Merge pull request #518 from CROSSINGTUD/develop

Merge develop into master for new release

.github/workflows/test.yml

@@ -0,0 +1,16 @@
+name: Test Internal Action
+
+on: push
+
+jobs:
+  internal_action:
+    runs-on: ubuntu-latest
+    name: Test CryptoAnalysis Action
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v3
+      - name: Run CogniCrypt
+        uses: ./
+        with:
+          appPath: "CryptoAnalysisTargets/HelloWorld/HelloWorld.jar"
+          basePath: "CryptoAnalysisTargets/HelloWorld"

CryptoAnalysis-Android/pom.xml

@@ -46,7 +46,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.11.0</version>
+				<version>3.12.1</version>
 				<configuration>
 					<source>${maven.compiler.source}</source>
 					<target>${maven.compiler.target}</target>

CryptoAnalysis-Android/src/main/java/de/fraunhofer/iem/crypto/CogniCryptAndroidAnalysis.java

@@ -1,20 +1,26 @@
 package de.fraunhofer.iem.crypto;
 
 import java.io.File;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+
 import com.google.common.collect.Lists;
+
 import boomerang.callgraph.BoomerangICFG;
 import boomerang.callgraph.ObservableICFG;
 import boomerang.callgraph.ObservableStaticICFG;
 import boomerang.preanalysis.BoomerangPretransformer;
 import crypto.analysis.CrySLResultsReporter;
 import crypto.analysis.CryptoScanner;
 import crypto.analysis.errors.AbstractError;
+import crypto.cryslhandler.CrySLModelReader;
 import crypto.exceptions.CryptoAnalysisException;
 import crypto.reporting.CollectErrorListener;
+import crypto.reporting.CommandLineReporter;
 import crypto.rules.CrySLRule;
 import crypto.rules.CrySLRuleReader;
 import soot.Scene;
@@ -26,11 +32,10 @@
 import soot.jimple.infoflow.android.SetupApplication;
 import soot.jimple.infoflow.android.config.SootConfigForAndroid;
 import soot.options.Options;
-import crypto.cryslhandler.CrySLModelReader;
-import crypto.reporting.CommandLineReporter;
 
 public class CogniCryptAndroidAnalysis {
-	public static void main(String... args) {
+
+	public static void main(String... args) throws CryptoAnalysisException {
 		CogniCryptAndroidAnalysis analysis;
 		if (args[3] != null) {
 			analysis = new CogniCryptAndroidAnalysis(args[0], args[1], args[2], args[3], Lists.<String>newArrayList());
@@ -61,7 +66,7 @@ public CogniCryptAndroidAnalysis(String apkFile, String platformsDirectory, Stri
 		this.outputDir = outputDir;
 	}
 
-	public Collection<AbstractError> run() {
+	public Collection<AbstractError> run() throws CryptoAnalysisException {
 		logger.info("Running static analysis on APK file " + apkFile);
 		logger.info("with Android Platforms dir " + platformsDirectory);
 		constructCallGraph();
@@ -105,7 +110,7 @@ public void setSootOptions(Options options, InfoflowConfiguration config) {
 		logger.info("Done constructing call graph");
 	}
 
-	private Collection<AbstractError> runCryptoAnalysis() {
+	private Collection<AbstractError> runCryptoAnalysis() throws CryptoAnalysisException {
 		prepareAnalysis();
 
 		final ObservableStaticICFG icfg = new ObservableStaticICFG(new BoomerangICFG(false));
@@ -157,25 +162,20 @@ private void prepareAnalysis() {
         logger.info("Library classes: "+ Scene.v().getLibraryClasses().size());
     }
 
-	protected List<CrySLRule> getRules() {
-		List<CrySLRule> rules = Lists.newArrayList();
+	protected List<CrySLRule> getRules() throws CryptoAnalysisException {
 		if (rulesDirectory == null) {
 			throw new RuntimeException(
 					"Please specify a directory the CrySL rules ( " + CrySLModelReader.cryslFileEnding +" Files) are located in.");
 		}
 		File[] listFiles = new File(rulesDirectory).listFiles();
-		for (File file : listFiles) {
-			if (file != null && file.getName().endsWith(CrySLModelReader.cryslFileEnding)) {
-				try {
-					rules.add(CrySLRuleReader.readFromSourceFile(file));
-				} catch (CryptoAnalysisException e) {
-					logger.error(e.getMessage(), e);
-				}
-			}
+		List<File> files = Arrays.asList(listFiles);
+
+		CrySLRuleReader reader = new CrySLRuleReader();
+		List<CrySLRule> rules = reader.readFromSourceFiles(files);
+
+		if (rules.isEmpty()) {
+			throw new CryptoAnalysisException("No CrySL rules found in " + rulesDirectory);
 		}
-		if (rules.isEmpty())
-			System.out.println("CogniCrypt did not find any rules to start the analysis for.\n"
-								+ "It checked for rules in "+rulesDirectory);
 		return rules;
 	}
 

CryptoAnalysis/.gitignore

@@ -1 +1 @@
-src/main/resources/**/*.crysl
+src/main/resources/**/*.crysl

CryptoAnalysis/pom.xml

@@ -134,7 +134,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
-				<version>3.2.2</version>
+				<version>3.2.5</version>
 				<configuration>
 					<reuseForks>false</reuseForks>
 					<argLine>-Xmx8G -Xms256M -Xss8M -Dmaven.home="${maven.home}"</argLine>
@@ -145,7 +145,7 @@
 					<dependency>
 						<groupId>org.apache.maven.surefire</groupId>
 						<artifactId>surefire-junit4</artifactId>
-						<version>3.2.2</version>
+						<version>3.2.5</version>
 					</dependency>
 					<dependency>
 						<groupId>junit</groupId>
@@ -202,7 +202,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.11.0</version>
+				<version>3.12.1</version>
 				<configuration>
 					<source>${maven.compiler.source}</source>
 					<target>${maven.compiler.target}</target>
@@ -262,7 +262,7 @@
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>
-			<version>32.1.3-jre</version>
+			<version>33.0.0-jre</version>
 		</dependency>
 		<dependency>
 			<!-- https://mvnrepository.com/artifact/org.ow2.asm/asm -->
@@ -319,12 +319,12 @@
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
-			<version>2.0.9</version>
+			<version>2.0.11</version>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-simple</artifactId>
-			<version>2.0.9</version>
+			<version>2.0.11</version>
 		</dependency>
 		<dependency>
 			<groupId>com.google.crypto.tink</groupId>
@@ -370,12 +370,17 @@
 		<dependency>
         	<groupId>com.fasterxml.jackson.core</groupId>
        		<artifactId>jackson-databind</artifactId>
-        	<version>2.16.0</version>
+        	<version>2.16.1</version>
 		</dependency>
 		<dependency>
     		<groupId>commons-io</groupId>
     		<artifactId>commons-io</artifactId>
     		<version>2.15.1</version>
 		</dependency>
+		<dependency>
+			<groupId>info.picocli</groupId>
+			<artifactId>picocli</artifactId>
+			<version>4.7.5</version>
+		  </dependency>
 	</dependencies>
 </project>

CryptoAnalysis/src/main/java/crypto/HeadlessCryptoScanner.java

@@ -1,24 +1,12 @@
 package crypto;
 
-import java.io.File;
-import java.util.Arrays;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.TimeUnit;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Stopwatch;
-import com.google.common.collect.Lists;
-
 import boomerang.callgraph.ObservableDynamicICFG;
 import boomerang.callgraph.ObservableICFG;
 import boomerang.debugger.Debugger;
 import boomerang.debugger.IDEVizDebugger;
 import boomerang.preanalysis.BoomerangPretransformer;
+import com.google.common.base.Stopwatch;
+import com.google.common.collect.Lists;
 import crypto.analysis.CrySLAnalysisListener;
 import crypto.analysis.CrySLResultsReporter;
 import crypto.analysis.CryptoScanner;
@@ -34,12 +22,15 @@
 import crypto.reporting.CSVReporter;
 import crypto.reporting.CSVSummaryReporter;
 import crypto.reporting.CommandLineReporter;
+import crypto.reporting.GitHubAnnotationReporter;
 import crypto.reporting.Reporter;
 import crypto.reporting.SARIFReporter;
 import crypto.reporting.TXTReporter;
 import crypto.rules.CrySLRule;
 import crypto.rules.CrySLRuleReader;
 import ideal.IDEALSeedSolver;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import soot.Body;
 import soot.BodyTransformer;
 import soot.EntryPoints;
@@ -55,29 +46,43 @@
 import soot.options.Options;
 import typestate.TransitionFunction;
 
+import java.io.File;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+
 public abstract class HeadlessCryptoScanner {
 
-	private static CryptoScannerSettings settings = new CryptoScannerSettings();
-	private boolean hasSeeds;
+	private static final Logger LOGGER = LoggerFactory.getLogger(HeadlessCryptoScanner.class);
+	private static final CryptoScannerSettings settings = new CryptoScannerSettings();
 	private static Stopwatch callGraphWatch;
 	private static List<CrySLRule> rules = Lists.newArrayList();
 	private static String rulesetRootPath;
-	private static final Logger LOGGER = LoggerFactory.getLogger(HeadlessCryptoScanner.class);
-
+	private static final CrySLRuleReader ruleReader = new CrySLRuleReader();
+	private boolean hasSeeds;
+
+	public static int exitCode = 0;
+
 	public static void main(String[] args) {
 		HeadlessCryptoScanner scanner = createFromCLISettings(args);
 		scanner.exec();
+		System.exit(exitCode);
 	}
 
 	public static HeadlessCryptoScanner createFromCLISettings(String[] args) {
 		try {
 			settings.parseSettingsFromCLI(args);
 		} catch (CryptoAnalysisParserException e) {
 			LOGGER.error("Parser failed with error: " + e.getClass().toString(), e);
+			System.exit(-1);
 		}
 
 		HeadlessCryptoScanner scanner = new HeadlessCryptoScanner() {
-			
+
 			@Override
 			protected String applicationClassPath() {
 				return settings.getApplicationPath();
@@ -88,18 +93,20 @@ protected List<CrySLRule> getRules() {
 				switch(settings.getRulesetPathType()) {
 					case DIR:
 						try {
-							rules.addAll(CrySLRuleReader.readFromDirectory(new File(settings.getRulesetPathDir())));
-							rulesetRootPath = settings.getRulesetPathDir().substring(0, settings.getRulesetPathDir().lastIndexOf(File.separator));
+							File ruleSetDir = new File(settings.getRulesetPathDir());
+							rules.addAll(ruleReader.readFromDirectory(ruleSetDir));
+							rulesetRootPath = ruleSetDir.getParent();
 						} catch (CryptoAnalysisException e) {
 							LOGGER.error("Error happened when getting the CrySL rules from the specified directory: " + settings.getRulesetPathDir(), e);
 						}
 						break;
 					case ZIP:
 						try {
-							rules.addAll(CrySLRuleReader.readFromZipFile(new File(settings.getRulesetPathZip())));
-							rulesetRootPath = settings.getRulesetPathZip().substring(0, settings.getRulesetPathZip().lastIndexOf(File.separator));
+							File ruleSetZip = new File(settings.getRulesetPathDir());
+							rules.addAll(ruleReader.readFromZipFile(ruleSetZip));
+							rulesetRootPath = ruleSetZip.getParent();
 						} catch (CryptoAnalysisException e) {
-							LOGGER.error("Error happened when getting the CrySL rules from the specified file: " + settings.getRulesetPathZip(), e);
+							LOGGER.error("Error happened when getting the CrySL rules from the specified file: " + settings.getRulesetPathDir(), e);
 						}
 						break;
 					default:
@@ -194,7 +201,7 @@ protected void internalTransform(String phaseName, Map<String, String> options)
 
 				Set<ReportFormat> formats = reportFormats();
 
-				if (formats.size() > 0) {
+				if (!formats.isEmpty()) {
 					for (ReportFormat format : formats) {
 						switch (format) {
 							case CMD:
@@ -217,6 +224,10 @@ protected void internalTransform(String phaseName, Map<String, String> options)
 								fileReporter = new CSVSummaryReporter(getOutputFolder(), softwareIdentifier(), rules, callgraphConstructionTime, includeStatistics());
 								reporter.addReportListener(fileReporter);
 								break;
+							case GITHUB_ANNOTATION:
+								fileReporter = new GitHubAnnotationReporter(softwareIdentifier(), rules, callgraphConstructionTime, includeStatistics());
+								reporter.addReportListener(fileReporter);
+								break;
 							default:
 								fileReporter = new CommandLineReporter(softwareIdentifier(), rules, callgraphConstructionTime, includeStatistics());
 								reporter.addReportListener(fileReporter);
@@ -258,10 +269,21 @@ public Debugger<TransitionFunction> debugger(IDEALSeedSolver<TransitionFunction>
 						}
 						return super.debugger(solver, seed);
 					}
+
+					@Override
+					public Collection<String> getForbiddenPredicates() {
+						return forbiddenPredicates();
+					}
+
+					@Override
+					public Collection<String> getIgnoredSections() {
+						return ignoredSections();
+					}
+
 				};
 
 				if (providerDetection()) {
-					ProviderDetection providerDetection = new ProviderDetection();
+					ProviderDetection providerDetection = new ProviderDetection(ruleReader);
 
 					if(rulesetRootPath == null) {
 						rulesetRootPath = System.getProperty("user.dir") + File.separator + "src" + File.separator + "main" + File.separator + "resources";
@@ -389,7 +411,7 @@ protected String sootClassPath() {
 	}
 
 	protected String softwareIdentifier(){
-		return settings.getSoftwareIdentifier();
+		return settings.getIdentifier();
 	}
 
 	protected String getOutputFolder(){
@@ -415,7 +437,15 @@ protected boolean providerDetection() {
 	protected boolean includeStatistics() {
 		return settings.isIncludeStatistics();
 	}
-
+
+	protected Collection<String> forbiddenPredicates() {
+		return settings.getForbiddenPredicates();
+	}
+
+	protected Collection<String> ignoredSections() {
+		return settings.getIgnoredSections();
+	}
+
 	private static String pathToJCE() {
 		// When whole program mode is disabled, the classpath misses jce.jar
 		return System.getProperty("java.home") + File.separator + "lib" + File.separator + "jce.jar";
@@ -438,5 +468,4 @@ private boolean isModularProject() {
 	    boolean check = new File(moduleFile).exists();
 	    return check;
 	}
-
 }