Feat: Update corax to v2.6

Feysh-Group · Jan 15, 2024 · 3c33a57 · 3c33a57
1 parent 6077f49
commit 3c33a57
Show file tree

Hide file tree

Showing 171 changed files with 3,883 additions and 743 deletions.
diff --git a/.run/debug-config-template.run.xml b/.run/debug-config-template.run.xml
@@ -1,7 +1,7 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="debug-config-template" type="JarApplication">
     <option name="JAR_PATH" value="{corax-cli.jar path}" />
-    <option name="PROGRAM_PARAMETERS" value="--verbosity info --output build/output --make-scorecard --enable-data-flow true --target java --auto-app-classes corax-config-tests --result-type sarif --result-type plist --config default-config.yml@build\analysis-config" />
+    <option name="PROGRAM_PARAMETERS" value="--verbosity info --output build/report/normal --make-scorecard --enable-data-flow true --target java --auto-app-classes corax-config-tests/normal --result-type sarif --result-type plist --config default-config.yml@build\analysis-config" />
     <option name="ALTERNATIVE_JRE_PATH" />
     <method v="2">
       <option name="Gradle.BeforeRunTask" enabled="false" tasks="build" externalProjectPath="$PROJECT_DIR$" vmOptions="" scriptParameters="-x test" />

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 FROM openjdk:17
-ENV CORAX_VERSION 2.5
+ENV CORAX_VERSION 2.6
 ENV CORAX_JAVA_ARTIFACT_NAME "corax-java-cli-community-$CORAX_VERSION"
 ENV CORAX_JAVA_ARTIFACT_ZIP "$CORAX_JAVA_ARTIFACT_NAME.zip"
 ENV CORAX_JAVA_CLI_NAME "corax-cli-community-${CORAX_VERSION}.jar"

diff --git a/Readme.md b/Readme.md
@@ -87,17 +87,17 @@ $ gradlew build
 │   │                                                      // 仅当修改后的主配置文件存在部分配置缺失或者一些配置无法对应到已有插件，
 │   ├── default-config.normalize.yml                       // 以及存在风格问题时，引擎将会自动进行修补和规范化主配置并输出到此文件
 │   ├── plugins                                            // 插件存放目录
-│   │   ├── feysh-config-community-plugin-2.5               // 第一次运行分析后，自动解压，按需删除
-│   │   ├── feysh-config-community-plugin-2.5.zip           // 编译产物，corax-config-community module 编译后生成的规则检查器插件
-│   │   ├── feysh-config-general-plugin-2.5                 // 第一次运行分析后，自动解压，按需删除
-│   │   └── feysh-config-general-plugin-2.5.zip             // 编译产物, corax-config-general module 编译后生成的规则检查器插件
+│   │   ├── feysh-config-community-plugin-2.6               // 第一次运行分析后，自动解压，按需删除
+│   │   ├── feysh-config-community-plugin-2.6.zip           // 编译产物，corax-config-community module 编译后生成的规则检查器插件
+│   │   ├── feysh-config-general-plugin-2.6                 // 第一次运行分析后，自动解压，按需删除
+│   │   └── feysh-config-general-plugin-2.6.zip             // 编译产物, corax-config-general module 编译后生成的规则检查器插件
 │   └── rules                                              // 规则检查器的一些静态数据，用户可以自定义进行配置
 │       ├── **.sources.json                                   // taint sources
 │       ├── **.summaries.json                                 // taint summaries,sanitizers
 │       ├── **.sinks.json                                     // taint sinks
 │       ├── **.access-path.json                               // method signature and sink data
 ```
-> 注意：`feysh-config-community-plugin-2.5.zip` 为 `corax-config-community` 模块编译后生成的规则检查器插件，主要包含了自定义规则检查器的实现，`feysh-config-general-plugin-2.5.zip` 为 `corax-config-general` 模块编译后生成的规则检查器插件，主要包含了一些通用的内建检查器模型，一般不需要修改。
+> 注意：`feysh-config-community-plugin-2.6.zip` 为 `corax-config-community` 模块编译后生成的规则检查器插件，主要包含了自定义规则检查器的实现，`feysh-config-general-plugin-2.6.zip` 为 `corax-config-general` 模块编译后生成的规则检查器插件，主要包含了一些通用的内建检查器模型，一般不需要修改。
 
 ### 开始分析
 
@@ -113,7 +113,7 @@ $ gradlew build
 
         **第二步**：分析引擎需要载入 `CoraxJava规则检查器插件`（如：`analysis-config/plugins/feysh-config-*-plugin-*.*.*.zip`）及依赖的一些配置文件（如` analysis-config/rules`），所以需要准备好 `analysis-config` (规则配置文件夹) **：**
 
-  - 可以使用从 [release](https://github.com/Feysh-Group/corax-community/releases) 下载并解压zip得到已生成好的 `analysis-config`目录： `{corax-java-cli-community-2.5.zip解压位置}/analysis-config/`
+  - 可以使用从 [release](https://github.com/Feysh-Group/corax-community/releases) 下载并解压zip得到已生成好的 `analysis-config`目录： `{corax-java-cli-community-2.6.zip解压位置}/analysis-config/`
   - 或者使用[编译构建](#编译构建)步骤中生成的[build/analysis-config](build%2Fanalysis-config)目录：`./build/analysis-config/`
 
 
@@ -133,20 +133,20 @@ $ gradlew build
 -         设置分析目标所在路径，此处以本项目所包含的测试用例举例 `--auto-app-classes ./corax-config-tests`，此参数要求该路径或子目录下必须包含项目源码及编译后的字节码产物（class文件或 jar 包都可），
 
 -         指定配置的参数格式为 `--config (yaml文件名字.yml)@(规则配置文件夹)`，yml 文件名可以任意命名不必一定存在。`(规则配置文件夹)`就是前面所准备好的 `analysis-config` 的路径。例如
-  - `--config default-config.yml@{corax-java-cli-community-2.5.zip解压位置}/analysis-config/`
+  - `--config default-config.yml@{corax-java-cli-community-2.6.zip解压位置}/analysis-config/`
   - `--config default-config.yml@./build/analysis-config/`
 
 
 
   分析命令模板：
 
 ```bash
-$ java -jar corax-cli-x.x.x.jar --verbosity info --output build/output --enable-data-flow true --target java --result-type sarif --auto-app-classes {项目根目录（包含源码和编译产物）} --config default-config.yml@{corax-java-cli-community-2.5.zip解压位置}/analysis-config/
+$ java -jar corax-cli-x.x.x.jar --verbosity info --output build/output --enable-data-flow true --target java --result-type sarif --auto-app-classes {项目根目录（包含源码和编译产物）} --config default-config.yml@{corax-java-cli-community-2.6.zip解压位置}/analysis-config/
 ```
 
         **tips**: 如果项目根目录没有编译产物，可以再增加任意个数的 `--auto-app-classes` 参数指向编译产物所在的位置或文件夹
 
-		执行此命令时，如果分析引擎无法在指定的 `{corax-java-cli-community-2.5.zip解压位置}/analysis-config/` 目录中找到名为`default-config.yml`的 yml 文件，将自动根据插件中的默认参数生成一个同名的默认yaml主要配置文件到规则配置文件夹：`{corax-java-cli-community-2.5.zip解压位置}/analysis-config/default-config.yml`，如果需要更改配置，请复制整个 `analysis-config` 文件夹到您的工作目录，并适当按照您的需求自定义修改配置，在下次的分析前指定参数 `--config 配置文件名.yml@新的规则配置文件夹` ，使其生效。
+		执行此命令时，如果分析引擎无法在指定的 `{corax-java-cli-community-2.6.zip解压位置}/analysis-config/` 目录中找到名为`default-config.yml`的 yml 文件，将自动根据插件中的默认参数生成一个同名的默认yaml主要配置文件到规则配置文件夹：`{corax-java-cli-community-2.6.zip解压位置}/analysis-config/default-config.yml`，如果需要更改配置，请复制整个 `analysis-config` 文件夹到您的工作目录，并适当按照您的需求自定义修改配置，在下次的分析前指定参数 `--config 配置文件名.yml@新的规则配置文件夹` ，使其生效。
 
 
 

diff --git a/build.gradle.kts b/build.gradle.kts
@@ -21,7 +21,7 @@ val guavaVersion: String by rootProject
 val semVer: String? by project
 val configDir by extra { file("$buildDir/analysis-config") }
 val pluginDir by extra { file("$buildDir/analysis-config/plugins") }
-version = semVer ?: "2.5"
+version = semVer ?: "2.6"
 
 plugins {
     `java-library`
@@ -295,15 +295,15 @@ configure(
         dependsOn(pluginZip)
         from(pluginZip)
         into(pluginDir)
-//        val archiveFileName = pluginZip.get().archiveFileName.get()
-//        val folder = archiveFileName.substringBeforeLast(pluginZip.get().archiveExtension.get()).dropLast(1)
-//        val extract = "$pluginDir/${folder}"
-//        doFirst {
-//            println("delete $extract")
-//            delete(extract)
-//            delete("$configDir/default-config.yml")
-//            delete("$configDir/default-config.normalize.yml")
-//        }
+        val archiveFileName = pluginZip.get().archiveFileName.get()
+        val folder = archiveFileName.substringBeforeLast(pluginZip.get().archiveExtension.get()).dropLast(1)
+        val extract = "$pluginDir/${folder}"
+        doFirst {
+            println("delete $extract")
+            delete(extract)
+            delete("$configDir/default-config.yml")
+            delete("$configDir/default-config.normalize.yml")
+        }
     }
 
     tasks.register("createProperties") {

diff --git a/build.local.env.gradle.kts b/build.local.env.gradle.kts
@@ -14,13 +14,14 @@ kotlin.run {
         error("coraxEnginePath: $coraxEnginePath does not exist. Please modify $properties and " +
                 "set property: \"coraxEngine\" to the path of corax-cli_x.x.x.jar." )
     }
-    val engineJar by extra { if (coraxEnginePath.isDirectory){
-        val foundJar = coraxEnginePath.listFiles()?.filter { it.extension == "jar" }
-        println("foundJar: \n[${foundJar?.joinToString("\n"){ "\t$it "}}]")
-        foundJar?.sortedBy { it.name }?.lastOrNull() ?: error("directory: $coraxEnginePath doesn't contains any corax_cli_x.x.x.jar")
-    } else {
-        coraxEnginePath
-    }
+    val engineJar by extra {
+        if (coraxEnginePath.isDirectory){
+            val foundJar = coraxEnginePath.listFiles()?.filter { it.extension == "jar" }
+            println("foundJar: \n[${foundJar?.joinToString("\n"){ "\t$it "}}]")
+            foundJar?.sortedBy { it.name }?.lastOrNull() ?: error("directory: $coraxEnginePath doesn't contains any corax_cli_x.x.x.jar")
+        } else {
+            coraxEnginePath
+        }
     }
     println("used engine jar: $engineJar")
 

diff --git a/corax-config-community/build.gradle.kts b/corax-config-community/build.gradle.kts
@@ -6,6 +6,8 @@ val commonsLangVersion: String by rootProject
 val kamlVersion: String by rootProject
 val log4j2Version: String by rootProject
 val caffeineVersion: String by rootProject
+val mybatisApacheVersion: String by rootProject
+val javaparserVersion: String by rootProject
 val kotlinSerializationVersion: String by rootProject
 
 plugins {
@@ -28,13 +30,14 @@ dependencies {
     compileOnly(project(":corax-config-api"))
     compileOnly(project(":corax-config-general"))
 
+    implementation(group = "org.mybatis", name = "mybatis", version = mybatisApacheVersion)
     implementation(group = "com.github.ben-manes.caffeine", name = "caffeine", version = caffeineVersion)
     implementation(group = "org.apache.commons", name = "commons-lang3", version = commonsLangVersion)
     implementation(group = "org.jetbrains.kotlinx", name = "kotlinx-serialization-json", version = kotlinSerializationVersion)
+    implementation(group = "com.github.javaparser", name = "javaparser-core", version = javaparserVersion)
 
     implementation("com.google.code.findbugs:jsr305:3.0.2")
     implementation("javax:javaee-api:7.0")
-    implementation("org.mybatis:mybatis:3.4.5")
     implementation("org.springframework:spring-web:4.3.30.RELEASE")
     implementation("org.springframework:spring-webmvc:4.3.30.RELEASE")
 
@@ -47,11 +50,11 @@ dependencies {
 
 
 sourceSets {
-    main{
-        java{
+    main {
+        java {
             srcDirs("src/main/java", "src/main/kotlin")
         }
-        kotlin{
+        kotlin {
             srcDirs("src/main/java", "src/main/kotlin")
         }
     }

diff --git a/...nfig-community/src/main/kotlin/com/feysh/corax/config/community/AnalyzerConfigRegistry.kt b/...nfig-community/src/main/kotlin/com/feysh/corax/config/community/AnalyzerConfigRegistry.kt
@@ -2,27 +2,10 @@
 
 package com.feysh.corax.config.community
 
-import com.feysh.corax.config.api.AnalyzerConfigEntry
+import com.feysh.corax.config.api.*
 import com.feysh.corax.config.api.IConfigPluginExtension
 import com.feysh.corax.config.api.ISootInitializeHandler
 import com.feysh.corax.config.builtin.soot.DefaultSootConfiguration
-import com.feysh.corax.config.community.checkers.*
-import com.feysh.corax.config.general.model.`outstanding-summaries`
-import com.feysh.corax.config.general.model.taint.TaintModelingConfig
-import com.feysh.corax.config.general.model.javaee.JavaeeAnnotationSource
-import com.feysh.corax.config.general.model.`main-method-source`
-import com.feysh.corax.config.general.model.`secret-data-annotation`
-import com.feysh.corax.config.general.checkers.analysis.LibVersionProvider
-import com.feysh.corax.config.community.checkers.cipher.`insecure-cipher`
-import com.feysh.corax.config.community.checkers.cipher.`insecure-cipher-api-call`
-import com.feysh.corax.config.community.checkers.frameworks.persistence.hibernate.jpa.JpaAnnotationSqlSinks
-import com.feysh.corax.config.community.checkers.frameworks.persistence.ibatis.IbatisAnnotationSQLSinks
-import com.feysh.corax.config.community.checkers.frameworks.persistence.ibatis.mybatis.MybatisMapperXmlSQLSinkConsumer
-import com.feysh.corax.config.community.checkers.frameworks.persistence.ibatis.mybatis.MybatisMapperXmlSQLSinkProvider
-import com.feysh.corax.config.community.checkers.frameworks.spring.ResponseBodyCheck
-import com.feysh.corax.config.community.checkers.hardcode.`hardcode-crypto-key`
-import com.feysh.corax.config.community.checkers.hardcode.`hardcode-credential`
-import com.feysh.corax.config.community.checkers.jwt.MissingJWTSignatureCheck
 
 import mu.KotlinLogging
 import org.pf4j.Extension
@@ -44,48 +27,40 @@ class AnalyzerConfigRegistry(wrapper: PluginWrapper) : Plugin(wrapper) {
 
     @Extension
     class CommunityJavaDefault : IConfigPluginExtension {
-        companion object {
-            val configCallBack: AnalyzerConfigEntry = {
-                preAnalysisImpl?.apply {
-                    this += listOf(
-                        LibVersionProvider,
-                        MybatisMapperXmlSQLSinkProvider,
-                        `weak-ssl`.`default-http-client`,
-                        `insecure-cipher-api-call`,
-                        `predict-random`,
-                        MissingJWTSignatureCheck,
-                        csrf,
-                    )
-                }
 
-                aiCheckerImpl?.apply {
-                    this += listOf(
-                        TaintModelingConfig,
-                        JavaeeAnnotationSource,
-                        `main-method-source`,
-                        `secret-data-annotation`,
-                        `outstanding-summaries`,
-                        `taint-checker`,
-                        JpaAnnotationSqlSinks,
-                        MybatisMapperXmlSQLSinkConsumer,
-                        IbatisAnnotationSQLSinks,
-                        ResponseBodyCheck,
-                        `insecure-cookie`,
-                        `httponly-cookie`,
-                        `weak-ssl`.SSLContext,
-                        `xxe-attacks`,
-                        `weak-hash`,
-                        `hardcode-crypto-key`,
-                        `hardcode-credential`,
-                        `insecure-cipher`,
-                        `open-redirect`,
-                        `permissive-cors`,
-                    )
-                }
-            }
+        override val units: LinkedHashSet<CheckerUnit> = linkedSetOf<CheckerUnit>().also {
+            it += com.feysh.corax.config.general.checkers.analysis.LibVersionProvider
+            it += com.feysh.corax.config.general.model.taint.TaintModelingConfig
+            it += com.feysh.corax.config.general.model.javaee.JavaeeAnnotationSource
+            it += com.feysh.corax.config.general.model.`outstanding-summaries`
+            it += com.feysh.corax.config.general.model.`main-method-source`
+            it += com.feysh.corax.config.general.model.`secret-data-annotation`
+
+            it += com.feysh.corax.config.community.checkers.frameworks.persistence.hibernate.jpa.JpaAnnotationSqlSinks
+            it += com.feysh.corax.config.community.checkers.frameworks.persistence.ibatis.mybatis.`mybatis-sql-injection-checker`
+            it += com.feysh.corax.config.community.checkers.frameworks.persistence.ibatis.IbatisAnnotationSQLSinks
+            it += com.feysh.corax.config.community.checkers.frameworks.spring.ResponseBodyCheck
+            it += com.feysh.corax.config.community.checkers.cipher.`insecure-cipher`
+            it += com.feysh.corax.config.community.checkers.cipher.`insecure-cipher-api-call`
+            it += com.feysh.corax.config.community.checkers.frameworks.persistence.hibernate.jpa.JpaAnnotationSqlSinks
+            it += com.feysh.corax.config.community.checkers.frameworks.spring.ResponseBodyCheck
+            it += com.feysh.corax.config.community.checkers.hardcode.`hardcode-crypto-key`
+            it += com.feysh.corax.config.community.checkers.hardcode.`hardcode-credential`
+            it += com.feysh.corax.config.community.checkers.jwt.MissingJWTSignatureCheck
+            it += com.feysh.corax.config.community.checkers.`weak-ssl`.`default-http-client`
+            it += com.feysh.corax.config.community.checkers.`predict-random`
+            it += com.feysh.corax.config.community.checkers.csrf
+            it += com.feysh.corax.config.community.checkers.`taint-checker`
+            it += com.feysh.corax.config.community.checkers.`insecure-cookie`
+            it += com.feysh.corax.config.community.checkers.`httponly-cookie`
+            it += com.feysh.corax.config.community.checkers.`weak-ssl`.SSLContext
+            it += com.feysh.corax.config.community.checkers.`xxe-attacks`
+            it += com.feysh.corax.config.community.checkers.`weak-hash`
+            it += com.feysh.corax.config.community.checkers.`open-redirect`
+            it += com.feysh.corax.config.community.checkers.`permissive-cors`
+            it += com.feysh.corax.config.community.checkers.`permissive-cors`.`any-url-request`
         }
 
-        override val entry: AnalyzerConfigEntry = configCallBack
         override val sootConfig: ISootInitializeHandler = DefaultSootConfiguration
         override val name: String = "feysh.community.java"
         override fun toString(): String = name