Taint analysis

Author: Lipen

.gitignore

@@ -3,3 +3,7 @@
 build/
 idea-community
 *.db
+*.sarif
+*.html
+*.jfr
+*.csv

build.gradle.kts

@@ -188,7 +188,7 @@ if (!repoUrl.isNullOrEmpty()) {
                 register<MavenPublication>("jar") {
                     from(components["java"])
                     artifact(tasks.named("sourcesJar"))
-                    artifact(tasks.named("dokkaJavadocJar"))
+                    // artifact(tasks.named("dokkaJavadocJar"))
 
                     groupId = "org.jacodb"
                     artifactId = project.name

buildSrc/src/main/kotlin/Dependencies.kt

@@ -2,14 +2,13 @@
 
 import org.gradle.plugin.use.PluginDependenciesSpec
 
-
 object Versions {
     const val asm = "9.5"
     const val dokka = "1.7.20"
     const val gradle_download = "5.3.0"
     const val gradle_versions = "0.47.0"
-    const val hikaricp = "5.0.1"
     const val guava = "31.1-jre"
+    const val hikaricp = "5.0.1"
     const val javax_activation = "1.1"
     const val javax_mail = "1.4.7"
     const val javax_servlet_api = "2.5"
@@ -22,6 +21,7 @@ object Versions {
     const val junit = "5.9.2"
     const val kotlin = "1.7.21"
     const val kotlin_logging = "1.8.3"
+    const val kotlin_logging5 = "5.1.0"
     const val kotlinx_benchmark = "0.4.4"
     const val kotlinx_cli = "0.3.5"
     const val kotlinx_collections_immutable = "0.3.5"
@@ -66,6 +66,13 @@ object Libs {
         version = Versions.kotlin_logging
     )
 
+    // https://github.com/oshai/kotlin-logging
+    val kotlin_logging5 = dep(
+        group = "io.github.oshai",
+        name = "kotlin-logging",
+        version = Versions.kotlin_logging5
+    )
+
     // https://github.com/qos-ch/slf4j
     val slf4j_simple = dep(
         group = "org.slf4j",
@@ -100,7 +107,7 @@ object Libs {
     // https://github.com/Kotlin/kotlinx.collections.immutable
     val kotlinx_collections_immutable = dep(
         group = "org.jetbrains.kotlinx",
-        name = "kotlinx-collections-immutable-jvm",
+        name = "kotlinx-collections-immutable",
         version = Versions.kotlinx_collections_immutable
     )
 
@@ -134,6 +141,11 @@ object Libs {
     )
 
     // https://github.com/Kotlin/kotlinx.serialization
+    val kotlinx_serialization_core = dep(
+        group = "org.jetbrains.kotlinx",
+        name = "kotlinx-serialization-core",
+        version = Versions.kotlinx_serialization
+    )
     val kotlinx_serialization_json = dep(
         group = "org.jetbrains.kotlinx",
         name = "kotlinx-serialization-json",
@@ -278,46 +290,48 @@ object Libs {
 }
 
 object Plugins {
-
-    abstract class ProjectPlugin(val version: String, val id: String)
+    abstract class Plugin(
+        val version: String,
+        val id: String,
+    )
 
     // https://github.com/Kotlin/dokka
-    object Dokka: ProjectPlugin(
+    object Dokka : Plugin(
         version = Versions.dokka,
         id = "org.jetbrains.dokka"
     )
 
     // https://github.com/michel-kraemer/gradle-download-task
-    object GradleDownload: ProjectPlugin(
+    object GradleDownload : Plugin(
         version = Versions.gradle_download,
         id = "de.undercouch.download"
     )
 
     // https://github.com/ben-manes/gradle-versions-plugin
-    object GradleVersions: ProjectPlugin(
+    object GradleVersions : Plugin(
         version = Versions.gradle_versions,
         id = "com.github.ben-manes.versions"
     )
 
     // https://github.com/Kotlin/kotlinx-benchmark
-    object KotlinxBenchmark : ProjectPlugin(
+    object KotlinxBenchmark : Plugin(
         version = Versions.kotlinx_benchmark,
         id = "org.jetbrains.kotlinx.benchmark"
     )
 
     // https://github.com/CadixDev/licenser
-    object Licenser : ProjectPlugin(
+    object Licenser : Plugin(
         version = Versions.licenser,
         id = "org.cadixdev.licenser"
     )
 
     // https://github.com/johnrengelman/shadow
-    object Shadow : ProjectPlugin(
+    object Shadow : Plugin(
         version = Versions.shadow,
         id = "com.github.johnrengelman.shadow"
     )
 }
 
-fun PluginDependenciesSpec.id(plugin: Plugins.ProjectPlugin) {
+fun PluginDependenciesSpec.id(plugin: Plugins.Plugin) {
     id(plugin.id).version(plugin.version)
-}
+}

buildSrc/src/main/kotlin/Tests.kt

@@ -1,5 +1,6 @@
 import org.gradle.api.tasks.TaskProvider
 import org.gradle.api.tasks.testing.Test
+import org.gradle.api.tasks.testing.logging.TestExceptionFormat
 
 object Tests {
     val lifecycleTag = "lifecycle"
@@ -9,6 +10,7 @@ object Tests {
 fun Test.setup(jacocoTestReport: TaskProvider<*>) {
     testLogging {
         events("passed", "skipped", "failed")
+        exceptionFormat = TestExceptionFormat.FULL
     }
     finalizedBy(jacocoTestReport) // report is always generated after tests run
     jvmArgs = listOf("-Xmx2g", "-XX:+HeapDumpOnOutOfMemoryError", "-XX:HeapDumpPath=heapdump.hprof")

jacodb-analysis/.gitignore

@@ -0,0 +1,3 @@
+webgoat/
+owasp/
+shopizer/

jacodb-analysis/README.md

@@ -1,4 +1,4 @@
-# Module `jacodb-analysis` 
+# The `jacodb-analysis` module
 
 The `jacodb-analysis` module allows launching application dataflow analyses.
 It contains an API to write custom analyses, and several ready-to-use analyses.

jacodb-analysis/build.gradle.kts

@@ -6,11 +6,14 @@ plugins {
 dependencies {
     api(project(":jacodb-core"))
     api(project(":jacodb-api"))
+    api(project(":jacodb-taint-configuration"))
 
     implementation(Libs.kotlin_logging)
+    implementation(Libs.kotlin_logging5)
     implementation(Libs.slf4j_simple)
     implementation(Libs.kotlinx_coroutines_core)
     implementation(Libs.kotlinx_serialization_json)
+    implementation(Libs.jdot)
 
     testImplementation(testFixtures(project(":jacodb-core")))
     testImplementation(project(":jacodb-api"))

jacodb-analysis/src/main/kotlin/org/jacodb/analysis/AnalysisMain.kt

@@ -15,10 +15,10 @@
  */
 
 @file:JvmName("AnalysisMain")
+
 package org.jacodb.analysis
 
 import kotlinx.serialization.Serializable
-import mu.KLogging
 import org.jacodb.analysis.engine.IfdsUnitRunnerFactory
 import org.jacodb.analysis.engine.MainIfdsUnitManager
 import org.jacodb.analysis.engine.SummaryStorage
@@ -28,14 +28,11 @@ import org.jacodb.analysis.graph.newApplicationGraphForAnalysis
 import org.jacodb.api.JcMethod
 import org.jacodb.api.analysis.JcApplicationGraph
 
-internal val logger = object : KLogging() {}.logger
-
 typealias AnalysesOptions = Map<String, String>
 
 @Serializable
 data class AnalysisConfig(val analyses: Map<String, AnalysesOptions>)
 
-
 /**
  * This is the entry point for every analysis.
  * Calling this function will find all vulnerabilities reachable from [methods].
@@ -65,10 +62,10 @@ data class AnalysisConfig(val analyses: Map<String, AnalysesOptions>)
  */
 fun runAnalysis(
     graph: JcApplicationGraph,
-    unitResolver: UnitResolver<*>,
+    unitResolver: UnitResolver,
     ifdsUnitRunnerFactory: IfdsUnitRunnerFactory,
     methods: List<JcMethod>,
-    timeoutMillis: Long = Long.MAX_VALUE
+    timeoutMillis: Long = Long.MAX_VALUE,
 ): List<VulnerabilityInstance> {
     return MainIfdsUnitManager(graph, unitResolver, ifdsUnitRunnerFactory, methods, timeoutMillis).analyze()
-}
+}