https://github.com/secure-software-engineering/secucheck-core
Taint Analysis on top of Soot.
https://github.com/secure-software-engineering/secucheck-core
Last synced: 10 months ago
JSON representation
Taint Analysis on top of Soot.
- Host: GitHub
- URL: https://github.com/secure-software-engineering/secucheck-core
- Owner: secure-software-engineering
- License: mit
- Created: 2020-07-02T21:52:35.000Z (over 5 years ago)
- Default Branch: SCC-1.1.0
- Last Pushed: 2024-03-25T12:38:19.000Z (almost 2 years ago)
- Last Synced: 2024-04-20T08:57:16.687Z (almost 2 years ago)
- Language: Java
- Homepage:
- Size: 36.3 MB
- Stars: 8
- Watchers: 11
- Forks: 3
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# What is secucheck-core?
This is the core taint analysis of the SecuCheck tool which can be found in [this repository](https://github.com/secure-software-engineering/secucheck/) which also contains further documentation. SecuCheck integrates two data-solvers: Boomerang 3.x, an implementation of SPDS and FlowDroid, an implementation of IFDS.
Boomerang 3.x is the default solver. Our tests are based on Boomerang 3.x. For WebGoat, the catalog, the demo-project and spring-petclinic and it finds all the TaintFlows.
## How to build secucheck-core manually?
- secucheck-core uses Boomerang DemandDriven analysis feature which is not yet realeased. Therefore, we need to build the Boomerang manually to the local maven before building SecuCheck.
- Clone the Boomernag repository using the below command
```shell script
git clone https://github.com/CodeShield-Security/SPDS.git
```
- Change the branch to develop using the below command. Recently used boomerang commit to build SecuCheck is 361a6bc33f7e8311398532a5c444c9e9cc358b0d
```shell script
git checkout develop
```
- Build Boomerang using the below command
```shell script
mvn clean install -DskipTests
```
- Clone secuchek-core
```shell script
git clone https://github.com/secure-software-engineering/secucheck-core.git
```
- change path to root directory of secucheck-core project
```shell script
cd secucheck-core
```
- change the branch to SCC-1.1.0 or SCC-1.0.0
```shell script
git checkout SCC-1.1.0
```
- build the project
```shell script
mvn clean install
```
## secucheck-core structure
| Project | Description | can use in client side? |
| ------- | ----------- | ----------------------- |
| de.fraunhofer.iem.secucheck.analysis | Core analysis API to use secucheck-core analysis | Yes |
| de.fraunhofer.iem.secucheck.analysis.configuration | Lets the client configure secucheck-core analysis | Yes |
| de.fraunhofer.iem.secucheck.analysis.datastructure | used to represent the analysis results | Yes |
| de.fraunhofer.iem.secucheck.analysis.implementation | Implements the different solver (internal to secucheck-core) | No |
| de.fraunhofer.iem.secucheck.analysis.query | TaintFlow query independent of other TaintFlowQuery language | Yes |
| de.fraunhofer.iem.secucheck.analysis.result | Taint analysis results classes | Yes |
| de.fraunhofer.iem.secucheck.analysis.SingleFlowAnalysis | Interface for taint analysis for single taintflow specification | No
## Required maven dependency to use secucheck-core at client side.
- de.fraunhofer.iem.secucheck.analysis
```xml
de.fraunhofer.iem.secucheck
0.0.1-SNAPSHOT
de.fraunhofer.iem.secucheck.analysis
```
- de.fraunhofer.iem.secucheck.analysis.configuration
```xml
de.fraunhofer.iem.secucheck
de.fraunhofer.iem.secucheck.analysis.configuration
0.0.1-SNAPSHOT
```
- de.fraunhofer.iem.secucheck.analysis.result
```xml
de.fraunhofer.iem.secucheck
de.fraunhofer.iem.secucheck.analysis.result
0.0.1-SNAPSHOT
```
- de.fraunhofer.iem.secucheck.analysis.query
```xml
de.fraunhofer.iem.secucheck
de.fraunhofer.iem.secucheck.analysis.query
0.0.1-SNAPSHOT
```
- de.fraunhofer.iem.secucheck.analysis.datastructures
```xml
de.fraunhofer.iem.secucheck
de.fraunhofer.iem.secucheck.analysis.datastructures
0.0.1-SNAPSHOT
```