soot-oss / soot

Soot - A Java optimization framework
GNU Lesser General Public License v2.1

Soot call graph did not fully parse the call chain #2064

Open NiceAsiv opened 3 months ago

NiceAsiv commented 3 months ago

Describe the bug

Soot call graph did not fully parse the call chain

The complete call chain should include the vulnerability functions in the class Book, but in the course of debugging I couldn't trace the invocation in the CallGraph from the method getTitle() within the class TestCaseDroid.test.MultilevelCall.Book to the method vulnerable(), also within the same class.

Input file

package TestCaseDroid.test.MultilevelCall;

public class LibraryApplication {
    public static void main(String[] args) {
        Library library = new Library();
        LibraryService libraryService = new LibraryService(library);

        Book book1 = new Book("Java Fundamentals", "John Doe");
        Book book2 = new Book("Advanced Java", "Jane Doe");

        libraryService.addBookToLibrary(book1);
        libraryService.addBookToLibrary(book2);

        System.out.println("Searching for 'Java Fundamentals':");
        libraryService.displayBooksByTitle("Java Fundamentals");
    }
}

package TestCaseDroid.test.MultilevelCall;

import java.util.List;

public class LibraryService {
    private Library library;

    public LibraryService(Library library) {
        this.library = library;
    }

    public void addBookToLibrary(Book book) {
        library.addBook(book);
    }

    public void displayBooksByTitle(String title) {
        List<Book> books = library.searchByTitle(title);
        for (Book book : books) {
            System.out.println(book);
        }
    }
}

package TestCaseDroid.test.MultilevelCall;

import java.util.ArrayList;
import java.util.List;

public class Library {
    private List<Book> books;

    public Library() {
        this.books = new ArrayList<>();
    }

    public void addBook(Book book) {
        books.add(book);
    }

    public List<Book> searchByTitle(String title) {
        List<Book> foundBooks = new ArrayList<>();
        for (Book book : books) {
            if (book.getTitle().equalsIgnoreCase(title)) {
                foundBooks.add(book);
                book.vulnerable();
            }
        }
        return foundBooks;
    }
}

package TestCaseDroid.test.MultilevelCall;

public class Book {
    private String title;
    private String author;

    public Book(String title, String author) {
        this.title = title;
        this.author = author;
    }

    public String getTitle() {
        vulnerable();
        return title;
    }

    public String getAuthor() {
        return author;
    }

    public void vulnerable(){
        //vulnerable code
        System.out.println("vulnerable");
    }

    @Override
    public String toString() {
        return "Book{" +
                "title='" + title + '\'' +
                ", author='" + author + '\'' +
                '}';
    }
}

// Build the call graph with CHA and fetch it from the Scene
Options.v().setPhaseOption("cg.cha", "on");
CHATransformer.v().transform();
CallGraph callGraph = Scene.v().getCallGraph();

Output

Entry method: <TestCaseDroid.test.MultilevelCall.LibraryApplication: void main(java.lang.String[])>
<TestCaseDroid.test.MultilevelCall.LibraryApplication: void main(java.lang.String[])> may call <TestCaseDroid.test.MultilevelCall.Book: void <init>(java.lang.String,java.lang.String)>
<TestCaseDroid.test.MultilevelCall.LibraryApplication: void main(java.lang.String[])> may call <TestCaseDroid.test.MultilevelCall.LibraryService: void displayBooksByTitle(java.lang.String)>
<TestCaseDroid.test.MultilevelCall.LibraryService: void displayBooksByTitle(java.lang.String)> may call <TestCaseDroid.test.MultilevelCall.Library: java.util.List searchByTitle(java.lang.String)>
<TestCaseDroid.test.MultilevelCall.Library: java.util.List searchByTitle(java.lang.String)> may call <TestCaseDroid.test.MultilevelCall.Book: void vulnerable()>
<TestCaseDroid.test.MultilevelCall.Library: java.util.List searchByTitle(java.lang.String)> may call <TestCaseDroid.test.MultilevelCall.Book: java.lang.String getTitle()>
<TestCaseDroid.test.MultilevelCall.LibraryApplication: void main(java.lang.String[])> may call <TestCaseDroid.test.MultilevelCall.LibraryService: void addBookToLibrary(TestCaseDroid.test.MultilevelCall.Book)>
<TestCaseDroid.test.MultilevelCall.LibraryService: void addBookToLibrary(TestCaseDroid.test.MultilevelCall.Book)> may call <TestCaseDroid.test.MultilevelCall.Library: void addBook(TestCaseDroid.test.MultilevelCall.Book)>
<TestCaseDroid.test.MultilevelCall.LibraryApplication: void main(java.lang.String[])> may call <TestCaseDroid.test.MultilevelCall.LibraryService: void <init>(TestCaseDroid.test.MultilevelCall.Library)>
<TestCaseDroid.test.MultilevelCall.LibraryApplication: void main(java.lang.String[])> may call <TestCaseDroid.test.MultilevelCall.Library: void <init>()>
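One way to query the call graph directly for the edge reported as missing, as an added example that is not part of the original issue or of Soot's own code. It assumes Soot is on the classpath and the call graph has already been built as in the snippet above; the class name `CallGraphCheck` and its helper methods are hypothetical, and the two signatures are copied from the output in the report.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import soot.Scene;
import soot.SootMethod;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;

public class CallGraphCheck {
    // Hypothetical helper; signatures are copied from the output in the report.
    static final String GET_TITLE =
        "<TestCaseDroid.test.MultilevelCall.Book: java.lang.String getTitle()>";
    static final String VULNERABLE =
        "<TestCaseDroid.test.MultilevelCall.Book: void vulnerable()>";

    /** True if the call graph holds a direct edge src -> tgt. */
    static boolean hasEdge(CallGraph cg, SootMethod src, SootMethod tgt) {
        for (Iterator<Edge> it = cg.edgesOutOf(src); it.hasNext();) {
            if (tgt.equals(it.next().tgt())) return true;
        }
        return false;
    }

    /** All methods transitively reachable from entry, following every edge. */
    static Set<SootMethod> reachableFrom(CallGraph cg, SootMethod entry) {
        Set<SootMethod> seen = new HashSet<>();
        Deque<SootMethod> work = new ArrayDeque<>();
        work.add(entry);
        while (!work.isEmpty()) {
            SootMethod m = work.poll();
            if (!seen.add(m)) continue; // already expanded
            for (Iterator<Edge> it = cg.edgesOutOf(m); it.hasNext();) {
                SootMethod t = it.next().tgt();
                if (t != null) work.add(t);
            }
        }
        return seen;
    }

    /** Call once the call graph exists, e.g. after CHATransformer.v().transform(). */
    static void report(SootMethod entry) {
        CallGraph cg = Scene.v().getCallGraph();
        SootMethod getTitle = Scene.v().getMethod(GET_TITLE);
        SootMethod vulnerable = Scene.v().getMethod(VULNERABLE);
        System.out.println("getTitle -> vulnerable: " + hasEdge(cg, getTitle, vulnerable));
        System.out.println("vulnerable reachable: " + reachableFrom(cg, entry).contains(vulnerable));
    }
}
```

`Scene.v().getMethod` throws a `RuntimeException` when a signature is not present in the Scene, so a failure there points at class loading rather than at call graph construction.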

NiceAsiv commented 3 months ago

o(╥﹏╥)oo(╥﹏╥)oo(╥﹏╥)oo(╥﹏╥)oo(╥﹏╥)o