matt-elson / lapse-plus

Automatically exported from code.google.com/p/lapse-plus

NullPointer Exception due to an insufficient symbol table #1

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hi folks,

I was very glad to find the code of Livshits' work and tested it with an 
industrial case study, available at our institute. During the test a null 
pointer exception popped up during the "Find sinks" process.
The source of the exception is the SourceViewClass and a simple patch, which 
fixes my problem and a reproducer, is attached.

The fix solves the symptom but it does not solve the real problem, which is the 
underlying symbol table implemented in DeclarationInfoManager, which does a 
very rough estimation of the available symbols since it does not handle 
inherited fields.

Regards

Bernhard

Original issue reported on code.google.com by berge...@googlemail.com on 28 Jul 2011 at 4:43
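
The gap described in the report above, as an added example in Java (not lapse+ code and not the attached patch): a symbol table that only knows a class's own fields returns null for an inherited one, while a lookup that walks the superclass chain resolves it and treats anything still unknown as non-constant instead of dereferencing null. The class, method and sample names are hypothetical.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
// Simplified model, not lapse+ code: every type and method name here is hypothetical.
public class InheritedFieldLookup {
    /** One class: its superclass name (null if none) and the fields it declares itself. */
    record ClassDecl(String superName, Map<String, String> fieldInit) {}
    private final Map<String, ClassDecl> classes = new HashMap<>();

    void declare(String name, String superName, Map<String, String> fieldInit) {
        classes.put(name, new ClassDecl(superName, fieldInit));
    }

    /** Flat lookup: sees only fields declared in the class itself, null for inherited ones. */
    String flatLookup(String cls, String field) {
        ClassDecl d = classes.get(cls);
        return d == null ? null : d.fieldInit().get(field);
    }

    /** Walks the superclass chain; empty when the symbol cannot be found. */
    Optional<String> resolve(String cls, String field) {
        Set<String> seen = new HashSet<>(); // stops on a cyclic hierarchy in broken input
        String c = cls;
        while (c != null && seen.add(c)) {
            ClassDecl d = classes.get(c);
            if (d == null) return Optional.empty(); // superclass outside the analysed sources
            String init = d.fieldInit().get(field);
            if (init != null) return Optional.of(init);
            c = d.superName();
        }
        return Optional.empty();
    }

    /** Unresolved symbols count as non-constant, so the sink stays reported. */
    boolean isStringConstant(String cls, String field) {
        return resolve(cls, field).map(i -> i.startsWith("\"")).orElse(false);
    }

    public static void main(String[] args) {
        InheritedFieldLookup t = new InheritedFieldLookup();
        // Constructed sample: BaseDao declares TABLE, UserDao inherits it.
        t.declare("BaseDao", null, Map.of("TABLE", "\"users\""));
        t.declare("UserDao", "BaseDao", Map.of());
        System.out.println("flat lookup:   " + t.flatLookup("UserDao", "TABLE"));
        System.out.println("inherited:     " + t.isStringConstant("UserDao", "TABLE"));
        System.out.println("unknown field: " + t.isStringConstant("UserDao", "query"));
    }
}
```

Records need Java 16 or later.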

GoogleCodeExporter commented 8 years ago
Hi,

I have reproduced the same problem symptoms even in Eclipse HELIOS.

Eclipse Versions used: Eclipse Helios, Eclipse Helios SR1, Eclipse Helios SR2. 
All of them for Linux x64.

Am I missing something during plugin installation? (As it is supposed to be 
compatible with HELIOS).

I've also tried the plugin in JUNO as a first attempt, but no success.

Hope to get an answer since this seems to be an old issue.

Thanks in advance! :)

Original comment by morenois...@gmail.com on 24 Mar 2013 at 2:01

GoogleCodeExporter commented 8 years ago
Please, I want a symbol table for a Java compiler. 
Contact me at 
https://www.facebook.com/engolfat.ameen?ref=tn_tnmn

Original comment by olfatam...@gmail.com on 18 May 2013 at 7:16

GoogleCodeExporter commented 8 years ago
Hi, can anyone please tell me how to apply that nullpointerbug patch?
Thanks
Azizun

Original comment by azi...@gmail.com on 7 Jun 2013 at 8:58

GoogleCodeExporter commented 8 years ago
Hi Azizun,

Normally you have to use a patch program 
(http://en.wikipedia.org/wiki/Patch_(Unix)). But take a look at the patch 
itself. Check out the lapse+ source code. Load the Eclipse project. Open 
fuentes/lapsePlus/views/SourceView.java. Replace the lines starting with - and 
add those with a + in front. That's all.

Regards, Bernhard

Original comment by berge...@googlemail.com on 8 Jun 2013 at 5:53

GoogleCodeExporter commented 8 years ago
Thanks Bernhard for the reply. Looks like to check out the code I need an SVN 
client installed, or is there a way to download the source as a Zip (I'd like to avoid any 
installation if I can)? And once I load that project in Eclipse and change 
those lines, I need to build it to get a new jar and then replace my current 
lapse jar with this new jar - is that a correct assumption?
Thanks
Azizun

Original comment by azi...@gmail.com on 11 Jun 2013 at 2:50

GoogleCodeExporter commented 8 years ago
Hi Azizun,

I forked a copy of this repository today that can be found at GitHub 
(https://github.com/bergerbd/lapse-plus). This project looks orphaned. 
Furthermore, I applied the patch and created an update site 
(http://update.security-comprehension.org/lapsePlus). Just add it to your 
available update sites and install lapse plus.

Regards,

Bernhard

Original comment by berge...@googlemail.com on 12 Jun 2013 at 7:28

GoogleCodeExporter commented 8 years ago
Hi Bernhard, 
Hi all,

I'm also facing these annoying NPEs in lapse-plus 2.8.1 for Eclipse Helios. 
And I'm very happy you provided your own fork trying to fix them. Thank you so 
much!

However, it seems that your fix does not affect the NPE that occurs while 
finding sinks in 'Vulnerability Sinks' view, at least in my environment. I get 
some results and then at some point it crashes.

The stack trace from console log is as follows (is there a typo in 
SinkView.isStringContant? ;-)):
java.lang.NullPointerException
        at lapsePlus.views.SinkView.isStringContant(SinkView.java:810)
        at lapsePlus.views.SinkView.isStringContant(SinkView.java:790)
        at lapsePlus.views.SinkView$4.run(SinkView.java:721)
        at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)

Any help would be appreciated.

Btw: Why is there so little activity in such a wonderful project?

Br,
nyc2

Original comment by st.fren...@gmail.com on 18 Jun 2013 at 5:15

GoogleCodeExporter commented 8 years ago
Hi nyc2,

I have filed a bug and will take a look at it: 
https://github.com/bergerbd/lapse-plus/issues/2 . Everyone who wants to 
volunteer for lapse+ is welcome. ;-)

Bernhard

Original comment by berge...@googlemail.com on 18 Jun 2013 at 5:26

GoogleCodeExporter commented 8 years ago
Hi,

I have added some additional code to check for null. If I find some time, 
I have to dig deeper into this problem. Nevertheless, you can try to update your 
plugin from the mentioned update site. I have to learn more about release management 
for Eclipse plugins and hope it will work for you, too.

Bernhard

Original comment by berge...@googlemail.com on 18 Jun 2013 at 6:18

GoogleCodeExporter commented 8 years ago
Hi Bernhard,

Eclipse recognized and installed an update. However, the exception still 
remains at the very same line and typo:
java.lang.NullPointerException
        at lapsePlus.views.SinkView.isStringContant(SinkView.java:810)
        at lapsePlus.views.SinkView.isStringContant(SinkView.java:790)
        at lapsePlus.views.SinkView$4.run(SinkView.java:721)
        at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)

Did the rebuild properly work?

Br,
nyc2

Original comment by st.fren...@gmail.com on 18 Jun 2013 at 7:55

GoogleCodeExporter commented 8 years ago
Hi,

I had to understand Eclipse feature and plugin versioning and there was another 
bug. Now I tested the update mechanism and it works. Can you try to update the 
feature? I hope it is going to work. If you still have the same problem (look 
for the typo in the exception. I fixed the name, too) you have to uninstall all 
old lapse+ versions. The current version is 2.8.3....

Regards, Bernhard 

Original comment by berge...@googlemail.com on 19 Jun 2013 at 10:38

GoogleCodeExporter commented 8 years ago
Hi Bernhard,

The automatic update worked and the NPE disappeared, good work, thank you!

Are there any plans on your side to further enhance lapse+ and integrate new 
features? E.g. lapse+ claims to be a security scanner for JEE applications but 
doesn't support any JEE APIs like JPA or JSF at all (servlet API seems to be 
the only exception).

To enhance lapse+ API support it's sufficient to add sink nodes to sinks.xml, 
isn't it?
E.g.
<sink id="javax.persistence.EntityManager.createQuery(String)">
   <paramCount>1</paramCount>
   <vulnParam>0</vulnParam>
   <category>SQL Injection</category>
</sink>

However, in order to support JSF vulnerability sources, it would be necessary 
to parse XHTMLs in addition to Java sources as well?

Br,
nyc2

Original comment by st.fren...@gmail.com on 20 Jun 2013 at 5:37

GoogleCodeExporter commented 8 years ago
Hi,

I'm glad it's working for you. I filed a feature request here: 
https://github.com/bergerbd/lapse-plus/issues/8 . And I will answer it. ;)

Regards,
Bernhard 

Original comment by berge...@googlemail.com on 20 Jun 2013 at 7:01

GoogleCodeExporter commented 8 years ago
Thanks Bernhard and all who are involved in this thread. I'm very glad to know 
there are people interested in this project. I had lost all expectations after 
some time with no answers since my post on Mar 23 in this thread. I'm willing 
to find some time to get hands on this project!

Regards,

Isidro.

Original comment by morenois...@gmail.com on 20 Jun 2013 at 12:29