Palladio-ReverseEngineering-SoMoX-Vulnerability


This project implements an Eclipse plug-in for static security code analysis. The code analysis itself is performed with the Snyk command line interface, and its results are annotated onto the traced PCM entities. This makes a software security analysis possible without building a new security model. The annotation is made possible by the Palladio add-on ContextConfidentiality-Metamodel. For detailed information on each finding, the Snyk vulnerability database is used.

The project was originally implemented within the scope of the practical master course Werkzeuge für Agile Modellierung at the Karlsruhe Institute of Technology. Since then, it has been maintained and improved upon.


Technologies:

The project is built with:

  • Eclipse (Version: 2022-12 (4.26.0))
  • Java 17 (OpenJDK version 17.0.6)
  • Maven (Version: 3.8.6)

The following dependencies exist:

Installation

For the installation and further development of plugins follow these steps:

  1. Clone and import the Palladio-ReverseEngineering-SoMoX-Vulnerability repository: `git clone https://github.com/FluidTrust/Palladio-ReverseEngineering-SoMoX-Vulnerability.git`
  2. Download and install Maven.
  3. Change to the project directory and run `mvn clean install`. The build should succeed.

For launching plugins from Eclipse:

  1. Download and install Eclipse.
  2. Download and install Eclipse PDE (Plug-in Development Environment):
    • Go to Eclipse → Help → Eclipse Marketplace
    • Search for and install Eclipse PDE (Plug-in Development Environment)
  3. Download and install the newest Palladio plugin.
  4. Import the project from the `maven_project` directory together with the nested projects.
  5. Clone and import the ContextConfidentiality Metamodel repository: `git clone https://github.com/FluidTrust/Palladio-Addons-ContextConfidentiality-Metamodel.git`

Now it should be possible to launch plugins.

Functionalities

The plugin should be used as an adaptor. Use the interface bundle to implement the interface and fill in the parameters for the analysis. The plugin processes the parameters and returns a new PCM in which the found security vulnerabilities are annotated.

Tests

Since this project connects multiple projects which are all well tested, only a few tests were needed, covering the parsers. These tests are implemented and pass.

To run the tests, a Snyk binary is required. Place it in the `bin/` directory.

Further development

  • The Snyk CLI should be replaced by the actual Snyk API. Parsing of the website and of the CLI output would then no longer be needed.