Merge remote-tracking branch 'origin/master'

Author: oshando

swan-javadoc-coverage/pom.xml

@@ -104,7 +104,7 @@
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>4.13.1</version>
+            <version>4.13.2</version>
             <scope>test</scope>
         </dependency>
         <!--dependency>
@@ -117,13 +117,14 @@
         <dependency>
             <groupId>jdk.tools</groupId>
             <artifactId>jdk.tools</artifactId>
+            <version>1.8</version>
             <scope>system</scope>
             <systemPath>${java.home}/../lib/tools.jar</systemPath>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>2.7</version>
+            <version>2.11.0</version>
             <scope>compile</scope>
         </dependency>
     </dependencies>
@@ -133,7 +134,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.7.0</version>
+                <version>3.10.0</version>
                 <configuration>
                     <source>1.8</source>
                     <target>1.8</target>
@@ -155,7 +156,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-javadoc-plugin</artifactId>
-                <version>3.0.0</version>
+                <version>3.3.2</version>
                 <executions>
                     <!-- Exports JavaDocs of the JavaDoc Coverage Plugin to regular HTML files -->
                     <execution>

swan-pipeline/pom.xml

@@ -9,11 +9,16 @@
     <packaging>jar</packaging>
 
 
-    <name>SWAN Core</name>
-    <description>SWAN uses fully automated machine-learning approaches to classify Java methods into security-relevant methods (SRM) and software vulnerabilities categories.
-        The methods are classified into the following security-relevant method categories sources, sinks, sanitizers and authentication. For the software vulnerability classes,
-        the following Common Weakness Enumeration (CWE) vulnerabilities are supported: OS Command Injection, Cross-site Scripting, SQL Injection, Missing Authentication, Open Redirect, Missing Authorisation, and Incorrect Authorisation.
-        SWAN detects methods from the provided source code and outputs a list of methods that can be used to configure static analysis tools.
+    <name>SWAN</name>
+    <description>SWAN uses fully automated machine-learning approaches to classify Java methods into security-relevant
+        methods (SRM) and software vulnerabilities categories.
+        The methods are classified into the following security-relevant method categories sources, sinks, sanitizers and
+        authentication. For the software vulnerability classes,
+        the following Common Weakness Enumeration (CWE) vulnerabilities are supported: OS Command Injection, Cross-site
+        Scripting, SQL Injection, Missing Authentication, Open Redirect, Missing Authorisation, and Incorrect
+        Authorisation.
+        SWAN detects methods from the provided source code and outputs a list of methods that can be used to configure
+        static analysis tools.
     </description>
     <url>https://github.com/secure-software-engineering/swan</url>
 
@@ -80,7 +85,7 @@
         <dependency>
             <groupId>nz.ac.waikato.cms.weka</groupId>
             <artifactId>weka-stable</artifactId>
-            <version>3.8.5</version>
+            <version>3.8.6</version>
         </dependency>
         <dependency>
             <groupId>com.googlecode.json-simple</groupId>
@@ -100,13 +105,13 @@
         <dependency>
             <groupId>edu.stanford.nlp</groupId>
             <artifactId>stanford-corenlp</artifactId>
-            <version>4.3.0</version>
+            <version>4.4.0</version>
         </dependency>
         <dependency>
             <groupId>edu.stanford.nlp</groupId>
             <artifactId>stanford-corenlp</artifactId>
-            <version>4.3.0</version>
-            <classifier>models</classifier>
+            <version>4.4.0</version>
+            <classifier>models-english</classifier>
         </dependency>
         <dependency>
             <groupId>org.jsoup</groupId>
@@ -121,9 +126,8 @@
         <dependency>
             <groupId>dev.jeka</groupId>
             <artifactId>jeka-core</artifactId>
-            <version>0.9.0.M10</version>
+            <version>0.9.15.RELEASE</version>
         </dependency>
-        <!-- deeplearning4j-core: contains swanPipeline functionality and neural networks -->
         <dependency>
             <groupId>org.deeplearning4j</groupId>
             <artifactId>deeplearning4j-core</artifactId>
@@ -152,7 +156,7 @@
         <dependency>
             <groupId>ai.libs</groupId>
             <artifactId>mlplan-weka</artifactId>
-            <version>0.2.3</version>
+            <version>0.2.7</version>
         </dependency>
         <dependency>
             <groupId>org.graphstream</groupId>
@@ -162,24 +166,22 @@
         <dependency>
             <groupId>ai.libs</groupId>
             <artifactId>hasco-core</artifactId>
-            <version>0.2.5</version>
+            <version>0.2.7</version>
         </dependency>
-        <!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api -->
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
-            <version>1.7.32</version>
+            <version>1.7.36</version>
         </dependency>
-        <!-- https://mvnrepository.com/artifact/org.slf4j/slf4j-simple -->
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-simple</artifactId>
-            <version>1.7.32</version>
+            <version>1.7.36</version>
         </dependency>
         <dependency>
             <groupId>info.picocli</groupId>
             <artifactId>picocli</artifactId>
-            <version>4.6.2</version>
+            <version>4.6.3</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
@@ -192,7 +194,6 @@
             <artifactId>jackson-databind</artifactId>
             <version>2.13.1</version>
         </dependency>
-        <!-- https://mvnrepository.com/artifact/net.sf.meka/meka --><!-- https://mvnrepository.com/artifact/net.sf.meka/meka -->
         <dependency>
             <groupId>net.sf.meka</groupId>
             <artifactId>meka</artifactId>
@@ -244,17 +245,6 @@
                     <target>1.8</target>
                 </configuration>
             </plugin>
-            <plugin>
-                <artifactId>maven-clean-plugin</artifactId>
-                <configuration>
-                    <filesets>
-                        <fileset>
-                            <directory>${basedir}/target</directory>
-                            <followSymlinks>false</followSymlinks>
-                        </fileset>
-                    </filesets>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-source-plugin</artifactId>
@@ -268,28 +258,55 @@
                     </execution>
                 </executions>
             </plugin>
-
-            <!-- This creates a runnable JAR that can be used from the command line. -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-assembly-plugin</artifactId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.2.4</version>
                 <executions>
                     <execution>
                         <phase>package</phase>
                         <goals>
-                            <goal>single</goal>
+                            <goal>shade</goal>
                         </goals>
                         <configuration>
-                            <archive>
-                                <manifest>
-                                    <mainClass>
-                                        de.fraunhofer.iem.swan.Main
-                                    </mainClass>
-                                </manifest>
-                            </archive>
-                            <descriptorRefs>
-                                <descriptorRef>jar-with-dependencies</descriptorRef>
-                            </descriptorRefs>
+                            <transformers>
+                                <!-- adding Main-Class to manifest file -->
+                                <transformer
+                                        implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                                    <mainClass>de.fraunhofer.iem.swan.Main</mainClass>
+                                </transformer>
+                            </transformers>
+                            <minimizeJar>true</minimizeJar>
+                            <filters>
+                                <filter>
+                                    <artifact>*:*</artifact>
+                                    <excludes>
+                                        <exclude>META-INF/*.SF</exclude>
+                                        <exclude>META-INF/*.DSA</exclude>
+                                        <exclude>META-INF/*.RSA</exclude>
+                                    </excludes>
+                                </filter>
+                                <filter>
+                                    <artifact>edu.stanford.nlp:stanford-corenlp:models-english</artifact>
+                                    <excludes>
+                                        <exclude>edu/stanford/nlp/models/srparser/**</exclude>
+                                        <exclude>edu/stanford/nlp/models/ner/**</exclude>
+                                        <exclude>edu/stanford/nlp/models/sentiment/**</exclude>
+                                    </excludes>
+                                </filter>
+                                <filter>
+                                    <artifact>org.bytedeco</artifact>
+                                    <excludes>
+                                        <exclude>**</exclude>
+                                    </excludes>
+                                </filter>
+                                <!--filter>
+                                    <artifact>org.nd4j</artifact>
+                                    <excludes>
+                                        <exclude>**</exclude>
+                                    </excludes>
+                                </filter-->
+                            </filters>
                         </configuration>
                     </execution>
                 </executions>
@@ -306,7 +323,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-javadoc-plugin</artifactId>
-                        <version>3.3.1</version>
+                        <version>3.3.2</version>
                         <executions>
                             <execution>
                                 <id>attach-javadocs</id>
@@ -332,7 +349,7 @@
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-gpg-plugin</artifactId>
-                        <version>1.6</version>
+                        <version>3.0.1</version>
                         <executions>
                             <execution>
                                 <id>sign-artifacts</id>

swan-pipeline/src/main/java/de/fraunhofer/iem/swan/SwanPipeline.java

@@ -1,17 +1,20 @@
 package de.fraunhofer.iem.swan;
 
 import de.fraunhofer.iem.swan.cli.SwanOptions;
+import de.fraunhofer.iem.swan.data.Method;
 import de.fraunhofer.iem.swan.features.FeatureSetSelector;
 import de.fraunhofer.iem.swan.features.IFeatureSet;
-import de.fraunhofer.iem.swan.features.code.soot.SourceFileLoader;
+import de.fraunhofer.iem.swan.io.dataset.Dataset;
 import de.fraunhofer.iem.swan.io.dataset.SrmList;
 import de.fraunhofer.iem.swan.io.dataset.SrmListUtils;
 import de.fraunhofer.iem.swan.model.ModelEvaluator;
+import de.fraunhofer.iem.swan.soot.Soot;
 import de.fraunhofer.iem.swan.util.Util;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
+import java.util.Set;
 
 /**
  * Runner for SWAN
@@ -23,6 +26,7 @@ public class SwanPipeline {
 
     private static final Logger logger = LoggerFactory.getLogger(SwanPipeline.class);
     public static SwanOptions options;
+    private ModelEvaluator modelEvaluator;
 
     public SwanPipeline(SwanOptions options) {
         SwanPipeline.options = options;
@@ -38,24 +42,37 @@ public void run() throws IOException, InterruptedException {
 
         long startAnalysisTime = System.currentTimeMillis();
 
+        //Run Soot
+        Soot soot = new Soot(options.getTrainDataDir(), options.getTestDataDir());
+
         // Load methods in training dataset
-        SrmList dataset = SrmListUtils.importFile(options.getDatasetJson(), options.getTrainDataDir());
-        logger.info("Loaded {} training methods, distribution={}", dataset.getMethods().size(), Util.countCategories(dataset.getMethods()));
+        Dataset dataset = new Dataset();
+        dataset.setTrain(SrmListUtils.importFile(options.getDatasetJson()));
+
+        if (!options.getTrainDataDir().isEmpty())
+            soot.cleanupList(dataset.getTrain());
+
+        logger.info("Loaded {} training methods, distribution={}", dataset.getTrainMethods().size(), Util.countCategories(dataset.getTrainMethods()));
 
         //Load methods from the test set
-        logger.info("Loading test JARs in {}", options.getTestDataDir());
-        SourceFileLoader testDataset = new SourceFileLoader(options.getTestDataDir());
-        testDataset.load(dataset.getMethods());
+        dataset.setTest(new SrmList(options.getTestDataDir()));
+        Set<Method> testMethods = soot.loadMethods(dataset.getTest().getTestClasses());
+        dataset.getTest().setMethods(testMethods);
+        logger.info("Loaded {} methods from {}", testMethods.size(), options.getTestDataDir());
 
         //Initialize and populate features
         FeatureSetSelector featureSetSelector = new FeatureSetSelector();
-        IFeatureSet featureSet = featureSetSelector.select(dataset, testDataset, options);
+        IFeatureSet featureSet = featureSetSelector.select(dataset, options);
 
         //Train and evaluate model for SRM and CWE categories
-        ModelEvaluator modelEvaluator = new ModelEvaluator(featureSet, options, testDataset.getMethods());
+        modelEvaluator = new ModelEvaluator(featureSet, options, dataset.getTestMethods());
         modelEvaluator.trainModel();
 
         long analysisTime = System.currentTimeMillis() - startAnalysisTime;
         logger.info("Total runtime {} minutes", analysisTime / 60000);
     }
+
+    public ModelEvaluator getModelEvaluator() {
+        return modelEvaluator;
+    }
 }

swan-pipeline/src/main/java/de/fraunhofer/iem/swan/cli/CliRunner.java

@@ -2,6 +2,7 @@
 
 import picocli.CommandLine;
 
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.Callable;
@@ -11,16 +12,19 @@
 public class CliRunner implements Callable<Integer> {
 
     @CommandLine.Option(names = {"-test", "--test-data"}, description = {"Path of test JARs or class files"})
-    private String testDataDir = "/input/test-data";
+    private String testDataDir = "";
 
     @CommandLine.Option(names = {"-train", "--train-data"}, description = {"Path of training JARs or class files"})
-    private String trainDataDir = "/input/train-data";
+    private String trainDataDir = "";
 
     @CommandLine.Option(names = {"-d", "--dataset"}, description = {"Path to JSON dataset file"})
-    private String datasetJson = "/input/dataset/swan-dataset.json";
+    private String datasetJson = "/dataset/swan-dataset.json";
+
+    @CommandLine.Option(names = {"-in", "--train-instances"}, description = {"Path to ARFF files that contain training instances"})
+    private List<String> instancesArff = new ArrayList<>();
 
     @CommandLine.Option(names = {"-o", "--output"}, description = {"Directory to save output files"})
-    private String outputDir = "/swan-output";
+    private String outputDir = "";
 
     @CommandLine.Option(names = {"-f", "--feature"}, description = {"Select one or more feature sets: all, code, doc-auto or doc-manual"})
     private List<String> featureSet =  Collections.singletonList("code");
@@ -52,9 +56,7 @@ public class CliRunner implements Callable<Integer> {
     @CommandLine.Option(names = {"-pt", "--prediction-threshold"}, description = {"Threshold for predicting categories"})
     private double predictionThreshold = 0.5;
 
-
-    @Override
-    public Integer call() throws Exception {
+    public SwanOptions initializeOptions(){
 
         SwanOptions options = new SwanOptions(testDataDir,
                 trainDataDir,
@@ -70,7 +72,14 @@ public Integer call() throws Exception {
                 split,
                 phase);
         options.setPredictionThreshold(predictionThreshold);
+        options.setInstances(instancesArff);
+
+        return options;
+    }
+
+    @Override
+    public Integer call() throws Exception {
 
-        return new SwanCli().run(options);
+        return new SwanCli().run(initializeOptions());
     }
 }