eclipse / steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/


using steady cli a2c goal, Cannot create instance of class

momo-tong opened this issue · comments

When I execute the command "java -jar steady-cli-3.2.4-jar-with-dependencies.jar -goal a2c", the error is:

2022-07-19 19:21:12,150 [main] [ERROR] rg.eclipse.steady.cli.VulasCli - Cannot create instance of class [com.sap.psr.vulas.cg.A2CGoal]: com.sap.psr.vulas.cg.A2CGoal

  1. I use Apache Maven 3.6.0 and Java version 1.8.0_333.
  2. I get a successful result for the app goal.

Hi @momo-tong,

Thanks for reporting this issue; it will be fixed in the next release. Until then, you can use the jar steady-cli-3.2.5-SNAPSHOT-jar-with-dependencies, available from Release 3.2.4 [1],[2]. Please extract the jar and place it in the same folder currently containing steady-cli-3.2.4-jar-with-dependencies.jar, and then update the command line to java -jar steady-cli-3.2.5-SNAPSHOT-jar-with-dependencies.jar -goal a2c.

[1] https://github.com/eclipse/steady/releases/tag/release-3.2.4
[2] https://github.com/eclipse/steady/releases/download/release-3.2.4/steady-cli-3.2.5-SNAPSHOT-jar-with-dependencies.jar

@serenaponta Thank you, that resolved my problems. But I still have other questions.

  1. Does the order in which the goals are executed matter, other than app having to be executed before all the other analysis goals?
  2. Do I have to execute the upload goal after the test and instr goals, or is it OK to just execute the upload goal once before the report goal?

By the way, when I use the command "mvn compile org.eclipse.steady:plugin-maven:3.2.4:prepare-agent", there is an error; after just copying lang-java-3.2.4-jar-with-dependencies.jar to ../app/target/dependency, it runs successfully.

Error:
Failed to execute goal org.eclipse.steady.. prepare-agent on project .. :Error during agent preparation: : Could not find agent JAR [../steady-cli/app/target/dependency/lang-java-3.2.4-jar-with-dependencies.jar], ...

Hello @momo-tong,

  1. Yes, the order in which the goals are executed matters. As you wrote, app must be executed first. prepare-agent must precede test, and t2c must follow the collection of traces, i.e., test + upload. Also, instr is meant to collect dynamic traces, but the goal itself is "just" statically instrumenting the application so that the user can then deploy the instrumented artifact, and all the traces collected during its execution will be uploaded to the Steady backend. As a result, instr should only be used when such testing is planned.
  2. upload must follow test, otherwise t2c won't be able to use the dynamic traces as the starting point for the static reachability analysis. Also note that, for multi-module Maven projects, report must be executed in a separate command, after all other goals have been executed (https://eclipse.github.io/steady/user/manuals/analysis/#multi-module-maven-projects).

You can find examples of usage for Maven (involving several goals) at https://eclipse.github.io/steady/user/tutorials/jenkins_howto/.

The error you encountered about the agent JAR required at location app/target/dependency/ is due to a change since version 3.2.3. Since then, the user is expected to copy the JAR to the location mentioned. The JAR can be downloaded from Maven Central (e.g., manually from https://search.maven.org/remotecontent?filepath=org/eclipse/steady/lang-java/3.2.4/lang-java-3.2.4-jar-with-dependencies.jar, or using the maven dependency:get plugin, https://maven.apache.org/plugins/maven-dependency-plugin/get-mojo.html).

Hi @serenaponta,
Thanks for your quick reply and clear explanation. Sorry to bother you again.

There is another error when I use mvn compile org.eclipse.steady:plugin-maven:3.2.4:report :
[ERROR] Failed to execute goal org.eclipse.steady:plugin-maven:3.2.4:report (default-cli) on project log4j-core: The application depends on the following vulnerable archives: [ERROR] 1: [filename=jackson-databind-2.12.4.jar, digest=069206E02E6A696034F06A59D3DDBFBBA5A4CD81, scope=COMPILE, transitive=false, wellknownSha1=true, isAffectedVersionConfirmed=true, bug=CVE-2020-36518] [ERROR] 2: [filename=log4j-api-2.15.0.jar, digest=4A5AA7E55A29391C6F66E0B259D5189AA11E45D0, scope=COMPILE, transitive=false, wellknownSha1=true, isAffectedVersionConfirmed=true, bug=CVE-2021-45105]: Application depends on archives with vulnerable code [ERROR] -> [Help 1]

Using java -jar steady-cli-3.2.5-SNAPSHOT-jar-with-dependencies.jar -goal:report, the error is:
2022-07-22 19:29:02,643 [main] [INFO ] ipse.steady.goals.AbstractGoal - Uploaded goal execution info Exception in thread "main" org.eclipse.steady.goals.ReportException: Application depends on archives with vulnerable code at org.eclipse.steady.goals.ReportGoal.executeTasks(ReportGoal.java:93) at org.eclipse.steady.goals.AbstractGoal.execute(AbstractGoal.java:255) at org.eclipse.steady.goals.AbstractGoal.executeSync(AbstractGoal.java:248) at org.eclipse.steady.cli.VulasCli.main(VulasCli.java:99)

However, both commands can create or update report files, such as vulas-report.json. So I am confused. Am I missing any configuration?

And the order of commands:

 mvn compile org.eclipse.steady:plugin-maven:3.2.4:app
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:a2c
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:prepare-agent
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:prepare-agent
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:test
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:upload
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:instr
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:upload
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:t2c
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:checkcode
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:upload
 mvn compile org.eclipse.steady:plugin-maven:3.2.4:report

Is the order right? Which order gives more accurate answers?
Thank you!

As far as I can tell, you are using Steady correctly and it is behaving as designed: it fails your build if it finds that your project has vulnerable dependencies. It was designed that way because that is the simplest way to integrate it in automated CI pipelines. If that is not the behaviour you want, you can still configure it to not fail but just report the issues, as described in the documentation (the directive you're looking for is vulas.report.exceptionThreshold, which defaults to dependsOn).
You can set it to noException instead.

See https://eclipse.github.io/steady/user/manuals/analysis/#configure-as-follows_5

Excerpt from the docs:

# Possible values: noException < dependsOn < potentiallyExecutes < actuallyExecutes
#    noException : no build exception even if vulnerable code is included
#    dependsOn : exception raised when vulnerable code is included
#    potentiallyExecutes : exception raised when vulnerable code is potentially executed (result of static analysis)
#    actuallyExecutes : exception raised when vulnerable code is executed (result of dynamic analysis)

I'm closing this issue. In case you need further help, do not hesitate to create a new one.
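To make the threshold semantics quoted above concrete, here is a small Python model of how vulas.report.exceptionThreshold decides whether the report goal fails the build. It is an illustration added to this thread, not Steady's own code: the Finding fields, the assumption that "actually executed" code is also "potentially executed" (so the levels nest), and the reachability flags on the two archives from the reporter's log are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Ordering as given in the docs excerpt quoted in the thread:
# noException < dependsOn < potentiallyExecutes < actuallyExecutes
THRESHOLDS: List[str] = ["noException", "dependsOn", "potentiallyExecutes", "actuallyExecutes"]


@dataclass(frozen=True)
class Finding:
    """One vulnerable archive as the report goal lists it (field set is an assumption)."""
    filename: str
    bug: str
    potentially_executed: bool  # static reachability (a2c/t2c) found a path to the vulnerable code
    actually_executed: bool     # dynamic traces (test goal) hit the vulnerable code


def finding_level(f: Finding) -> str:
    """Most severe evidence level available for a finding.

    Assumption: code that was actually executed is also potentially executed,
    so the levels nest and we report the highest one.
    """
    if f.actually_executed:
        return "actuallyExecutes"
    if f.potentially_executed:
        return "potentiallyExecutes"
    return "dependsOn"  # the archive is merely on the classpath


def findings_above_threshold(findings: Iterable[Finding], threshold: str = "dependsOn") -> List[Finding]:
    """Return the findings that would make the report goal raise a build exception.

    The default threshold "dependsOn" is the one the reporter hit: every
    vulnerable archive on the classpath fails the build, whether or not its
    vulnerable code is reachable.
    """
    if threshold not in THRESHOLDS:
        raise ValueError(f"unknown vulas.report.exceptionThreshold value: {threshold!r}")
    if threshold == "noException":
        return []  # report only, never fail the build
    min_rank = THRESHOLDS.index(threshold)
    return [f for f in findings if THRESHOLDS.index(finding_level(f)) >= min_rank]


def build_exit_code(findings: Iterable[Finding], threshold: str = "dependsOn") -> int:
    """0 when the build passes, 1 when the report goal would fail it."""
    return 1 if findings_above_threshold(list(findings), threshold) else 0


# Constructed sample: the two archives from the reporter's log, with reachability
# flags invented for illustration (the log in the thread does not contain them).
SAMPLE_FINDINGS = [
    Finding("jackson-databind-2.12.4.jar", "CVE-2020-36518",
            potentially_executed=True, actually_executed=False),
    Finding("log4j-api-2.15.0.jar", "CVE-2021-45105",
            potentially_executed=False, actually_executed=False),
]

if __name__ == "__main__":
    # Show how the same findings pass or fail the build under each threshold.
    for t in THRESHOLDS:
        failing = [f.bug for f in findings_above_threshold(SAMPLE_FINDINGS, t)]
        print(f"{t:20s} exit={build_exit_code(SAMPLE_FINDINGS, t)} failing={failing}")
```

Running it shows the trade-off the maintainer describes: with the default dependsOn both archives fail the build, with potentiallyExecutes only the archive whose vulnerable code static analysis can reach does, and with noException the build passes while the findings are still reported.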