Propagation of library JAR files to classpath

Author: marek-trtik

driver/mkbench.py

@@ -70,7 +70,7 @@ def _read_info_of_class_files(class_files, temp_dir, verbosity):
     return classes_info, java_class_info_call_duration
 
 
-def collect_java_binaries(app_binary_dirs, temp_dir, output_json, verbosity):
+def collect_java_binaries(app_binary_dirs, list_of_classpaths, temp_dir, output_json, verbosity):
     prof_start_time = time.time()
     prof = dict()
 
@@ -164,7 +164,10 @@ def collect_java_binaries(app_binary_dirs, temp_dir, output_json, verbosity):
     if not os.path.isdir(os.path.dirname(output_json)):
         os.makedirs(os.path.dirname(output_json))
     with open(output_json, "w") as ofile:
-        ofile.write(json.dumps({"jar": java_binaries.jar_files}, sort_keys=True, indent=4))
+        ofile.write(json.dumps({
+            "jar": sorted(java_binaries.jar_files),
+            "classpath": sorted([p for p in list_of_classpaths if os.path.exists(p)])
+            }, sort_keys=True, indent=4))
 
     # Lastly, we complete and return statistics from this stage.
     prof["num_jars_final"] = len(java_binaries.jar_files)

driver/run.py

@@ -28,6 +28,9 @@ def __parse_cmd_line():
                          help="The install directory of the Java web application to be analysed. Under that "
                               "directory (directly or indirectly) there should be all binaries files "
                               "(WAR/JAR/CLASS files) of that wab application.")
+    parser.add_argument("-L", "--libraries", nargs='+', default=[],
+                        help="A list of disk paths to libraries you want to include into class path. A path "
+                             "can either be a path-name of a JAR file, or a directory.")
     parser.add_argument("-R", "--results-dir", type=str,
                          help="A directory into which all results from the analysis of the given Java web applicaton "
                               "will be written.")
@@ -104,6 +107,7 @@ def evaluate(cmdline):
     classes_jar_pathname = os.path.abspath(os.path.join(cmdline.results_dir, "program.json"))
     prof["collect_java_binaries"] = mkbench.collect_java_binaries(
         input_search_dirs,
+        cmdline.libraries,
         cmdline.temp_dir,
         classes_jar_pathname,
         cmdline.verbosity

src/taint-analysis/taint_config.cpp

@@ -191,6 +191,39 @@ bool taint_configt::load(message_handlert &handler)
   return false;
 }
 
+struct cmdline_updatert : public cmdlinet
+{
+  void add_to_classpaths(const std::vector<std::string> &classpaths)
+  {
+    PRECONDITION(!classpaths.empty());
+    int idx=getoptnr("classpath");
+    if(idx==-1)
+    {
+      options.push_back({});
+      idx=int(options.size()-1UL);
+    }
+    if(options.at(idx).isset==false)
+    {
+      options.at(idx).isset=true;
+      if(options.at(idx).values.empty())
+        options.at(idx).values.push_back("");
+    }
+    std::string &dst_classpaths = options.at(idx).values.front();
+    for(const auto &classpath : classpaths)
+    {
+      if(!dst_classpaths.empty())
+        dst_classpaths+=
+#ifdef _WIN32
+          ';'
+#else
+          ':'
+#endif
+          ;
+      dst_classpaths+=classpath;
+    }
+  }
+};
+
 void taint_build_cmdline_from_config(
   const std::string &cfg_file_path,
   messaget * const logger,
@@ -213,5 +246,12 @@ void taint_build_cmdline_from_config(
     return;
   for(auto const &jar : cfg["jar"].array)
     cmdline.args.push_back(jar.value);
+  if(!cfg["classpath"].array.empty())
+  {
+    std::vector<std::string> classpaths;
+    for(auto const &classpath : cfg["classpath"].array)
+      classpaths.push_back(classpath.value);
+    static_cast<cmdline_updatert*>(&cmdline)->add_to_classpaths(classpaths);
+  }
   cmdline.set("lazy-methods");
 }