Reachables slice (#82)

* Reachables slice Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * api based flows for benchmark Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Update readme Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> --------- Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
AppThreat · Oct 17, 2023 · fc432c3 · fc432c3
1 parent 973f1c7
commit fc432c3
Show file tree

Hide file tree

Showing 23 changed files with 9,812 additions and 5,952 deletions.
diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml
@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - main
+      - feature/*
   workflow_dispatch:
 jobs:
   jvm-testing:
@@ -31,6 +32,10 @@ jobs:
         with:
           repository: 'libexpat/libexpat'
           path: 'repotests/libexpat'
+      - uses: actions/checkout@v3
+        with:
+          repository: 'HooliCorp/java-sec-code'
+          path: 'repotests/java-sec-code'
       - uses: actions/checkout@v3
         with:
           repository: 'HooliCorp/DjanGoat'
@@ -41,6 +46,10 @@ jobs:
         with:
           distribution: 'zulu'
           java-version: ${{ matrix.java-version }}
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20.x'
       - run: |
           sbt stage astGenDlTask
           ./atom.sh -o /tmp/java.atom -l java $GITHUB_WORKSPACE/repotests/shiftleft-java-example -Dlog4j.configurationFile=log4j2.xml
@@ -63,3 +72,9 @@ jobs:
           ./atom.sh usages -o /tmp/c3.atom -l c $GITHUB_WORKSPACE/repotests/libexpat -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/c.usages.json
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - run: |
+          npm install -g @cyclonedx/cdxgen --omit=optional
+          cdxgen -t java --deep -o java-sec-code/bom.json java-sec-code
+          ./atom.sh reachables -o /tmp/java-sec-code.atom -l java $GITHUB_WORKSPACE/repotests/java-sec-code -Dlog4j.configurationFile=log4j2.xml --slice-outfile /tmp/java-sec-code.reachables.json
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
@@ -28,6 +28,12 @@ npm install @appthreat/atom
 # sudo npm install -g @appthreat/atom
 ```
 
+Install cdxgen to generate a Software Bill-of-Materials which is required for certain slicing.
+
+```shell
+npm install -g @cyclonedx/cdxgen --omit=optional
+```
+
 ## CLI Usage
 
 ```
@@ -56,6 +62,10 @@ Command: usages [options]
 Extract local variable and parameter usages
   --min-num-calls <value>  the minimum number of calls required for a usage slice - defaults to 1.
   --include-source         includes method source code in the slices - defaults to false.
+Command: reachables [options]
+Extract reachable data-flow slices based on automated framework tags
+--source-tag <value>     source tag - defaults to framework-input.
+--sink-tag <value>       sink tag - defaults to framework-output.
   --help                   display this help message
 ```
 
@@ -77,6 +87,14 @@ export ANDROID_HOME=<path to android sdk>
 atom -o app.atom -l apk <apk file>
 ```
 
+### Create reachables slice for a java project.
+
+```shell
+cd <path to repo>
+cdxgen -t java --deep -o bom.json .
+atom reachables -o app.atom -s reachables.json -l java .
+```
+
 ### Create data-flow slice for a java project.
 
 ```shell

diff --git a/build.sbt b/build.sbt
@@ -1,9 +1,9 @@
 name                     := "atom"
 ThisBuild / organization := "io.appthreat"
-ThisBuild / version      := "1.2.5"
+ThisBuild / version      := "1.5.0"
 ThisBuild / scalaVersion := "3.3.1"
 
-val chenVersion      = "0.0.11"
+val chenVersion      = "0.0.17"
 
 lazy val atom = Projects.atom
 

diff --git a/specification/atom.proto b/specification/atom.proto
@@ -924,14 +924,7 @@ message UsageSlice {
     repeated UserDefinedTypes userDefinedTypes = 2;
 }
 
-/**
- * DataFlow slices offers a list of nodes and edges exported from data dependency graph
- *
- * ![Data Flow slices overview](./docs/Data%20Flows.png)
- */
-message DataFlowSlice {
-
-    message Nodes {
+message Nodes {
         // Id of the node
         uint32 id = 1;
         // Label
@@ -960,7 +953,16 @@ message DataFlowSlice {
         uint32 lineNumber = 13;
         // Column number
         uint32 columnNumber = 14;
-    }
+        // Tags. Can contain simple names including package url
+        string tags = 15;
+}
+
+/**
+ * DataFlow slices offers a list of nodes and edges exported from data dependency graph
+ *
+ * ![Data Flow slices overview](./docs/Data%20Flows.png)
+ */
+message DataFlowSlice {
 
     message Edges {
         // Source node id
@@ -989,3 +991,20 @@ message DataFlowSlice {
     Graph graph = 1;
     Paths path = 2;
 }
+
+/**
+ * Reachables slices offers a list of reachable nodes based on automated tags exported from data dependency graph
+ */
+message ReachableSlice {
+
+    message Reachables {
+      repeated Nodes nodes = 1;
+    }
+
+    message Purls {
+      repeated string purls = 1;
+    }
+
+    Reachables reachables = 1;
+    Purls purls = 2;
+}