Source-code security checking of a Java project with Xcalscan RuleBuild (Gradle)

Xcalscan can use an RBC rule set to tag and track the parameters and return values of a project's API methods and check whether the resulting data flows match the intended business logic, which is how it performs source-code security checks on Java projects. This article walks through a Gradle-built project; the rule sheet marks a user-controlled value as tainted and checks that it has been sanitized before reaching a risky sink.

1. Environment

1.1 Ubuntu 16.04
1.2 Java 1.8
1.3 Gradle, with the XVSA Gradle plugin applied to the project
1.4 XcalScan 1.2

2. Edit the Gradle project files

2.1 Prepare the Gradle project

Before reading this article, see "Scanning a Java project with Xcalscan":
https://blog.csdn.net/testshaw/article/details/107376627

2.2 Edit the test program

$ cd ~/gradledemo/
$ vim src/main/java/gradledemo/App.java
/*
 * This Java source file was generated by the Gradle 'init' task.
 */
package gradledemo;

public class App {
    public String getGreeting() {
        return "Hello world.";
    }

    public static void main(String[] args) {
       // System.out.println(new App().getGreeting());
       new App().test();
    }

    public String readUserInput() {
        // ... read something that is user controllable (placeholder body: the taint source)
        return "this value only serves to be a place-holder".toString();
    }

    public void conductRiskyOperation(String input) {
        // ... do something risky with the input (placeholder body: the sink the rule watches)
        System.out.println(input);
    }

    public void test() {
        String val = readUserInput();
        conductRiskyOperation(val);
    }
}

2.3 Generate the method-name information for the build (the MI file)

Generate method information including the dependency libraries:

./gradlew clean xvsa -PXVSA_JFE_SKIP=false -PXVSA_JFE_OPT="-dumpMethodName=true,-v" -PXVSA_LIB_GEN=true -PXVSA_HOME=<XVSA_INSTALL_DIR>

Generate method information for the current project only:

./gradlew xvsa -PXVSA_JFE_SKIP=false -PXVSA_JFE_OPT="-dumpMethodName=true,-v,-libGenOnly=true,-VTABLE=true" -PXVSA_HOME=<XVSA_INSTALL_DIR>

The command actually run here (with its output):

$ ./gradlew clean xvsa -PXVSA_JFE_SKIP=false -PXVSA_JFE_OPT="-dumpMethodName=true,-v,-VTABLE=true,-libGenOnly=true" -PXVSA_LIB_GEN=true -PXVSA_HOME=/home/shaw/xvsa/install
Starting a Gradle Daemon (subsequent builds will be faster)

> Configure project :
[XVSA plugin]: Apply to project gradledemo

> Task :xvsa
[01:59:51 DEBUG io.xcalibyte.B2WFrontEnd] [initLoggers] - Log level set to : ALL
[01:59:51 DEBUG io.xcalibyte.B2WFrontEnd] [run] - Soot args : -process-dir /home/uftp/02_opensource/02_java/gradledemo/build/classes/java/main -cp :/home/uftp/02_opensource/02_java/gradledemo/build/classes/java/main:/home/shaw/.gradle/caches/modules-2/files-2.1/com.google.guava/failureaccess/1.0.1/1dcf1de382a0bf95a3d8b0849546c88bac1292c9/failureaccess-1.0.1.jar:/home/shaw/.gradle/caches/modules-2/files-2.1/org.checkerframework/checker-qual/2.11.1/8c43bf8f99b841d23aadda6044329dad9b63c185/checker-qual-2.11.1.jar:/home/shaw/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/29.0-jre/801142b4c3d0f0770dd29abea50906cacfddd447/guava-29.0-jre.jar:/home/uftp/02_opensource/02_java/gradledemo/build/classes/java/main:/home/shaw/.gradle/caches/modules-2/files-2.1/com.google.code.findbugs/jsr305/3.0.2/25ea2e8b0c338a877313bd4672d3fe056ea78f0d/jsr305-3.0.2.jar:/home/shaw/.gradle/caches/modules-2/files-2.1/com.google.errorprone/error_prone_annotations/2.3.4/dac170e4594de319655ffb62f41cbd6dbb5e601e/error_prone_annotations-2.3.4.jar:/home/shaw/.gradle/caches/modules-2/files-2.1/com.google.j2objc/j2objc-annotations/1.3/ba035118bc8bac37d7eff77700720999acd9986d/j2objc-annotations-1.3.jar:/home/shaw/.gradle/caches/modules-2/files-2.1/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/b421526c5f297295adef1c886e5246c39d4ac629/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar -pp -allow-phantom-refs -show-start-end -f J -keep-line-number -keep-offset -w -p cg enabled:false -p wjop enabled:false -p wjap enabled:false -p jtp enabled:false -p jop enabled:false -p jap enabled:false -p bb enabled:false -p tag enabled:false -allow-phantom-elms -library-only-mode -p jb.dtr enabled:false -p jb.ese enabled:false -p jb.a enabled:false -p jb.ule enabled:false -p jb.cp-ule enabled:false -p jb.tr ignore-nullpointer-dereferences:true -p jb use-original-names:true -include-all -x *
[01:59:51 DEBUG io.xcalibyte.B2WFrontEnd] [run] - Finished loading library macbcb
Soot started on Thu Jul 16 01:59:51 PDT 2020
[01:59:55 DEBUG io.xcalibyte.B2WGenerator] [internalTransform] - [B2W 0/1] Analyze class:gradledemo.App
[01:59:55 INFO  io.xcalibyte.B2WGenerator] [visit] -   Visit Class: [gradledemo.App]
[01:59:56 INFO  io.xcalibyte.SymbolHandler$ClassInfo] [<init>] - [ClassInfo] finishing : java.lang.Object's size is 8

[01:59:56 INFO  io.xcalibyte.SymbolHandler$ClassInfo] [] - [ClassInfo] finishing : gradledemo.App's size is 8

[01:59:56 INFO  io.xcalibyte.SymbolHandler$ClassInfo] [<init>] - [ClassInfo] finishing : java.lang.Class's size is 104

[01:59:56 DEBUG io.xcalibyte.SymbolInitializer] [initReflectionData] - Initilializing byte array = [3, 0]
[01:59:56 DEBUG io.xcalibyte.LibraryGenerationHelper] [dumpVTable] - Dump vtables
[01:59:56 DEBUG io.xcalibyte.LibraryGenerationHelper] [dumpVTable] - Writing to file /home/uftp/02_opensource/02_java/gradledemo/build/target/gradledemo.o.vtable
[01:59:56 DEBUG io.xcalibyte.LibraryGenerationHelper] [dumpVTable] - Class : gradledemo.App
[01:59:56 DEBUG io.xcalibyte.LibraryGenerationHelper] [dumpMethodName] - Writing to file /home/uftp/02_opensource/02_java/gradledemo/build/target/gradledemo.o.vtable.mi
[01:59:56 DEBUG io.xcalibyte.ResourceMonitor] [dumpAllUsage] - Resource Monitor not Enabled
Skipping V-Table generation for libraries

Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/6.5/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 17s
3 actionable tasks: 3 executed

2.4 Inspect the MI file

Because the run above passed -libGenOnly=true, the log ends with "Skipping V-Table generation for libraries" and the MI file lists only the methods of gradledemo.App. The MI file is written under build/target/:

$ ls build/target/
gradledemo.dir.list  gradledemo.lib.list  gradledemo.o  gradledemo.o.vtable  gradledemo.o.vtable.mi
$ vim build/target/gradledemo.o.vtable.mi
<gradledemo.App: void <init>()>|_ZN10gradledemo3AppC1Ev|V|0|C
<gradledemo.App: java.lang.String getGreeting()>|_ZN10gradledemo3App11getGreetingEJPN4java4lang6StringEv|R|0|I
<gradledemo.App: void main(java.lang.String[])>|_ZN10gradledemo3App4mainEJvP6JArrayIPN4java4lang6StringEE|V|1|S
<gradledemo.App: java.lang.String readUserInput()>|_ZN10gradledemo3App13readUserInputEJPN4java4lang6StringEv|R|0|I
<gradledemo.App: void conductRiskyOperation(java.lang.String)>|_ZN10gradledemo3App21conductRiskyOperationEJvPN4java4lang6StringE|V|1|I
<gradledemo.App: void test()>|_ZN10gradledemo3App4testEJvv|V|0|I
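The MI file is where the exact method signatures for the intent table come from, so it is worth parsing it instead of retyping signatures by hand. The following is an added example (not part of the original post and not Xcalscan's own tooling) that parses the six lines above and cross-checks each line against itself. The meaning of the five '|'-separated columns (Soot method signature, mangled symbol name, return kind V/R, parameter count, method kind C/I/S) is inferred from these six lines and is an assumption, as is decoding the `_ZN...E` nested-name prefix by the Itanium C++ ABI convention the mangled names appear to follow.

```python
"""Parser and consistency checker for a .o.vtable.mi file (added example).

Assumed column layout, inferred from the six lines in the post:
  <Soot method signature>|<mangled symbol>|<return kind>|<param count>|<method kind>
  return kind : V = void, R = reference (object) return
  method kind : C = constructor, I = instance method, S = static method
"""
import re
from dataclasses import dataclass

# Constructed sample: the six lines of build/target/gradledemo.o.vtable.mi from the post.
MI_SAMPLE = """\
<gradledemo.App: void <init>()>|_ZN10gradledemo3AppC1Ev|V|0|C
<gradledemo.App: java.lang.String getGreeting()>|_ZN10gradledemo3App11getGreetingEJPN4java4lang6StringEv|R|0|I
<gradledemo.App: void main(java.lang.String[])>|_ZN10gradledemo3App4mainEJvP6JArrayIPN4java4lang6StringEE|V|1|S
<gradledemo.App: java.lang.String readUserInput()>|_ZN10gradledemo3App13readUserInputEJPN4java4lang6StringEv|R|0|I
<gradledemo.App: void conductRiskyOperation(java.lang.String)>|_ZN10gradledemo3App21conductRiskyOperationEJvPN4java4lang6StringE|V|1|I
<gradledemo.App: void test()>|_ZN10gradledemo3App4testEJvv|V|0|I
"""

# Soot signature shape: <class: return-type name(param, param)>
SIG_RE = re.compile(r"^<(?P<cls>[^:]+): (?P<ret>\S+) (?P<name>[^(]+)\((?P<params>[^)]*)\)>$")


@dataclass
class MiEntry:
    cls: str
    ret_type: str
    name: str
    params: list
    mangled: str
    ret_kind: str
    nparams: int
    method_kind: str


def parse_mi_line(line: str) -> MiEntry:
    """Split one MI line into its five fields and decompose the Soot signature."""
    sig, mangled, ret_kind, nparams, method_kind = line.rstrip("\n").split("|")
    m = SIG_RE.match(sig)
    if m is None:
        raise ValueError(f"unrecognised Soot signature: {sig!r}")
    params = [p.strip() for p in m["params"].split(",") if p.strip()]
    return MiEntry(m["cls"], m["ret"], m["name"], params, mangled,
                   ret_kind, int(nparams), method_kind)


def parse_mi(text: str) -> list:
    return [parse_mi_line(l) for l in text.splitlines() if l.strip()]


def mangled_nested_name(mangled: str) -> list:
    """Decode the _ZN<len><id>...E nested-name prefix of an Itanium-ABI symbol.

    Only the length-prefixed identifiers and the C1 (complete-object constructor)
    marker are handled; the parameter encoding after 'E' is not decoded.
    """
    if not mangled.startswith("_ZN"):
        raise ValueError(f"not a nested name: {mangled!r}")
    parts, i = [], 3
    while i < len(mangled) and mangled[i].isdigit():
        j = i
        while j < len(mangled) and mangled[j].isdigit():
            j += 1
        n = int(mangled[i:j])
        parts.append(mangled[j:j + n])
        i = j + n
    if mangled.startswith("C1", i):
        parts.append("<init>")
    return parts


def check_entry(e: MiEntry) -> list:
    """Inconsistencies between the Soot signature and the other fields (empty = consistent)."""
    problems = []
    if e.nparams != len(e.params):
        problems.append(f"{e.name}: param count {e.nparams} != {len(e.params)} in signature")
    expected_ret = "V" if e.ret_type == "void" else "R"
    if e.ret_kind != expected_ret:
        problems.append(f"{e.name}: return kind {e.ret_kind}, expected {expected_ret}")
    if e.name == "<init>" and e.method_kind != "C":
        problems.append(f"{e.name}: constructor not marked C")
    if mangled_nested_name(e.mangled) != e.cls.split(".") + [e.name]:
        problems.append(f"{e.name}: mangled name does not match signature")
    return problems


def find_method(entries: list, name: str) -> MiEntry:
    """Look up a method by simple name; overloads would have to be told apart by signature."""
    hits = [e for e in entries if e.name == name]
    if len(hits) != 1:
        raise KeyError(f"{name}: {len(hits)} matches")
    return hits[0]


def rule_key(e: MiEntry) -> tuple:
    """The (return kind, param count, method kind) triple for a method, e.g. ('V', 1, 'I')."""
    return (e.ret_kind, e.nparams, e.method_kind)


if __name__ == "__main__":
    entries = parse_mi(MI_SAMPLE)
    for e in entries:
        print(f"{e.cls}.{e.name}{tuple(e.params)} -> {rule_key(e)} {check_entry(e) or 'ok'}")
    sink = find_method(entries, "conductRiskyOperation")
    print("sink row key:", rule_key(sink), "ARG1 type:", sink.params[0])
```

Running the block prints each method with its (return kind, parameter count, method kind) triple; for conductRiskyOperation that is ('V', 1, 'I'), the same triple that leads the RBC_EVAL row xmlread.py echoes in 2.6, so the check catches a rule row whose triple no longer matches the MI file after the code changes.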

2.5 Edit the intent-table rule sheet:

[Figure 1: the intent-table rule sheet (gradledemo.xlsx) edited in a spreadsheet. The RBC_EVAL row it contains (V, 1 argument, instance method, matching conductRiskyOperation's V|1|I entry in the MI file; Is_tag_attr_set on ARG1 for tag "tainted" and attribute "sanitize_path") is echoed by xmlread.py in 2.6 below.]

2.6 Generate the project rule library

Prepare the library-generation script and the rule sheet (the script writes its intermediate files into the working directory, which the log below shows to be rule/):

$ mkdir rule
$ cd rule
$ cp ~/xmlread.py .
$ cp ~/gradledemo.xlsx .

Generate the rule-set .udr file:

$ python3 xmlread.py -i gradledemo.xlsx -o gradledemo.udr -k
INFO:root:RBC_EVAL: row =  [4.0, '', 'V', 1.0, 'I', 'RBC_EVAL', 'Is_tag_attr_set', 'IDS00-J', 'IET_IET', 'ARG1', 'IET_STRING_TAG', 'tainted', 'IET_STRING_ATTR', 'sanitize_path', 'NA', '', 'NA', '', 'NA', '', 'NA', '', ''] ...
INFO:root:Dump rule file gradledemo/App.java ...
INFO:root:Dump dependency dummy java/lang/String.java ...
INFO:root:Working with file : gradledemo/App.java
INFO:root:Javac compiling gradledemo/App.java ...
INFO:root:Visiting dir : /home/uftp/02_opensource/02_java/gradledemo/rule/gradledemo
INFO:root:Xvsa compiling /home/uftp/02_opensource/02_java/gradledemo/rule/gradledemo/App.class ...
INFO:root:Archived gradledemo.udr
$ ls
App.o  conert MI.xlsx  gradledemo  gradledemo.udr  gradledemo.xlsx  io  java  xmlread.py

2.7 Copy the rule-set file into the Xcalscan rules directory

$ cp gradledemo.udr ~/xcalscan/xcalibyte/xcalscan/2020-07-12/data/volume/rules/

3. Scan the project

3.1 Edit the scan configuration file

Add the rule options to xvsaOptions. -udr:/share/rules is the rules directory as the scan service sees it, i.e. the directory the .udr file was copied into in 2.7. Note that "uploadSourceCode": "Y" sends the project source to the Xcalscan server together with the scan job.

"xvsaOptions": "-VSA:cusr=1 -udr:/share/rules -noinline"
$ cd ~/xcalagent/
$ vim workdir/gradledemo.conf
{
    "projectId": "gradledemo",
    "projectName": "gradedemo",
    "projectPath": "/home/uftp/02_opensource/02_java/gradledemo",
    "uploadSourceCode": "Y",
    "scanConfig":{
        "lang":"java",
        "build": "gradle",
        "builderPath": "/home/uftp/02_opensource/02_java/gradledemo/gradlew",
        "jobQueueName": "shaw-agent",
        "xvsaOptions": "-VSA:cusr=1 -udr:/share/rules -noinline"
    }
}

3.2 Start the scan

$ bash ./ci/xcal-scanner.sh gradledemo
Workdir: /home/shaw/agent/xcalagent-2020-07-12/xcalagent
WARNING:root:Jaeger seems missing, skipping Jaeger initialization
2020-07-16 02:31:29,905 - INFO     - process_arguments: begin to process arguments
2020-07-16 02:31:29,906 - TRACE    - command_line_runner  trying to login to server ...
2020-07-16 02:31:29,974 - TRACE    - command_line_runner  login completed.
2020-07-16 02:31:30,014 - TRACE    - command_line_runner  creating project scan task ...
2020-07-16 02:31:30,093 - TRACE    - command_line_runner  preparing the job configuration ...
2020-07-16 02:31:30,094 - TRACE    - command_line_runner  performing offline preprocessing ...
2020-07-16 02:31:30,095 - TRACE    - Starting Java Prescan Task 
2020-07-16 02:31:30,096 - TRACE    - Composed command-line to run : /home/uftp/02_opensource/02_java/gradledemo/gradlew xvsa -PXVSA_JFE_SKIP=true -PXVSA_HOME= -PXVSA_GRADLE_OUTPUT=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/5a2633a1-1408-4fa8-98e4-ef791e581b6e/xvsa-out -PXVSA_SRC_LIST=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/5a2633a1-1408-4fa8-98e4-ef791e581b6e/source_files.json --info  
2020-07-16 02:31:30,096 - TRACE    - Invoking Maven process to files ('invocation line:', '/home/uftp/02_opensource/02_java/gradledemo/gradlew xvsa -PXVSA_JFE_SKIP=true -PXVSA_HOME= -PXVSA_GRADLE_OUTPUT=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/5a2633a1-1408-4fa8-98e4-ef791e581b6e/xvsa-out -PXVSA_SRC_LIST=/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/5a2633a1-1408-4fa8-98e4-ef791e581b6e/source_files.json --info ', 'out:', '/home/shaw/agent/xcalagent-2020-07-12/xcalagent/workdir/jobs/5a2633a1-1408-4fa8-98e4-ef791e581b6e/javapreprocess.log', 'workdir:', '/home/uftp/02_opensource/02_java/gradledemo')
....................................
2020-07-16 02:31:31,810 - TRACE    - [output] Dumping source file
2020-07-16 02:31:31,811 - TRACE    - [output] Dump the source list to file: gradledemo.src.list, with a list of size = 1
2020-07-16 02:31:31,811 - TRACE    - [output] Finishing project gradledemo for no-JFE mode.
2020-07-16 02:31:31,811 - TRACE    - [output] :xvsa (Thread[Execution worker for ':',5,main]) completed. Took 0.04 secs.
2020-07-16 02:31:31,812 - TRACE    - [output] 
2020-07-16 02:31:31,812 - TRACE    - [output] Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0.
2020-07-16 02:31:31,812 - TRACE    - [output] Use '--warning-mode all' to show the individual deprecation warnings.
2020-07-16 02:31:31,814 - TRACE    - [output] See https://docs.gradle.org/6.5/userguide/command_line_interface.html#sec:command_line_warnings
2020-07-16 02:31:31,814 - TRACE    - [output] 
2020-07-16 02:31:31,814 - TRACE    - [output] BUILD SUCCESSFUL in 1s
2020-07-16 02:31:44,832 - TRACE    - command_line_runner  offline preprocessing finished.

4. View the scan results

[Figures 2 and 3: the scan results for gradledemo as shown in the Xcalscan web UI]