Merge pull request #67 from debricked/add-path-to-caller

Add path to caller

Author: ProgHaj

README.md

@@ -5,3 +5,12 @@
 This repo analyses your code to determine what parts of your dependencies you use, and stores this in a file which can be picked up debricked.
 
 This, combined with our information about what parts of dependencies are affected by CVEs, allows us to determine whether you use the parts of a dependency affected by a vulnerability, or if its safe to continue using the dependency in spite of the vulnerability.
+
+
+## Setup
+
+Go to common java directory: `cd java/common/`
+
+Build SootWrapper: `mvn clean package -X -DskipTests`
+
+You will now have jar-file in the target directory: `java/common/target`.

java/common/src/main/java/SootWrapper/SootWrapper.java

@@ -68,7 +68,7 @@ public static AnalysisResult writeAnalysis(JSONWriter jwriter, Iterable<? extend
             }
             analysedMethods.add(methodToAnalyse);
 
-            jwriter.value(getSignatureJSONArray(methodToAnalyse, cg));
+            jwriter.value(getSignatureJSONArray(methodToAnalyse, cg, pathToClassFiles));
 
             Iterator<Edge> edgesOut = cg.edgesOutOf(methodToAnalyse);
             while (edgesOut.hasNext()) {
@@ -106,7 +106,7 @@ public static AnalysisResult writeAnalysis(JSONWriter jwriter, Iterable<? extend
         return new AnalysisResult(phantoms, badPhantoms);
     }
 
-    private static JSONArray getSignatureJSONArray(SootMethod methodToAnalyse, CallGraph cg) {
+    private static JSONArray getSignatureJSONArray(SootMethod methodToAnalyse, CallGraph cg, Iterable<? extends Path> pathToClassFiles) {
         TargetSignature targetSignature = getFormattedTargetSignature(methodToAnalyse);
         JSONArray callee = new JSONArray();
         callee.put(targetSignature.getMethod());
@@ -123,21 +123,30 @@ private static JSONArray getSignatureJSONArray(SootMethod methodToAnalyse, CallG
             Edge e = edgesInto.next();
             MethodOrMethodContext source = e.getSrc();
             SootMethod sourceMethod = source instanceof MethodContext ? source.method() : (SootMethod) source;
-            SourceSignature sourceSignature = getFormattedSourceSignature(sourceMethod, e.srcStmt() == null ? -1 : e.srcStmt().getJavaSourceStartLineNumber());
+            SourceSignature sourceSignature = getFormattedSourceSignature(
+                sourceMethod,
+                e.srcStmt() == null ? -1 : e.srcStmt().getJavaSourceStartLineNumber(),
+                pathToClassFiles
+            );
             JSONArray caller = new JSONArray();
             caller.put(sourceSignature.getMethod());
             caller.put(sourceSignature.getLineNumber());
+            caller.put(sourceSignature.getFileName());
             callers.put(caller);
         }
         callee.put(callers);
 
         return callee;
     }
 
-    private static SourceSignature getFormattedSourceSignature(SootMethod method, int lineNumber) {
+    private static SourceSignature getFormattedSourceSignature(SootMethod method, int lineNumber, Iterable<? extends Path> pathToClassFiles) {
         return method == null
-                ? new SourceSignature("-", -1)
-                : new SourceSignature(getSignatureString(method), lineNumber);
+                ? new SourceSignature("-", -1, "-")
+                : new SourceSignature(
+                    getSignatureString(method),
+                    lineNumber,
+                    getProbableSourceName(method, pathToClassFiles)
+                );
     }
 
     private static TargetSignature getFormattedTargetSignature(SootMethod method) {
@@ -169,6 +178,26 @@ private static String getSignatureString(SootMethod method) {
         return sb.toString();
     }
 
+    private static String getModuleString(SootMethod method) {
+        StringBuilder sb = new StringBuilder();
+        String classString = method.getDeclaringClass().toString();
+        boolean foundDot = false;
+        for (int i = 0; i < classString.length(); i++) {
+            char c = classString.charAt(i);
+            if (c != '.') {
+                sb.append(c);
+            } else {
+                foundDot = true;
+                break;
+            }
+        }
+        if (!foundDot) {
+            return "";
+        }
+        return sb.toString();
+    }
+
+
     private static String getProbableName(SootClass c) {
         if (c.isJavaLibraryClass()) {
             return "-";
@@ -183,6 +212,20 @@ private static String getProbableName(SootClass c) {
         return className;
     }
 
+    private static String getProbableSourceName(SootMethod method, Iterable<? extends Path> pathToClassFiles) {
+        String moduleName = getModuleString(method);
+        String onlyDeclaringClassName = method.getDeclaringClass().getName().replaceFirst(moduleName + ".", "/");
+        if (moduleName.length() == 0) {
+            return "<unknown>";
+        }
+        for (Path path : pathToClassFiles) {
+            if (path.toString().endsWith(moduleName)) {
+                return path.toString() + onlyDeclaringClassName + ".java";
+            }
+        }
+        return "-";
+    }
+
     private static String getParameterClass(Type parameter) {
         String[] paramType = parameter.toString().split("\\.");
         return paramType[paramType.length-1];

java/common/src/main/java/SootWrapper/SourceSignature.java

@@ -5,9 +5,12 @@ public class SourceSignature {
 
     private final int lineNumber;
 
-    public SourceSignature(String method, int lineNumber) {
+    private final String fileName;
+
+    public SourceSignature(String method, int lineNumber, String fileName) {
         this.method = method;
         this.lineNumber = lineNumber;
+        this.fileName = fileName;
     }
 
     public String getMethod() {
@@ -17,4 +20,8 @@ public String getMethod() {
     public int getLineNumber() {
         return lineNumber;
     }
+
+    public String getFileName() {
+        return fileName;
+    }
 }

java/common/src/test/java/SootWrapper/SootWrapperTest.java

@@ -316,7 +316,7 @@ private static Map<TargetSignature, Set<SourceSignature>> getCallGraphMap(
             JSONArray sourcesJSON = theEntry.getJSONArray(7);
             for (int j = 0; j < sourcesJSON.length(); j++) {
                 JSONArray theSource = sourcesJSON.getJSONArray(j);
-                sources.add(new SourceSignature(theSource.getString(0), theSource.getInt(1)));
+                sources.add(new SourceSignature(theSource.getString(0), theSource.getInt(1), "-"));
             }
             calls.put(tar, sources);
         }