
code2graph's Introduction

Hi There 👋

About Me 🤔

  • AIGC (C for Code) is All You Need

Recent Interests 🎓

Remember to Focus!

🌟🌟🌟🌟🌟 AI4SE & SE4AI -> Code&Coding Intelligence -> Large Language Model for Developer teams!

🌟🌟🌟🌟🌟 Software Engineering -> Program&Code Analysis -> Collaborative SE!

🌟🌟🌟🌟🌟 Human Computer Interaction -> Developer-devoted Interaction&Feedback Design!

Technical Stack 💻

  • Java
  • Python
  • Go
  • JavaScript/TypeScript

Recent Projects 🔭

Tools and workflows to boost developers' productivity in a collaborative team & community!

  • Code2Graph: A converter from source code to graph format that is language-agnostic and extensible.
  • SoManyConflicts: A VSCode extension to resolve multiple merge conflicts systematically and interactively.
  • SmartCommit: An assistant for cohesive and conventional commits based on code-change-graph partitioning.
  • IntelliMerge: A refined merging tool for Java: graph-based, refactoring-aware, and semi-structured.
  • CrowdJigsaw: A framework for collaborative collective problem solving (e.g., knowledge graph building).

code2graph's People

Contributors

  • mend-bolt-for-github[bot]
  • shigma
  • symbolk
  • tsukimirini


code2graph's Issues

opt (later): early check of required files & repos before everything else

Fail-fast mechanism: encapsulate the logic that checks/prepares all input and output files and checks the state and validity of the git repository, and run it before entering the core parsing and algorithm; if it fails, stop early, so that errors are not discovered only after the run has started and then cause follow-on exceptions.

This matters for practical use; refactor it when time permits.

CVE-2022-23305 (High) detected in log4j-1.2.17.jar

CVE-2022-23305 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /gen.sql/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar

Dependency Hierarchy:

  • slf4j-log4j12-2.0.0-alpha2.jar (Root Library)
    • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter in which the values to be inserted are PatternLayout conversion characters. The message converter, %m, is almost always included. An attacker can therefore manipulate the SQL by placing crafted strings in input fields or headers that the application logs, causing unintended SQL statements to be executed. Note this issue only affects Log4j 1.x when it is specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization of the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2, which addresses numerous other issues from the previous versions.
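Added example, not code from Code2Graph or from the advisory: a small Python/sqlite3 reconstruction of the failure mode described above. The table, the SQL template and the payload are constructed for this example; %p and %m stand in for PatternLayout's level and message conversion characters, and the substitution step mimics how the Log4j 1.2 JDBCAppender expanded the pattern into statement text before handing it to a JDBC Statement. The hardened variant keeps the statement fixed and binds the values, which is what the parameterized JDBC appender in Log4j 2 does.

```python
import sqlite3

# Shape of a Log4j 1.2 JDBCAppender "sql" parameter (constructed for this example):
# PatternLayout conversion characters are expanded as text into the statement,
# which the appender then ran through a plain JDBC Statement.
SQL_TEMPLATE = "INSERT INTO logs(level, msg) VALUES ('%p', '%m')"

# Constructed attacker-controlled value, e.g. a request header the application
# logs. It closes the quoted %m field and appends a second row with a chosen level.
PAYLOAD = "x'), ('FATAL', 'forged entry"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs(level TEXT, msg TEXT)")
    return conn


def render_like_pattern_layout(template: str, level: str, msg: str) -> str:
    """Plain text substitution with no quoting, as PatternLayout fills %p and %m."""
    return template.replace("%p", level).replace("%m", msg)


def stored_rows(conn: sqlite3.Connection) -> list:
    return conn.execute("SELECT level, msg FROM logs ORDER BY rowid").fetchall()


def log_with_string_substitution(conn, level: str, msg: str) -> list:
    """Vulnerable path: the logged message becomes part of the SQL text."""
    conn.execute(render_like_pattern_layout(SQL_TEMPLATE, level, msg))
    return stored_rows(conn)


def log_with_parameters(conn, level: str, msg: str) -> list:
    """Hardened path: the statement is fixed and the values travel as bind
    parameters, which is how the parameterized Log4j 2 JDBC appender works."""
    conn.execute("INSERT INTO logs(level, msg) VALUES (?, ?)", (level, msg))
    return stored_rows(conn)


def substitution_survives(msg: str) -> bool:
    """Even a benign apostrophe breaks the substituted statement, losing the event."""
    try:
        log_with_string_substitution(fresh_db(), "INFO", msg)
    except sqlite3.OperationalError:
        return False
    return True


if __name__ == "__main__":
    print("substituted:", log_with_string_substitution(fresh_db(), "INFO", PAYLOAD))
    print("parameterized:", log_with_parameters(fresh_db(), "INFO", PAYLOAD))
```

Two things to take from it: the attacker needs nothing beyond a quote and a parenthesis that any logged header can carry, and the substitution path also fails on benign input (an apostrophe in a message turns the insert into a syntax error, so the event is lost). With a driver that accepts several statements per execute, the same hole permits arbitrary statements rather than only extra rows.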

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.


Step up your Open Source Security Game with WhiteSource here

CVE-2021-37714 (High) detected in jsoup-1.14.1.jar

CVE-2021-37714 - High Severity Vulnerability

Vulnerable Library - jsoup-1.14.1.jar

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for fetching URLs and extracting and manipulating data, using the best of HTML5 DOM methods and CSS selectors. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

Library home page: https://jsoup.org/

Path to dependency file: Code2Graph/gen.html/build.gradle

Path to vulnerable library: 546_UKJLXH/downloadResource_VWASHZ/20210827060405/jsoup-1.14.1.jar

Dependency Hierarchy:

  • jsoup-1.14.1.jar (Vulnerable Library)

Found in HEAD commit: 2a417288ceffa2af5f1d1025fb93f46fbf91228a

Found in base branch: main

Vulnerability Details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Publish Date: 2021-08-18

URL: CVE-2021-37714

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://jsoup.org/news/release-1.14.2

Release Date: 2021-08-18

Fix Resolution: org.jsoup:jsoup:1.14.2



CVE-2021-35516 (High) detected in commons-compress-1.20.jar

CVE-2021-35516 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: Code2Graph/client/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210816014708_PTEZBB/downloadResource_SMPNAH/20210816015442/commons-compress-1.20.jar

Dependency Hierarchy:

  • client-1.0 (Root Library)
    • diff-1.0
      • gumtree-spoon-ast-diff-1.34.jar
        • spoon-core-9.0.0.jar
          • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 1321c443be3c5e8f97221bdffb8d95eda0aa3c94

Found in base branch: main

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21



CVE-2021-35515 (High) detected in commons-compress-1.20.jar

CVE-2021-35515 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: Code2Graph/client/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210816014708_PTEZBB/downloadResource_SMPNAH/20210816015442/commons-compress-1.20.jar

Dependency Hierarchy:

  • client-1.0 (Root Library)
    • diff-1.0
      • gumtree-spoon-ast-diff-1.34.jar
        • spoon-core-9.0.0.jar
          • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 1321c443be3c5e8f97221bdffb8d95eda0aa3c94

Found in base branch: main

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21



CVE-2020-9493 (Critical) detected in log4j-1.2.17.jar

CVE-2020-9493 - Critical Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /gen.kotlin/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar

Dependency Hierarchy:

  • slf4j-log4j12-2.0.0-alpha2.jar (Root Library)
    • log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: f6f0f8b738745c459f1c5845fb0913b2c1c29e39

Found in base branch: main

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution. Chainsaw was shipped as part of Log4j 1.2.x (the org.apache.log4j.chainsaw package inside log4j-1.2.17.jar), which is why this finding is reported against that artifact; the same flaw in Log4j 1.2.x was later assigned CVE-2022-23307, and the listed fix, reload4j 1.2.18.1, is the maintained drop-in fork of Log4j 1.2.17 that addresses it.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1



dis: can a single use URI match multiple def URIs?

@shigma The previous default behaviour was that a single use matches only one def, in rule-priority order: once a use has been matched to a def, a lower-priority rule is not counted in the result even if it could also match a def for that use.
But there are some counterexamples to this design.
Case 1: because of dynamic factors and the like, one ref identifier itself corresponds to multiple defs.
For example, an Android project has layout files for different screen sizes; the components (i.e. the file contents) are the same, but the files sit under different paths:
[image]
The reference in the Java file, however, is not written separately for each of them, so the reference identifier here should be understood as having two defs:
[image]
This example does not actually cause a problem in focus: it is judged ambiguous, but the final output still contains both links, because they belong to the same rule. I could not find a better example, so here is a made-up scenario: if the two defs in an example corresponded to different rules (say, if I wrote more precise rules, with r-layout matching only layout files under the layout folder and a separate rule matching only layout files under layout-large-land), the problem would appear.

Case 2: imagine two rules, and two links, one per rule, whose use URIs are identical. Such a setup exists because the two rules focus on different things: one matches the variable itself, the other matches other elements of that variable's URI, e.g. the varType attribute. A made-up example:

r1:
  use:
    identifier: (class)/(name)
  def:
    identifier: (sqlTag)/#{(name)}
r2:
  use:
    identifier: (name)
    varType: (layout)Binding
  def:
    file: (layout).xml

This is a purely hypothetical scenario, posted only for reference; there should be no real rule in this situation.

PS: this is raised only for discussion; low priority.

bug: rename propagation: after adding the XML inner rule, indirectly affected identifiers are still not renamed

To rename identifiers in XML files that are not directly linked to a Java element, I added the following rule:

r-xml-inner:
#    hidden: true
    def:
      lang: XML
      file: (&layoutName).xml
      identifier: android:id
      inline:
        identifier: '@+id\/(&name)'
    use:
      lang: XML
      file: (&layoutName).xml
      identifier: "*constraint*"
      inline:
        identifier: '*\/(&name)'

With this rule, one example yields the following inner link:

r-xml-inner
def://app/src/main/res/layout/fragment_description.xml[language=FILE]//androidx.core.widget.NestedScrollView/androidx.constraintlayout.widget.ConstraintLayout/ImageView/android:id[language=XML]//@+id\\/detail_select_description_button[language=ANY]
def://app/src/main/res/layout/fragment_description.xml[language=FILE]//androidx.core.widget.NestedScrollView/androidx.constraintlayout.widget.ConstraintLayout/TextView/app:layout_constraintEnd_toStartOf[language=XML]//@+id\\/detail_select_description_button[language=ANY]

The def side of the XLL above (the first URI) is bound to a Java element:

r-dataBinding
def://app/src/main/res/layout/fragment_description.xml[language=FILE]//androidx.core.widget.NestedScrollView/androidx.constraintlayout.widget.ConstraintLayout/ImageView/android:id[language=XML]//@+id\\/detail_select_description_button[language=ANY]
use://app/src/main/java/org/schabi/newpipe/fragments/detail/DescriptionFragment.java[language=FILE]//DescriptionFragment/disableDescriptionSelection/TooltipCompat.setTooltipText/binding.detailSelectDescriptionButton[language=JAVA]

All of this behaves as expected, but when I rename that Java element, both URIs in the inner link should be renamed; in fact only the XML URI in the dataBinding link was renamed:

def://app/src/main/res/layout/fragment_description.xml[language=FILE]//androidx.core.widget.NestedScrollView/androidx.constraintlayout.widget.ConstraintLayout/ImageView/android:id[language=XML]//@+id\\/detail_select_description_button[language=ANY]
def://app/src/main/res/layout/fragment_description.xml[language=FILE]//androidx.core.widget.NestedScrollView/androidx.constraintlayout.widget.ConstraintLayout/ImageView/android:id[language=XML]//@+id\\/detailedSelectDescriptionButton[language=ANY]

CVE-2020-36518 (High) detected in jackson-databind-2.12.2.jar

CVE-2020-36518 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.12.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /mining/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.12.2/5f9d79e09ebf5d54a46e9f4543924cf7ae7654e0/jackson-databind-2.12.2.jar

Dependency Hierarchy:

  • diff-1.0-SNAPSHOT (Root Library)
    • gumtree-spoon-ast-diff-1.34.jar
      • spoon-core-9.0.0.jar
        • jackson-databind-2.12.2.jar (Vulnerable Library)

Found in HEAD commit: f6f0f8b738745c459f1c5845fb0913b2c1c29e39

Found in base branch: main

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
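Added example covering both the workaround the jsoup advisory above lists (cap input size and parse work) and the nesting-depth failure mode of this jackson-databind advisory; it is not project code, and the two sample documents are constructed. It pre-scans untrusted JSON in one linear pass and rejects it when it exceeds a byte budget or a nesting depth before the recursive parser ever sees it, the same idea as the maxNestingDepth limit Jackson 2.15 later added through StreamReadConstraints (default 1000). CPython's json module is the stand-in recursive parser; it raises RecursionError where Jackson threw StackOverflowError.

```python
import json

# Constructed sample documents for this example (not taken from the project).
SAFE_DOC = b'{"id": 7, "tags": ["a", "b"], "note": "brackets inside strings [[[[ are data"}'
DEEP_DOC = b"[" * 100_000 + b"]" * 100_000   # 200 kB, well under any byte budget

MAX_BYTES = 1 << 20   # size cap chosen from available memory, per the jsoup workaround
MAX_DEPTH = 1000      # Jackson 2.15's StreamReadConstraints default for maxNestingDepth


class UntrustedInputRejected(ValueError):
    """Raised before any recursive parsing happens."""


def nesting_depth(data: bytes, max_depth: int) -> int:
    """One linear pass that counts [ ] { } nesting outside JSON strings.
    O(1) memory, no recursion, and it aborts as soon as the cap is crossed."""
    depth = deepest = 0
    in_string = escaped = False
    for byte in data:
        if in_string:
            if escaped:
                escaped = False
            elif byte == 0x5C:          # backslash escapes the next byte
                escaped = True
            elif byte == 0x22:          # closing quote
                in_string = False
            continue
        if byte == 0x22:                # opening quote
            in_string = True
        elif byte in (0x5B, 0x7B):      # [ or {
            depth += 1
            if depth > max_depth:
                raise UntrustedInputRejected(f"nesting deeper than {max_depth}")
            deepest = max(deepest, depth)
        elif byte in (0x5D, 0x7D):      # ] or }
            depth -= 1
    return deepest


def bounded_loads(data: bytes, max_bytes: int = MAX_BYTES, max_depth: int = MAX_DEPTH):
    """Size cap, then depth cap, then the ordinary (recursive) parser."""
    if len(data) > max_bytes:
        raise UntrustedInputRejected(f"{len(data)} bytes exceeds the {max_bytes}-byte budget")
    nesting_depth(data, max_depth)
    return json.loads(data)


def rejected(data: bytes, **caps) -> bool:
    try:
        bounded_loads(data, **caps)
    except UntrustedInputRejected:
        return True
    return False


def unbounded_loads_fails(data: bytes) -> bool:
    """Without the pre-check: CPython's json raises RecursionError here, the
    analogue of the StackOverflowError the advisory describes for Jackson."""
    try:
        json.loads(data)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    print("safe doc depth:", nesting_depth(SAFE_DOC, MAX_DEPTH))
    print("deep doc rejected:", rejected(DEEP_DOC))
```

The byte budget alone does not stop this class of input (200,000 bytes of brackets sit comfortably under 1 MiB), which is why the depth check is a separate gate. The third workaround the jsoup advisory mentions, a wall-clock cap, cannot be enforced in-process for a parser that never polls a deadline; run such parsers in a worker you can kill, which this example does not implement. The same caps apply to the commons-compress 7z findings above, where the archive header rather than the body drives the work.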

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6.1,2.13.2.1



bug: Rename drops some information from the before/after URIs

Input to the Rename function:

// oldURI: use://src/main/resources/mapper/QuestionExtMapper.xml[language=FILE]//mapper/update[parameterType=life.majiang.community.model.Question,language=XML,queryId=incCommentCount]//Update/Where/=/#{id}[language=SQL]
// newURI:
use://src/main/resources/mapper/QuestionExtMapper.xml[language=FILE]//mapper/update[parameterType=life.majiang.community.model.Question,language=XML,queryId=incCommentCount]//Update/Where/=/#{commentId}[language=SQL]

Output:

"def://src/main/java/life/majiang/community/model/Question.java[language=FILE]//Question/id[varType=Long,language=JAVA]" <-> def://life/majiang/community/model/Question.java[language=FILE]//Question/commentId[language=JAVA]

[image]

CVE-2020-15250 (Medium) detected in junit-4.12.jar

CVE-2020-15250 - Medium Severity Vulnerability

Vulnerable Library - junit-4.12.jar

JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

Library home page: http://junit.org

Path to dependency file: Code2Graph/gen.xml/build.gradle

Path to vulnerable library: 20210223092858_FSMCTY/downloadResource_YNEFMV/20210223093646/junit-4.12.jar

Dependency Hierarchy:

  • junit-4.12.jar (Vulnerable Library)

Found in HEAD commit: 575d8b68b35cdd90e4490bd59b76206c08b1b1d4

Found in base branch: main

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files; it is purely an information disclosure. It affects you if the JUnit tests write sensitive information, such as API keys or passwords, into the temporary folder, and the tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, the fix depends on the JDK version you are using. For Java 1.7 and higher: the vulnerability is fixed in 4.13.1. For Java 1.6 and lower: no patch is available; use the workaround below. If you are unable to patch, or are stuck on Java 1.6, setting the java.io.tmpdir system property to a directory that is exclusively owned by the executing user fixes this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
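Added example, not part of JUnit or of this project, in Python: the hardened behaviour JUnit 4.13.1 adopted for TemporaryFolder (directory created with owner-only permissions, files created with their mode fixed at creation) next to an audit function that flags the vulnerable state, i.e. anything under the directory readable by group or others. The file name and contents are constructed; demo() also re-creates the exposed state by loosening the file to 0644, the mode a default-umask createTempFile-style creation yields.

```python
from __future__ import annotations

import os
import shutil
import stat
import tempfile


def private_tempdir(prefix: str = "c2g-") -> str:
    """mkdtemp creates the directory with mode 0700 (umask can only tighten it),
    so other accounts sharing /tmp cannot list or traverse it. This is the
    behaviour JUnit 4.13.1 gave TemporaryFolder on Java 7+."""
    return tempfile.mkdtemp(prefix=prefix)


def create_private_file(directory: str, name: str, content: bytes) -> str:
    """O_EXCL refuses a pre-existing (possibly attacker-planted) file, and the
    0600 mode is applied at creation, so there is no window of exposure."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(content)
    return path


def exposed_entries(directory: str) -> list[str]:
    """Audit: every directory or file under `directory` with any group/other bit set."""
    exposed = []
    for dirpath, _, filenames in os.walk(directory):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            if stat.S_IMODE(os.lstat(path).st_mode) & 0o077:
                exposed.append(path)
    return exposed


def demo() -> dict:
    """Hardened state first, then the exposed state the advisory describes."""
    directory = private_tempdir()
    # Constructed secret, standing in for an API key a test might write out.
    secret = create_private_file(directory, "api-key.txt", b"constructed-secret")
    result = {"secret": secret, "exposed_when_private": exposed_entries(directory)}
    # A createTempFile-style creation under the usual umask 022 yields 0644:
    os.chmod(secret, 0o644)
    result["exposed_after_0644"] = exposed_entries(directory)
    shutil.rmtree(directory)
    return result


if __name__ == "__main__":
    print(demo())
```

The audit function is the useful half for an existing code base: point it at java.io.tmpdir after a test run and anything it lists is readable by other accounts on that host.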

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-07-21

Fix Resolution: junit:junit:4.13.1



CVE-2020-9488 (Low) detected in log4j-1.2.17.jar

CVE-2020-9488 - Low Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: Code2Graph/core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar

Dependency Hierarchy:

  • slf4j-log4j12-2.0.0-alpha2.jar (Root Library)
    • log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: 1321c443be3c5e8f97221bdffb8d95eda0aa3c94

Found in base branch: main

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/LOG4J2-2819

Release Date: 2020-04-27

Fix Resolution: org.apache.logging.log4j:log4j-core:2.13.2


Step up your Open Source Security Game with WhiteSource here

feat: split identifiers automatically when the modifier is omitted, to solve the irreversible case-change problem

Usually developers name things exactly in the case the convention prescribes, for example:

def: @+id/widget_name
use: binding.widgetName

Since widget_name converted from snake case to camel case is widgetName, this example is correct.

In some special cases the naming is less regular, for example:

def: @+id/widgetName
use: binding.widgetName

Since widgetName read as snake case is treated as a single word, converting it to camel case also gives widgetName, so this example is correct as well.

For this XLL pattern, the rule we wrote is:
[image]
But this rule cannot capture the special case.
Consider splitting the identifier automatically when the modifier is omitted, so that with the rule defined as in the figure below, both the usual case and the special case are captured.
[image]
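Added example, not the project's own code: a Python sketch of the automatic splitting proposed above. split_words tokenizes snake_case and camelCase identifiers into one common word list, so the usual pair (widget_name / widgetName) and the irregular pair (widgetName / widgetName) both match, while to_snake(to_camel(x)) shows why a plain case conversion cannot be reversed. The identifiers used are the ones from this issue and from the dataBinding link in the rename issue above (detail_select_description_button / detailSelectDescriptionButton).

```python
from __future__ import annotations

import re

# Boundary before an uppercase letter that follows a lowercase letter or digit
# (widgetName -> widget | Name) and between an acronym and the next capitalised
# word (XMLParser -> XML | Parser).
_CAMEL_BOUNDARY = re.compile(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])")


def split_words(identifier: str) -> list[str]:
    """Tokenize snake_case, camelCase, PascalCase or a mix into lowercase words."""
    words = []
    for chunk in identifier.split("_"):
        for word in _CAMEL_BOUNDARY.split(chunk):
            if word:
                words.append(word.lower())
    return words


def to_camel(snake: str) -> str:
    """The one-way conversion the current rule applies to the def side."""
    parts = [p for p in snake.split("_") if p]
    if not parts:
        return ""
    return parts[0] + "".join(p[:1].upper() + p[1:] for p in parts[1:])


def to_snake(camel: str) -> str:
    return "_".join(split_words(camel))


def conversion_round_trips(identifier: str) -> bool:
    """False whenever a def identifier is not pure snake_case: the case the
    current modifier-based rule misses, because the conversion loses the
    original spelling."""
    return to_snake(to_camel(identifier)) == identifier


def same_identifier(def_id: str, use_id: str) -> bool:
    """Match on word sequences instead of on a converted string; this is the
    behaviour proposed for a rule whose modifier is omitted."""
    return split_words(def_id) == split_words(use_id)


if __name__ == "__main__":
    for d, u in [("widget_name", "widgetName"), ("widgetName", "widgetName")]:
        print(d, u, "match" if same_identifier(d, u) else "no match")
```

Word-level matching is deliberately coarser than string conversion: it also equates widget_Name with widgetName, and it still cannot equate widgetname (one word) with widgetName (two), so a rule that needs exact spelling should keep an explicit modifier.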

WS-2021-0616 (Medium) detected in jackson-databind-2.12.2.jar

WS-2021-0616 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.12.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /mining/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.12.2/5f9d79e09ebf5d54a46e9f4543924cf7ae7654e0/jackson-databind-2.12.2.jar

Dependency Hierarchy:

  • diff-1.0-SNAPSHOT (Root Library)
    • gumtree-spoon-ast-diff-1.34.jar
      • spoon-core-9.0.0.jar
        • jackson-databind-2.12.2.jar (Vulnerable Library)

Found in HEAD commit: f6f0f8b738745c459f1c5845fb0913b2c1c29e39

Found in base branch: main

Vulnerability Details

In FasterXML jackson-databind before 2.12.6 and 2.13.1, there is a denial of service when JDK serialization is used to serialize a JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2021-11-20

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1



WS-2019-0379 (Medium) detected in commons-codec-1.10.jar

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: Code2Graph/client/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210327124738_QRILWM/downloadResource_MUDLGA/20210327125228/commons-codec-1.10.jar

Dependency Hierarchy:

  • client-1.0 (Root Library)
    • diff-1.0
      • gumtree-spoon-ast-diff-1.30.jar
        • core-2.1.2.jar
          • simmetrics-core-3.2.3.jar
            • commons-codec-1.10.jar (Vulnerable Library)

Found in HEAD commit: 4a8fb8957052fada855c8a9f4c76b6ff4dce7a47

Found in base branch: main

Vulnerability Details

Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: apache/commons-codec@48b6157

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13



CVE-2021-44832 (Medium) detected in log4j-core-2.17.0.jar

CVE-2021-44832 - Medium Severity Vulnerability

Vulnerable Library - log4j-core-2.17.0.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /gen.xml/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.17.0/fe6e7a32c1228884b9691a744f953a55d0dd8ead/log4j-core-2.17.0.jar

Dependency Hierarchy:

  • gen.kotlin-1.0-SNAPSHOT (Root Library)
    • log4j-core-2.17.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Publish Date: 2021-12-28

URL: CVE-2021-44832

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-28

Fix Resolution: org.apache.logging.log4j:log4j-core:2.3.2,2.12.4,2.17.1


Step up your Open Source Security Game with WhiteSource here

bug: rename does not handle greedy capture

# input
def://sagan-site/src/main/java/sagan/site/projects/admin/ProjectAdminController.java[language=FILE]//ProjectAdminController/list/return[language=JAVA]//admin\\/project\\/index[language=ANY],0,def://sagan-site/src/main/java/sagan/site/projects/admin/ProjectAdminController.java[language=FILE]//ProjectAdminController/list/return[language=JAVA]//admin\\/project\\/newIndex[language=ANY]
# output
def://sagan-site/src/main/resources/templates/admin/project/index.html[language=FILE],0,def://admin/project/newIndex.html[language=FILE]

refactor: should inline languages be handled inside or outside the gen.x module?

Architecture question:

Should inline languages be handled inside or outside the gen.x module?
For a DSL such as XML, the language only provides a specification, but every framework's dialect schema is different, which is hard to handle; at present we have to write special handlers (MybatisMapperHandler and AndroidHandler), which puts an extra burden on extensibility.
Supporting a new language means adding a gen.X. If a new language b is a dialect of a language a, then b's handler has to be added under gen.a.

bug: rule matching may be broken

Because the results were not as expected, I ran a test on the XLL evaluation experiment for the MyBatis project jeecg-boot.
If I understand correctly, for the flowgraph of a config file, commenting out the declarations of the later (i.e. lower-priority) rules in the graph should not affect the matching of the earlier rules. For example:

flowgraph:
  r-mapperBinding:
    - $
  r-queryId-select:
    - r-mapperBinding
  r-queryId-insert:
    - r-mapperBinding
  r-queryId-update:
    - r-mapperBinding
  r-queryId-delete:
    - r-mapperBinding
  r-paramAnno-select:
    - r-queryId-select
  r-paramAnno-insert:
    - r-queryId-insert
  r-paramAnno-update:
    - r-queryId-update
  r-paramAnno-delete:
    - r-queryId-delete
  # target rule
  r-paramAnno-select-no-jdbc:
    - r-queryId-select
  r-paramVarname-select:
    - r-queryId-select
  r-paramVarname-select-no-jdbc:
    - r-queryId-select
#  r-paramType-identifier-select:
#    - $

But in fact, in the example above, after commenting out r-paramType-identifier-select, r-paramAnno-select-no-jdbc matches many more results than when it is not commented out. (In fact, once the former is added, the latter matches 0 entries.)
Why would declaring a lower-priority rule that has no predecessor/successor relation prevent a higher-priority rule from matching?

CVE-2021-4104 (High) detected in log4j-1.2.17.jar

CVE-2021-4104 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /gen.sql/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar

Dependency Hierarchy:

  • slf4j-log4j12-2.0.0-alpha2.jar (Root Library)
    • log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: 3c50893e02318038d0df7bfe5cd30fdf3684bacd

Found in base branch: main

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: log4j:log4j - 1.2.17-atlassian-1



Summary of Generator issues

XML

  • In XML, file paths on Windows all use \, while Java uses /; also, the identifier layer of the XML file node is null while in Java it is the empty string (I am not sure which is better)

Java

  • Some types are not supported yet
    • implements
    • annotation
    • method parameters

CVE-2022-23302 (High) detected in log4j-1.2.17.jar

CVE-2022-23302 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /gen.sql/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar

Dependency Hierarchy:

  • slf4j-log4j12-2.0.0-alpha2.jar (Root Library)
    • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.



CVE-2022-23307 (Medium) detected in log4j-1.2.17.jar

CVE-2022-23307 - Medium Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /gen.sql/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar

Dependency Hierarchy:

  • slf4j-log4j12-2.0.0-alpha2.jar (Root Library)
    • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.



bug: auto capture rename does not follow the recognized modifier pattern

// input
use://app/src/main/java/org/schabi/newpipe/fragments/detail/DescriptionFragment.java[language=FILE]//DescriptionFragment/setupUploadDate/binding.detailUploadDateView[language=JAVA] <-> use://app/src/main/java/org/schabi/newpipe/fragments/detail/DescriptionFragment.java[language=FILE]//DescriptionFragment/setupUploadDate/binding.uploadDateView[language=JAVA]
// output
def://app/src/main/res/layout/fragment_description.xml[language=FILE]//androidx.core.widget.NestedScrollView/androidx.constraintlayout.widget.ConstraintLayout/TextView/android:id[language=XML]//@+id\\/detail_upload_date_view[language=ANY] <-> def://app/src/main/res/layout/fragment_description.xml[language=FILE]//androidx.core.widget.NestedScrollView/androidx.constraintlayout.widget.ConstraintLayout/TextView/android:id[language=XML]//@+id\\/uploadDateView[language=ANY]

Rule used:

# binding.widgetId <-> @+id/widgetId
  r-dataBinding:
    use:
      lang: JAVA
      file: '(&javaFile).java'
      identifier: (&bindingVar).(name:camel)
    def:
      lang: XML
      file: (&layoutName).xml
      identifier: android:id
      inline:
        identifier: '@+id\/(name)'

feat: allow a single token inside a tokenized phrase to contain uppercase characters

The following rename is currently not supported:

// input
xxx/index -> xxx/newIndex
// expected output
xxx/index.html -> xxx/newIndex.html
// actual output
xxx/index.html -> xxx/newindex.html

This is because, when a separator is present, all tokens are automatically assumed to contain only lowercase characters, i.e. xxx/newIndex is tokenized as ["xxx", "newindex"].

dis: multi-segment capture problem

@Controller
@RequestMapping("/admin/blog")
class BlogAdminController {
    @GetMapping("/new")
    public String newPost(Model model) {
        model.addAttribute("postForm", new PostForm());
        model.addAttribute("categories", PostCategory.values());
        model.addAttribute("formats", PostFormat.values());
        return "admin/blog/new";
    }
}

Here the capture result obtained from the return value is (name=admin/blog/new); if def.file is defined as (name).html, no match can be achieved.

First, a capture group currently cannot contain a slash, and a **/ prefix is added before matching, which means (name).html expands to (?:.+/)?(\w+) (this does not even include hyphen and underscore, because they are removed before matching), so the final match result can only be (name=new).

Note 1: the reason a capture group matches only the last segment by default is that this design covers most cases. Both the R.layout scenario and the MyBatis scenario are based on this logic; changing it to allow multi-segment matching has no implementation value and does not fit the design logic.

To allow a capture group to span multiple segments, a new syntax could be designed, e.g. (name...) for a multi-segment capture group, which would expand to (?:.+/)?(\w+(?:/\w+)*). But this does not solve the problem, because according to the regular expression specification the match result would still be (name=new).

Note 2: the basis of the current matching algorithm is that we match the two URIs with two patterns separately and compare the results. If both sides match and the results agree, it is treated as a valid link. We cannot presuppose that we should obtain (name=admin/blog/new) first and then go looking for the other side. This algorithm design is also the foundation of all optimizations. If the two sides were not matched simultaneously, the time complexity would at least be multiplied by the number of nodes, meaning a single match would take tens of thousands of times longer than now, and that is without considering the loops we will need in the future.

Note 3: likewise, we should not try to produce multiple match results for the same URI and pattern. The main reason is that we cannot rewrite a matching engine; that would probably be more work than the whole project so far. In addition, producing multiple match results would cause a huge performance loss: at minimum, matching a single string would go from polynomial to exponential.


To solve this problem, I have roughly come up with the following approaches:

Allow nested capture groups, and obtain all suffix strings of a layer through a loop

The basic logic is like (name)/(&name)/**. Matching a string with this expression yields one segment each time. But this does not produce the complete suffix, and for URIs with repeated segments it loops forever. To obtain the exact suffix, a new syntax could be designed that allows capture groups nested inside capture groups.

The new syntax looks like (name=(temp)/(&name)). This expression means: first match (temp), then append /(&name) to the match result and set that as the new name. After one round of matching all suffixes are obtained.

Allow multi-segment capture groups, and locate them by fixing a prefix

As mentioned above, (name...) becomes (?:.+/)?(\w+(?:/\w+)*) and therefore cannot match, but if a base is given (the root directory containing all html files, in other words the parent directory of admin, which we assume is called root), (&base)/(name...) becomes (?:.+/)?root/(\w+(?:/\w+)*), and the regular expression then produces the exact result. So we only need to find this base through a preceding rule.

In fact, since the program can understand the relative path admin/blog/new, base must be written somewhere, so this should be feasible in theory.
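The expansion rules described in this discussion, modelled as an added Python example (this is not code2graph's own implementation): it expands a file pattern into the regex the discussion quotes and shows why (name...) alone still captures only new while a bound (&base) prefix recovers admin/blog/new. The (name...) syntax is the proposal from this discussion, the base value templates and the sample path are constructed, and the function names are this example's assumptions.

```python
import re

# Added example, not code2graph's own code: a small model of how a file pattern
# such as "(name).html" is expanded into a regex, following the expansion rules
# quoted in the discussion above. The "(name...)" multi-segment syntax is the
# proposal from the discussion, not existing project syntax, and the function
# names are this example's own.

# (name), (name...) or (&name)
CAPTURE = re.compile(r"\((&?)(\w+)(\.\.\.)?\)")


def expand_pattern(pattern, bindings=None):
    """Translate a pattern into an anchored regex string.

    (name)    -> one path segment, \\w+ only (no slash; hyphen and underscore
                 are stripped from the subject before matching)
    (name...) -> proposed multi-segment capture, \\w+(?:/\\w+)*
    (&name)   -> a value already bound by an earlier rule, inserted literally
    Literal text is escaped and the implicit "**/" prefix becomes (?:.+/)?.
    """
    bindings = bindings or {}
    out, pos = [], 0
    for m in CAPTURE.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        ref, name, multi = m.groups()
        if ref:
            if name not in bindings:
                raise KeyError(f"unbound reference (&{name})")
            out.append(re.escape(bindings[name]))
        elif multi:
            out.append(rf"(?P<{name}>\w+(?:/\w+)*)")
        else:
            out.append(rf"(?P<{name}>\w+)")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return r"^(?:.+/)?" + "".join(out) + "$"


def match_pattern(pattern, subject, bindings=None):
    """Return the captured groups as a dict, or None if the subject does not match."""
    # hyphen and underscore are removed before matching, as the discussion says
    subject = subject.replace("-", "").replace("_", "")
    m = re.match(expand_pattern(pattern, bindings), subject)
    return m.groupdict() if m else None


def demo():
    """The three cases from the discussion, run on a constructed template path."""
    path = "src/main/resources/templates/admin/blog/new.html"  # constructed sample
    return {
        # single-segment capture: the greedy (?:.+/)? prefix eats everything
        # up to the last slash, so only "new" is captured
        "single": match_pattern("(name).html", path),
        # multi-segment capture on its own: still only "new", for the same reason
        "multi": match_pattern("(name...).html", path),
        # multi-segment capture anchored by a base bound by an earlier rule
        "anchored": match_pattern("(&base)/(name...).html", path, {"base": "templates"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```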

eva: experimentally validate the effectiveness of the method

Three sets of experiments:

  1. XLL: Precision/Recall of cross-language link detection
  2. Cochange: P/R of file-level prediction from history
  3. Lint: whether known or unknown bugs/code smells caused by cross-language changes can be found

CVE-2021-45105 (High) detected in log4j-core-2.16.0.jar

CVE-2021-45105 - High Severity Vulnerability

Vulnerable Library - log4j-core-2.16.0.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: Code2Graph/gen.kotlin/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.16.0/ca12fb3902ecfcba1e1357ebfc55407acec30ede/log4j-core-2.16.0.jar

Dependency Hierarchy:

  • gen.kotlin-1.0-SNAPSHOT (Root Library)
    • log4j-core-2.16.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Apache Log4J 2.0-beta9 before 2.17.0 is vulnerable to Denial of Service (DoS) attacks. Due to lack of protection from uncontrolled recursion from self-referential lookups, attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process.

Publish Date: 2021-12-17

URL: CVE-2021-45105

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-17

Fix Resolution: org.apache.logging.log4j:log4j-core:2.17.0



bug: cannot match the URI of MyBatis @Param annotations

The @Param("name") in MyBatis cannot be matched by a rule like the following:

# <select> select * from xx=#{name,jdbcType=yy} </select> <-> @Param("name")
  r-paramAnno-select-no-jdbc:
    use:
      lang: XML
      file: (&xmlFile).xml
      identifier: 'select'
      queryId: (&queryId)
      inline:
        lang: SQL
        identifier: "#{(name)}"
    def:
      lang: JAVA
      file: (&packagePath:slash).java
      identifier: (&mapperInterface)/(&queryId)/(a)/@Param\("(name)"\)

In this example, the link that should in theory be matched is:

"use://jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/quartz/mapper/xml/QuartzJobMapper.xml[language=FILE]//mapper/select[language=XML,resultType=org.jeecg.modules.quartz.entity.QuartzJob,queryId=findByJobClassName]//Select/Where/=/#{jobClassName}[language=ANY]","def://jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/quartz/mapper/QuartzJobMapper.java[language=FILE]//QuartzJobMapper/findByJobClassName/jobClassName/@Param\\(""jobClassName""\\)[language=JAVA]"

At the same time, another similar rule, differing only in the symbol part, does match:

# <select> select * from xx=#{name,jdbcType=yy} </select> <-> func(int name)
  r-paramVarname-select-no-jdbc:
    use:
      lang: XML
      file: (&xmlFile).xml
      identifier: "select"
      queryId: (&queryId)
      inline:
        lang: SQL
        identifier: "#{(name)}"
    def:
      lang: JAVA
      file: (&packagePath:slash).java
      identifier: "(&mapperInterface)/(&queryId)/(name)"

The matched link is:

"use://jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/quartz/mapper/xml/QuartzJobMapper.xml[language=FILE]//mapper/select[language=XML,resultType=org.jeecg.modules.quartz.entity.QuartzJob,queryId=findByJobClassName]//Select/Where/=/#{jobClassName}[language=ANY]","def://jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/quartz/mapper/QuartzJobMapper.java[language=FILE]//QuartzJobMapper/findByJobClassName/jobClassName/@Param\\(""jobClassName""\\)[language=JAVA]"

The full config is here


NOTE: since the duplicated double quotes in the URIs written to the groundtruth looked a bit suspicious, I looked at where the URIs are generated; at runtime, when the result is generated, there is no duplication yet:
[screenshot]

CVE-2021-44228 (High) detected in multiple libraries

CVE-2021-44228 - High Severity Vulnerability

Vulnerable Libraries - log4j-api-2.14.0.jar, log4j-core-2.14.0.jar, log4j-1.2.17.jar

log4j-api-2.14.0.jar

The Apache Log4j API

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: Code2Graph/gen.kotlin/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-api/2.14.0/23cdb2c6babad9b2b0dcf47c6a2c29d504e4c7a8/log4j-api-2.14.0.jar

Dependency Hierarchy:

  • log4j-core-2.14.0.jar (Root Library)
    • log4j-api-2.14.0.jar (Vulnerable Library)

log4j-core-2.14.0.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: Code2Graph/dist/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.14.0/e257b0562453f73eabac1bc3181ba33e79d193ed/log4j-core-2.14.0.jar

Dependency Hierarchy:

  • log4j-core-2.14.0.jar (Vulnerable Library)

log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: Code2Graph/gen.sql/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar

Dependency Hierarchy:

  • slf4j-log4j12-2.0.0-alpha2.jar (Root Library)
    • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.

Publish Date: 2021-11-27

URL: CVE-2021-44228

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jfh8-c2jp-5v3q

Release Date: 2021-12-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.15.0



CVE-2019-17571 (High) detected in log4j-1.2.17.jar

CVE-2019-17571 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: Code2Graph/core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar

Dependency Hierarchy:

  • slf4j-log4j12-2.0.0-alpha1.jar (Root Library)
    • log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: 575d8b68b35cdd90e4490bd59b76206c08b1b1d4

Found in base branch: main

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571

Release Date: 2019-12-20

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0



feat: upload the Extractor execution code; change the exported file name to repoName:commitID

  1. Upload the code that runs generateInstances(), so that others can extract the GT locally
  2. Add an interface in GitService to get the repo's HEAD commit id: git rev-parse --short HEAD
  3. Change the export file name format of both GT and output to: repoName:commitID
  4. Finding gtPath and otPath in Evaluation needs some special handling

Because I found that the poor previous results were caused by my local repo being at a different commit from the one the GT was built on, here are the latest results:

NewPie:ba6fdecba
[screenshot of results]

VirtualXposed:9c20336a
[screenshot of results]

GSYVideoPlayer:e3eae615
[screenshot of results]

CVE-2021-35517 (High) detected in commons-compress-1.20.jar

CVE-2021-35517 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: Code2Graph/client/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210816014708_PTEZBB/downloadResource_SMPNAH/20210816015442/commons-compress-1.20.jar

Dependency Hierarchy:

  • client-1.0 (Root Library)
    • diff-1.0
      • gumtree-spoon-ast-diff-1.34.jar
        • spoon-core-9.0.0.jar
          • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 1321c443be3c5e8f97221bdffb8d95eda0aa3c94

Found in base branch: main

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

refactor: it may be necessary to adjust the config format

Currently a rule is an array: [left, right, ...subrule]

But as subrule development progressed, I found that in many cases we really do need to specify explicitly which one is the def and which one is the use, so I suggest switching to an object notation.

rules:
  - def:
      lang: Xml
      file: (layout).xml
    use:
      lang: Java
      file: '*.java'
      identifier: (layout)Binding
    subrules:
      - def:
          identifier: '@+id\/(name)'
        use:
          identifier: R.id.(name)

bug: the modifier may change during rename, possibly caused by auto

Currently there are erroneous cases like this in rename (snake became camel):

def://app/src/main/res/layout/item_everyday_three.xml[language=FILE]//layout/LinearLayout/LinearLayout/android:id[language=XML]//@+id\\/ll_three_one_three[language=ANY]
def://app/src/main/res/layout/item_everyday_three.xml[language=FILE]//layout/LinearLayout/LinearLayout/android:id[language=XML]//@+id\\/llThreeOneThird[language=ANY]

The corresponding rule is the following:

r-dataBinding:
    use:
      lang: JAVA
      file: '(&javaFile).java'
      identifier: (&bindingVar).(name:camel)
    def:
      lang: XML
      file: (&layoutName).xml
      identifier: android:id
      inline:
        identifier: '@+id\/(name)'

The corresponding XLL is:

r-dataBinding
def://app/src/main/res/layout/item_everyday_three.xml[language=FILE]//layout/LinearLayout/LinearLayout/android:id[language=XML]//@+id\\/ll_three_one_three[language=ANY]
use://app/src/main/java/com/example/jingbin/cloudreader/adapter/EverydayAdapter.java[language=FILE]//EverydayAdapter/ThreeHolder/onBindingView/setOnClick/binding.llThreeOneThree[language=JAVA]
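
The following is an added example, written in Python and not code from the Code2Graph project. It covers two of the issues above: it validates the object-style rule config proposed in the refactor issue (explicit def/use sides with nested subrules), and it shows the rename behaviour the bug report asks for, where the (name:camel) modifier is applied only on the side whose pattern declares it. The rule dicts are constructed Python equivalents of the YAML quoted in the issues; the assumption that (name:camel) means "the camelCase rendering of a snake_case name" and the regex translation of capture patterns are mine, not the project's.

```python
"""Added example, not Code2Graph's own code. Validates object-style rules
(explicit def/use sides, nested subrules) and propagates a rename across a
def/use link so that a (name:camel) modifier is applied only on the side
whose pattern declares it. Assumption: (name:camel) is the camelCase
rendering of a snake_case canonical name."""
import re

# Constructed Python equivalent of the YAML r-dataBinding rule in the bug report.
RULE = {
    "use": {"lang": "JAVA", "file": "(&javaFile).java",
            "identifier": "(&bindingVar).(name:camel)"},
    "def": {"lang": "XML", "file": "(&layoutName).xml",
            "identifier": "android:id",
            "inline": {"identifier": "@+id\\/(name)"}},
}

# Constructed Python equivalent of the object-style rule proposed in the refactor issue.
REFACTOR_RULE = {
    "def": {"lang": "Xml", "file": "(layout).xml"},
    "use": {"lang": "Java", "file": "*.java", "identifier": "(layout)Binding"},
    "subrules": [{"def": {"identifier": "@+id\\/(name)"},
                  "use": {"identifier": "R.id.(name)"}}],
}

SIDES = ("def", "use")
# (name), (&ref) and (name:camel) captures inside a pattern string
CAPTURE = re.compile(r"\((&?)(\w+)(?::(\w+))?\)")


def validate_rule(rule, path="rule"):
    """Object-style rules must name both sides; subrules are checked recursively."""
    errors = []
    for side in SIDES:
        spec = rule.get(side)
        if spec is None:
            errors.append(f"{path}: missing '{side}' side")
        elif not any(k in spec for k in ("file", "identifier", "inline")):
            errors.append(f"{path}.{side}: no file or identifier pattern")
    for i, sub in enumerate(rule.get("subrules", [])):
        errors.extend(validate_rule(sub, f"{path}.subrules[{i}]"))
    return errors


def side_patterns(rule, side):
    """Identifier patterns of one side, outermost first (inline value last)."""
    spec = rule[side]
    candidates = (spec.get("identifier"), spec.get("inline", {}).get("identifier"))
    return [p for p in candidates if p]


def side_modifier(rule, side, capture):
    """Modifier a side declares for a capture; '' when the capture is plain there."""
    for pattern in side_patterns(rule, side):
        for _ref, name, mod in CAPTURE.findall(pattern):
            if name == capture:
                return mod
    raise KeyError(f"({capture}) is not declared on the {side} side")


def pattern_to_regex(pattern):
    """'(&bindingVar).(name:camel)' -> regex with one named group per capture.
    The escaped slash in '@+id\\/(name)' is unescaped before matching."""
    parts, pos = [], 0
    for m in CAPTURE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()].replace("\\/", "/")))
        parts.append(f"(?P<{m.group(2)}>\\w+)")
        pos = m.end()
    parts.append(re.escape(pattern[pos:].replace("\\/", "/")))
    return re.compile("".join(parts) + "$")


def extract(rule, side, text):
    """Capture values from a concrete identifier text on one side, or None."""
    pattern = side_patterns(rule, side)[-1]  # XML attribute value, or the Java expression
    m = pattern_to_regex(pattern).match(text)
    return m.groupdict() if m else None


def to_camel(snake):
    head, *rest = snake.split("_")
    return head + "".join(w[:1].upper() + w[1:] for w in rest)


def to_snake(camel):
    return re.sub(r"(?<!^)(?=[A-Z])", "_", camel).lower()


RENDER = {"": lambda s: s, "camel": to_camel}  # unknown modifiers fail loudly


def propagate_rename(rule, capture, new_value):
    """New value for both sides: the canonical snake_case form rendered with
    each side's own modifier, so :camel never leaks onto the def side."""
    mods = {side: side_modifier(rule, side, capture) for side in SIDES}
    canonical = to_snake(new_value) if "camel" in mods.values() else new_value
    return {side: RENDER[mods[side]](canonical) for side in SIDES}


def is_consistent(rule, def_text, use_text, capture="name"):
    """Detect the mismatch reported above: both sides must equal what a
    rename to the def-side value would produce."""
    d, u = extract(rule, "def", def_text), extract(rule, "use", use_text)
    if d is None or u is None:
        return False
    return propagate_rename(rule, capture, d[capture]) == {"def": d[capture], "use": u[capture]}
```

With the rule from the bug report, `is_consistent(RULE, "@+id/ll_three_one_three", "binding.llThreeOneThree")` holds, while the pair the report shows after the faulty rename (`@+id/llThreeOneThird` on the def side) is flagged, because the def side carries no modifier and therefore must stay in the canonical snake_case form.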

feat: enhancement of gen.java

Based on the problems found so far, Generator Java and the URI need to be enhanced, mainly by adding the ability to locate nesting levels.
For example, for the code:

public class A {
	private int a;
	public A(int a) {
		this.a = a;
	}
	
	public static void main(String[] args) {
		int a = 0;
		A aObj = new A(a);
		return;
	}
}

For field a, URI: def://a.java//A/a
For local var a, URI: def://a.java//A/main/a
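
The following is an added example in Python, not code from the Code2Graph project. It parses the layered node URIs in the form shown in the issues above (file layer, then nested element layers, each optionally tagged `[language=X]`) and then uses the nesting chain to resolve a reference to `a` to either the field or the local variable of the Java snippet. The grammar is an assumption read off the page's own URIs: layers are separated by `//`, segments by `/`, and `\/` (or the `\\/` as dumped in the XLL lines) is a literal slash; the sample inputs are constructed from the URIs quoted above.

```python
"""Added example, not Code2Graph's own code: a parser for the layered node
URIs shown in the issues, plus innermost-scope resolution for the gen.java
enhancement. Assumed grammar: <def|use>://<layer>//<layer>..., each layer a
'/'-separated path whose last segment may carry [language=X], with '\\/' (or
the dumped '\\\\/') meaning a literal slash rather than a separator."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

LANG_SUFFIX = re.compile(r"\[language=([A-Za-z]+)\]$")

# Constructed sample inputs: the XLL def node from the bug report above and
# the two URIs from the gen.java issue.
SAMPLE_XML_DEF = (r"def://app/src/main/res/layout/item_everyday_three.xml[language=FILE]"
                  r"//layout/LinearLayout/LinearLayout/android:id[language=XML]"
                  r"//@+id\\/ll_three_one_three[language=ANY]")
FIELD_A = "def://a.java//A/a"
LOCAL_A = "def://a.java//A/main/a"


@dataclass(frozen=True)
class Layer:
    segments: Tuple[str, ...]
    language: Optional[str]


@dataclass(frozen=True)
class NodeURI:
    protocol: str              # "def" or "use"
    layers: Tuple[Layer, ...]  # file layer first, then nested element layers


def make_layer(segments):
    """Strip an optional [language=X] tag from a layer's last segment."""
    last = segments[-1]
    m = LANG_SUFFIX.search(last)
    if m:
        segments = segments[:-1] + [last[:m.start()]]
    return Layer(tuple(segments), m.group(1) if m else None)


def parse_uri(uri):
    """Single pass over the text so that escaped slashes never split a segment."""
    protocol, sep, rest = uri.partition("://")
    if sep != "://" or protocol not in ("def", "use") or not rest:
        raise ValueError(f"not a node URI: {uri!r}")
    layers, segments, cur, i = [], [], [], 0
    while i < len(rest):
        if rest[i] == "\\":
            j = i
            while j < len(rest) and rest[j] == "\\":
                j += 1
            if j < len(rest) and rest[j] == "/":  # '\/' or '\\/': literal slash
                cur.append("/")
                i = j + 1
            else:                                 # bare backslashes stay literal
                cur.append(rest[i:j])
                i = j
        elif rest.startswith("//", i):            # layer boundary
            segments.append("".join(cur))
            layers.append(make_layer(segments))
            segments, cur, i = [], [], i + 2
        elif rest[i] == "/":                      # segment boundary
            segments.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(rest[i])
            i += 1
    segments.append("".join(cur))
    layers.append(make_layer(segments))
    return NodeURI(protocol, tuple(layers))


def build_uri(protocol, file_path, scope_path):
    """Compose def://a.java//A/main/a from a file and its nesting chain."""
    escaped = [s.replace("/", "\\/") for s in scope_path]
    return f"{protocol}://{file_path}//" + "/".join(escaped)


def enclosing_scope(uri):
    """Scope that declares the node: the element layer minus its last segment."""
    return uri.layers[-1].segments[:-1]


def resolve(name, file_path, scope, declarations):
    """Innermost-scope lookup: a reference to `name` made inside `scope` binds
    to the closest enclosing declaration, so `a` in main is the local, not
    the field, while `a` directly inside class A is the field."""
    by_key = {(d.layers[0].segments, d.layers[-1].segments): d for d in declarations}
    file_segments = tuple(file_path.split("/"))
    for depth in range(len(scope), -1, -1):
        d = by_key.get((file_segments, tuple(scope[:depth]) + (name,)))
        if d is not None:
            return d
    return None
```

`parse_uri(SAMPLE_XML_DEF)` yields three layers (FILE, XML, ANY) and keeps `@+id/ll_three_one_three` as one segment; for the Java snippet, `resolve("a", "a.java", ("A", "main"), ...)` returns the `A/main/a` declaration and the same lookup from scope `("A",)` returns `A/a`.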

CVE-2021-36090 (High) detected in commons-compress-1.20.jar

CVE-2021-36090 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: Code2Graph/client/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210816014708_PTEZBB/downloadResource_SMPNAH/20210816015442/commons-compress-1.20.jar

Dependency Hierarchy:

  • client-1.0 (Root Library)
    • diff-1.0
      • gumtree-spoon-ast-diff-1.34.jar
        • spoon-core-9.0.0.jar
          • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 1321c443be3c5e8f97221bdffb8d95eda0aa3c94

Found in base branch: main

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21
