
End to End REST and Stitching Example

Mihhail Sokolov edited this page Aug 18, 2021 · 4 revisions

Here we describe how users of the REST API, such as build-integration tools, can use the FASTEN Knowledge Base and the Core libraries to carry out their own analyses.

As an example, let's assume a user wants to investigate whether their application a:a:0 is affected by any vulnerability at the method level. The following steps perform such an analysis:

1- Resolution

Users can ask the REST API to resolve their dependencies. If a:a:0 is private, the user can instead provide its direct dependencies to the REST API, which will automatically create an artificial node to stand in for a:a:0 during resolution. The endpoint for this purpose is /resolve_dependencies. It returns a list of dependency ids and their corresponding RCG URLs; users can download the JSON files from those URLs and instantiate RCG objects from them. Alternatively, users can perform the resolution themselves locally and then, given the coordinates of their dependencies, download the RCGs from /packages/{pkg}/{pkg_ver}/rcg.

After resolution, a list of all RCGs present on the classpath should be created: the RCG of a:a:0 is built locally, and the RCGs of the dependencies are fetched from the server. For example, if the direct dependencies of a:a:0 are b:b:1 and c:c:1, and the REST API returns d:d:2 and e:e:2 as transitive dependencies, the following list should be created:

List<ExtendedRevisionJavaCallGraph> depSet = new ArrayList<>(Arrays.asList(aa0RCG, bb1RCG, cc1RCG, dd2RCG, ee2RCG));

2- Stitching

Once we have all RCGs, we stitch them as follows:

var merger = new CGMerger(depSet);
var mergedDirectedGraph = merger.mergeAllDeps();
var allUris = merger.getAllUris();

mergedDirectedGraph contains the whole stitched call graph of the application and its dependencies, and users can run reachability analysis on top of it. Note that the ids in this graph are local ids.

3- Meta-data

After stitching is done, one can call the REST API endpoint /metadata/callables to receive the meta-data of the callables. To do so, users can use the allUris variable, which provides a BiMap of all fully qualified FASTEN URIs and their respective local ids. Note that the REST API endpoint takes a list of fully qualified FastenURIs as request parameters. The returned list of meta-data also carries fully qualified FastenURIs, so users can look up the local id of a given meta-data record in allUris.

4- Custom analysis

The implemented reachability analyzers are DirectedGraph-based, hence mergedDirectedGraph makes reachability analysis possible. The REST API, on the other hand, returns all meta-data from the FASTEN Knowledge Base. This makes it possible for any analyzer (e.g. risk, vulnerability, etc.) to extract the needed meta-data from the received records and analyze them against the call graph.
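The following is an added example, not code from the FASTEN project, showing the kind of custom analysis steps 2 to 4 lead up to: starting from the application's callables, walk the stitched call graph and report only those vulnerable callables that are actually reachable, together with a witness call path. It is written in Python as a self-contained stand-in for the Java objects named above: MERGED_GRAPH plays the role of mergedDirectedGraph (local ids), ID_TO_URI plays the role of the allUris BiMap, and METADATA_RECORDS stands in for the response of /metadata/callables. All of that data is constructed for the example, and the record field names (fasten_uri, metadata, vulnerabilities) are an assumption, not the REST API's schema.

```python
"""Reachability check over a stitched call graph (added example, not FASTEN code).

Question answered: which callables flagged as vulnerable in the meta-data can
be reached from the application's own callables? A vulnerable callable that is
merely present on the classpath but never reached is not reported.
"""
from collections import deque

# Constructed stand-in for mergedDirectedGraph: local id -> callee local ids.
MERGED_GRAPH = {
    0: [1, 2],  # a:a:0 Main.main
    1: [3],     # a:a:0 Main.load calls into b:b:1
    2: [],      # a:a:0 Util.unused
    3: [4],     # b:b:1 Loader.read
    4: [5],     # d:d:2 Parser.parse
    5: [],      # d:d:2 Parser.expand (flagged vulnerable, reachable)
    6: [5],     # e:e:2 Client.fetch (flagged vulnerable, never reached from a:a:0)
}

# Constructed stand-in for the allUris BiMap: local id <-> fully qualified FASTEN URI.
# The URI strings are illustrative only.
ID_TO_URI = {
    0: "fasten://mvn!a:a$0/com.example.app/Main.main()",
    1: "fasten://mvn!a:a$0/com.example.app/Main.load()",
    2: "fasten://mvn!a:a$0/com.example.app/Util.unused()",
    3: "fasten://mvn!b:b$1/org.lib.b/Loader.read()",
    4: "fasten://mvn!d:d$2/org.lib.d/Parser.parse()",
    5: "fasten://mvn!d:d$2/org.lib.d/Parser.expand()",
    6: "fasten://mvn!e:e$2/org.lib.e/Client.fetch()",
}
URI_TO_ID = {uri: cid for cid, uri in ID_TO_URI.items()}  # inverse direction of the BiMap

# Constructed stand-in for /metadata/callables records; field names are assumed.
METADATA_RECORDS = [
    {"fasten_uri": ID_TO_URI[5],
     "metadata": {"vulnerabilities": {"VULN-PLACEHOLDER-1": {"severity": "HIGH"}}}},
    {"fasten_uri": ID_TO_URI[6],
     "metadata": {"vulnerabilities": {"VULN-PLACEHOLDER-2": {"severity": "LOW"}}}},
    {"fasten_uri": ID_TO_URI[4], "metadata": {"vulnerabilities": {}}},
    {"fasten_uri": ID_TO_URI[3], "metadata": {}},
]


def product_of(uri):
    """Extract the 'group:artifact$version' coordinate from a FASTEN URI."""
    return uri.split("!", 1)[1].split("/", 1)[0]


def application_ids(id_to_uri, product):
    """Local ids of all callables that belong to the application coordinate."""
    return {cid for cid, uri in id_to_uri.items() if product_of(uri) == product}


def vulnerable_ids(records, uri_to_id):
    """Map local id -> sorted vulnerability ids for every record that carries any."""
    out = {}
    for rec in records:
        vulns = rec.get("metadata", {}).get("vulnerabilities") or {}
        if vulns and rec["fasten_uri"] in uri_to_id:
            out[uri_to_id[rec["fasten_uri"]]] = sorted(vulns)
    return out


def bfs_parents(graph, sources):
    """Multi-source BFS over the call graph; parent pointers give a witness path."""
    parent = {s: None for s in sorted(sources)}
    queue = deque(sorted(sources))
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return parent


def rebuild_path(parent, target):
    """Walk parent pointers back from target to an application callable."""
    path, node = [], target
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def analyze(graph, id_to_uri, records, product):
    """Return reachable vulnerable callables with one call path each."""
    parent = bfs_parents(graph, application_ids(id_to_uri, product))
    uri_to_id = {uri: cid for cid, uri in id_to_uri.items()}
    findings = []
    for vid, vulns in sorted(vulnerable_ids(records, uri_to_id).items()):
        if vid in parent:  # reachable from the application
            ids = rebuild_path(parent, vid)
            findings.append({"vulnerabilities": vulns, "path_ids": ids,
                             "path": [id_to_uri[n] for n in ids]})
    return findings


if __name__ == "__main__":
    for finding in analyze(MERGED_GRAPH, ID_TO_URI, METADATA_RECORDS, "a:a$0"):
        print(finding["vulnerabilities"], " -> ".join(finding["path"]))
```

On the constructed data the analysis reports only Parser.expand of d:d:2, reached via Main.load, Loader.read and Parser.parse; Client.fetch of e:e:2 is also flagged but is never reached from a:a:0, so it does not appear. With the real objects, the graph's successors and the allUris BiMap would replace the two constructed dictionaries, and the product filter would select the application's own callables in the same way.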