eclipse / steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/
Apache License 2.0

how to get potentially or actually executable of vuln. code when scan source code? #590

Open momo-tong opened 1 year ago

momo-tong commented 1 year ago

Question: how do I get the "potentially executable" or "actually executable" status of vulnerable code when scanning a pom.xml, and where do I need to put the source code?

To Reproduce

Analyzed project: ch.qos.logback : logback-classic : 1.1.11
Pom.xml from: https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.pom, and I put pom.xml in the ../app path

Same info in steady-custom.properties:

    vulas.core.appContext.group = ch.qos.logback
    vulas.core.appContext.artifact = logback-classic
    vulas.core.appContext.version = 1.1.11
    vulas.core.app.appPrefixes = logback-classic
    vulas.core.app.sourceDir = app
    vulas.core.uploadEnabled = true
    vulas.reach.wala.callgraph.reflection = NO_FLOW_TO_CASTS_NO_METHOD_INVOKE
    vulas.reach.timeout = 120
    vulas.core.instr.sourceDir =
    vulas.core.instr.targetDir = vulas/target
    vulas.core.instr.includeDir = vulas/include
    vulas.core.instr.libDir = vulas/lib
    vulas.core.instr.instrumentorsChoosen = org.eclipse.steady.java.monitor.trace.SingleTraceInstrumentor
    vulas.core.instr.searchRecursive = true

Commands that I use:

    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal app
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal a2c
    sudo cd app
    sudo mvn compile org.eclipse.steady:plugin-maven:3.2.5:prepare-agent
    sudo cd ..
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal instr
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal t2c
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal checkcode
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
    sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal report

In case of bugs in a Web frontend:

  1. Vulnerabilities: 2
  2. Inclusion of vulnerable code displays a "Yellow hourglass"
  3. Static Analysis and Dynamic Analysis display nothing

henrikplate commented 1 year ago

If you run the Steady CLI via java steady-cli-3.2.5-jar-with-dependencies.jar, the setting vulas.core.app.appPrefixes should specify a Java package namespace (or multiple ones) that can be used to uniquely identify the project code, in this case probably ch.qos.logback or similar.

However, I would generally recommend using Steady's Maven plugin where possible. The invocation and configuration is much easier.

momo-tong commented 1 year ago

Thanks for your reply. I understand how to set the vulas.core.app.appPrefixes parameter. However, I want to know what directory the source code should be in (or whether to just put it in the app directory), and how to configure this in the steady-custom.properties file. I tried using pom.xml in the app directory without including the source code, so I can't get Static Analysis and Dynamic Analysis in the Web frontend. Can you just give me an example? Looking forward to your reply.

henrikplate commented 1 year ago

If the project you're analyzing has a pom.xml, I suggest using the Maven plugin. You can do so either by adding a profile to the POM or by calling the plugin with the fully-qualified name from the command line as follows (also see here for more information): mvn compile org.eclipse.steady:plugin-maven:3.2.5:app, for example, calls the app goal on the Maven project. As soon as you use the Maven plugin, you do not need to specify appPrefixes at all, since the sources directory will be discovered automatically.
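The two points made in this thread (appPrefixes must be a Java package namespace such as ch.qos.logback rather than an artifactId such as logback-classic, and the Maven plugin can be called by its fully-qualified name without a POM profile) can be turned into a small pre-flight check. The script below is an added example and is not code from the eclipse/steady project; the property key names and the plugin coordinates are those shown in the thread, the sample properties file it writes is constructed from the reporter's values, and the `prop_value`, `valid_app_prefixes` and `steady_mvn_cmd` helpers are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example, not part of eclipse/steady. Checks the
# vulas.core.app.appPrefixes value of a steady-custom.properties file
# (must be a Java package namespace, not an artifactId) and prints the
# Maven-plugin invocation recommended in the thread.

# Print the value of KEY from a simple "key = value" properties FILE
# (first occurrence only; line continuations are not handled).
prop_value() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1
}

# Succeed (exit 0) only if every comma-separated entry looks like a Java
# package namespace: dotted identifiers, no hyphens, no empty entries.
# Java's '$' in identifiers is deliberately not accepted here.
valid_app_prefixes() {
    bad=$(printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' \
          | grep -Evc '^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$' || true)
    [ "$bad" -eq 0 ]
}

# Build the command line from the thread for running one plugin goal
# (e.g. app or report) with plugin VERSION, using the fully-qualified
# plugin name so that no POM profile is required.
steady_mvn_cmd() {
    version=$1; goal=$2
    printf 'mvn compile org.eclipse.steady:plugin-maven:%s:%s' "$version" "$goal"
}

# --- demo on a constructed steady-custom.properties mirroring the thread ---
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
vulas.core.appContext.group = ch.qos.logback
vulas.core.appContext.artifact = logback-classic
vulas.core.appContext.version = 1.1.11
vulas.core.app.appPrefixes = logback-classic
vulas.core.app.sourceDir = app
EOF

prefixes=$(prop_value "$tmp" vulas.core.app.appPrefixes)
if valid_app_prefixes "$prefixes"; then
    echo "appPrefixes '$prefixes' is a package namespace: ok"
else
    echo "appPrefixes '$prefixes' is not a Java package namespace;" \
         "use e.g. $(prop_value "$tmp" vulas.core.appContext.group)"
fi
echo "Maven plugin alternative: $(steady_mvn_cmd 3.2.5 app)"
rm -f "$tmp"
```

Run against the reporter's values the check rejects `logback-classic` and suggests the group id `ch.qos.logback` instead, which matches the answer above; against a project driven through the Maven plugin the appPrefixes check is not needed at all, and only the printed `mvn compile org.eclipse.steady:plugin-maven:3.2.5:app` line applies.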