Analyse real-world systems

README.md

@@ -29,6 +29,7 @@ Once the framework and the OpenStaticAnalyzer components are installed, you can
 
 config.project_name=NAME OF THE PROJECT # e.g. test-project
 config.project_path=ABSOLUTE PATH TO THE PROJECT SRC # e.g. d:\\AIFix4SecCode\\test-project
+config.project_build_tool=NAME OF THE BUILD TOOL # maven / mavenCLI / gradle / ant
 config.osa_path=PATH TO THE JAVA OPEN STATIC ANALYZER # e.g. d:\\OpenStaticAnalyzer-4.1.0-x64-Windows\\Java
 config.osa_edition=ANALYZER EDITION # SourceMeter or OpenStaticAnalyzer
 config.results_path=FOLDER TO PUT ANALYSIS RESULTS # e.g. d:\\AIFix4SecCode\\test-project\\results

pom.xml

@@ -19,6 +19,11 @@
     </properties>
 
     <dependencies>
+        <dependency>
+            <groupId>com.github.javaparser</groupId>
+            <artifactId>javaparser-symbol-solver-core</artifactId>
+            <version>3.24.2</version>
+        </dependency>
         <dependency>
             <groupId>io.github.java-diff-utils</groupId>
             <artifactId>java-diff-utils</artifactId>
@@ -70,6 +75,17 @@
             <artifactId>coderepair</artifactId>
             <version>1.0.1</version>
         </dependency>
+        <dependency>
+            <groupId>de.defmacro</groupId>
+            <artifactId>eclipse-astparser</artifactId>
+            <version>8.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter</artifactId>
+            <version>RELEASE</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

src/main/java/eu/assuremoss/VulnRepairDriver.java

@@ -10,12 +10,9 @@
 import eu.assuremoss.framework.api.*;
 import eu.assuremoss.framework.model.CodeModel;
 import eu.assuremoss.framework.model.VulnerabilityEntry;
-import eu.assuremoss.framework.modules.compiler.MavenPatchCompiler;
+import eu.assuremoss.utils.*;
+import eu.assuremoss.utils.factories.PatchCompilerFactory;
 import eu.assuremoss.framework.modules.src.LocalSourceFolder;
-import eu.assuremoss.utils.Configuration;
-import eu.assuremoss.utils.MLogger;
-import eu.assuremoss.utils.Pair;
-import eu.assuremoss.utils.Utils;
 import eu.assuremoss.utils.factories.ToolFactory;
 import org.apache.log4j.LogManager;
 import org.apache.log4j.Logger;
@@ -41,26 +38,35 @@
 public class VulnRepairDriver {
     private static final Logger LOG = LogManager.getLogger(VulnRepairDriver.class);
     public static MLogger MLOG;
+    public static Properties properties;
+    private final PatchCompiler patchCompiler;
+    private final PathHandler path;
+    private final Statistics statistics;
     private int patchCounter = 1;
 
     public static void main(String[] args) throws IOException {
-        VulnRepairDriver driver = new VulnRepairDriver();
         Configuration config = new Configuration(getConfigFile(args), getMappingFile(args));
+        VulnRepairDriver driver = new VulnRepairDriver(config.properties);
 
-        Utils.createDirectoryForResults(config.properties);
-        Utils.createDirectoryForValidation(config.properties);
-        Utils.createEmptyLogFile(config.properties);
+        driver.bootstrap(config.properties);
+    }
 
-        MLOG = new MLogger(config.properties, "log.txt");
+    public VulnRepairDriver(Properties properties) throws IOException {
+        this.patchCompiler = PatchCompilerFactory.getPatchCompiler(properties.getProperty(PROJECT_BUILD_TOOL_KEY));
+        this.path = new PathHandler(properties);
+        this.statistics = new Statistics(path);
+        VulnRepairDriver.properties = properties;
 
-        driver.bootstrap(config.properties);
+        initResourceFiles(properties);
+        MLOG = new MLogger(properties, "log.txt");
     }
 
     public void bootstrap(Properties props) {
         MLOG.fInfo("Start!");
 
         // 0. Setup
-        String currentTime = new SimpleDateFormat("yyyy.MM.dd.HH.mm.ss").format(new Date());
+        Date startTime = new Date();
+        String startTimeStr = new SimpleDateFormat("yyyy.MM.dd.HH.mm.ss").format(startTime);
 
         // 1. Get source code
         MLOG.info("Project source acquiring started");
@@ -81,7 +87,7 @@ public void bootstrap(Properties props) {
         // 3. Produces :- vulnerability locations
         List<VulnerabilityEntry> vulnerabilityLocations = vulnDetector.getVulnerabilityLocations(scc.getSourceCodeLocation(), codeModels);
         MLOG.info(String.format("Detected %d vulnerabilities", vulnerabilityLocations.size()));
-        vulnerabilityLocations.forEach(vulnEntry -> MLOG.fInfo(vulnEntry.getType() + " -> " + vulnEntry.getStartLine()));
+        statistics.saveVulnerabilityStatistics(props, vulnerabilityLocations);
 
         // == Transform code / repair ==
         Map<String, List<JSONObject>> problemFixMap = new HashMap<>();
@@ -90,28 +96,33 @@ public void bootstrap(Properties props) {
         for (VulnerabilityEntry vulnEntry : vulnerabilityLocations) {
             // - Init -
             vulnIndex++;
-            PatchCompiler comp = new MavenPatchCompiler();
+
+            // - Skip if column info was not retrieved -
+            if (vulnEntry.getStartCol() == -1 && vulnEntry.getEndCol() == -1) {
+                MLOG.ninfo(String.format("No column info were retrieved, skipping vulnerability %d/%d", vulnIndex, vulnerabilityLocations.size()));
+                continue;
+            }
 
             // - Generate repair patches -
-            MLOG.ninfo(String.format("Generating patches for %d/%d vulnerability", vulnIndex, vulnerabilityLocations.size()));
+            MLOG.ninfo(String.format("Generating patches for vulnerability %d/%d", vulnIndex, vulnerabilityLocations.size()));
             List<Pair<File, Pair<Patch<String>, String>>> patches = vulnRepairer.generateRepairPatches(scc.getSourceCodeLocation(), vulnEntry, codeModels);
 
             //  - Applying & Compiling patches -
-            MLOG.info(String.format("Compiling patches for %d/%d vulnerability", vulnIndex, vulnerabilityLocations.size()));
-            List<Pair<File, Pair<Patch<String>, String>>> filteredPatches = comp.applyAndCompile(scc.getSourceCodeLocation(), patches, true);
+            MLOG.info(String.format("Compiling patches for vulnerability %d/%d", vulnIndex, vulnerabilityLocations.size()));
+            List<Pair<File, Pair<Patch<String>, String>>> filteredPatches = patchCompiler.applyAndCompile(scc.getSourceCodeLocation(), patches, true);
 
             //  - Testing Patches -
-            MLOG.info(String.format("Verifying patches for %d/%d vulnerability", vulnIndex, vulnerabilityLocations.size()));
-            List<Pair<File, Pair<Patch<String>, String>>> candidatePatches = getCandidatePatches(props, scc, vulnEntry, comp, filteredPatches);
+            MLOG.info(String.format("Verifying patches for vulnerability %d/%d", vulnIndex, vulnerabilityLocations.size()));
+            List<Pair<File, Pair<Patch<String>, String>>> candidatePatches = getCandidatePatches(props, scc, vulnEntry, patchCompiler, filteredPatches);
 
             // - Save patches -
-            Utils.createDirectoryForPatches(props);
+            Utils.createDirectory(patchSavePath(props));
             if (candidatePatches.isEmpty()) {
                 MLOG.info("No patch candidates were found, skipping!");
                 continue;
             }
 
-            MLOG.info(String.format("Writing out patch candidates patches for %d/%d vulnerability", vulnIndex, vulnerabilityLocations.size()));
+            MLOG.info(String.format("Writing out candidate patches for vulnerability %d/%d", vulnIndex, vulnerabilityLocations.size()));
             if (!problemFixMap.containsKey(vulnEntry.getType())) {
                 problemFixMap.put(vulnEntry.getType(), new ArrayList());
             }
@@ -129,15 +140,19 @@ public void bootstrap(Properties props) {
         }
 
         if (archiveEnabled(props)) {
-            Utils.archiveResults(patchSavePath(props), props.getProperty(ARCHIVE_PATH), descriptionPath(props), currentTime);
+            Utils.archiveResults(patchSavePath(props), props.getProperty(ARCHIVE_PATH), descriptionPath(props), startTimeStr);
         }
 
         Utils.deleteIntermediatePatches(patchSavePath(props));
+        Utils.saveElapsedTime(startTime);
+        statistics.createResultStatistics(vulnerabilityLocations);
+
+        MLOG.info("Framework repair finished!");
     }
 
     private JSONObject getVSCodeConfig(Map<String, List<JSONObject>> problemFixMap) {
         JSONObject vsCodeConfig = new JSONObject();
-        for(String problemType : problemFixMap.keySet()) {
+        for (String problemType : problemFixMap.keySet()) {
             JSONArray fixesArray = new JSONArray();
             fixesArray.addAll(problemFixMap.get(problemType));
             vsCodeConfig.put(problemType, fixesArray);
@@ -219,4 +234,15 @@ private JSONObject generateFixEntity(Properties props, VulnerabilityEntry vulnEn
         return issueObject;
     }
 
+    /**
+     * Creates all resource files (directories, log files)
+     *
+     * @param props - a properties object that specifies the creation path of the files
+     */
+    private static void initResourceFiles(Properties props) {
+        Utils.createDirectory(props.getProperty(RESULTS_PATH_KEY));
+        Utils.createDirectory(props.getProperty(VALIDATION_RESULTS_PATH_KEY));
+        Utils.createDirectory(String.valueOf(Paths.get(props.getProperty(RESULTS_PATH_KEY), "logs")));
+        Utils.createEmptyLogFile(props);
+    }
 }

src/main/java/eu/assuremoss/framework/api/PatchCompiler.java

@@ -15,4 +15,6 @@ public interface PatchCompiler {
     public void revertPatch(Pair<File, Patch<String>> patch, File srcLocation);
 
     public void applyPatch(Pair<File, Patch<String>> patch, File srcLocation);
+
+    public String getBuildDirectoryName();
 }

src/main/java/eu/assuremoss/framework/model/CodeModel.java

@@ -15,7 +15,8 @@ public enum MODEL_TYPES {
         EMBEDDING,
         CFG,
         OSA_GRAPH,
-        OSA_GRAPH_XML
+        OSA_GRAPH_XML,
+        FINDBUGS_XML
     }
 
     public CodeModel(MODEL_TYPES modelType, File codeModel) {

src/main/java/eu/assuremoss/framework/model/VulnerabilityEntry.java

@@ -2,14 +2,39 @@
 
 import lombok.Data;
 
+import java.io.Serializable;
+
 @Data
-public class VulnerabilityEntry {
+public class VulnerabilityEntry implements Serializable {
 
+    /**
+     * Normal vulnerability name that is mapped with the magic name
+     */
     private String type;
+    /**
+     * Magic vulnerability name that should be converted to normal
+     */
+    private String vulnType;
     private String description;
     private String path;
+    private String variable;
     private int startLine;
     private int endLine;
     private int startCol;
     private int endCol;
+
+    @Override
+    public String toString() {
+        return "VulnerabilityEntry\n" +
+                " type=" + type + '\n' +
+                " vulnType=" + vulnType + '\n' +
+                " description=" + description + '\n' +
+                " path=" + path + '\n' +
+                " variable=" + variable + '\n' +
+                " startLine=" + startLine + '\n' +
+                " endLine=" + endLine + '\n' +
+                " startCol=" + startCol + '\n' +
+                " endCol=" + endCol;
+    }
+
 }