
How to get the potentially or actually executable vulnerable code when scanning source code? #590

Open
momo-tong opened this issue Jul 17, 2023 · 3 comments

Comments

@momo-tong

Question
How do I get the potentially or actually executable vulnerable code when scanning a pom.xml, and where do I need to put the source code?

To Reproduce
Analyzed project: ch.qos.logback : logback-classic : 1.1.11
pom.xml from: https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.pom
I put the pom.xml in the ../app path.

Same info in steady-custom.properties:

```properties
vulas.core.appContext.group = ch.qos.logback
vulas.core.appContext.artifact = logback-classic
vulas.core.appContext.version = 1.1.11
vulas.core.app.appPrefixes = logback-classic
vulas.core.app.sourceDir = app
vulas.core.uploadEnabled = true
vulas.reach.wala.callgraph.reflection = NO_FLOW_TO_CASTS_NO_METHOD_INVOKE
vulas.reach.timeout = 120
vulas.core.instr.sourceDir =
vulas.core.instr.targetDir = vulas/target
vulas.core.instr.includeDir = vulas/include
vulas.core.instr.libDir = vulas/lib
vulas.core.instr.instrumentorsChoosen = org.eclipse.steady.java.monitor.trace.SingleTraceInstrumentor
vulas.core.instr.searchRecursive = true
```

Commands that I use:

```shell
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal app
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal a2c
# cd is a shell builtin: "sudo cd app" would not change the calling shell's directory
cd app
sudo mvn compile org.eclipse.steady:plugin-maven:3.2.5:prepare-agent
cd ..
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal instr
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal t2c
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal checkcode
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal report
```

In case of bugs in the Web frontend:

  1. Vulnerabilities: 2
  2. Inclusion of vulnerable code displays a "yellow hourglass"
  3. Static Analysis and Dynamic Analysis display nothing
@henrikplate
Contributor

If you run the Steady CLI via java -jar steady-cli-3.2.5-jar-with-dependencies.jar, the setting vulas.core.app.appPrefixes should specify a Java package namespace (or several) that can be used to uniquely identify the project code, in this case probably ch.qos.logback or similar.

However, I would generally recommend using Steady's Maven plugin where possible. The invocation and configuration is much easier.

@momo-tong
Author

Thanks for your reply. I understand how to set the vulas.core.app.appPrefixes parameter. However, I want to know which directory the source code should be in, or whether to just put it in the app directory, and how to configure this in the steady-custom.properties file.
I tried using the pom.xml in the app directory without including the source code, so I can't get Static Analysis and Dynamic Analysis in the Web frontend. Can you just give me an example? Looking forward to your reply.

@henrikplate
Contributor

If the project you're analyzing has a pom.xml, I suggest using the Maven plugin. You can do so either by adding a profile to the POM or by calling the plugin with its fully-qualified name from the command line as follows (also see here for more information): mvn compile org.eclipse.steady:plugin-maven:3.2.5:app, for example, calls the app goal on the Maven project. As soon as you use the Maven plugin, you do not need to specify appPrefixes at all, since the sources directory will be discovered automatically.
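The following script is an added example; it is not code from this issue thread or from the Eclipse Steady project. It shows the two things the thread turns on: how the vulas.core.appContext.* values that the CLI configuration above spells out by hand relate to the project's pom.xml (including the parent-inherited groupId and version that a POM like logback-classic's does not state itself), and the fully-qualified Maven-plugin invocation from the reply, generated for each goal name that appears on this page (app, a2c, prepare-agent, t2c, checkcode, report). The pom.xml it parses is constructed inline to resemble the logback-classic one; the awk-based coordinate extraction and the goal allow-list are this example's own, not something the Steady CLI or plugin provides.

```shell
#!/bin/sh
# Added example, not code from the issue or from Eclipse Steady: derive the
# vulas.core.appContext.* values from a project's pom.xml and build the
# Maven-plugin goal invocations suggested in the reply. Goal names are the
# ones visible on this page; the sample pom.xml below is constructed.
set -eu

STEADY_VERSION="${STEADY_VERSION:-3.2.5}"   # plugin version used in the issue

# Print the value of the first <tag> that belongs to the project itself,
# ignoring <parent>, <dependencies>, <build>, <profiles> and similar blocks.
# If the project omits groupId/version, fall back to the <parent> block,
# which is what Maven inherits (as in the logback-classic POM).
pom_coord() {
    pom="$1"; tag="$2"
    awk -v tag="$tag" '
        /<parent>/   { inparent = 1 }
        /<\/parent>/ { inparent = 0; next }
        /<(dependencies|dependencyManagement|build|profiles|reporting|repositories|pluginRepositories)>/   { skip++ }
        /<\/(dependencies|dependencyManagement|build|profiles|reporting|repositories|pluginRepositories)>/ { skip--; next }
        {
            if (match($0, "<" tag ">[^<]*</" tag ">")) {
                v = substr($0, RSTART + length(tag) + 2, RLENGTH - 2 * length(tag) - 5)
                if (!skip && !inparent && own == "") own = v
                else if (inparent && parent == "") parent = v
            }
        }
        END {
            if (own != "") print own
            else if (parent != "") print parent
            else exit 1
        }
    ' "$pom"
}

# steady-custom.properties lines the CLI workflow in the question needs;
# the Maven plugin derives the same coordinates from the POM by itself.
steady_app_context() {
    pom="$1"
    printf 'vulas.core.appContext.group = %s\n'    "$(pom_coord "$pom" groupId)"
    printf 'vulas.core.appContext.artifact = %s\n' "$(pom_coord "$pom" artifactId)"
    printf 'vulas.core.appContext.version = %s\n'  "$(pom_coord "$pom" version)"
}

# Fully-qualified Maven-plugin invocation for one Steady goal, as in the
# reply; run it from the directory that holds pom.xml (note that
# "sudo cd app" does not change the calling shell's directory).
steady_mvn_goal() {
    case "$1" in
        app|a2c|prepare-agent|t2c|checkcode|report) ;;
        *) echo "not a Maven-plugin goal shown on this page: $1" >&2; return 1 ;;
    esac
    printf 'mvn compile org.eclipse.steady:plugin-maven:%s:%s\n' "$STEADY_VERSION" "$1"
}

# Constructed pom.xml shaped like logback-classic's: the artifact sets only
# its own artifactId and inherits groupId/version from logback-parent.
write_sample_pom() {
    cat > "$1" <<'EOF'
<project>
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-parent</artifactId>
    <version>1.1.11</version>
  </parent>
  <artifactId>logback-classic</artifactId>
  <packaging>jar</packaging>
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.22</version>
    </dependency>
  </dependencies>
</project>
EOF
}

# Print the properties and the goal sequence for the sample project.
demo() {
    dir=$(mktemp -d)
    write_sample_pom "$dir/pom.xml"
    steady_app_context "$dir/pom.xml"
    for goal in app a2c prepare-agent t2c checkcode report; do
        steady_mvn_goal "$goal"
    done
    rm -rf "$dir"
}
```

Calling demo prints group ch.qos.logback, artifact logback-classic and version 1.1.11 for the sample POM, the first two of which come from the parent block rather than from the artifact's own elements, followed by one mvn line per goal. The goal order mirrors the CLI sequence in the question; the dynamic goals (prepare-agent, then t2c) only have something to upload once the instrumented code has actually been executed, which is why running the plugin from a directory without the project's sources, as in the question, leaves the Static Analysis and Dynamic Analysis panels empty.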
