debricked · TeodorBucht1729 · Jun 30, 2021 · Jun 30, 2021 · Jun 30, 2021 · Jun 30, 2021
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -73,3 +73,71 @@ jobs:
           tags: |
            ghcr.io/debricked/vulnerable-functionality:gradle
            debricked/vulnerable-functionality:gradle
+
+  docker-javascript:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: javascript/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: |
+           ghcr.io/debricked/vulnerable-functionality:javascript
+           debricked/vulnerable-functionality:javascript
+
+  docker-golang:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: golang/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: |
+           ghcr.io/debricked/vulnerable-functionality:golang
+           debricked/vulnerable-functionality:golang
diff --git a/.github/workflows/golang.yml b/.github/workflows/golang.yml
@@ -0,0 +1,31 @@
+name: Golang test
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.8'
+      - name: Set up Go 1.16.5
+        uses: actions/setup-go@v2
+        with:
+          go-version: '1.16.5'
+      - name: Display Golang version
+        run: go version
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install pytest
+          go get -u golang.org/x/tools/cmd/callgraph
+          cd golang/test && go install
+      - name: Test with pytest
+        run: |
+          pip install pytest
+          pytest golang/test/go_cg_test.py
diff --git a/.github/workflows/javascript.yml b/.github/workflows/javascript.yml
@@ -0,0 +1,27 @@
+name: JavaScript test
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.8'
+      - name: Display Python version
+        run: python -c "import sys; print(sys.version)"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r javascript/src/requirements.txt
+          sudo npm install -g @persper/js-callgraph
+          sudo apt-get install dos2unix
+      - name: Test with pytest
+        run: |
+          pip install pytest
+          pytest 
diff --git a/.github/workflows/vulnfunc_go.yml b/.github/workflows/vulnfunc_go.yml
@@ -0,0 +1,14 @@
+name: Vulnerable Functionality test golang
+
+on: [push]
+
+jobs:
+  vulnfunc:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: TeodorBucht1729/vulnerable-functionality/golang@go-vuln-func
+      with:
+        root-mainpackage-directory: 'golang/test'
+
diff --git a/.github/workflows/vulnfunc_js.yml b/.github/workflows/vulnfunc_js.yml
@@ -0,0 +1,14 @@
+name: Vulnerable Functionality test javascript
+
+on: [push]
+
+jobs:
+  vulnfunc:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: debricked/vulnerable-functionality/javascript@master
+      with:
+        root-packagejson-directory: 'javascript/test/fresh_install'
+
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,10 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+.pytest_cache/
+
+# results from generating js callgraph
+final_cg.json
+partial_cg.json
+cg.json
diff --git a/java/common/commonWrapper.sh → common/commonWrapper.sh b/java/common/commonWrapper.sh → common/commonWrapper.sh
diff --git a/golang/Dockerfile b/golang/Dockerfile
@@ -0,0 +1,12 @@
+# syntax=docker/dockerfile:1
+
+FROM golang:1.16
+
+COPY ./src /vulnfunc/golang/src
+
+RUN apt-get update ; apt-get install --no-install-recommends -y zip
+RUN add-apt-repository ppa:deadsnakes/ppa ; apt-get update ; apt-get install --no-install-recommends -y python3
+RUN go get -u golang.org/x/tools/cmd/callgraph
+
+COPY ./entrypoint.sh /vulnfunc/golang/entrypoint.sh
+RUN chmod +x /vulnfunc/golang/entrypoint.sh
diff --git a/golang/action.yml b/golang/action.yml
@@ -0,0 +1,18 @@
+name: Debricked Vulnerable Functionality for Golang
+author: Debricked
+description: Calculates the call graph for a Golang main package
+inputs: 
+  root-mainpackage-directory:
+    description: Directory containing the .go with the main package and function. 
+    required: true
+
+runs:
+  using: docker
+  # image: docker://debricked/vulnerable-functionality:golang
+  image: Dockerfile
+  entrypoint: /vulnfunc/golang/entrypoint.sh
+  args:
+    - ${{ inputs.root-mainpackage-directory }}
+branding:
+  color: purple
+  icon: filter
diff --git a/golang/entrypoint.sh b/golang/entrypoint.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -e
+
+# Check if the givet root directory exists
+if ! [ -d "$1" ] ; then
+    echo "Root project dir not found."
+    echo "USAGE: "$0" <rootGoModDir>"
+    exit 1
+fi
+
+pathToCommonDirectory="./common"
+. $pathToCommonDirectory"/commonWrapper.sh"
+
+# Check that package.json is provided
+if ! [ -e "$1/go.mod" ] ; then
+    echo "go.mod not found in $1"
+    exit 1
+fi
+
+module_dir="${1%/}"
+module_dir="/github/workspace/$module_dir"
+
+# install dependencies
+cd $module_dir && go install
+
+exitIfNotInstalled python3
+
+exitIfNotInstalled go
+
+outputFileName=".debricked-call-graph-golang"
+
+# Run the actual script that generates the call graph
+echo "Running call graph generator"
+/vulnfunc/golang/src/gen_callgraph.sh "$module_dir" $outputFileName
+
+formatOutput "/vulnfunc/golang/src/$outputFileName"
diff --git a/golang/src/combine_ast_ssa.py b/golang/src/combine_ast_ssa.py
@@ -0,0 +1,82 @@
+import json
+import getopt
+import sys
+import os
+
+def combine_ast_ssa(ast_symbols, ssa_dump, output_file):
+    """ combine_ast_ssa takes two lists of the same symbols (ast_symbols
+    and ssa_dump), combines the information and saves it in the given
+    output_file.
+
+    Paramaters:
+    ast_symbols (list[dict]): A list of all the symbols from the ast_parser.
+    ssa_dump (list[dict]): A list of all the symbols from the ssa build.
+    output_file (string): The file where the combined symbols list will 
+    be saved. 
+
+    Returns:
+    void
+    """
+    # add easy access to the symbols in ssa_dump through the 'Location'
+    ssa_by_location = {}
+    for symbol in ssa_dump:
+        if 'Location' in symbol and 'Synthetic' not in symbol:
+            ssa_by_location[symbol['Location']] = symbol
+
+    # For each symbol in ast_symbols add a footprint given by the 
+    # ssa_dump 'Name'
+    if ast_symbols != None:
+        for i in range(len(ast_symbols)):
+            Location = ast_symbols[i]['file'] + ":" + ast_symbols[i]['line_start'] + ":" +  ast_symbols[i]['column_start']
+            if Location not in ssa_by_location:
+                if ast_symbols[i]['file'][-8:] != '_test.go':
+                    # print a warning if a symbol was found in the AST-parser
+                    # bit not in the ssa build. 
+                    print("Warning! " + Location + " not found when building")
+            else:
+                ast_symbols[i]['footprint'] = ssa_by_location[Location]['Name']
+    else:
+        ast_symbols = []
+
+    with open(output_file, "w") as f:
+        f.write(json.dumps(ast_symbols, indent=4, sort_keys=True))
+
+
+def main(argv):
+    """ main takes command line arguments and calls combine_ast_ssa
+    accordingly.
+
+    Paramaters:
+    argv (list[string]) all the given command line arguments  
+
+    Returns:
+    void
+    """    
+    try:
+        opts, args = getopt.getopt(argv, "ho:", ["parsed_ssadump=", "ast_symbols="])
+    except getopt.GetoptError:
+        print("combine_ast_ssa.py --parsed_ssadump=<parsed_ssadump_file> --ast_symbols=<parsed_ast_symbols> -o <symbols.json>")
+        sys.exit(2)
+
+    # set default values
+    ast_symbols = {}
+    ssa_dump = {}
+    output_file = "symbols.json"
+
+    # parse the flags
+    for opt, arg in opts:
+        if opt == '--parsed_ssadump':
+            with open(arg, "r") as f:
+                ssa_dump = json.load(f)
+        elif opt == '--ast_symbols':
+            with open(arg, "r") as f:
+                ast_symbols = json.load(f)
+        elif opt == '-o':
+            output_file = os.path.abspath(arg)
+        elif opt == '-h':
+            print("Usage: combine_ast_ssa.py --parsed_ssadump <parsed_ssadump_file> --ast_symbols <parsed_ast_symbols> -o <symbols.json>")
+
+    combine_ast_ssa(ast_symbols, ssa_dump, output_file)
+
+if __name__ == "__main__":
+    main(sys.argv[1:])