Closed momo-tong closed 2 years ago
Hi @momo-tong,
thanks for reporting this issue, which will be fixed in the next release. Until then, you can use the jar steady-cli-3.2.5-SNAPSHOT-jar-with-dependencies, available from Release 3.2.4 [1],[2]. Please extract the jar and place it in the same folder currently containing steady-cli-3.2.4-jar-with-dependencies.jar and then update the command line to java -jar steady-cli-3.2.5-SNAPSHOT-jar-with-dependencies.jar -goal a2c.
[1] https://github.com/eclipse/steady/releases/tag/release-3.2.4
[2] https://github.com/eclipse/steady/releases/download/release-3.2.4/steady-cli-3.2.5-SNAPSHOT-jar-with-dependencies.jar
@serenaponta Thank you, that resolved my problems. But I still have other questions.
By the way, when I use the command "mvn compile org.eclipse.steady:plugin-maven:3.2.4:prepare-agent", there is an error; just copying the lang-java-3.2.4-jar-with-dependencies.jar to ../app/target/dependency and then running again succeeds.
Err: Failed to execute goal org.eclipse.steady.. prepare-agent on project .. :Error during agent preparation: : Could not find agent JAR [../steady-cli/app/target/dependency/lang-java-3.2.4-jar-with-dependencies.jar], ...
Hello @momo-tong,
app must be executed first. prepare-agent must precede test, and t2c must follow the collection of traces, i.e., test + upload. Also, instr is meant to collect dynamic traces, but the goal itself is "just" statically instrumenting the application so that the user can then deploy the instrumented artifact and all the traces collected during its execution will be uploaded to the Steady backend. As a result, instr should only be used when such testing is planned. upload must follow test, otherwise t2c won't be able to use the dynamic traces as starting point for the static reachability analysis. Also note that, for multi-module Maven projects, report must be executed in a separate command, after all other goals have been executed (https://eclipse.github.io/steady/user/manuals/analysis/#multi-module-maven-projects). You can find examples of usages for Maven (involving several goals) at https://eclipse.github.io/steady/user/tutorials/jenkins_howto/.
The error you encountered about the agent JAR required at location app/target/dependency/ is due to a change since version 3.2.3. Since then, the user is expected to copy the JAR to the location mentioned. The JAR can be downloaded from Maven Central (e.g., manually from https://search.maven.org/remotecontent?filepath=org/eclipse/steady/lang-java/3.2.4/lang-java-3.2.4-jar-with-dependencies.jar or using the maven dependency:get plugin, https://maven.apache.org/plugins/maven-dependency-plugin/get-mojo.html).
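The ordering rules in the reply above, encoded as a check over a planned goal sequence together with the mvn command lines it produces. This is an added example, not code from the Steady project or from anyone in this thread: it assumes the plugin coordinate used here (org.eclipse.steady:plugin-maven:3.2.4), the function names are constructed, and the sample sequence is constructed from the goals discussed in this thread (including a repeated prepare-agent and the instr goal) so that both an acceptable order and the warnings are exercised.

```python
"""Check a planned sequence of Steady Maven goals against the ordering rules
above and build the mvn invocations for it.

Added example, not part of the Steady project: it encodes the constraints
stated in the reply (app first; prepare-agent before test; upload after test;
t2c after test and upload; report after everything else and in its own
command for multi-module projects). Function names and the sample sequence
are constructed for this example.
"""

# Plugin coordinate used in this thread.
PLUGIN = "org.eclipse.steady:plugin-maven:3.2.4"

# (earlier, later): every occurrence of `later` must come after the first
# occurrence of `earlier`, and `later` is meaningless without `earlier`.
ORDER_RULES = [
    ("app", "a2c"),
    ("app", "prepare-agent"),
    ("prepare-agent", "test"),
    ("test", "upload"),
    ("test", "t2c"),
    ("upload", "t2c"),
    ("app", "report"),
]

# Constructed sample sequence, including a back-to-back repeat and instr.
SAMPLE_SEQUENCE = [
    "app", "a2c", "prepare-agent", "prepare-agent", "test", "upload",
    "instr", "upload", "t2c", "checkcode", "upload", "report",
]


def check_goal_order(goals):
    """Return (errors, warnings). Empty errors means the order is acceptable."""
    errors, warnings = [], []
    if not goals or goals[0] != "app":
        errors.append("app must be the first goal")
    for earlier, later in ORDER_RULES:
        if later not in goals:
            continue
        if earlier not in goals:
            errors.append(f"{later} requires {earlier}, which is not in the sequence")
            continue
        first_earlier = goals.index(earlier)
        for idx, goal in enumerate(goals):
            if goal == later and idx < first_earlier:
                errors.append(f"{later} (position {idx}) runs before {earlier}")
    if "report" in goals and goals[-1] != "report":
        errors.append("report must come after all other goals")
    if "instr" in goals:
        warnings.append("instr only statically instruments the artifact; use it only "
                        "if the instrumented build will actually be deployed and exercised")
    for idx in range(1, len(goals)):
        if goals[idx] == goals[idx - 1]:
            warnings.append(f"{goals[idx]} is repeated back-to-back at position {idx}")
    return errors, warnings


def build_commands(goals, multi_module=False):
    """Turn a checked goal sequence into mvn command lines.

    Back-to-back repeats are collapsed. For multi-module projects, report is
    emitted as a separate invocation, as the documentation requires.
    """
    errors, _ = check_goal_order(goals)
    if errors:
        raise ValueError("; ".join(errors))
    seq = [g for i, g in enumerate(goals) if i == 0 or goals[i - 1] != g]
    main = [g for g in seq if g != "report"]
    commands = ["mvn compile " + " ".join(f"{PLUGIN}:{g}" for g in main)]
    if "report" in seq:
        if multi_module:
            commands.append(f"mvn compile {PLUGIN}:report")
        else:
            commands[0] += f" {PLUGIN}:report"
    return commands


if __name__ == "__main__":
    errs, warns = check_goal_order(SAMPLE_SEQUENCE)
    print("errors:", errs)
    print("warnings:", warns)
    for cmd in build_commands(SAMPLE_SEQUENCE, multi_module=True):
        print(cmd)
```

Running the script prints no errors for the sample sequence, two warnings (the instr goal and the repeated prepare-agent), and two command lines, the second being the stand-alone report invocation; feeding it a sequence with t2c before test raises a ValueError naming the violated rule.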
Hi @serenaponta, thanks for your quick reply and clear explanation. Sorry to bother you again.
There is another error when I use mvn compile org.eclipse.steady:plugin-maven:3.2.4:report:
[ERROR] Failed to execute goal org.eclipse.steady:plugin-maven:3.2.4:report (default-cli) on project log4j-core: The application depends on the following vulnerable archives: [ERROR] 1: [filename=jackson-databind-2.12.4.jar, digest=069206E02E6A696034F06A59D3DDBFBBA5A4CD81, scope=COMPILE, transitive=false, wellknownSha1=true, isAffectedVersionConfirmed=true, bug=CVE-2020-36518] [ERROR] 2: [filename=log4j-api-2.15.0.jar, digest=4A5AA7E55A29391C6F66E0B259D5189AA11E45D0, scope=COMPILE, transitive=false, wellknownSha1=true, isAffectedVersionConfirmed=true, bug=CVE-2021-45105]: Application depends on archives with vulnerable code [ERROR] -> [Help 1]
Using java -jar steady-cli-3.2.5-SNAPSHOT-jar-with-dependencies.jar -goal:report the error is:
2022-07-22 19:29:02,643 [main] [INFO ] ipse.steady.goals.AbstractGoal - Uploaded goal execution info Exception in thread "main" org.eclipse.steady.goals.ReportException: Application depends on archives with vulnerable code at org.eclipse.steady.goals.ReportGoal.executeTasks(ReportGoal.java:93) at org.eclipse.steady.goals.AbstractGoal.execute(AbstractGoal.java:255) at org.eclipse.steady.goals.AbstractGoal.executeSync(AbstractGoal.java:248) at org.eclipse.steady.cli.VulasCli.main(VulasCli.java:99)
However, both commands can create or update report files, such as vulas-report.json. So I am confused. Do I miss any configuration?
And the order of commands:
mvn compile org.eclipse.steady:plugin-maven:3.2.4:app
mvn compile org.eclipse.steady:plugin-maven:3.2.4:a2c
mvn compile org.eclipse.steady:plugin-maven:3.2.4:prepare-agent
mvn compile org.eclipse.steady:plugin-maven:3.2.4:prepare-agent
mvn compile org.eclipse.steady:plugin-maven:3.2.4:test
mvn compile org.eclipse.steady:plugin-maven:3.2.4:upload
mvn compile org.eclipse.steady:plugin-maven:3.2.4:instr
mvn compile org.eclipse.steady:plugin-maven:3.2.4:upload
mvn compile org.eclipse.steady:plugin-maven:3.2.4:t2c
mvn compile org.eclipse.steady:plugin-maven:3.2.4:checkcode
mvn compile org.eclipse.steady:plugin-maven:3.2.4:upload
mvn compile org.eclipse.steady:plugin-maven:3.2.4:report
Is the order right? Which order gets more accurate answers? Thank you!
As far as I can tell, you are using Steady correctly and it is behaving as designed: it fails your build if it finds that your project has vulnerable dependencies. It was designed that way because that is the simplest way to integrate it in automated CI pipelines. If that is not the behaviour you want, you can still configure it to not fail but just report the issues, as described in the documentation (the directive you're looking for is vulas.report.exceptionThreshold, which defaults to dependsOn). You can set it to noException instead.
See https://eclipse.github.io/steady/user/manuals/analysis/#configure-as-follows_5
Excerpt from the docs:
# Possible values: noException < dependsOn < potentiallyExecutes < actuallyExecutes
# noException : no build exception even if vulnerable code is included
# dependsOn : exception raised when vulnerable code is included
# potentiallyExecutes : exception raised when vulnerable code is potentially executed (result of static analyse)
# actuallyExecutes : exception raised when vulnerable code is executed (result of dynamic analyse)
I'm closing this issue. In case you need further help, do not hesitate to create a new one.
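The report failure quoted earlier in this thread and the threshold levels from the docs excerpt, worked through in code: a parser for the numbered "[ERROR] n: [...]" archive lines that the report goal prints, and the documented ordering noException < dependsOn < potentiallyExecutes < actuallyExecutes applied to the parsed findings. This is an added example, not Steady's own code. MAVEN_OUTPUT is constructed from the error output quoted above; the EVIDENCE map (which findings are merely included, potentially executed, or actually executed) is a constructed stand-in for what Steady derives from a2c, test and t2c, because the report lines themselves carry no reachability information; the function names are constructed too.

```python
"""Parse the vulnerable-archive lines that Steady's report goal prints on
build failure and apply the documented exceptionThreshold ordering to them.

Added example, not Steady's own code. MAVEN_OUTPUT is constructed from the
error output quoted in this thread; EVIDENCE is a constructed stand-in for
the reachability evidence Steady derives from a2c, test and t2c.
"""
import re

# Constructed sample, copied from the mvn ... :report failure quoted above.
MAVEN_OUTPUT = """\
[ERROR] Failed to execute goal org.eclipse.steady:plugin-maven:3.2.4:report (default-cli) on project log4j-core: The application depends on the following vulnerable archives:
[ERROR] 1: [filename=jackson-databind-2.12.4.jar, digest=069206E02E6A696034F06A59D3DDBFBBA5A4CD81, scope=COMPILE, transitive=false, wellknownSha1=true, isAffectedVersionConfirmed=true, bug=CVE-2020-36518]
[ERROR] 2: [filename=log4j-api-2.15.0.jar, digest=4A5AA7E55A29391C6F66E0B259D5189AA11E45D0, scope=COMPILE, transitive=false, wellknownSha1=true, isAffectedVersionConfirmed=true, bug=CVE-2021-45105]: Application depends on archives with vulnerable code
[ERROR] -> [Help 1]
"""

# Ordering from the docs excerpt:
# noException < dependsOn < potentiallyExecutes < actuallyExecutes
LEVELS = ["noException", "dependsOn", "potentiallyExecutes", "actuallyExecutes"]

# Constructed: highest evidence level established per finding. Anything not
# listed is treated as merely included (dependsOn).
EVIDENCE = {"CVE-2021-45105": "potentiallyExecutes"}

# Matches the numbered archive lines; field values never contain ']'.
_FINDING = re.compile(r"^\[ERROR\] (\d+): \[([^\]]*)\]")


def _coerce(value):
    """Turn the textual booleans in the archive lines into Python bools."""
    if value == "true":
        return True
    if value == "false":
        return False
    return value


def parse_findings(output):
    """Return one dict per '[ERROR] n: [key=value, ...]' line, in order."""
    findings = []
    for line in output.splitlines():
        m = _FINDING.match(line)
        if not m:
            continue
        fields = {}
        for pair in m.group(2).split(", "):
            key, _, value = pair.partition("=")
            fields[key] = _coerce(value)
        fields["index"] = int(m.group(1))
        findings.append(fields)
    return findings


def failing_findings(findings, threshold, evidence):
    """Bugs that would make the build fail at `threshold`.

    A finding fails the build when its evidence level is at or above the
    threshold; noException never fails.
    """
    if threshold not in LEVELS:
        raise ValueError(f"unknown threshold {threshold!r}")
    if threshold == "noException":
        return []
    cutoff = LEVELS.index(threshold)
    return [
        f["bug"] for f in findings
        if LEVELS.index(evidence.get(f["bug"], "dependsOn")) >= cutoff
    ]


if __name__ == "__main__":
    found = parse_findings(MAVEN_OUTPUT)
    for f in found:
        kind = "transitive" if f["transitive"] else "direct"
        print(f["index"], f["filename"], f["bug"], f["scope"], kind)
    for level in LEVELS:
        print(level, "->", failing_findings(found, level, EVIDENCE))
```

With the default dependsOn threshold both archives fail the build, exactly as in the quoted output; raising the threshold to potentiallyExecutes leaves only the finding for which the constructed evidence claims static reachability, and noException never fails, which is the setting the reply above points to.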
When I execute the command "java -jar steady-cli-3.2.4-jar-with-dependencies.jar -goal a2c", the error is
2022-07-19 19:21:12,150 [main] [ERROR] rg.eclipse.steady.cli.VulasCli - Cannot create instance of class [com.sap.psr.vulas.cg.A2CGoal]: com.sap.psr.vulas.cg.A2CGoal