Merge pull request diffblue#345 from diffblue/owen-jones-diffblue/improve-pipeline-scripts

SEC-253: Improve pipeline scripts

Author: owen-jones-diffblue

benchmarks/GENUINE/Sakai_rules.json

@@ -1,107 +1,96 @@
-[
-  {
-    "comment": "Potentially tained data was returned from the called function.",
-    "class": "TaintSource",
-    "method": "get_tainted_int:()I",
-    "result": {
-      "location": "return_value",
-      "taint": "<TaintSource.get_tainted_int@Integer>"
-    }
-  },
-  {
-    "comment": "Potentially tained data was returned from the tainted input stream.",
-    "class": "TaintedInputStream",
-    "method": "read:([BII)I",
-    "result": {
-      "location": "arg1",
-      "taint": "<TaintedInputStream.read@byte[]>"
-    }
-  },
-  {
-    "comment": "Conversion of an array of potentially tainted bytes to a string.",
-    "class": "java.lang.String",
-    "method": "<init>:([BII)V",
-    "input": {
-      "location": "arg1",
-      "taint": "<TaintedInputStream.read@byte[]>"
-    },
-    "result": {
-      "location": "arg0",
-      "taint": "<toString(TaintedInputStream.read@byte[])@String>"
-    }
-  },
-  {
-    "comment": "Appending a potentially tainted string into the StringBuilder instance. Making the builder tainted.",
-    "class": "java.lang.StringBuilder",
-    "method": "append:(Ljava/lang/String;)Ljava/lang/StringBuilder;",
-    "input": {
-      "location": "arg1",
-      "taint": "<toString(TaintedInputStream.read@byte[])@String>"
-    },
-    "result": {
-      "location": "arg0",
-      "taint": "<StringBuilder.append(toString(TaintedInputStream.read@byte[]))@StringBuilder>"
-    }
-  },
-  {
-    "comment": "Conversion of potentially tainted data in the StringBuilder to a potentially tainted string.",
-    "class": "java.lang.StringBuilder",
-    "method": "toString:()Ljava/lang/String;",
-    "input": {
-      "location": "arg0",
-      "taint": "<StringBuilder.append(toString(TaintedInputStream.read@byte[]))@StringBuilder>"
-    },
-    "result": {
-      "location": "return_value",
-      "taint": "<toString(TaintedInputStream.read@byte[])@String>"
-    }
-  },
-  {
-    "comment": "Inserting a potentially tainted string into a HashMap container. Making the container tainted.",
-    "class": "java.util.HashMap",
-    "method": "put:(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;",
-    "input": {
-      "location": "arg2",
-      "taint": "<toString(TaintedInputStream.read@byte[])@String>"
-    },
-    "result": {
-      "location": "arg0",
-      "taint": "<HashMap.put(toString(TaintedInputStream.read@byte[]))@HashMap>"
-    }
-  },
-  {
-    "comment": "Retrieving a potentially tainted string from a HashMap container.",
-    "class": "java.util.HashMap",
-    "method": "get:(Ljava/lang/Object;)Ljava/lang/Object;",
-    "input": {
-      "location": "arg0",
-      "taint": "<HashMap.put(toString(TaintedInputStream.read@byte[]))@HashMap>"
-    },
-    "result": {
-      "location": "return_value",
-      "taint": "<toString(TaintedInputStream.read@byte[])@String>"
-    }
-  },
-  {
-    "comment": "Retrieving a potentially tainted character from a potentially tainted string.",
-    "class": "java.lang.String",
-    "method": "charAt:(I)C",
-    "input": {
-      "location": "arg0",
-      "taint": "<toString(TaintedInputStream.read@byte[])@String>"
-    },
-    "result": {
-      "location": "return_value",
-      "taint": "<charAt(toString(TaintedInputStream.read@byte[]))@Character>"
-    }
-  },
-  {
-    "comment": "Writing a potentially tainted data into the output",
-    "class": "TaintSink",
-    "method": "receive_taint:(C)V",
-    "sinkTarget": {
-      "location": "arg0",
-      "taint": "<charAt(toString(TaintedInputStream.read@byte[]))@Character>"
-    }
-  }
-]
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Streams returned by getInputStream on ServletRequest are tainted",
+        "class": "javax.servlet.http.HttpServletRequest",
+        "method": "getInputStream:()Ljava/io/InputStream;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted stream"
+        }
+      },
+      {
+        "comment": "Read from tainted stream gives tainted string",
+        "class": "java.io.InputStream",
+        "method": "read:([BII)I",
+        "input": {
+          "location": "this",
+          "taint": "Tainted stream"
+        },
+        "result": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        }
+      },
+      {
+        "comment": "Construction from an array of tainted bytes gives a tainted string",
+        "class": "java.lang.String",
+        "method": "<init>:([BII)V",
+        "input": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted string"
+        }
+      },
+      {
+        "comment": "Bytes obtained from a tainted string are tainted.",
+        "class": "java.lang.String",
+        "method": "getBytes:()[B",
+        "input": {
+          "location": "this",
+          "taint": "Tainted string"
+        },
+        "result": {
+          "location": "returns",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        }
+      },
+      {
+        "comment": "Streams returned by getOutputStream on ServletResponse are vulnerable",
+        "class": "javax.servlet.http.HttpServletResponse",
+        "method": "getOutputStream:()Ljava/io/OutputStream;",
+        "result": {
+          "location": "returns",
+          "vulnerability": "Vulnerable stream"
+        }
+      },
+      {
+        "comment": "Writing potentially tainted bytes (in a given range) to a vulnerable stream is a sink.",
+        "class": "java.io.OutputStream",
+        "method": "write:([BII)V",
+        "input": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        },
+        "sinkTarget": {
+          "location": "this",
+          "vulnerability": "Vulnerable stream"
+        }
+      },
+      {
+        "comment": "Writing potentially tainted bytes (the whole array) to a vulnerable stream is a sink.",
+        "class": "java.io.OutputStream",
+        "method": "write:([B)V",
+        "input": {
+          "location": "arg1",
+          "namespace": "com.diffblue.security.specialized",
+          "taint": "Tainted byte array"
+        },
+        "sinkTarget": {
+          "location": "this",
+          "vulnerability": "Vulnerable stream"
+        },
+        "message": "Unescaped HTML potentially written back to browser"
+      }
+    ]
+}
+

benchmarks/LIBRARIES/.gitignore

@@ -1,3 +1,4 @@
 apache-tomcat-9
 openjdk-8
+spring-framework
 

benchmarks/LIBRARIES/README.txt

@@ -56,3 +56,51 @@ Alternative installation:
 2. Unpack the downloaded ZIP file into this directory and rename its root
    directory to: apache-tomcat-9
 
+
+(3) Spring framework
+--------------------
+
+I. Installation from prebuilt package:
+
+1. Download Spring framework binary (of a desired version) from: 
+        https://repo.spring.io/release/org/springframework/spring/
+   NOTE: Security scanner currently do not detect version used by an
+         analysed web app. So, you need to manually check for the version.
+         However, default version we take is 4.3.13:
+            https://repo.spring.io/release/org/springframework/spring/4.3.13.RELEASE/spring-framework-4.3.13.RELEASE-dist.zip
+2. Unpack the downloaded ZIP file to:
+        <security-scanner-root-dir>/benchmarks/LIBRARIES
+   That should lead to creation of a directory:
+        <security-scanner-root-dir>/benchmarks/LIBRARIES/spring-framework<some-suffix-with-version>
+   Rename the directory to:
+        <security-scanner-root-dir>/benchmarks/LIBRARIES/spring-framework
+   The rename is necessary, because our python script currently assumes the
+   framework is on that path.
+
+II. Install from sources (won't work, if you use 'encryptfs' file system).
+
+1. Download Spring framework source (of a desired version) from:
+        https://github.com/spring-projects/spring-framework/releases
+   NOTE: Security scanner currently do not detect version used by an
+         analysed web app. So, you need to manually check for the version.
+         However, default version we take is 4.3.13:
+            https://github.com/spring-projects/spring-framework/releases/tag/v4.3.13.RELEASE
+   NOTE: Alternatively, you may consider to clone the repository:
+            git clone [email protected]:spring-projects/spring-framework.git
+         into the directory:
+            <security-scanner-root-dir>/benchmarks/LIBRARIES/spring-framework
+         In this case skip the step 2 below.
+2. Unpack the downloaded ZIP file to:
+        <security-scanner-root-dir>/benchmarks/LIBRARIES
+   That should lead to creation of a directory:
+        <security-scanner-root-dir>/benchmarks/LIBRARIES/spring-framework<some-suffix-with-version>
+   Rename the directory to:
+        <security-scanner-root-dir>/benchmarks/LIBRARIES/spring-framework
+   The rename is necessary, because our python script currently assumes the
+   framework is on that path.
+3. Open a terminal and type there:
+        cd <security-scanner-root-dir>/benchmarks/LIBRARIES/spring-framework
+        ./gradlew build
+   NOTE: Make sure that 'Gradle' build system and its wrapper script is installed
+         on your computer.
+