eclipse / steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/
Apache License 2.0

Reachable from app (a2c) Fails With Java 17 #588

Closed mayaba closed 11 months ago

mayaba commented 1 year ago

Describe the bug

The console shows me the following error when running the a2c goal on a Java 17 project:

java.nio.file.NoSuchFileException: /modules/modules
    at java.base/jdk.internal.jrtfs.JrtFileSystem.checkNode(JrtFileSystem.java:486)
    at java.base/jdk.internal.jrtfs.JrtFileSystem.isDirectory(JrtFileSystem.java:431)
    at java.base/jdk.internal.jrtfs.JrtDirectoryStream.<init>(JrtDirectoryStream.java:58)
    at java.base/jdk.internal.jrtfs.JrtPath.newDirectoryStream(JrtPath.java:642)
    at java.base/jdk.internal.jrtfs.JrtFileSystemProvider.newDirectoryStream(JrtFileSystemProvider.java:311)
    at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)
    at soot.asm.AsmJava9ClassProvider.find(AsmJava9ClassProvider.java:50)
    at soot.SourceLocator.getClassSource(SourceLocator.java:187)
    at soot.SootResolver.bringToHierarchyUnchecked(SootResolver.java:231)
    at soot.SootResolver.bringToHierarchy(SootResolver.java:221)
    at soot.SootResolver.bringToSignatures(SootResolver.java:292)
    at soot.SootResolver.bringToBodies(SootResolver.java:332)
    at soot.SootResolver.processResolveWorklist(SootResolver.java:171)
    at soot.SootResolver.resolveClass(SootResolver.java:141)
    at soot.Scene.tryLoadClass(Scene.java:979)
    at soot.Scene.loadBasicClasses(Scene.java:1708)
    at soot.Scene.loadNecessaryClasses(Scene.java:1807)
    at org.eclipse.steady.cg.soot.SootCallgraphConstructor.setEntrypoints(SootCallgraphConstructor.java:356)
    at org.eclipse.steady.cg.ReachabilityAnalyzer.run(ReachabilityAnalyzer.java:398)
    at java.base/java.lang.Thread.run(Thread.java:833)
Exception in thread "vulas-reach-1" java.lang.RuntimeException: None of the basic classes could be loaded! Check your Soot class path!
    at soot.Scene.loadBasicClasses(Scene.java:1718)
    at soot.Scene.loadNecessaryClasses(Scene.java:1807)
    at org.eclipse.steady.cg.soot.SootCallgraphConstructor.setEntrypoints(SootCallgraphConstructor.java:356)
    at org.eclipse.steady.cg.ReachabilityAnalyzer.run(ReachabilityAnalyzer.java:398)
    at java.base/java.lang.Thread.run(Thread.java:833)

To Reproduce

Steps to reproduce the behavior: run the a2c command on a Java 17 project.

Expected behavior

The task to be completed successfully.

Steady version 3.2.5

mayaba commented 1 year ago

I'm trying to figure out the root cause and found that since the rt.jar is removed from version 9+, Soot throws the previous exception. I tried to add rt.jar manually to the classpath, but this method is not working properly if the source code is not compatible with version 8.

serenaponta commented 1 year ago

Hi @mayaba ,

thanks for reporting and for the investigation.

Could you also share which JDK you are using to run the analysis? If JDK 17 is used to run the analysis, could you also test it with JDK 11?

mayaba commented 1 year ago

Hi @serenaponta, thank you so much for the reply. I was using JDK 17 and changed to JDK 11. Now I'm getting a different error. Please note that I couldn't compile the project I'm analyzing with JDK 11, only with JDK 17.

Exception in thread "vulas-reach-1" java.lang.IllegalArgumentException: Unsupported class file major version 61
    at org.objectweb.asm.ClassReader.<init>(ClassReader.java:195)
    at org.objectweb.asm.ClassReader.<init>(ClassReader.java:176)
    at org.objectweb.asm.ClassReader.<init>(ClassReader.java:162)
    at org.objectweb.asm.ClassReader.<init>(ClassReader.java:283)
    at soot.asm.AsmClassSource.resolve(AsmClassSource.java:65)
    at soot.SootResolver.bringToHierarchyUnchecked(SootResolver.java:253)
    at soot.SootResolver.bringToHierarchy(SootResolver.java:221)
    at soot.SootResolver.bringToSignatures(SootResolver.java:292)
    at soot.SootResolver.bringToBodies(SootResolver.java:332)
    at soot.SootResolver.processResolveWorklist(SootResolver.java:171)
    at soot.SootResolver.resolveClass(SootResolver.java:141)
    at soot.Scene.loadClass(Scene.java:1009)
    at soot.Scene.loadClassAndSupport(Scene.java:994)
    at soot.Scene.loadNecessaryClasses(Scene.java:1822)
    at org.eclipse.steady.cg.soot.SootCallgraphConstructor.setEntrypoints(SootCallgraphConstructor.java:356)
    at org.eclipse.steady.cg.ReachabilityAnalyzer.run(ReachabilityAnalyzer.java:398)
    at java.base/java.lang.Thread.run(Thread.java:829)
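As an added example (not code from the Steady project or from anyone in this thread): a pre-flight check that reads the class-file major version of every class on the path to be analysed and lists the ones above the version the analyzer's bundled Soot/ASM can read, so that the "Unsupported class file major version 61" failure above is caught before the call-graph run starts. The cap of 55 (Java 11) and the contents of the sample jar are assumptions made for the demonstration.

```python
import struct
import tempfile
import zipfile
from pathlib import Path
MAJOR_TO_JAVA = {  # class-file major version -> Java release (JVM spec, Table 4.1-A)
    52: "8", 53: "9", 54: "10", 55: "11", 56: "12", 57: "13", 58: "14",
    59: "15", 60: "16", 61: "17", 62: "18", 63: "19", 64: "20", 65: "21"}

def class_major_version(data: bytes) -> int:
    """Parse the class-file header: u4 magic, u2 minor_version, u2 major_version."""
    if len(data) < 8 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    return struct.unpack(">HH", data[4:8])[1]

def iter_class_bytes(path):
    """Yield (name, bytes) for each .class in a jar/war or directory. META-INF/versions/
    entries are skipped: a multi-release jar loads them only on a matching JDK."""
    p = Path(path)
    if p.suffix.lower() in (".jar", ".war", ".zip"):
        with zipfile.ZipFile(p) as zf:
            for name in zf.namelist():
                if name.endswith(".class") and not name.startswith("META-INF/versions/"):
                    yield name, zf.read(name)
    else:
        for f in p.rglob("*.class"):
            yield str(f), f.read_bytes()

def check_classpath(path, max_supported_major: int):
    """Return (highest_major, offenders): offenders are the entries Soot's bundled ASM
    would reject with 'Unsupported class file major version <n>'."""
    highest, offenders = 0, []
    for name, data in iter_class_bytes(path):
        try:
            major = class_major_version(data)
        except ValueError:
            continue  # an entry that merely ends in .class
        highest = max(highest, major)
        if major > max_supported_major:
            offenders.append((name, major))
    return highest, offenders

def build_sample_jar() -> str:
    """Write a constructed sample jar (8-byte headers only) mixing Java 8 and 17 classes."""
    hdr = lambda major: b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, major)
    tmp = tempfile.NamedTemporaryFile(suffix=".jar", delete=False)
    tmp.close()
    with zipfile.ZipFile(tmp.name, "w") as zf:
        zf.writestr("com/example/Legacy.class", hdr(52))
        zf.writestr("com/example/Modern.class", hdr(61))
        zf.writestr("META-INF/versions/17/com/example/Mr.class", hdr(61))
    return tmp.name
```

Running `check_classpath(build_sample_jar(), 55)` reports a highest major of 61 (Java 17) and flags only `com/example/Modern.class`; point it at the real jar or `target/classes` of the project before starting the a2c goal.
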

serenaponta commented 1 year ago

Hi @mayaba ,

the version of soot used within steady 3.2.5 does not support JDK 17. I updated soot in a new PR #589. Preliminary tests show that the exception you reported is not thrown any longer. It would be greatly appreciated if you could test the PR (steady 3.2.6-SNAPSHOT) on your java 17 project.

mayaba commented 1 year ago

Hi @serenaponta,

Great news. Thank you so much for your help. Will test it and let you know the result.

mayaba commented 1 year ago

Hi @serenaponta, I wasn't able to locate this version steady 3.2.6-SNAPSHOT. Seems that the Jenkins pipeline has failed. https://ci.eclipse.org/steady/job/Steady%20Pipeline/job/PR-589/1/console

mayaba commented 1 year ago

Hi @serenaponta, I see that WALA recently released a version (v1.6.1) that supports JDK 17 https://github.com/wala/WALA/releases/tag/v1.6.1

I see that they changed the method AnalysisScopeReader.makeJavaBinaryAnalysisScope to AnalysisScopeReader.instance.makeJavaBinaryAnalysisScope, and they added an extra parameter for the method Util.makeZeroCFABuilder which, apparently, should be Language.JAVA.

mayaba commented 11 months ago

Hi @serenaponta,

I opened a PR to resolve this issue: https://github.com/eclipse/steady/pull/593

mayaba commented 11 months ago

This problem is solved by the PR #593. Static reachability analysis is now supported with the WALA option.