Merge pull request #3 from secure-software-engineering/develop

Develop into Master

de.fraunhofer.iem.secucheck.analysis.sample/src/main/java/de/fraunhofer/iem/secucheck/analysis/sample/Main.java

@@ -143,9 +143,9 @@ private static void runDemoSet3(SecucheckAnalysis secucheckAnalysis,
 						getTaintFlowQuery4()));
 
 		runAnalysisQuery(secucheckAnalysis, compositeOfFirst, 1, null);
-		runAnalysisQuery(secucheckAnalysis, compositeOfFirstTwo, 2, null);
-		runAnalysisQuery(secucheckAnalysis, compositeOfFirstThree, 3, null);
-		runAnalysisQuery(secucheckAnalysis, compositeOfAll, 4, null);
+		runAnalysisQuery(secucheckAnalysis, compositeOfFirstTwo, 12, null);
+		runAnalysisQuery(secucheckAnalysis, compositeOfFirstThree, 13, null);
+		runAnalysisQuery(secucheckAnalysis, compositeOfAll, 14, null);
 	}
 
 	private static void runAnalysisQuery(SecucheckAnalysis secucheckAnalysis, 

de.fraunhofer.iem.secucheck.analysis/pom.xml

@@ -21,31 +21,47 @@
 	</properties>
 
 	<dependencies>
+
+		<!-- 
+		
 		<dependency>
 			<groupId>de.fraunhofer.iem</groupId>
 			<artifactId>boomerangPDS</artifactId>
 			<version>2.2</version>
 		</dependency>
+		
+		-->
+
 		<dependency>
 			<groupId>ca.mcgill.sable</groupId>
 			<artifactId>soot</artifactId>
 			<version>3.2.0</version>
 		</dependency>
+
+		<!-- 
+		
 		<dependency>
 			<groupId>heros</groupId>
 			<artifactId>heros</artifactId>
 			<version>1.1.0</version>
 		</dependency>
+		
+		-->
+
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
 			<version>2.11.0</version>
 			<artifactId>log4j-api</artifactId>
 		</dependency>
+
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
 			<version>2.11.0</version>
 			<artifactId>log4j-core</artifactId>
 		</dependency>
+
+		<!-- 
+		
 		<dependency>
 			<groupId>de.fraunhofer.iem</groupId>
 			<artifactId>synchronizedPDS</artifactId>
@@ -66,6 +82,23 @@
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
 		</dependency>
+		
+		-->
+
+		 <!-- New tags for migration -->
+
+		<dependency>
+		  <groupId>de.fraunhofer.iem</groupId>
+		  <artifactId>boomerangScope</artifactId>
+		  <version>3.1.1</version>
+		</dependency>
+
+		<dependency>
+		  <groupId>de.fraunhofer.iem</groupId>
+		  <artifactId>boomerangPDS</artifactId>
+		  <version>3.1.1</version>
+		</dependency>
+
 	</dependencies>
 
 	<repositories>
@@ -85,10 +118,18 @@
 				<enabled>false</enabled>
 			</snapshots>
 		</repository>
+
+		<!-- New tags for migration -->
+		<repository>
+		  <id>github</id>
+		  <name>CodeShield-Security</name>
+		  <url>https://maven.pkg.github.com/CodeShield-Security/SPDS/</url>
+		</repository>
+
 	</repositories>
 
 	<build>
-		<sourceDirectory>../de.fraunhofer.iem.secucheck.analysis/src</sourceDirectory>
+		<!-- <sourceDirectory>../de.fraunhofer.iem.secucheck.analysis/src</sourceDirectory>  -->
 		<plugins>
 			<plugin>
 				<artifactId>maven-compiler-plugin</artifactId>

de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/SecucheckTaintAnalysisBase.java

@@ -1,14 +1,26 @@
 package de.fraunhofer.iem.secucheck.analysis;
 
 import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.locks.ReentrantLock;
 
-import boomerang.preanalysis.BoomerangPretransformer;
+import boomerang.BackwardQuery;
+import boomerang.Boomerang;
+import boomerang.DefaultBoomerangOptions;
+import boomerang.Query;
+import boomerang.results.BackwardBoomerangResults;
+import boomerang.scene.AnalysisScope;
+import boomerang.scene.SootDataFlowScope;
+import boomerang.scene.Statement;
+import boomerang.scene.Val;
+import boomerang.scene.jimple.BoomerangPretransformer;
+import boomerang.scene.jimple.SootCallGraph;
 import de.fraunhofer.iem.secucheck.analysis.internal.CompositeTaintFlowAnalysis;
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQueryImpl;
 import de.fraunhofer.iem.secucheck.analysis.query.EntryPoint;
@@ -32,13 +44,13 @@
 import soot.util.cfgcmd.CFGToDotGraph;
 import soot.util.dot.DotGraph;
 import test.core.selfrunning.ImprecisionException;
+import wpds.impl.Weight;
 
 public abstract class SecucheckTaintAnalysisBase implements SecucheckAnalysis {
 
 	protected final ReentrantLock lock;  
 
 	protected long analysisTime;
-	protected BiDiInterproceduralCFG<Unit, SootMethod> icfg;
 
 	private OS os;
 	private String appClassPath;
@@ -180,6 +192,8 @@ private SecucheckTaintAnalysisResult analyze() {
 		Transform transform = new Transform("wjtp.ifds", createAnalysisTransformer());
 		PackManager.v().getPack("wjtp").add(transform);
 		PackManager.v().getPack("cg").apply();
+
+		BoomerangPretransformer.v().apply();
 		PackManager.v().getPack("wjtp").apply();
 		if (resultListener != null) {
 			resultListener.reportCompleteResult(this.result);
@@ -189,18 +203,17 @@ private SecucheckTaintAnalysisResult analyze() {
 
 	private SceneTransformer createAnalysisTransformer() throws ImprecisionException {
 		return new SceneTransformer() {
-			protected void internalTransform(String phaseName, Map options) {
-				BoomerangPretransformer.v().apply();
-				icfg = new JimpleBasedInterproceduralCFG(true);
+			protected void internalTransform(String phaseName, 
+					@SuppressWarnings("rawtypes") Map options) {
+
 				try {
 					executeAnalysis();
 				} catch (Exception ex) {
 					ex.printStackTrace();
 				}
 			}
 		};
-	}
-
+	}	
 
 	private static void drawCallGraph(CallGraph callGraph){
         DotGraph dot = new DotGraph("callgraph");
@@ -218,16 +231,24 @@ private static void drawCallGraph(CallGraph callGraph){
 
 	private void executeAnalysis() throws Exception {
 
+		SootCallGraph sootCallGraph = new SootCallGraph();
+
 		// For dumping the call graph for debugging purposes.
 		//drawCallGraph(Scene.v().getCallGraph());
 
 		for (CompositeTaintFlowQueryImpl flowQuery : this.flowQueries) {
+
 			if (resultListener != null && resultListener.isCancelled()) {
 				break;
 			}
-			Analysis analysis = new CompositeTaintFlowAnalysis(icfg, flowQuery, resultListener);
+
+			Analysis analysis = new CompositeTaintFlowAnalysis(sootCallGraph, flowQuery, resultListener);
 			CompositeTaintFlowQueryResult singleResult = (CompositeTaintFlowQueryResult) analysis.run();
-			this.result.addResult(flowQuery, singleResult);
+
+			if (singleResult.size() != 0) {
+				this.result.addResult(flowQuery, singleResult);
+			}
+
 			if (resultListener != null) {
 				resultListener.reportCompositeFlowResult((CompositeTaintFlowQueryResult) singleResult);
 			}

de.fraunhofer.iem.secucheck.analysis/src/main/java/de/fraunhofer/iem/secucheck/analysis/internal/CompositeTaintFlowAnalysis.java

@@ -4,6 +4,7 @@
 
 import boomerang.callgraph.ObservableICFG;
 import boomerang.callgraph.ObservableStaticICFG;
+import boomerang.scene.jimple.SootCallGraph;
 import de.fraunhofer.iem.secucheck.analysis.Analysis;
 import de.fraunhofer.iem.secucheck.analysis.query.CompositeTaintFlowQuery;
 import de.fraunhofer.iem.secucheck.analysis.query.Method;
@@ -20,14 +21,14 @@
 public class CompositeTaintFlowAnalysis implements Analysis {
 
 	private final CompositeTaintFlowQuery flowQuery;
-	private final ObservableICFG<Unit, SootMethod> icfg;
+	private final SootCallGraph sootCallGraph;
 	private final AnalysisResultListener resultListener;
 
-	public CompositeTaintFlowAnalysis(BiDiInterproceduralCFG<Unit, SootMethod> icfg, 
+	public CompositeTaintFlowAnalysis(SootCallGraph sootCallGraph, 
 			CompositeTaintFlowQuery flowQuery, AnalysisResultListener resultListener) 
 					throws Exception {
 		this.flowQuery = flowQuery;
-		this.icfg = new ObservableStaticICFG(icfg);
+		this.sootCallGraph = sootCallGraph;
 		this.resultListener = resultListener;
 		// Resolve all methods. This is necessary if a flow participant is not part of
 		// the user code...
@@ -45,7 +46,7 @@ public AnalysisResult run() {
 			if (this.resultListener != null && this.resultListener.isCancelled()) {
 				break;
 			}
-			Analysis analysis = new SingleFlowAnalysis(originalFlow, icfg, this.resultListener);
+			Analysis analysis = new SingleFlowAnalysis(originalFlow, sootCallGraph, this.resultListener);
 			TaintFlowQueryResult retResult = (TaintFlowQueryResult) analysis.run();
 			if (retResult.size() == 0) {
 				result.clear();