eclipse / steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/
Apache License 2.0

how can I see/get the AST of a vulnerability #574

Closed momo-tong closed 1 year ago

momo-tong commented 1 year ago

I want to know how I can see/get the AST of a vulnerability. I use the kaybee pull command to get the bugs of KB. However, I just get the source code about a CVE vulnerability, in which the statement.yaml describes the fix info about a vulnerability. So, how can I see/get the AST of a vulnerability, as I know Steady extracts the AST of the vulnerable code and fixed code? Looking forward to your reply, thank you very much!

serenaponta commented 1 year ago

ASTs are computed by Eclipse Steady during the import of the vulnerabilities in the form of statements from project KB. They are then stored in the database and available from the rest endpoints of the rest-backend. To see/get the ASTs you can set up the steady backend services and either wait for the initial import to be completed, or use the kb-importer module to analyze vulnerabilities starting from statements.

To set up the Steady backend services you can follow the guide at https://eclipse.github.io/steady/admin/tutorials/docker/. The initial import of vulnerabilities starts as soon as the docker containers are started, but takes hours to complete. You can check the vulnerabilities already imported using the endpoint http://localhost:8033/bugs. To access ASTs you can use the endpoint http://localhost:8033/bugs/CVE-XXXX-YYYY; the ASTs are the vulnerable and fixed methods provided under the fields "buggyBody" and "fixedBody" respectively (for methods and constructors whose change type is MOD). Alternatively, to analyze statements explicitly, you can follow the guide at https://eclipse.github.io/steady/user/manuals/updating_vuln_data/
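The retrieval described in the answer above, as an added example that is neither part of the thread nor Steady's own tooling: it queries the rest-backend bug endpoint and keeps only the "buggyBody"/"fixedBody" pair of MOD changes on methods and constructors. The JSON field names "constructChanges", "constructChangeType" and "constructId" (with "type" codes "METH"/"CONS") are assumptions about the response shape, and the sample response is constructed.

```python
"""Pull vulnerable/fixed method ASTs from a running Eclipse Steady rest-backend.

Assumptions (not stated in the issue): the /bugs/<CVE> response is JSON with a
"constructChanges" list whose entries carry "constructChangeType",
"constructId" (with "type" and "qname") and the "buggyBody"/"fixedBody"
fields named in the answer above.
"""
import json
import urllib.request

BACKEND = "http://localhost:8033"  # rest-backend address from the docker tutorial


def fetch_bug(cve_id, backend=BACKEND):
    """GET /bugs/<CVE> from the rest-backend and return the parsed JSON."""
    with urllib.request.urlopen(f"{backend}/bugs/{cve_id}") as resp:
        return json.load(resp)


def extract_asts(bug):
    """Return {qname: (buggyBody, fixedBody)} for MOD changes of methods/constructors.

    Only MOD changes carry both bodies; ADD and DEL changes have at most one,
    and class-level entries carry no method AST, so both are skipped.
    """
    asts = {}
    for change in bug.get("constructChanges", []):
        if change.get("constructChangeType") != "MOD":
            continue
        cid = change.get("constructId", {})
        if cid.get("type") not in ("METH", "CONS"):  # assumed construct type codes
            continue
        asts[cid["qname"]] = (change.get("buggyBody"), change.get("fixedBody"))
    return asts


# Constructed sample response (not real Steady output) so the function can be
# exercised without a running backend; the AST strings are placeholders.
SAMPLE_BUG = {
    "bugId": "CVE-XXXX-YYYY",
    "constructChanges": [
        {"constructChangeType": "MOD",
         "constructId": {"lang": "JAVA", "type": "METH", "qname": "com.example.Foo.parse(String)"},
         "buggyBody": '{"type":"MethodDeclaration","id":"buggy"}',
         "fixedBody": '{"type":"MethodDeclaration","id":"fixed"}'},
        {"constructChangeType": "ADD",
         "constructId": {"lang": "JAVA", "type": "METH", "qname": "com.example.Foo.check(String)"},
         "buggyBody": None, "fixedBody": '{"type":"MethodDeclaration","id":"added"}'},
        {"constructChangeType": "MOD",
         "constructId": {"lang": "JAVA", "type": "CLAS", "qname": "com.example.Foo"},
         "buggyBody": None, "fixedBody": None},
    ],
}

if __name__ == "__main__":
    for qname, (buggy, fixed) in extract_asts(SAMPLE_BUG).items():
        print(qname, "\n  buggy:", buggy, "\n  fixed:", fixed)
```

Against a live backend, replace SAMPLE_BUG with fetch_bug("CVE-XXXX-YYYY") once the import has reached that CVE.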

momo-tong commented 1 year ago

Thanks for your reply.