Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

We need a tool which create a graph/tree taking a product as entry point and follow the calls in provided dependencies #112

Open
tmortagne opened this issue Nov 10, 2020 · 3 comments

Comments

@tmortagne
Copy link
Member

tmortagne commented Nov 10, 2020

Fasten Core provide a LocalMerger which takes as input an product graph and it's dependencies graphs to produce what its calling a merged graph but which in practice just complete the external calls located in the product's graph with the name of the product which actually contain the targeted call. Note that it's what is behind the javacg-opal --stitch CLI parameter documented as "Stitch artifact CG to dependencies" which I find a bit misleading.

In order to do most of the planned analysis (security, license, broken calls, etc.) we also need to follow each external call to produce a tree which start from the main product and produce a tree/graph of all the calls that may be directly or indirectly called through the main product.

We need a tool which provided with the same kind of parameters that LocalMerger gets (test1 graph and then a list of all its direct and transitive dependencies graphs) and produces a graph which contains test1 graph plus all the calls that could be found by recursively following the externals calls located in test1 graph.

Such a graph can then be be used as basis for various analysis.

Of course this is just a basic version and we might want to expose an API with a better memory footprint (we might have quite a lot of dependencies and associated graphs to parse).

@tmortagne
Copy link
Member Author

An implement of such a tool has been started in the Maven plugin, see https://github.com/fasten-project/fasten-maven-plugin/blob/master/src/main/java/eu/fasten/maven/StitchedGraph.java.

@proksch
Copy link
Contributor

proksch commented May 19, 2022

Not sure how up-to-date this request is, but @ashkboos has provided similar functionality... he can extract the shortest-paths from all callables of a library to vulnerable nodes in its dependencies. It sounds like this approach could be extended to what you are asking for here...

If this request is obsolete though, please feel free to close the issue.

@ashkboos
Copy link
Contributor

Yes, it is in the vuln-chain-finder plugin in data-processing repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants