Merge pull request diffblue#569 from diffblue/webgoat-demo-working-branch

[SEC-638] [SEC-639] Webgoat demo working branch

Author: owen-jones-diffblue

driver/run.py

@@ -15,14 +15,15 @@
 def _get_my_dir(): return os.path.dirname(os.path.realpath(__file__))
 
 
-def _get_common_libraries():
+def _get_common_libraries(diffblue_models_library_location):
 
     def get_benchmark_library_dir():
         return os.path.abspath(os.path.join(_get_my_dir(), "../benchmarks/LIBRARIES"))
 
-    def get_diffblue_models_library_props():
+    def get_diffblue_models_library_props(pathname):
         props = {"diffblue_models_library": {"paths": [], "error": None}}
-        pathname = os.path.join(get_benchmark_library_dir(), "models", "model", "target", "models.jar")
+        if pathname is None:
+            pathname = os.path.join(get_benchmark_library_dir(), "models", "model", "target", "models.jar")
         if os.path.isfile(pathname):
             props["diffblue_models_library"]["paths"].append(pathname)
         else:
@@ -82,7 +83,7 @@ def get_javax_xxe_library_props():
         return props
 
     result = {}
-    result.update(get_diffblue_models_library_props())
+    result.update(get_diffblue_models_library_props(diffblue_models_library_location))
     result.update(get_java_runtime_library())
     result.update(get_apache_tomcat_props())
     result.update(get_spring_framework_props())
@@ -162,6 +163,9 @@ def create_parser():
     parser.add_argument("--use-models-library", action="store_true",
                         help="Add the Diffblue Models Library's JAR file to the classpath of the security-scanner. "
                              "It will be put in front of the JARs of the analysed web application.")
+    parser.add_argument("--models-library-location", type=str,
+                        help="Absolute path of the models library. Only works if --use-models-library is set. (Will be "
+                             "removed soon)")
     parser.add_argument("--use-java-runtime-library", action="store_true",
                         help="Add the Java standard library to the classpath. First, there will be attempt to add "
                              "OpenJDK version of the library. If it is not found (e.g. not installed), then the "
@@ -428,7 +432,7 @@ def __main():
               analyser.get_missing_binary_error_message())
         return
 
-    common_libraries = _get_common_libraries()
+    common_libraries = _get_common_libraries(cmdline.models_library_location)
 
     if cmdline.use_models_library:
         if common_libraries["diffblue_models_library"]["error"] is not None:

platform-image-builder/Dockerfile

@@ -9,4 +9,4 @@ RUN apt-get install -y cmake g++ flex bison doxygen patch python3
 
 ADD build-security-analyzer.sh /build-security-analyzer.sh
 
-ENTRYPOINT bash /build-security-analyzer.sh
+ENTRYPOINT ["/build-security-analyzer.sh"]

platform-image-builder/README

@@ -3,9 +3,9 @@ expected by Diffblue's platform and export a tarball suitable for building the
 security scanner platform image.
 
 Pre-requisite: the deeptest-base Docker image must be available to build
-against. If it isn't already present (try
-`docker image inspect eu.gcr.io/diffblue-cr/deeptest-base`),
-build it by:
+against. If it isn't already present, i.e. 
+`docker image inspect eu.gcr.io/diffblue-cr/deeptest-base` does not give any
+output, build it by:
 
 $ git clone https://github.com/diffblue/platform
 $ cd platform/docker/docker-jobs
@@ -17,6 +17,8 @@ $ cd $REPO_ROOT/platform-image-builder
 $ mkdir -p /tmp/output-dir # for example
 $ ./make-security-release.sh /tmp/output-dir [branch-or-commit]
 
+'branch-or-commit' refers to the github repository, not your local repository.
+
 If 'branch-or-commit' is not specified we'll build a release tarball from the
 tip of 'develop'.
 

platform-image-builder/build-security-analyzer.sh

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Runs inside the security-analyzer-builder container.
 
 set -e
@@ -9,9 +11,9 @@ fi
 
 cd /
 git clone [email protected]:diffblue/security-scanner
-if [ $# -eq 1 ]; then git checkout $1; fi
 
 cd security-scanner
+if [ $# -eq 1 ]; then git checkout $1; fi
 git submodule update --init
 
 mkdir build
@@ -28,6 +30,7 @@ mkdir /tmp/release/lib
 cp dist/lib/libboost* /tmp/release/lib/
 cp -r dist/lib/driver/*.py /tmp/release
 cp src/java-class-info/default_config.json /tmp/release
+cp benchmarks/LIBRARIES/models/model/target/models.jar /tmp/release
 
 cd /tmp/release
 tar cvzf /output/release.tar.gz .

platform-image-builder/make-security-release.sh

@@ -10,7 +10,7 @@ if [ $# -lt 1 ]; then
   exit 1
 fi
 
-docker image inspect security-analyzer-builder:latest >/dev/null 2>&1 || ./create-builder-image.sh
+./create-builder-image.sh
 
 mkdir -p $1