Make atom 2 the default (#127)

* Switch to java 21 (#110)

* Switch to java 21

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Update chen with the latest odb2 and cpg2 (#112)

* Temp commit

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* native image

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* native-image config for more languages (#113)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Fix/issue 114 (#115)

* Do not remove nodejs directory

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Use java version of atom in the image (#117)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Update docs regarding native image (#120)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Feature/upx (#121)

* upx

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Readme update

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Update chen to fix java native image (#123)

* Update chen to fix java native image

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Update chen to fix java native image

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Feature/windows native (#124)

* Windows build

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Disable upx for windows for now

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* cli source. switch to chen js type recovery (#125)

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Fix workflow pattern

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Update java version

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Option to include crypto library flows in reachables (#126)

* Option to include crypto library flows in reachables

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Tweaks

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

.dockerignore

@@ -44,4 +44,4 @@ flake.lock
 .metals/
 
 workspace/
-app.atom
+app.atom

.github/workflows/containers.yml

@@ -26,10 +26,10 @@ jobs:
       - name: Set up JDK
         uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
+          distribution: 'temurin'
           java-version: '21'
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: '21.x'
       - name: Delete `.rustup` directory
@@ -45,11 +45,6 @@ jobs:
             ~/.coursier
           key: ${{ runner.os }}-sbt-${{ hashfiles('**/build.sbt') }}
       - run: |
-          git apply --ignore-space-change --ignore-whitespace contrib/java21.patch
-          if [ $? != 0 ]; then
-            echo "Unable to patch the codebase correctly."
-            exit 1
-          fi
           sbt stage createDistribution
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -80,24 +75,3 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=atom
           cache-to: type=gha,mode=max,scope=atom
-      - name: Upload atom to ghcr
-        run: |
-          cd target
-          cp atom.zip atom-java21.zip
-          sha512sum atom.zip > atom.zip.sha512
-          sha512sum atom-java21.zip > atom-java21.zip.sha512
-          echo $GITHUB_TOKEN | oras login ghcr.io -u $GITHUB_USERNAME --password-stdin
-          oras push ghcr.io/appthreat/atom-java21:v1 \
-            --annotation-file ../ci/annotations.json \
-            ./atom.zip:application/vnd.appthreat.atom.layer.v1+tar \
-            ./atom.zip.sha512:application/vnd.appthreat.atom.layer.v1+tar
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITHUB_USERNAME: ${{ github.actor }}
-      - name: Create Release
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v1
-        with:
-          files: |
-            target/atom-java21.zip
-            target/atom-java21.zip.sha512

.github/workflows/nodejstests.yml

@@ -7,13 +7,13 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest]
-        java-version: ['17', '19', '20', '21']
-        node-version: ['20.x']
+        java-version: ['21']
+        node-version: ['21.x']
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - uses: actions/checkout@v4
@@ -40,7 +40,7 @@ jobs:
       - name: Set up JDK
         uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
+          distribution: 'temurin'
           java-version: ${{ matrix.java-version }}
       - run: |
           sbt stage assembly createDistribution
@@ -61,12 +61,12 @@ jobs:
     runs-on: windows-latest
     strategy:
       matrix:
-        java-version: ['17', '19', '20', '21']
-        node-version: ['20.x']
+        java-version: ['21']
+        node-version: ['21.x']
     steps:
       - uses: actions/checkout@v4
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - uses: actions/checkout@v4
@@ -93,7 +93,7 @@ jobs:
       - name: Set up JDK
         uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
+          distribution: 'temurin'
           java-version: ${{ matrix.java-version }}
       - name: build
         shell: pwsh

.github/workflows/npm-release.yml

@@ -15,16 +15,16 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Use Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@v4
       with:
         node-version: 18.x
         registry-url: https://registry.npmjs.org/
     - uses: coursier/cache-action@v6
     - name: Set up JDK
       uses: actions/setup-java@v4
       with:
-        distribution: 'zulu'
-        java-version: '19'
+        distribution: 'temurin'
+        java-version: '21'
     - name: Release
       run: |
         sbt scalafmtCheck stage assembly createDistribution

.github/workflows/pr.yml

@@ -35,10 +35,13 @@ jobs:
           path: 'repotests/django-DefectDojo'
       - uses: coursier/cache-action@v6
       - name: Set up JDK
-        uses: actions/setup-java@v4
+        uses: graalvm/setup-graalvm@v1
         with:
-          distribution: 'zulu'
+          distribution: 'graalvm-community'
           java-version: '21'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          native-image-job-reports: 'true'
+          cache: 'sbt'
       - run: |
           sbt stage astGenDlTask
           ./atom.sh --remove-atom -o /tmp/java.atom -l java $GITHUB_WORKSPACE/repotests/shiftleft-java-example -Dlog4j.configurationFile=log4j2.xml
@@ -64,9 +67,14 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - run: |
           npm install -g @cyclonedx/cdxgen --omit=optional
-          cdxgen -t python --deep -o $GITHUB_WORKSPACE/repotests/django-DefectDojo/bom.json $GITHUB_WORKSPACE/repotests/django-DefectDojo
-          ./atom.sh reachables -o /tmp/django-DefectDojo.atom -l python $GITHUB_WORKSPACE/repotests/django-DefectDojo -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/django-DefectDojo.reachables.json
-          ./atom.sh usages -o /tmp/django-DefectDojo.atom -l python $GITHUB_WORKSPACE/repotests/django-DefectDojo -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/django-DefectDojo.usages.json
+          cdxgen -t python --deep -o $GITHUB_WORKSPACE/repotests/DjanGoat/bom.json $GITHUB_WORKSPACE/repotests/DjanGoat
+          ./atom.sh reachables -o /tmp/DjanGoat.atom -l python $GITHUB_WORKSPACE/repotests/DjanGoat -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/DjanGoat.reachables.json
+          ./atom.sh usages -o /tmp/DjanGoat.atom -l python $GITHUB_WORKSPACE/repotests/DjanGoat -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/DjanGoat.usages.json
         env:
           JAVA_TOOL_OPTIONS: "-Dfile.encoding=UTF-8"
         if: runner.os != 'Windows'
+      - run: |
+          bash ci/native-image.sh
+        env:
+          JAVA_TOOL_OPTIONS: "-Dfile.encoding=UTF-8"
+        shell: bash

.github/workflows/release.yml

@@ -8,6 +8,46 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: appthreat/atom
 jobs:
+  release-win:
+    if: github.repository_owner == 'appthreat'
+    concurrency: release-win
+    runs-on: windows-latest
+    permissions:
+      contents: write
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up JDK
+        uses: graalvm/setup-graalvm@v1
+        with:
+          distribution: 'graalvm-community'
+          java-version: '21'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          native-image-job-reports: 'true'
+          cache: 'sbt'
+      - uses: ilammy/msvc-dev-cmd@v1
+        with:
+          arch: amd64
+      - run: |
+          Invoke-WebRequest -Uri https://github.com/upx/upx/releases/download/v4.2.2/upx-4.2.2-win64.zip -UseBasicParsing -OutFile upx-4.2.2-win64.zip
+          Expand-Archive -Path upx-4.2.2-win64.zip -DestinationPath . -Force
+          sbt stage createDistribution
+          sbt "GraalVMNativeImage / packageBin"
+          .\target\graalvm-native-image\atom.exe --help
+          cd target\graalvm-native-image
+          (Get-FileHash -Algorithm SHA512 .\atom.exe).hash | Out-File -FilePath .\atom.exe.sha512
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create Release
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            target/graalvm-native-image/atom.exe
+            target/graalvm-native-image/atom.exe.sha512
+
   release:
     if: github.repository_owner == 'appthreat'
     concurrency: release
@@ -19,15 +59,26 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: coursier/cache-action@v6
       - name: Set up JDK
-        uses: actions/setup-java@v4
+        uses: graalvm/setup-graalvm@v1
         with:
-          distribution: 'zulu'
+          distribution: 'graalvm-community'
           java-version: '21'
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          native-image-job-reports: 'true'
+          cache: 'sbt'
       - run: |
+          wget https://github.com/upx/upx/releases/download/v4.2.2/upx-4.2.2-amd64_linux.tar.xz
+          tar -xvf upx-4.2.2-amd64_linux.tar.xz
+          chmod +x upx-4.2.2-amd64_linux/upx
+          sudo cp upx-4.2.2-amd64_linux/upx /usr/local/bin/
           sbt stage astGenDlTask assembly createDistribution
           sha512sum target/atom.zip > target/atom.zip.sha512
+          bash ci/native-image.sh
+          cp target/graalvm-native-image/atom target/graalvm-native-image/atom-amd64
+          /usr/local/bin/upx -9 --lzma target/graalvm-native-image/atom-amd64
+          target/graalvm-native-image/atom-amd64 --help
+          sha512sum target/graalvm-native-image/atom-amd64 > target/graalvm-native-image/atom-amd64.sha512
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - run: sbt publish
@@ -38,10 +89,15 @@ jobs:
         run: |
           cd target
           echo $GITHUB_TOKEN | oras login ghcr.io -u $GITHUB_USERNAME --password-stdin
-          oras push ghcr.io/$IMAGE_NAME:v1 \
-            --annotation-file ../ci/annotations.json \
+          oras push ghcr.io/$IMAGE_NAME:v2 \
+            --artifact-type application/vnd.oras.config.v1+json \
             ./atom.zip:application/vnd.appthreat.atom.layer.v1+tar \
             ./atom.zip.sha512:application/vnd.appthreat.atom.layer.v1+tar
+          cd graalvm-native-image
+          oras push ghcr.io/appthreat/atom-amd64:v2 \
+            --artifact-type application/vnd.oras.config.v1+json \
+            ./atom-amd64:application/vnd.appthreat.atom.layer.v1+tar \
+            ./atom-amd64.sha512:application/vnd.appthreat.atom.layer.v1+tar
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_USERNAME: ${{ github.actor }}
@@ -52,3 +108,5 @@ jobs:
           files: |
             target/atom.zip
             target/atom.zip.sha512
+            target/graalvm-native-image/atom-amd64
+            target/graalvm-native-image/atom-amd64.sha512

.github/workflows/repotests.yml

@@ -6,68 +6,11 @@ on:
       - feature/*
   workflow_dispatch:
 jobs:
-  jvm21-testing:
-    strategy:
-      matrix:
-        os: [ ubuntu-latest, macos-latest ]
-        java-version: [ '21' ]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - uses: actions/checkout@v4
-        with:
-          repository: 'HooliCorp/java-sec-code'
-          path: 'repotests/java-sec-code'
-      - uses: actions/checkout@v4
-        with:
-          repository: 'DefectDojo/django-DefectDojo'
-          path: 'repotests/django-DefectDojo'
-      - uses: actions/checkout@v4
-        with:
-          repository: 'nodejs/node'
-          path: 'repotests/nodejs'
-      - uses: actions/checkout@v4
-        with:
-          repository: 'awsdocs/aws-doc-sdk-examples'
-          path: 'repotests/aws-doc-sdk-examples'
-      - uses: actions/checkout@v4
-        with:
-          repository: 'friendica/friendica'
-          path: 'repotests/friendica'
-      - uses: coursier/cache-action@v6
-      - name: Set up JDK
-        uses: actions/setup-java@v4
-        with:
-          distribution: 'zulu'
-          java-version: ${{ matrix.java-version }}
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
-        with:
-          node-version: '21.x'
-      - run: |
-          git apply --ignore-space-change --ignore-whitespace contrib/java21.patch
-          sbt stage astGenDlTask
-          npm install -g @cyclonedx/cdxgen --omit=optional
-          cdxgen -t java --deep -o $GITHUB_WORKSPACE/repotests/java-sec-code/bom.json $GITHUB_WORKSPACE/repotests/java-sec-code
-          ./atom.sh reachables --remove-atom -o /tmp/java-sec-code.atom -l java $GITHUB_WORKSPACE/repotests/java-sec-code -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/java-sec-code.reachables.json
-          cdxgen -t python --deep -o $GITHUB_WORKSPACE/repotests/django-DefectDojo/bom.json $GITHUB_WORKSPACE/repotests/django-DefectDojo
-          ./atom.sh reachables --remove-atom -o /tmp/django-DefectDojo.atom -l python $GITHUB_WORKSPACE/repotests/django-DefectDojo -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/django-DefectDojo.reachables.json
-          ./atom.sh usages --remove-atom -o /tmp/v8.atom -l h $GITHUB_WORKSPACE/repotests/nodejs/deps/v8 -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/v8.slices.json
-          ./atom.sh usages --remove-atom -o /tmp/uv.atom -l h $GITHUB_WORKSPACE/repotests/nodejs/deps/uv -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/uv.slices.json
-          ./atom.sh usages --remove-atom -o /tmp/aws.atom -l h $GITHUB_WORKSPACE/repotests/aws-doc-sdk-examples/cpp -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/aws.slices.json
-          ./atom.sh usages --remove-atom -o /tmp/friendica.atom -l h $GITHUB_WORKSPACE/repotests/friendica -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/friend.slices.json
-          cdxgen -t php -o $GITHUB_WORKSPACE/repotests/friendica/bom.json $GITHUB_WORKSPACE/repotests/friendica
-          ./atom.sh reachables --remove-atom -o /tmp/friendica2.atom -l h $GITHUB_WORKSPACE/repotests/friendica -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/friend2.slices.json
-        env:
-          JAVA_TOOL_OPTIONS: "-Dfile.encoding=UTF-8"
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   jvm-testing:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        java-version: ['17', '19', '20']
+        java-version: ['21']
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -77,6 +20,10 @@ jobs:
         with:
           repository: 'ShiftLeftSecurity/shiftleft-java-example'
           path: 'repotests/shiftleft-java-example'
+      - uses: actions/checkout@v4
+        with:
+          repository: 'rodbate/bouncycastle-examples'
+          path: 'repotests/bouncycastle-examples'
       - uses: actions/checkout@v4
         with:
           repository: 'juice-shop/juice-shop'
@@ -113,12 +60,12 @@ jobs:
       - name: Set up JDK
         uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
+          distribution: 'temurin'
           java-version: ${{ matrix.java-version }}
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: '20.x'
+          node-version: '21.x'
       - run: |
           sbt stage astGenDlTask
           ./atom.sh --remove-atom -o /tmp/java.atom -l java $GITHUB_WORKSPACE/repotests/shiftleft-java-example -Dlog4j.configurationFile=log4j2.xml
@@ -148,12 +95,14 @@ jobs:
           JAVA_TOOL_OPTIONS: "-Dfile.encoding=UTF-8"
       - run: |
           npm install -g @cyclonedx/cdxgen --omit=optional
+          cdxgen -t java --deep -o $GITHUB_WORKSPACE/repotests/bouncycastle-examples/bom.json $GITHUB_WORKSPACE/repotests/bouncycastle-examples
+          ./atom.sh reachables --include-crypto --remove-atom -o /tmp/bouncycastle-examples.atom -l java $GITHUB_WORKSPACE/repotests/bouncycastle-examples -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/bouncycastle-examples.reachables.json
           cdxgen -t java --deep -o $GITHUB_WORKSPACE/repotests/java-sec-code/bom.json $GITHUB_WORKSPACE/repotests/java-sec-code
-          ./atom.sh reachables --remove-atom -o /tmp/java-sec-code.atom -l java $GITHUB_WORKSPACE/repotests/java-sec-code -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/java-sec-code.reachables.json
+          ./atom.sh reachables --include-crypto --remove-atom -o /tmp/java-sec-code.atom -l java $GITHUB_WORKSPACE/repotests/java-sec-code -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/java-sec-code.reachables.json
           cdxgen -t c --deep -o $GITHUB_WORKSPACE/repotests/aws-doc-sdk-examples/cpp/bom.json $GITHUB_WORKSPACE/repotests/aws-doc-sdk-examples/cpp
           ./atom.sh reachables --remove-atom -o /tmp/aws-doc-sdk-examples.atom -l c $GITHUB_WORKSPACE/repotests/aws-doc-sdk-examples/cpp -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/aws-doc-sdk-examples.reachables.json
-          cdxgen -t python --deep -o $GITHUB_WORKSPACE/repotests/django-DefectDojo/bom.json $GITHUB_WORKSPACE/repotests/django-DefectDojo
-          ./atom.sh reachables --remove-atom -o /tmp/django-DefectDojo.atom -l python $GITHUB_WORKSPACE/repotests/django-DefectDojo -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/django-DefectDojo.reachables.json
+          cdxgen -t python --deep -o $GITHUB_WORKSPACE/repotests/DjanGoat/bom.json $GITHUB_WORKSPACE/repotests/DjanGoat
+          ./atom.sh reachables --remove-atom -o /tmp/DjanGoat.atom -l python $GITHUB_WORKSPACE/repotests/DjanGoat -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/DjanGoat.reachables.json
         if: runner.os != 'Windows'
         env:
           JAVA_TOOL_OPTIONS: "-Dfile.encoding=UTF-8"