eclipse / steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/
Apache License 2.0

Update soot to latest version #589

Open serenaponta opened 1 year ago

serenaponta commented 1 year ago

Updated the Soot version to 4.4.1, as the previously used version (4.1.0) didn't support JDK 17.

henrikplate commented 11 months ago

Compilation error:

org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.8.1:compile (default-compile) on project lang-java-reach-soot: Compilation failure
/home/jenkins/agent/workspace/Steady_Pipeline_PR-589/lang-java-reach-soot/src/main/java/org/eclipse/steady/cg/soot/CustomEntryPointCreator.java:[24,25] cannot find symbol
  symbol:   class LocalGenerator
  location: package soot.javaToJimple

henrikplate commented 11 months ago

@mayaba - Serena updated Soot following #588. Do you mind checking whether your app can also be analyzed with Java 17 + Soot (even though Wala already works with Java 17)?

mayaba commented 11 months ago

@henrikplate I just started the a2c test with the same Java 17 project I tested with WALA. The old exception is gone, but I faced a different one:

2023-08-28 14:59:34,796 [vulas-reach-1] [INFO ] .soot.SootCallgraphConstructor - [7033] entry points set
2023-08-28 14:59:34,796 [vulas-reach-1] [INFO ] .soot.SootCallgraphConstructor - Starting call graph construction for [PROJECT-NAME:VERSION]
Exception in thread "vulas-reach-1" java.lang.RuntimeException: Failed to convert <org.objectweb.asm.AnnotationVisitor: void visit(java.lang.String,java.lang.Object)>
    at soot.asm.AsmMethodSource.getBody(AsmMethodSource.java:2249)
    at soot.SootMethod.retrieveActiveBody(SootMethod.java:447)
    at soot.jimple.toolkits.annotation.LineNumberAdder.internalTransform(LineNumberAdder.java:63)
    at soot.PackManager.runPacksNormally(PackManager.java:496)
    at soot.PackManager.runPacks(PackManager.java:425)
    at org.eclipse.steady.cg.soot.SootCallgraphConstructor.buildCallgraph(SootCallgraphConstructor.java:418)
    at org.eclipse.steady.cg.ReachabilityAnalyzer.run(ReachabilityAnalyzer.java:399)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.RuntimeException: Trying to create virtual invoke expression for interface type (org.objectweb.asm.AnnotationVisitor in file unknown). Use JInterfaceInvokeExpr instead!
    at soot.jimple.internal.JVirtualInvokeExpr.<init>(JVirtualInvokeExpr.java:51)
    at soot.jimple.Jimple.newVirtualInvokeExpr(Jimple.java:469)
    at soot.asm.AsmMethodSource.convertMethodInsn(AsmMethodSource.java:1433)
    at soot.asm.AsmMethodSource.convert(AsmMethodSource.java:1965)
    at soot.asm.AsmMethodSource.getBody(AsmMethodSource.java:2247)
    ... 7 more

henrikplate commented 11 months ago

@mayaba - Thank you for checking! Looking at the stack trace, this may be a problem in re-bundled ASM code. Is the application you use for testing open source or proprietary?

mayaba commented 11 months ago

@henrikplate I'm testing a proprietary project. I can try with an open source one. Give me a min.

mayaba commented 11 months ago

Hi @henrikplate, I wrote a unit test to test Soot with a Java 17 compiled JAR and it worked perfectly. I used the same JAR I used with the WALA unit test.

mayaba commented 11 months ago

@henrikplate I wasn't able to push to this PR, so I created a different one: https://github.com/eclipse/steady/pull/595. I will test the change with an open source project that is written in Java 17 later.