Open momo-tong opened 1 year ago
If you run the Steady CLI via java steady-cli-3.2.5-jar-with-dependencies.jar, the setting vulas.core.app.appPrefixes should specify a Java package namespace (or multiple ones) that can be used to uniquely identify the project code, in this case probably ch.qos.logback or similar.
However, I would generally recommend using Steady's Maven plugin where possible. The invocation and configuration are much easier.
Thanks for your reply. I understand how to set the vulas.core.app.appPrefixes parameter. However, I want to know what directory the source code should be in, or whether to just put it in the app directory, and how to configure this in the steady-custom.properties file.
I tried using pom.xml in the app directory, without including source code. So, I can't get Static Analysis and Dynamic Analysis in the Web frontend. Can you just give me an example? Looking forward to your reply.
If the project you're analyzing has a pom.xml, I suggest using the Maven plugin. You can do so either by adding a profile to the POM or by calling the plugin with the fully-qualified name from the command line as follows (also see here for more information): mvn compile org.eclipse.steady:plugin-maven:3.2.5:app, for example, calls the app goal on the Maven project. As soon as you use the Maven plugin, you do not need to specify appPrefixes at all, since the sources directory will be discovered automatically.
Question
How to get potentially or actually executable of vuln. code when scanning pom.xml, and where do I need to put the source code?
To Reproduce
Analyzed project: ch.qos.logback : logback-classic : 1.1.11
Pom.xml from: https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.pom
and I put pom.xml in the ../app path
Same info in steady-custom.properties

    vulas.core.appContext.group = ch.qos.logback
    vulas.core.appContext.artifact = logback-classic
    vulas.core.appContext.version = 1.1.11
    vulas.core.app.appPrefixes = logback-classic
    vulas.core.app.sourceDir = app
    vulas.core.uploadEnabled = true
    vulas.reach.wala.callgraph.reflection = NO_FLOW_TO_CASTS_NO_METHOD_INVOKE
    vulas.reach.timeout = 120
    vulas.core.instr.sourceDir =
    vulas.core.instr.targetDir = vulas/target
    vulas.core.instr.includeDir = vulas/include
    vulas.core.instr.libDir = vulas/lib
    vulas.core.instr.instrumentorsChoosen = org.eclipse.steady.java.monitor.trace.SingleTraceInstrumentor
    vulas.core.instr.searchRecursive = true
Command that I use

    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal app
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal a2c
    sudo cd app
    sudo mvn compile org.eclipse.steady:plugin-maven:3.2.5:prepare-agent
    sudo cd ..
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal instr
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal t2c
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal checkcode
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal report
In case of bugs in a Web frontend:
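A pre-flight check for the two settings this thread turns on, as an added example that is not part of the original issue and not Steady's own code: it flags an appPrefixes value that is not a Java package namespace and a sourceDir that holds only a POM. The function names, the comma-separated prefix list and the set of file suffixes treated as analyzable code are assumptions of this sketch.

```python
import re
import tempfile
from pathlib import Path

# Dot-separated Java identifiers; a Maven artifactId such as "logback-classic" fails this.
PACKAGE = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")
CODE_SUFFIXES = {".java", ".class", ".jar", ".war"}  # assumption: what counts as analyzable code

# Constructed sample: the two relevant settings as posted in the issue.
POSTED = """\
vulas.core.app.appPrefixes = logback-classic
vulas.core.app.sourceDir = app
"""

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and comments; empty values become ''."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_config(props, base_dir):
    """Return findings that would explain an app scan with no project code in it."""
    findings = []
    raw = props.get("vulas.core.app.appPrefixes", "")
    prefixes = [p.strip() for p in raw.split(",") if p.strip()]  # assumption: comma-separated
    if not prefixes:
        findings.append("appPrefixes is empty")
    for prefix in prefixes:
        if not PACKAGE.fullmatch(prefix):
            findings.append(f"appPrefixes entry '{prefix}' is not a Java package namespace")
    src = Path(base_dir) / props.get("vulas.core.app.sourceDir", "")
    files = [f for f in src.rglob("*") if f.is_file()] if src.is_dir() else []
    if not any(f.suffix in CODE_SUFFIXES for f in files):
        findings.append(f"sourceDir '{src.name}' holds no .java/.class/.jar/.war files")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        app.mkdir()
        (app / "pom.xml").write_text("<project/>")  # only a POM, as in the report
        for finding in check_config(parse_properties(POSTED), tmp):
            print("FINDING:", finding)
```
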