use of hardcoded/static passwords, IVs or salts.
Possible blockers:
May require a new builtin function to recognize a hardcoded/static value.
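The flagged pattern from the issue above next to a variant that takes the password from the caller and draws a fresh random salt per derivation, as an added example that is not part of the original issue or of Codyze. The class name, the choice of PBKDF2WithHmacSHA256, the 256-bit key length and the iteration count are assumptions made for this illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical class for illustration; not Codyze code.
public class PbeSaltExample {
    // Assumed parameters for this example, not values taken from the issue.
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;

    /** Pattern from the issue: password and salt are compile-time constants. */
    static byte[] deriveHardcoded() throws Exception {
        byte[] salt = new byte[] { 0x2b, 0x5f, 0x13, 0x20 };
        String masterPass = "Test";
        // A key length is added here because PBKDF2 requires one.
        return derive(new PBEKeySpec(masterPass.toCharArray(), salt, 1000, KEY_BITS));
    }

    /** Fresh salt per derivation; store it next to the ciphertext or hash. */
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /** Password and salt are supplied at run time instead of living in the binary. */
    static byte[] deriveFromInput(char[] password, byte[] salt) throws Exception {
        return derive(new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS));
    }

    private static byte[] derive(PBEKeySpec spec) throws Exception {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        // Constant inputs: every installation derives the identical key.
        System.out.println("hardcoded, same key each time: "
                + Arrays.equals(deriveHardcoded(), deriveHardcoded()));

        // Constructed sample passphrase; stands in for user-supplied input.
        char[] password = "constructed sample passphrase".toCharArray();
        byte[] k1 = deriveFromInput(password, newSalt());
        byte[] k2 = deriveFromInput(password, newSalt());
        System.out.println("random salt, same key each time: " + Arrays.equals(k1, k2));
        Arrays.fill(password, '\0'); // wipe the caller's copy as well
    }
}
```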
Would be nice, since both have a greater "market share" than eclipse.
When deserializing a fairly complex project, the OGM deserialization in OverflowDatabase gets into an infinite recursion of creating edges for vertices, leading to a StackOverflowError.
Steps to reproduce:
git clone https://github.com/11112222/WebGoat5_0_32555lines.git webgoat
build/install/codyze/bin/codyze -c -s webgoat/WebGoat5.0/JavaSource/ -m src/dist/mark
Result:
java.util.concurrent.ExecutionException: java.lang.StackOverflowError
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:395)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2093)
at de.fraunhofer.aisec.analysis.Main.call(Main.java:84)
at de.fraunhofer.aisec.analysis.Main.call(Main.java:27)
at picocli.CommandLine.executeUserObject(CommandLine.java:1783)
at picocli.CommandLine.access$900(CommandLine.java:145)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2141)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2108)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:1975)
at picocli.CommandLine.execute(CommandLine.java:1904)
at de.fraunhofer.aisec.analysis.Main.main(Main.java:54)
Caused by: java.lang.StackOverflowError
at java.base/java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:936)
at org.ehcache.sizeof.util.WeakIdentityConcurrentMap.get(WeakIdentityConcurrentMap.java:91)
at org.ehcache.sizeof.ObjectGraphWalker.shouldWalkClass(ObjectGraphWalker.java:248)
at org.ehcache.sizeof.ObjectGraphWalker.walk(ObjectGraphWalker.java:170)
at org.ehcache.sizeof.SizeOf.deepSizeOf(SizeOf.java:71)
at org.ehcache.impl.internal.sizeof.DefaultSizeOfEngine.sizeof(DefaultSizeOfEngine.java:52)
at org.ehcache.impl.internal.store.heap.OnHeapStore.getSizeOfKeyValuePairs(OnHeapStore.java:982)
at org.ehcache.impl.internal.store.heap.OnHeapStore.makeValue(OnHeapStore.java:1527)
at org.ehcache.impl.internal.store.heap.OnHeapStore.makeValue(OnHeapStore.java:1514)
at org.ehcache.impl.internal.store.heap.OnHeapStore.newUpdateValueHolder(OnHeapStore.java:1444)
at org.ehcache.impl.internal.store.heap.OnHeapStore.lambda$put$6(OnHeapStore.java:352)
at org.ehcache.impl.internal.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1958)
at org.ehcache.impl.internal.store.heap.SimpleBackend.compute(SimpleBackend.java:101)
at org.ehcache.impl.internal.store.heap.OnHeapStore.put(OnHeapStore.java:334)
at org.ehcache.core.Ehcache.doPut(Ehcache.java:94)
at org.ehcache.core.EhcacheBase.put(EhcacheBase.java:189)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.getSuperclasses(OverflowDatabase.java:780)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createVertex(OverflowDatabase.java:467)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connect(OverflowDatabase.java:652)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createEdges(OverflowDatabase.java:631)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createVertex(OverflowDatabase.java:483)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connect(OverflowDatabase.java:652)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connectAll(OverflowDatabase.java:674)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createEdges(OverflowDatabase.java:626)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.createVertex(OverflowDatabase.java:483)
at de.fraunhofer.aisec.crymlin.connectors.db.OverflowDatabase.connect(OverflowDatabase.java:652)
...
It would be nice to have "preconditions" of rules, i.e. for different library versions.
With the following Java code, the constant resolver determines the value of the algorithm ("I AM INCORRECT..."):
PK_Verifier sig_verifier = new PK_Verifier(new RSA_PublicKey(id, 123), "I AM INCORRECT EMSA4(SHA-256)");
With C++, similar code cannot be resolved:
Botan::PK_Verifier sig_verifier(Botan::PubKey(id, 123), "I AM INCORRECT EMSA4(SHA-256)");
Depends on Fraunhofer-AISEC/cpg#183 and the resulting implementation specifics, the OverflowDB OGM needs to be updated for this
The OGM wrapper seems to internally store the type of a list relationship in the property field_name, to instantiate it later with the correct list/collection subtype. However, there is an issue if a collection element that is considered a relationship, such as the newly introduced annotations field of a Node, is null. More specifically, the function vertexToNode crashes because it will look for the property type here:
However, the createEdges function only sets this special property if the value of that property is not null, probably to not save unnecessary properties.
Even this would be caught by an exception, but this exception tries to rely on the fact that the node property is there, which is not mandatory and thus, the caught exception triggers an exception