pascal-lab / Tai-e

An easy-to-learn/use static analysis framework for Java
https://tai-e.pascal-lab.net/docs/index.html
GNU Lesser General Public License v3.0

*.tir contains only the class name, the interior of the class is empty and some confusion about analyzing springweb #115

Closed YunFy26 closed 1 week ago

YunFy26 commented 3 weeks ago

Overall Description

Hello, I want to use Tai-e as a dependency to implement data flow analysis of the SpringWeb project to detect possible vulnerabilities in the SpringWeb project.

I use the WebGoat project as the project to be analyzed:

I hope to automatically extract the URL entries and perform data flow analysis on each URL entry function. I hope to extract the URL entries through the IR, but I found that the IR of all class files is as follows:

```
class org.owasp.webgoat.container.AjaxAuthenticationEntryPoint extends java.lang.Object {

}
```

Expected Behavior

*.tir should not be empty

Current Behavior

As shown above

Tai-e Arguments

Tai-e Options:

```yaml
optionsFile: null
printHelp: false
classPath:
  - WebGoat's libs...It's too long
appClassPath:
  - ../WebGoat-2023.8/target/classes
mainClass: null
inputClasses: []
javaVersion: 17
prependJVM: true
allowPhantom: true
worldBuilderClass: pascal.taie.frontend.soot.SootWorldBuilder
outputDir: output
preBuildIR: false
worldCacheMode: false
scope: APP
nativeModel: true
planFile: null
analyses:
  ir-dumper: ;
  routerAnalysis: ""
onlyGenPlan: false
keepResult:
  - $KEEP-ALL
```

Tai-e Analysis Plan:

```yaml
- id: ir-dumper
  options: {}
- id: routerAnalysis
  options: {}
```

Tai-e Log

```
Writing log to /Users/yuntsy/My/Projects/Java/WebAnalyzer/output/tai-e.log
java.version: 17.0.11
java.version.date: 2024-04-16
java.runtime.version: 17.0.11+7-LTS-207
java.vendor: Oracle Corporation
java.vendor.version: null
os.name: Mac OS X
os.version: 14.6.1
os.arch: aarch64
Tai-e Version: 0.5.1-SNAPSHOT
Tai-e Commit: af7ae19ac4b5fb5f495bcd3aebe584775d7bfb6d
Writing analysis plan to /Users/yuntsy/My/Projects/Java/WebAnalyzer/output/tai-e-plan.yml
WorldBuilder starts ...
Warning: main class was not given!
10363 classes with 99467 methods in the world
WorldBuilder finishes, elapsed time: 1.71s
ir-dumper starts ...
Dumping IR in /Users/yuntsy/My/Projects/Java/WebAnalyzer/output/tir
284 classes in scope (APP) of class analyses
ir-dumper finishes, elapsed time: 0.03s
routerAnalysis starts ...
routerAnalysis finishes, elapsed time: 0.00s
Tai-e finishes, elapsed time: 1.84s
```

Additional Information

RouterAnalysis.java

```java
package org.example;

import pascal.taie.World;
import pascal.taie.analysis.ProgramAnalysis;
import pascal.taie.config.AnalysisConfig;
import pascal.taie.language.annotation.Annotation;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/** Program-level analysis registered under the id "routerAnalysis" in the plan above. */
public class RouterAnalysis extends ProgramAnalysis {

    public static final String ID = "routerAnalysis";

    // Router is the reporter's own type; its definition is not included in the issue.
    public List<Router> routers = new ArrayList<>();

    public RouterAnalysis(AnalysisConfig config) {
        super(config);
    }

    @Override
    public Object analyze() {
        extractUrls();
        return null;
    }

    /** Walks every application class in the World and prints its class-level annotations. */
    private void extractUrls() {
        World world = World.get();
        world.getClassHierarchy().applicationClasses().forEach(jClass -> {
            Collection<Annotation> annotations = jClass.getAnnotations();
            System.out.println(annotations);
        });
    }
}
```

I want to extract all the URLs through RouterAnalysis, but the IRs of all classes are empty and I can't get any information through:

```java
World.get().getClassHierarchy().applicationClasses().forEach(jClass -> {
    Collection<Annotation> annotations = jClass.getAnnotations();
});
```

Do I need to specify input-classes? But now Tai-e has added all appClasses to Tai-e World.

If I want to perform call flow analysis on each URL entry, how should I add each URL entry as an entry point through ir?

I referred to https://github.com/pascal-lab/Tai-e/issues/19, https://github.com/pascal-lab/Tai-e/issues/9 and https://github.com/lcark/Tai-e-demo/blob/main/spring-boot-3/ExtractApi.java

But I am still a little confused about this process. Can you explain this process in detail? Thank you very much.
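A fuller version of the extraction step the post describes, added here as an example and not code from the issue or from the Tai-e project: it walks the application classes the same way, but reads the method-level Spring mapping annotations and pairs each URL with the handler method that a later data-flow analysis would treat as an entry point. It assumes the Tai-e annotation API (`getAnnotation(String)`, `Annotation.getElement(String)`, and the `StringElement`/`ArrayElement` record types) and refers to Spring's mapping annotations by their fully qualified names.

```java
package org.example;

import pascal.taie.World;
import pascal.taie.analysis.ProgramAnalysis;
import pascal.taie.config.AnalysisConfig;
import pascal.taie.language.annotation.Annotation;
import pascal.taie.language.annotation.ArrayElement;
import pascal.taie.language.annotation.Element;
import pascal.taie.language.annotation.StringElement;
import pascal.taie.language.classes.JMethod;
import java.util.ArrayList;
import java.util.List;

/** Collects (URL, handler method) pairs from Spring mapping annotations in the APP scope. */
public class RouterAnalysis extends ProgramAnalysis {
    public static final String ID = "routerAnalysis";
    private static final String PKG = "org.springframework.web.bind.annotation.";
    private static final List<String> MAPPINGS = List.of(
            PKG + "RequestMapping", PKG + "GetMapping", PKG + "PostMapping",
            PKG + "PutMapping", PKG + "DeleteMapping", PKG + "PatchMapping");
    public record Route(String url, JMethod handler) {}
    public RouterAnalysis(AnalysisConfig config) { super(config); }

    @Override
    public List<Route> analyze() {
        List<Route> routes = new ArrayList<>();
        World.get().getClassHierarchy().applicationClasses().forEach(jClass -> {
            // A class-level @RequestMapping prefixes every handler path in the class.
            String prefix = path(jClass.getAnnotation(PKG + "RequestMapping"));
            for (JMethod m : jClass.getDeclaredMethods()) {
                for (String type : MAPPINGS) {
                    Annotation a = m.getAnnotation(type);
                    if (a != null) routes.add(new Route(prefix + path(a), m));
                }
            }
        });
        return routes;
    }

    /** First "value"/"path" string of a mapping annotation, or "" when absent (assumed element model). */
    private static String path(Annotation a) {
        if (a == null) return "";
        Element e = a.getElement("value") != null ? a.getElement("value") : a.getElement("path");
        if (e instanceof ArrayElement arr && !arr.elements().isEmpty()) e = arr.elements().get(0);
        return e instanceof StringElement s ? s.value() : "";
    }
}
```

Each `Route` names one externally reachable handler; a taint or data-flow pass seeded from these methods covers exactly the request surface of the application rather than the whole class path.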

zhangt2333 commented 3 weeks ago

*.tir contains only the class name

Could you provide a reproducible example, via File Upload or GitHub Repo (e.g., https://github.com/Tai-e/Tai-e-Examples/tree/master/MinimalReproducibleExample-0069)?

YunFy26 commented 3 weeks ago

I created a repository; you can view it here: https://github.com/YunFy26/SpringAnalyzer

zhangt2333 commented 3 weeks ago

Thanks for your repo! It allowed me to reproduce the issue in just one minute. The fix has been implemented in this commit. The SNAPSHOT has been published, so you'll need to refresh 🔄 your Gradle/Maven in IntelliJ IDEA (e.g., run gradlew build --refresh-dependencies).

YunFy26 commented 3 weeks ago

ok, now *.tir can display IR correctly, thank you!