eclipse / steady

Analyses your Java applications for open-source dependencies with known vulnerabilities, using both static analysis and testing to determine code context and usage for greater accuracy. https://eclipse.github.io/steady/


Reachable from app (a2c) Fails With Java 17

mayaba opened this issue · comments

Describe the bug
The console shows me the following error when running the a2c goal on a Java 17 project:

java.nio.file.NoSuchFileException: /modules/modules
	at java.base/jdk.internal.jrtfs.JrtFileSystem.checkNode(JrtFileSystem.java:486)
	at java.base/jdk.internal.jrtfs.JrtFileSystem.isDirectory(JrtFileSystem.java:431)
	at java.base/jdk.internal.jrtfs.JrtDirectoryStream.<init>(JrtDirectoryStream.java:58)
	at java.base/jdk.internal.jrtfs.JrtPath.newDirectoryStream(JrtPath.java:642)
	at java.base/jdk.internal.jrtfs.JrtFileSystemProvider.newDirectoryStream(JrtFileSystemProvider.java:311)
	at java.base/java.nio.file.Files.newDirectoryStream(Files.java:482)
	at soot.asm.AsmJava9ClassProvider.find(AsmJava9ClassProvider.java:50)
	at soot.SourceLocator.getClassSource(SourceLocator.java:187)
	at soot.SootResolver.bringToHierarchyUnchecked(SootResolver.java:231)
	at soot.SootResolver.bringToHierarchy(SootResolver.java:221)
	at soot.SootResolver.bringToSignatures(SootResolver.java:292)
	at soot.SootResolver.bringToBodies(SootResolver.java:332)
	at soot.SootResolver.processResolveWorklist(SootResolver.java:171)
	at soot.SootResolver.resolveClass(SootResolver.java:141)
	at soot.Scene.tryLoadClass(Scene.java:979)
	at soot.Scene.loadBasicClasses(Scene.java:1708)
	at soot.Scene.loadNecessaryClasses(Scene.java:1807)
	at org.eclipse.steady.cg.soot.SootCallgraphConstructor.setEntrypoints(SootCallgraphConstructor.java:356)
	at org.eclipse.steady.cg.ReachabilityAnalyzer.run(ReachabilityAnalyzer.java:398)
	at java.base/java.lang.Thread.run(Thread.java:833)
Exception in thread "vulas-reach-1" java.lang.RuntimeException: None of the basic classes could be loaded! Check your Soot class path!
	at soot.Scene.loadBasicClasses(Scene.java:1718)
	at soot.Scene.loadNecessaryClasses(Scene.java:1807)
	at org.eclipse.steady.cg.soot.SootCallgraphConstructor.setEntrypoints(SootCallgraphConstructor.java:356)
	at org.eclipse.steady.cg.ReachabilityAnalyzer.run(ReachabilityAnalyzer.java:398)
	at java.base/java.lang.Thread.run(Thread.java:833)

To Reproduce
Steps to reproduce the behavior:
Run the a2c command on a Java 17 project

Expected behavior
A clear and concise description of what you expected to happen.
The task to be completed successfully

Steady version
3.2.5

I'm trying to figure out the root cause and found that since the rt.jar is removed from version 9+, Soot throws the previous exception. I tried to add rt.jar manually to the classpath, but this method is not working properly if the source code is not compatible with version 8.

Hi @mayaba ,

thanks for reporting and for the investigation.

Could you also share which JDK you are using to run the analysis? If JDK 17 is used to run the analysis, could you also test it with JDK 11?

Hi @serenaponta,
Thank you so much for the reply. I was using JDK 17 and changed to JDK 11. Now, I'm getting a different error. Please note that I couldn't compile the project I'm analyzing with JDK 11. Only with JDK 17.

Exception in thread "vulas-reach-1" java.lang.IllegalArgumentException: Unsupported class file major version 61
	at org.objectweb.asm.ClassReader.<init>(ClassReader.java:195)
	at org.objectweb.asm.ClassReader.<init>(ClassReader.java:176)
	at org.objectweb.asm.ClassReader.<init>(ClassReader.java:162)
	at org.objectweb.asm.ClassReader.<init>(ClassReader.java:283)
	at soot.asm.AsmClassSource.resolve(AsmClassSource.java:65)
	at soot.SootResolver.bringToHierarchyUnchecked(SootResolver.java:253)
	at soot.SootResolver.bringToHierarchy(SootResolver.java:221)
	at soot.SootResolver.bringToSignatures(SootResolver.java:292)
	at soot.SootResolver.bringToBodies(SootResolver.java:332)
	at soot.SootResolver.processResolveWorklist(SootResolver.java:171)
	at soot.SootResolver.resolveClass(SootResolver.java:141)
	at soot.Scene.loadClass(Scene.java:1009)
	at soot.Scene.loadClassAndSupport(Scene.java:994)
	at soot.Scene.loadNecessaryClasses(Scene.java:1822)
	at org.eclipse.steady.cg.soot.SootCallgraphConstructor.setEntrypoints(SootCallgraphConstructor.java:356)
	at org.eclipse.steady.cg.ReachabilityAnalyzer.run(ReachabilityAnalyzer.java:398)
	at java.base/java.lang.Thread.run(Thread.java:829)

Hi @mayaba ,

the version of soot used within steady 3.2.5 does not support JDK 17. I updated soot in a new PR #589. Preliminary tests show that the exception you reported is not thrown any longer. It would be greatly appreciated if you can test the PR (steady 3.2.6-SNAPSHOT) on your java 17 project.
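
Added example, not part of the thread and not Steady's own code: a pre-flight check that reads the class file header and flags classes whose major version (61 for Java 17, as in the error above) is newer than the analyzer's bytecode reader accepts. The class name `ClassVersionPreflight`, the sample entries and the default limit of 55 (Java 11) are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.LinkedHashMap;
import java.util.Map;

public class ClassVersionPreflight {
    /** Reads the class file header: u4 magic, u2 minor_version, u2 major_version. */
    static int majorVersion(InputStream in) throws IOException {
        DataInputStream data = new DataInputStream(in);
        if (data.readInt() != 0xCAFEBABE) {
            throw new IOException("not a class file (bad magic)");
        }
        data.readUnsignedShort();          // minor_version, not needed here
        return data.readUnsignedShort();   // major_version, e.g. 61
    }

    /** Constructed 8-byte header standing in for a compiled .class file. */
    static byte[] header(int major) {
        return new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE,
                           0, 0, (byte) (major >> 8), (byte) major};
    }

    public static void main(String[] args) throws IOException {
        // Assumption: highest major version the analyzer's bytecode reader accepts.
        // Take the real value from the ASM/Soot/WALA version actually in use.
        int maxSupportedMajor = args.length > 0 ? Integer.parseInt(args[0]) : 55;

        // Constructed sample input; in a build, stream the real .class files instead.
        Map<String, byte[]> classes = new LinkedHashMap<>();
        classes.put("com/example/LegacyUtil.class", header(52));
        classes.put("com/example/App.class", header(61));

        boolean blocked = false;
        for (Map.Entry<String, byte[]> e : classes.entrySet()) {
            int major = majorVersion(new ByteArrayInputStream(e.getValue()));
            boolean ok = major <= maxSupportedMajor;
            blocked |= !ok;
            // For Java 5 and later, release = major - 44 (52 -> 8, 55 -> 11, 61 -> 17).
            System.out.printf("%-30s major %d (Java %d) %s%n", e.getKey(), major,
                    major - 44, ok ? "ok" : "UNSUPPORTED by analyzer");
        }
        // Fail the build so a crashed reachability run is not read as "not reachable".
        if (blocked) System.exit(1);
    }
}
```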

Hi @serenaponta,

Great news. Thank you so much for your help. Will test it and let you know the result.

Hi @serenaponta,
I wasn't able to locate this version steady 3.2.6-SNAPSHOT. Seems that the Jenkins pipeline has failed.
https://ci.eclipse.org/steady/job/Steady%20Pipeline/job/PR-589/1/console

Hi @serenaponta,
I see that WALA recently released a version (v1.6.1) that supports JDK 17
https://github.com/wala/WALA/releases/tag/v1.6.1

I see that they changed the method AnalysisScopeReader.makeJavaBinaryAnalysisScope to AnalysisScopeReader.instance.makeJavaBinaryAnalysisScope, and they added an extra parameter for the method Util.makeZeroCFABuilder which, apparently, should be Language.JAVA.

Hi @serenaponta,

I opened a PR to resolve this issue
PR: #593

This problem is solved by the PR #593. Static reachability analysis is now supported with WALA option.