Merge pull request #76 from secure-software-engineering/develop

Prepare for release 3.2.3

Author: swissiety

.github/workflows/deploy.yml

@@ -28,3 +28,18 @@ jobs:
           SIGN_KEY_PASS: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
           OSSRH_USERNAME: ${{ secrets.SONATYPE_USER }}
           OSSRH_PASSWORD: ${{ secrets.SONATYPE_PW }}
+
+  synchronize:
+    runs-on: ubuntu-latest
+    needs: deployment
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Synchronize master and develop
+        run: |
+          gh pr create -B develop -H master -t "Synchronize version in master and develop" -b "Update the version in `develop` from `master`"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

SparseBoomerangCorrectness/pom.xml

@@ -25,7 +25,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>33.3.1-jre</version>
+            <version>33.4.0-jre</version>
         </dependency>
     </dependencies>
 

boomerangPDS/src/main/java/boomerang/example/ExampleMain2.java

@@ -157,7 +157,7 @@ protected Collection<? extends Query> generate(Edge cfgEdge) {
               solver.solve((ForwardQuery) query);
 
           // 3. Process forward results
-          Table<Edge, Val, NoWeight> results = forwardBoomerangResults.asStatementValWeightTable();
+          Table<Edge, Val, NoWeight> results = forwardBoomerangResults.asEdgeValWeightTable();
           for (Edge s : results.rowKeySet()) {
             // 4. Filter results based on your use statement, in our case the call of
             // System.out.println(n.nested.field)

boomerangPDS/src/main/java/boomerang/guided/DemandDrivenGuidedAnalysis.java

@@ -90,7 +90,7 @@ public QueryGraph<NoWeight> run(Query query) {
         }
 
         Table<Edge, Val, NoWeight> forwardResults =
-            results.asStatementValWeightTable((ForwardQuery) pop.query);
+            results.asEdgeValWeightTable((ForwardQuery) pop.query);
         // Any ForwardQuery may trigger additional ForwardQuery under its own scope.
         triggerNewBackwardQueries(forwardResults, currentQuery, QueryDirection.FORWARD);
       } else {
@@ -103,16 +103,14 @@ public QueryGraph<NoWeight> run(Query query) {
                   (BackwardQuery) pop.query, pop.triggeringNode, pop.parentQuery);
         }
         Table<Edge, Val, NoWeight> backwardResults =
-            solver.getBackwardSolvers().get(query).asStatementValWeightTable();
+            solver.getBackwardSolvers().get(query).asEdgeValWeightTable();
 
         triggerNewBackwardQueries(backwardResults, pop.query, QueryDirection.BACKWARD);
         Map<ForwardQuery, Context> allocationSites = results.getAllocationSites();
 
         for (Entry<ForwardQuery, Context> entry : allocationSites.entrySet()) {
           triggerNewBackwardQueries(
-              results.asStatementValWeightTable(entry.getKey()),
-              entry.getKey(),
-              QueryDirection.FORWARD);
+              results.asEdgeValWeightTable(entry.getKey()), entry.getKey(), QueryDirection.FORWARD);
         }
       }
     }

boomerangPDS/src/main/java/boomerang/results/AbstractBoomerangResults.java

@@ -58,7 +58,11 @@ public void computeUnmatchedOpeningContext(
             new OpeningCallStackExtracter<>(initialState, initialState, context, forwardSolver));
   }
 
-  public Table<Edge, Val, W> asStatementValWeightTable(ForwardQuery query) {
+  public Table<Edge, Val, W> asEdgeValWeightTable(ForwardQuery query) {
+    return queryToSolvers.getOrCreate(query).asEdgeValWeightTable();
+  }
+
+  public Table<Statement, Val, W> asStatementValWeightTable(ForwardQuery query) {
     return queryToSolvers.getOrCreate(query).asStatementValWeightTable();
   }
 

boomerangPDS/src/main/java/boomerang/results/ForwardBoomerangResults.java

@@ -27,6 +27,8 @@
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Table;
+import java.util.Collection;
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -95,7 +97,7 @@ public Table<Edge, Val, W> getObjectDestructingStatements() {
     if (solver == null) {
       return HashBasedTable.create();
     }
-    Table<Edge, Val, W> res = asStatementValWeightTable();
+    Table<Edge, Val, W> res = asEdgeValWeightTable();
     Set<Method> visitedMethods = Sets.newHashSet();
     for (Edge s : res.rowKeySet()) {
       visitedMethods.add(s.getMethod());
@@ -138,7 +140,11 @@ public void onCallerAdded(Statement callSite, Method m) {
     return destructingStatement;
   }
 
-  public Table<Edge, Val, W> asStatementValWeightTable() {
+  public Table<Edge, Val, W> asEdgeValWeightTable() {
+    return asEdgeValWeightTable(query);
+  }
+
+  public Table<Statement, Val, W> asStatementValWeightTable() {
     return asStatementValWeightTable(query);
   }
 
@@ -212,6 +218,22 @@ public Map<Edge, DeclaredMethod> getInvokedMethodOnInstance() {
     return invokedMethodsOnInstance;
   }
 
+  /**
+   * Get all statements that contain an invoke expression belonging to the original seed.
+   *
+   * @return the statements that contain invoke expressions belonging to the original seed.
+   */
+  public Collection<Statement> getInvokeStatementsOnInstance() {
+    Collection<Statement> statements = new HashSet<>();
+
+    Map<Edge, DeclaredMethod> callsOnObject = getInvokedMethodOnInstance();
+    for (Edge edge : callsOnObject.keySet()) {
+      statements.add(edge.getStart());
+    }
+
+    return statements;
+  }
+
   public QueryResults getPotentialNullPointerDereferences() {
     // FIXME this should be located nullpointer analysis
     Set<Node<Edge, Val>> res = Sets.newHashSet();

boomerangPDS/src/main/java/boomerang/solver/AbstractBoomerangSolver.java

@@ -27,7 +27,6 @@
 import boomerang.scene.Type;
 import boomerang.scene.Val;
 import boomerang.util.RegExAccessPath;
-import com.google.common.base.Stopwatch;
 import com.google.common.collect.HashBasedTable;
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.Lists;
@@ -227,9 +226,9 @@ public void synchedReachable(
         });
   }
 
-  public Table<Edge, Val, W> asStatementValWeightTable() {
+  public Table<Edge, Val, W> asEdgeValWeightTable() {
     final Table<Edge, Val, W> results = HashBasedTable.create();
-    Stopwatch sw = Stopwatch.createStarted();
+
     WeightedPAutomaton<Edge, INode<Val>, W> callAut = getCallAutomaton();
     for (Entry<Transition<Edge, INode<Val>>, W> e :
         callAut.getTransitionsToFinalWeights().entrySet()) {
@@ -243,6 +242,25 @@ public Table<Edge, Val, W> asStatementValWeightTable() {
     return results;
   }
 
+  public Table<Statement, Val, W> asStatementValWeightTable() {
+    Table<Statement, Val, W> results = HashBasedTable.create();
+
+    WeightedPAutomaton<Edge, INode<Val>, W> callAut = getCallAutomaton();
+    for (Entry<Transition<Edge, INode<Val>>, W> e :
+        callAut.getTransitionsToFinalWeights().entrySet()) {
+      Transition<Edge, INode<Val>> t = e.getKey();
+      W w = e.getValue();
+
+      if (t.getLabel().equals(new Edge(Statement.epsilon(), Statement.epsilon()))) continue;
+      if (t.getStart().fact().isLocal()
+          && !t.getLabel().getMethod().equals(t.getStart().fact().m())) continue;
+
+      results.put(t.getLabel().getStart(), t.getStart().fact(), w);
+    }
+
+    return results;
+  }
+
   protected void addPotentialUnbalancedFlow(
       Method callee, Transition<ControlFlowGraph.Edge, INode<Val>> trans, W weight) {
     if (unbalancedDataFlows.put(callee, new UnbalancedDataFlow<>(callee, trans))) {

boomerangPDS/src/test/java/boomerang/guided/CustomFlowFunctionTest.java

@@ -23,6 +23,7 @@
 import boomerang.scene.jimple.SootCallGraph;
 import boomerang.solver.BackwardBoomerangSolver;
 import com.google.common.collect.Lists;
+import com.google.common.collect.Table;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.List;
@@ -107,11 +108,11 @@ public void killOnSystemExitForwardTest() {
 
     System.out.println("Solving query: " + query);
     ForwardBoomerangResults<NoWeight> res = solver.solve(query);
-    System.out.println(res.asStatementValWeightTable());
+    System.out.println(res.asEdgeValWeightTable());
 
     boolean t =
         res.asStatementValWeightTable().cellSet().stream()
-            .map(c -> c.getRowKey().getTarget())
+            .map(Table.Cell::getRowKey)
             .anyMatch(
                 statement ->
                     statement.containsInvokeExpr()

boomerangPDS/src/test/java/test/cases/bugfixes/Repro.java

@@ -9,9 +9,9 @@
 import boomerang.scene.jimple.*;
 import com.google.common.collect.Sets;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
-import java.util.Map.Entry;
 import java.util.Set;
 import org.junit.Test;
 import soot.*;
@@ -70,7 +70,7 @@ private static void analyze(String... expectedCallSignatureOnFoo) {
     PackManager.v().getPack("wjtp").apply();
   }
 
-  private static Map<Edge, DeclaredMethod> getMethodsInvokedFromInstanceInStatement(
+  private static Collection<Statement> getMethodsInvokedFromInstanceInStatement(
       Statement queryStatement) {
     Val var = new AllocVal(queryStatement.getLeftOp(), queryStatement, queryStatement.getRightOp());
     ForwardQuery fwq =
@@ -83,7 +83,7 @@ private static Map<Edge, DeclaredMethod> getMethodsInvokedFromInstanceInStatemen
             var);
     Boomerang solver = new Boomerang(new SootCallGraph(), SootDataFlowScope.make(Scene.v()), opts);
     ForwardBoomerangResults<NoWeight> results = solver.solve(fwq);
-    return results.getInvokedMethodOnInstance();
+    return results.getInvokeStatementsOnInstance();
   }
 
   static class ReproTransformer extends SceneTransformer {
@@ -115,13 +115,14 @@ protected void internalTransform(String name, Map<String, String> options) {
 
       // This will only show results if set_exclude above gets uncommented
       System.out.println("\nFoo invoked methods:");
-      Set<Entry<Edge, DeclaredMethod>> entries =
-          getMethodsInvokedFromInstanceInStatement(newFoo).entrySet();
+      Collection<Statement> statements = getMethodsInvokedFromInstanceInStatement(newFoo);
       Set<String> methodCalledOnFoo = Sets.newHashSet();
-      for (Map.Entry<Edge, DeclaredMethod> e : entries) {
-        System.out.println("\t" + e.getKey().toString());
-        System.out.println("\t\t" + e.getValue().toString());
-        methodCalledOnFoo.add(e.getValue().toString());
+      for (Statement s : statements) {
+        System.out.println("\t" + s);
+
+        DeclaredMethod calledMethod = s.getInvokeExpr().getMethod();
+        System.out.println("\t\t" + calledMethod);
+        methodCalledOnFoo.add(calledMethod.toString());
       }
 
       assert methodCalledOnFoo.equals(Sets.newHashSet(expectedCalledMethodsOnFoo));

boomerangScope-WALA/pom.xml

@@ -9,7 +9,7 @@
     <artifactId>boomerangScope-WALA</artifactId>
 
     <properties>
-        <wala.version>1.6.7</wala.version>
+        <wala.version>1.6.9</wala.version>
     </properties>
     <dependencies>
         <dependency>