Reachables slice

[prabhu]

This PR adds support for creating reachables slices for Java applications.

Prerequisites

• Java 17 or above
• Node.js 20
• Scala sbt - https://www.scala-sbt.org/

Steps

• Run cdxgen with --deep and -o bom.json argument. The bom file must be called bom.json and must be present in the target repo.

npm install -g @cyclonedx/cdxgen
cd <path to java repo>
cdxgen -t java -o bom.json --deep .

• Run atom using reachables command. The resulting slice would have a property called "reachables", which is an array of flows and purls as shown.

git clone https://github.com/AppThreat/atom
cd atom
git checkout feature/reachable-slice
sbt stage
./atom.sh reachables -o app.atom -l java --slice-outfile reachables.json .

Sample invocation:

https://github.com/AppThreat/atom/blob/feature/reachable-slice/.github/workflows/repotests.yml#L77

• [ ] The performance for this slicing must be in between usages and data-flow slicing.
• [ ] The line number and purl information must be correct

Known issues

• [ ] A small number of line numbers for method parameters and methods nodes are incorrect due to bugs in javaparser when dealing with comments that include HTML tags.

Sample test results

https://github.com/HooliCorp/java-sec-code reachables.json.txt

https://github.com/OWASP-Benchmark/BenchmarkJava reachables.tar.gz