feat(new version): Merge corax v2.10.1 into community/main
notify committed Jun 11, 2024
1 parent d6304a8 commit 1cee531
Showing 63 changed files with 2,261 additions and 1,201 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,5 +1,5 @@
FROM openjdk:17
ENV CORAX_VERSION 2.8
ENV CORAX_VERSION 2.10.1
ENV CORAX_JAVA_ARTIFACT_NAME "corax-java-cli-community-$CORAX_VERSION"
ENV CORAX_JAVA_ARTIFACT_ZIP "$CORAX_JAVA_ARTIFACT_NAME.zip"
ENV CORAX_JAVA_CLI_NAME "corax-cli-community-${CORAX_VERSION}.jar"
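Review bot: `FROM openjdk:17` (unchanged context above the bump) is a floating tag on an image that Docker Hub has marked deprecated, so a rebuild after this version change can silently land on a different base than the previous release; pin the base image by digest or move to a maintained distribution, and wherever the rest of this Dockerfile fetches `$CORAX_JAVA_ARTIFACT_ZIP`, verify a checksum for it, since this hunk only changes the name that variable resolves to.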
18 changes: 9 additions & 9 deletions Readme-zh.md
@@ -184,23 +184,23 @@ $ gradlew build
│   │ // 仅当修改后的主配置文件存在部分配置缺失或者一些配置无法对应到已有插件,
│   ├── default-config.normalize.yml // 以及存在风格问题时,引擎将会自动进行修补和规范化主配置并输出到此文件
│   ├── plugins // 插件存放目录
│   │   ├── feysh-config-community-plugin-2.8 // 第一次运行分析后,自动解压,按需删除
│   │   ├── feysh-config-community-plugin-2.8.zip // 编译产物,corax-config-community module 编译后生成的规则检查器插件
│   │   ├── feysh-config-general-plugin-2.8 // 第一次运行分析后,自动解压,按需删除
│   │   └── feysh-config-general-plugin-2.8.zip // 编译产物, corax-config-general module 编译后生成的规则检查器插件
│   │   ├── feysh-config-community-plugin-2.10.1 // 第一次运行分析后,自动解压,按需删除
│   │   ├── feysh-config-community-plugin-2.10.1.zip // 编译产物,corax-config-community module 编译后生成的规则检查器插件
│   │   ├── feysh-config-general-plugin-2.10.1 // 第一次运行分析后,自动解压,按需删除
│   │   └── feysh-config-general-plugin-2.10.1.zip // 编译产物, corax-config-general module 编译后生成的规则检查器插件
│   └── rules // 规则检查器的一些静态数据,用户可以自定义进行配置
│   ├── **.sources.json // taint sources
│   ├── **.summaries.json // taint summaries,sanitizers
│   ├── **.sinks.json // taint sinks
│   ├── **.access-path.json // method signature and sink data
```
> 注意:`feysh-config-community-plugin-2.8.zip``corax-config-community` 模块编译后生成的规则检查器插件,主要包含了自定义规则检查器的实现,`feysh-config-general-plugin-2.8.zip``corax-config-general` 模块编译后生成的规则检查器插件,主要包含了一些通用的内建检查器模型,一般不需要修改。
> 注意:`feysh-config-community-plugin-2.10.1.zip``corax-config-community` 模块编译后生成的规则检查器插件,主要包含了自定义规则检查器的实现,`feysh-config-general-plugin-2.10.1.zip``corax-config-general` 模块编译后生成的规则检查器插件,主要包含了一些通用的内建检查器模型,一般不需要修改。

### 参数配置

**第一步**:分析引擎需要载入 `CoraxJava规则检查器插件`(如:`analysis-config/plugins/feysh-config-*-plugin-*.*.*.zip`)及依赖的一些配置文件(如` analysis-config/rules`),所以需要准备好 `analysis-config` (规则配置文件夹) ****

- 可以使用从 [release](https://github.com/Feysh-Group/corax-community/releases) 下载并解压zip得到已生成好的 `analysis-config`目录: `{corax-java-cli-community-2.8.zip解压位置}/analysis-config/`
- 可以使用从 [release](https://github.com/Feysh-Group/corax-community/releases) 下载并解压zip得到已生成好的 `analysis-config`目录: `{corax-java-cli-community-2.10.1.zip解压位置}/analysis-config/`
- 或者使用[编译构建](#编译构建)步骤中生成的[build/analysis-config](build%2Fanalysis-config)目录:`./build/analysis-config/`


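Review bot: the version string `2.10.1` is hand-edited here in four directory-listing lines and in the note below them, and the same edit is repeated in Readme.md, the Dockerfile and build.gradle.kts within this commit; keep Readme-zh.md and Readme.md as literal translations of each other or script the bump, otherwise the two READMEs will drift on the next release.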
@@ -220,20 +220,20 @@ $ gradlew build
- ​ 设置分析目标所在路径,此处以本项目所包含的测试用例举例 `--auto-app-classes ./corax-config-tests`,此参数要求该路径或子目录下必须包含项目源码及编译后的字节码产物(class文件或 jar 包都可),

- ​ 指定配置的参数格式为 `--config (yaml文件名字.yml)@(规则配置文件夹)`,yml 文件名可以任意命名不必一定存在。`(规则配置文件夹)`就是前面所准备好的 `analysis-config` 的路径。例如
- `--config default-config.yml@{corax-java-cli-community-2.8.zip解压位置}/analysis-config/`
- `--config default-config.yml@{corax-java-cli-community-2.10.1.zip解压位置}/analysis-config/`
- `--config default-config.yml@./build/analysis-config/`



分析命令模板:

```bash
$ java -jar corax-cli-x.x.x.jar --verbosity info --output build/output --enable-data-flow true --target java --result-type sarif --auto-app-classes {项目根目录(包含源码和编译产物)} --config default-config.yml@{corax-java-cli-community-2.8.zip解压位置}/analysis-config/
$ java -jar corax-cli-x.x.x.jar --verbosity info --output build/output --enable-data-flow true --target java --result-type sarif --auto-app-classes {项目根目录(包含源码和编译产物)} --config default-config.yml@{corax-java-cli-community-2.10.1.zip解压位置}/analysis-config/
```

**tips**: 如果项目根目录没有编译产物,可以再增加任意个数的 `--auto-app-classes` 参数指向编译产物所在的位置或文件夹

​ 执行此命令时,如果分析引擎无法在指定的 `{corax-java-cli-community-2.8.zip解压位置}/analysis-config/` 目录中找到名为`default-config.yml`的 yml 文件,将自动根据插件中的默认参数生成一个同名的默认yaml主要配置文件到规则配置文件夹:`{corax-java-cli-community-2.8.zip解压位置}/analysis-config/default-config.yml`,如果需要更改配置,请复制整个 `analysis-config` 文件夹到您的工作目录,并适当按照您的需求自定义修改配置,在下次的分析前指定参数 `--config 配置文件名.yml@新的规则配置文件夹` ,使其生效。
​ 执行此命令时,如果分析引擎无法在指定的 `{corax-java-cli-community-2.10.1.zip解压位置}/analysis-config/` 目录中找到名为`default-config.yml`的 yml 文件,将自动根据插件中的默认参数生成一个同名的默认yaml主要配置文件到规则配置文件夹:`{corax-java-cli-community-2.10.1.zip解压位置}/analysis-config/default-config.yml`,如果需要更改配置,请复制整个 `analysis-config` 文件夹到您的工作目录,并适当按照您的需求自定义修改配置,在下次的分析前指定参数 `--config 配置文件名.yml@新的规则配置文件夹` ,使其生效。



18 changes: 9 additions & 9 deletions Readme.md
@@ -177,17 +177,17 @@ After a successful build, multiple zip files of plugins and configuration files
│ │ // Only when the modified main configuration file has some missing configurations or some configurations cannot be mapped to existing plugins,
│ ├── default-config.normalize.yml // and when there are style issues, the engine will automatically repair and normalize the main configuration and output it to this file
│ ├── plugins // Plugin storage directory
│ │ ├── feysh-config-community-plugin-2.8 // Automatically unzipped after the first analysis run, delete as needed
│ │ ├── feysh-config-community-plugin-2.8.zip // Compilation artifact, rule checker plugin generated after compiling corax-config-community module
│ │ ├── feysh-config-general-plugin-2.8 // Automatically unzipped after the first analysis run, delete as needed
│ │ └── feysh-config-general-plugin-2.8.zip // Compilation artifact, rule checker plugin generated after compiling corax-config-general module
│ │ ├── feysh-config-community-plugin-2.10.1 // Automatically unzipped after the first analysis run, delete as needed
│ │ ├── feysh-config-community-plugin-2.10.1.zip // Compilation artifact, rule checker plugin generated after compiling corax-config-community module
│ │ ├── feysh-config-general-plugin-2.10.1 // Automatically unzipped after the first analysis run, delete as needed
│ │ └── feysh-config-general-plugin-2.10.1.zip // Compilation artifact, rule checker plugin generated after compiling corax-config-general module
│ └── rules // Some static data of rule checker, users can customize configuration
│ ├── **.sources.json // taint sources
│ ├── **.summaries.json // taint summaries, sanitizers
│ ├── **.sinks.json // taint sinks
│ ├── **.access-path.json // method signature and sink data
```
> Note: `feysh-config-community-plugin-2.8.zip` is the rule checker plugin generated after compiling the `corax-config-community` module, mainly containing the implementation of custom rule checkers. `feysh-config-general-plugin-2.8.zip` is the rule checker plugin generated after compiling the `corax-config-general` module, mainly containing some common built-in checker models that generally do not need to be modified.
> Note: `feysh-config-community-plugin-2.10.1.zip` is the rule checker plugin generated after compiling the `corax-config-community` module, mainly containing the implementation of custom rule checkers. `feysh-config-general-plugin-2.10.1.zip` is the rule checker plugin generated after compiling the `corax-config-general` module, mainly containing some common built-in checker models that generally do not need to be modified.
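Review bot: the listing says the plugin zips are "automatically unzipped after the first analysis run" but not that they are executable code the engine loads in-process (they are pf4j plugins, see the `org.pf4j` dependency in the build.gradle.kts hunk below); add a sentence that `analysis-config/plugins` should only contain zips taken from a release or from your own build, since anything dropped there runs with the analyzer's privileges.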
@@ -197,7 +197,7 @@ After a successful build, multiple zip files of plugins and configuration files
The analysis engine needs to load the `CoraxJava rule checker plugin` (e.g., `analysis-config/plugins/feysh-config-*-plugin-*.*.*.zip`) and some dependent configuration files (e.g., `analysis-config/rules`). Therefore, you need to prepare the `analysis-config` (rule configuration folder):
- You can download and unzip the pre-generated `analysis-config` directory from the [release](https://github.com/Feysh-Group/corax-community/releases): `{corax-java-cli-community-2.8.zip extraction location}/analysis-config/`
- You can download and unzip the pre-generated `analysis-config` directory from the [release](https://github.com/Feysh-Group/corax-community/releases): `{corax-java-cli-community-2.10.1.zip extraction location}/analysis-config/`
- Or use the [build/analysis-config](build%2Fanalysis-config) directory generated in the [Compilation and Build](#compilation-and-build) step: `./build/analysis-config/`
**Step 2: Start Analysis! Manually configure `CoraxJava` with the following essential parameters:**
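Review bot: the release download instruction gives the reader no way to verify what was downloaded, and the zip carries the plugin code the engine will load; document the checksum or signature published alongside the release (or add one to the release process if none is published yet) and tell users to check it before extracting `analysis-config`.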
@@ -210,18 +210,18 @@ The analysis engine needs to load the `CoraxJava rule checker plugin` (e.g., `an
- Set the path of the analysis target. For example, for this project's test cases: `--auto-app-classes ./corax-config-tests`, this parameter requires that the path or subdirectory must contain project source code and compiled bytecode artifacts (class files or jar files).

- Specify the configuration parameters in the format `--config (yaml file name.yml)@(rule configuration folder)`, where the yaml file name can be arbitrary. The `(rule configuration folder)` is the path to the previously prepared `analysis-config`. For example:
- `--config default-config.yml@{corax-java-cli-community-2.8.zip extraction location}/analysis-config/`
- `--config default-config.yml@{corax-java-cli-community-2.10.1.zip extraction location}/analysis-config/`
- `--config default-config.yml@./build/analysis-config/`

Analysis command template:

```bash
$ java -jar corax-cli-x.x.x.jar --verbosity info --output build/output --enable-data-flow true --target java --result-type sarif --auto-app-classes {project root directory (containing source code and build artifacts)} --config default-config.yml@{corax-java-cli-community-2.8.zip extraction location}/analysis-config/
$ java -jar corax-cli-x.x.x.jar --verbosity info --output build/output --enable-data-flow true --target java --result-type sarif --auto-app-classes {project root directory (containing source code and build artifacts)} --config default-config.yml@{corax-java-cli-community-2.10.1.zip extraction location}/analysis-config/
```

**Tips**: If there are no build artifacts in the project root directory, you can add any number of `--auto-app-classes` parameters pointing to the location or folder of the build artifacts.

When executing this command, if the analysis engine cannot find a yaml file named `default-config.yml` in the specified `{corax-java-cli-community-2.8.zip extraction location}/analysis-config/` directory, it will automatically generate a default yaml main configuration file with the same name based on default parameters in the plugin in the rules configuration folder: `{corax-java-cli-community-2.8.zip extraction location}/analysis-config/default-config.yml`. If you need to change the configuration, copy the entire `analysis-config` folder to your working directory and customize the configuration according to your requirements. Specify the parameters `--config configuration file name.yml@new rule configuration folder` before the next analysis to make it effective.
When executing this command, if the analysis engine cannot find a yaml file named `default-config.yml` in the specified `{corax-java-cli-community-2.10.1.zip extraction location}/analysis-config/` directory, it will automatically generate a default yaml main configuration file with the same name based on default parameters in the plugin in the rules configuration folder: `{corax-java-cli-community-2.10.1.zip extraction location}/analysis-config/default-config.yml`. If you need to change the configuration, copy the entire `analysis-config` folder to your working directory and customize the configuration according to your requirements. Specify the parameters `--config configuration file name.yml@new rule configuration folder` before the next analysis to make it effective.

The final report will be generated in the folder path specified by `--output`.

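Review bot: the paragraph on the missing `default-config.yml` means the engine writes into the rule configuration folder on first run (it also unzips the plugins there), so `analysis-config/` must be writable; say so explicitly, because a user who points `--config` at a read-only release directory (a mounted volume in the Docker image, for example) hits that failure before reaching the "copy the entire `analysis-config` folder" advice. The command template also mixes a placeholder `corax-cli-x.x.x.jar` with the concrete `corax-java-cli-community-2.10.1.zip` path; use either placeholders or concrete versions for both.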
14 changes: 10 additions & 4 deletions build.gradle.kts
@@ -14,15 +14,15 @@ val sootVersion: String by rootProject
val cpgVersion: String by rootProject
val junit4Version: String by project
val junit4PlatformVersion: String by project
val commonsLangVersion: String by rootProject
val apacheCommonsLang3Version: String by rootProject
val kotlinLoggingVersion: String? by rootProject
val kotlinSerializationVersion: String by rootProject
val kamlVersion: String by rootProject
val guavaVersion: String by rootProject
val semVer: String? by project
val configDir by extra { file("${layout.buildDirectory.get()}/analysis-config") }
val pluginDir by extra { file("${layout.buildDirectory.get()}/analysis-config/plugins") }
version = semVer ?: "2.8"
version = semVer ?: "2.10.1"

plugins {
`java-library`
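Review bot: `commonsLangVersion` is renamed to `apacheCommonsLang3Version` with `by rootProject` delegation, which fails at configuration time if gradle.properties does not define the new key; gradle.properties is not among the files shown here, so confirm it is updated in this commit. `version = semVer ?: "2.10.1"` is also the fourth hand-edited copy of the version in this diff (Dockerfile, both READMEs, here); consider making the build the single source and deriving the others from it.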
@@ -235,7 +235,7 @@ configure(
testImplementation(group = "org.pf4j", name = "pf4j", version = pf4jVersion)
testImplementation(group = "org.jetbrains.kotlinx", name = "kotlinx-coroutines-core", version = coroutinesVersion)
testImplementation(group = "io.github.microutils", name = "kotlin-logging", version = kotlinLoggingVersion)
testImplementation(group = "org.apache.commons", name = "commons-lang3", version = commonsLangVersion)
testImplementation(group = "org.apache.commons", name = "commons-lang3", version = apacheCommonsLang3Version)
testImplementation(group = "com.google.guava", name = "guava", version = guavaVersion)
testImplementation(group = "junit", name = "junit", version = junit4Version)
testImplementation(group = "org.junit.platform", name = "junit-platform-console-standalone", version = junit4PlatformVersion)
@@ -259,11 +259,17 @@ configure(

// first taking the classes generated by the jar task
into("classes") {
with(tasks.named<Jar>("jar").get())
val jarTask = tasks.named<Jar>("jar").get()
val jarFile = jarTask.archiveFile.get().asFile
from(zipTree(jarFile).matching {
include("META-INF/**")
})
}

// and then we also need to include any libraries that are needed by the plugin
dependsOn(configurations.runtimeClasspath)
into("lib") {
from(tasks.named<Jar>("jar").get())
from({
configurations.runtimeClasspath.get()
.filter { it.name.endsWith("jar") }
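Review bot: the comment `// first taking the classes generated by the jar task` is now wrong, since the `classes` entry only extracts `META-INF/**` from the jar and the compiled classes travel inside the jar copied into `lib`; update it to say so. `zipTree(jarFile)` is built from a plain `File` obtained via `archiveFile.get().asFile`, which drops the implicit task dependency on `jar`; the copy currently works only because `from(tasks.named<Jar>("jar").get())` in the `lib` block happens to order `jar` first. Add `dependsOn(jarTask)` (or pass the provider instead of the resolved file) so the `classes` block does not rely on that accident.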
13 changes: 9 additions & 4 deletions corax-config-community/build.gradle.kts
@@ -16,18 +16,19 @@
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/

@file:Suppress("VulnerableLibrariesLocal")

import org.jetbrains.kotlin.gradle.tasks.KotlinCompile

val commonsLangVersion: String by rootProject
val apacheCommonsLang3Version: String by rootProject
val kamlVersion: String by rootProject
val log4j2Version: String by rootProject
val caffeineVersion: String by rootProject
val mybatisApacheVersion: String by rootProject
val javaparserVersion: String by rootProject
val kotlinSerializationVersion: String by rootProject
val guavaVersion: String by rootProject
val apacheCommonsTextVersion: String by rootProject

plugins {
kotlin("kapt")
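Review bot: `@file:Suppress("VulnerableLibrariesLocal")` silences the IDE's vulnerable-dependency inspection for every dependency declared in this file, including ones added later, with no record of which finding it was meant to quiet; drop it, or narrow it to the single declaration concerned with a comment naming the library and why the finding does not apply. In the build of a static-analysis tool, a blanket suppression of exactly that inspection sends the wrong signal.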
@@ -51,9 +52,11 @@ dependencies {

implementation(group = "org.mybatis", name = "mybatis", version = mybatisApacheVersion)
implementation(group = "com.github.ben-manes.caffeine", name = "caffeine", version = caffeineVersion)
implementation(group = "org.apache.commons", name = "commons-lang3", version = commonsLangVersion)
implementation(group = "org.apache.commons", name = "commons-lang3", version = apacheCommonsLang3Version)
implementation(group = "org.jetbrains.kotlinx", name = "kotlinx-serialization-json", version = kotlinSerializationVersion)
implementation(group = "com.github.javaparser", name = "javaparser-core", version = javaparserVersion)
implementation(group = "com.google.guava", name = "guava", version = guavaVersion)
implementation(group = "org.apache.commons", name = "commons-text", version = apacheCommonsTextVersion)

implementation("com.google.code.findbugs:jsr305:3.0.2")
implementation("javax:javaee-api:7.0")
@@ -64,7 +67,9 @@ dependencies {
testImplementation(project(":corax-config-api"))
testImplementation(project(":corax-config-general"))
testImplementation(group = "com.charleskorn.kaml", name = "kaml", version = kamlVersion)
testImplementation(group = "org.apache.logging.log4j", name = "log4j-slf4j-impl", version = log4j2Version)
testImplementation(group = "org.apache.logging.log4j", name = "log4j-core", version = log4j2Version)
testImplementation(group = "org.apache.logging.log4j", name = "log4j-api", version = log4j2Version)
testImplementation(group = "org.apache.logging.log4j", name = "log4j-slf4j2-impl", version = log4j2Version)
}


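Review bot: swapping the test binding from `log4j-slf4j-impl` (SLF4J 1.x) to `log4j-slf4j2-impl` (SLF4J 2.x) only works if nothing else on the test classpath still brings in a 1.x binding, otherwise SLF4J reports multiple bindings and test logging may go nowhere; the root build.gradle.kts hunk above still wires `kotlin-logging` from `io.github.microutils`, so check which SLF4J API version that pulls transitively. Also confirm `log4j2Version` resolves `log4j-core` to 2.17.1 or later now that it is declared explicitly.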