UnitTestBot
diff --git a/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/Dumpable.kt‎
Lines changed: 0 additions & 38 deletions b/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/Dumpable.kt‎
Lines changed: 0 additions & 38 deletions
diff --git a/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/engine/MainIfdsUnitManager.kt‎
Lines changed: 1 addition & 1 deletion b/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/engine/MainIfdsUnitManager.kt‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/engine/SummaryStorage.kt‎
Lines changed: 2 additions & 1 deletion b/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/engine/SummaryStorage.kt‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/engine/TraceGraph.kt‎
Lines changed: 0 additions & 13 deletions b/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/engine/TraceGraph.kt‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/engine/VulnerabilityInstance.kt‎
Lines changed: 4 additions & 20 deletions b/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/engine/VulnerabilityInstance.kt‎
Lines changed: 4 additions & 20 deletions
diff --git a/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/library/RunnersLibrary.kt‎
Lines changed: 1 addition & 24 deletions b/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/library/RunnersLibrary.kt‎
Lines changed: 1 addition & 24 deletions
diff --git a/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/library/analyzers/AliasAnalyzer.kt‎
Lines changed: 7 additions & 49 deletions b/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/library/analyzers/AliasAnalyzer.kt‎
Lines changed: 7 additions & 49 deletions
diff --git a/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/library/analyzers/NpeAnalyzer.kt‎
Lines changed: 6 additions & 2 deletions b/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/library/analyzers/NpeAnalyzer.kt‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/library/analyzers/SqlInjectionAnalyzer.kt‎
Lines changed: 38 additions & 11 deletions b/‎jacodb-analysis/src/main/kotlin/org/jacodb/analysis/library/analyzers/SqlInjectionAnalyzer.kt‎
Lines changed: 38 additions & 11 deletions
@@ -152,7 +152,7 @@ class MainIfdsUnitManager<UnitType>(
         logger.info { "Restoring traces..." }
 
         foundVulnerabilities
-            .map { VulnerabilityInstance(it.vulnerabilityType, extendTraceGraph(it.sink.traceGraph)) }
+            .map { VulnerabilityInstance(it.vulnerabilityDescription, extendTraceGraph(it.sink.traceGraph)) }
             .filter {
                 it.traceGraph.sources.any { source ->
                     graph.methodOf(source.statement) in startMethods || source.domainFact == ZEROFact
 
@@ -19,6 +19,7 @@ package org.jacodb.analysis.engine
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.MutableSharedFlow
 import kotlinx.coroutines.flow.SharedFlow
+import org.jacodb.analysis.sarif.VulnerabilityDescription
 import org.jacodb.api.JcMethod
 import java.util.concurrent.ConcurrentHashMap
 
@@ -33,7 +34,7 @@ sealed interface SummaryFact {
 /**
  * [SummaryFact] that denotes a possible vulnerability at [sink]
  */
-data class VulnerabilityLocation(val vulnerabilityType: String, val sink: IfdsVertex) : SummaryFact {
+data class VulnerabilityLocation(val vulnerabilityDescription: VulnerabilityDescription, val sink: IfdsVertex) : SummaryFact {
     override val method: JcMethod = sink.method
 }
 
 
@@ -16,8 +16,6 @@
 
 package org.jacodb.analysis.engine
 
-import org.jacodb.analysis.DumpableVulnerabilityInstance
-
 /**
  * A directed graph with selected [sink] and [sources], where each path from one of [sources] to [sink] is a trace.
  *
@@ -56,17 +54,6 @@ data class TraceGraph(
         }
     }
 
-    fun toVulnerability(vulnerabilityType: String, maxTracesCount: Int = 100): DumpableVulnerabilityInstance {
-        return DumpableVulnerabilityInstance(
-            vulnerabilityType,
-            sources.map { it.statement.toString() },
-            sink.statement.toString(),
-            getAllTraces().take(maxTracesCount).map { intermediatePoints ->
-                intermediatePoints.map { it.statement.toString() }
-            }.toList()
-        )
-    }
-
     /**
      * Merges two graphs.
      *
 
@@ -16,31 +16,15 @@
 
 package org.jacodb.analysis.engine
 
-import org.jacodb.analysis.DumpableVulnerabilityInstance
-import org.jacodb.api.cfg.JcInst
+import org.jacodb.analysis.sarif.VulnerabilityDescription
 
 /**
  * Represents a vulnerability (issue) found by analysis
  *
- * @property vulnerabilityType type of vulnerability as a string (e.g. "Possible NPE", "Unused variable")
+ * @property vulnerabilityDescription type of vulnerability as a string (e.g. "Possible NPE", "Unused variable")
  * @property traceGraph contains sink, sources and traces that lead to occurrence of vulnerability
  */
 data class VulnerabilityInstance(
-    val vulnerabilityType: String,
+    val vulnerabilityDescription: VulnerabilityDescription,
     val traceGraph: TraceGraph
-) {
-    private fun JcInst.prettyPrint(): String {
-        return "${toString()} (${location.method}:${location.lineNumber})"
-    }
-
-    fun toDumpable(maxPathsCount: Int): DumpableVulnerabilityInstance {
-        return DumpableVulnerabilityInstance(
-            vulnerabilityType,
-            traceGraph.sources.map { it.statement.prettyPrint() },
-            traceGraph.sink.statement.prettyPrint(),
-            traceGraph.getAllTraces().take(maxPathsCount).map { intermediatePoints ->
-                intermediatePoints.map { it.statement.prettyPrint() }
-            }.toList()
-        )
-    }
-}
+)
@@ -25,11 +25,8 @@ import org.jacodb.analysis.library.analyzers.NpePrecalcBackwardAnalyzerFactory
 import org.jacodb.analysis.library.analyzers.SqlInjectionAnalyzerFactory
 import org.jacodb.analysis.library.analyzers.SqlInjectionBackwardAnalyzerFactory
 import org.jacodb.analysis.library.analyzers.TaintAnalysisNode
-import org.jacodb.analysis.library.analyzers.TaintAnalyzerFactory
-import org.jacodb.analysis.library.analyzers.TaintBackwardAnalyzerFactory
 import org.jacodb.analysis.library.analyzers.TaintNode
 import org.jacodb.analysis.library.analyzers.UnusedVariableAnalyzerFactory
-import org.jacodb.api.JcMethod
 import org.jacodb.api.cfg.JcExpr
 import org.jacodb.api.cfg.JcInst
 
@@ -52,24 +49,4 @@ fun newAliasRunnerFactory(
     sanitizes: (JcExpr, TaintNode) -> Boolean,
     sinks: (JcInst) -> List<TaintAnalysisNode>,
     maxPathLength: Int = 5
-) = BaseIfdsUnitRunnerFactory(AliasAnalyzerFactory(generates, sanitizes, sinks, maxPathLength))
-
-fun newTaintRunnerFactory(
-    isSourceMethod: (JcMethod) -> Boolean,
-    isSanitizeMethod: (JcMethod) -> Boolean,
-    isSinkMethod: (JcMethod) -> Boolean,
-    maxPathLength: Int = 5
-) = BidiIfdsUnitRunnerFactory(
-    BaseIfdsUnitRunnerFactory(TaintAnalyzerFactory(isSourceMethod, isSanitizeMethod, isSinkMethod, maxPathLength)),
-    BaseIfdsUnitRunnerFactory(TaintBackwardAnalyzerFactory(isSourceMethod, isSinkMethod, maxPathLength))
-)
-
-fun newTaintRunnerFactory(
-    sourceMethodMatchers: List<String>,
-    sanitizeMethodMatchers: List<String>,
-    sinkMethodMatchers: List<String>,
-    maxPathLength: Int = 5
-) = BidiIfdsUnitRunnerFactory(
-    BaseIfdsUnitRunnerFactory(TaintAnalyzerFactory(sourceMethodMatchers, sanitizeMethodMatchers, sinkMethodMatchers, maxPathLength)),
-    BaseIfdsUnitRunnerFactory(TaintBackwardAnalyzerFactory(sourceMethodMatchers, sinkMethodMatchers, maxPathLength))
-)
+) = BaseIfdsUnitRunnerFactory(AliasAnalyzerFactory(generates, sanitizes, sinks, maxPathLength))
@@ -21,15 +21,10 @@ import org.jacodb.analysis.engine.AnalyzerFactory
 import org.jacodb.analysis.engine.DomainFact
 import org.jacodb.analysis.engine.IfdsResult
 import org.jacodb.analysis.engine.IfdsVertex
-import org.jacodb.analysis.engine.NewSummaryFact
-import org.jacodb.analysis.engine.VulnerabilityLocation
-import org.jacodb.analysis.paths.FieldAccessor
+import org.jacodb.analysis.sarif.VulnerabilityDescription
 import org.jacodb.api.analysis.JcApplicationGraph
-import org.jacodb.api.cfg.JcArgument
 import org.jacodb.api.cfg.JcExpr
 import org.jacodb.api.cfg.JcInst
-import org.jacodb.api.cfg.JcLocal
-import org.jacodb.api.cfg.values
 
 fun AliasAnalyzerFactory(
     generates: (JcInst) -> List<DomainFact>,
@@ -42,49 +37,12 @@ fun AliasAnalyzerFactory(
 
 private class AliasAnalyzer(
     graph: JcApplicationGraph,
-    generates: (JcInst) -> List<DomainFact>,
-    sanitizes: (JcExpr, TaintNode) -> Boolean,
-    sinks: (JcInst) -> List<TaintAnalysisNode>,
+    override val generates: (JcInst) -> List<DomainFact>,
+    override val sanitizes: (JcExpr, TaintNode) -> Boolean,
+    override val sinks: (JcInst) -> List<TaintAnalysisNode>,
     maxPathLength: Int,
-) : TaintAnalyzer(graph, generates, sanitizes, sinks, maxPathLength) {
-
-    override fun handleIfdsResult(ifdsResult: IfdsResult): List<AnalysisDependentEvent> = buildList {
-        ifdsResult.resultFacts.map { (inst, facts) ->
-            facts.filterIsInstance<TaintAnalysisNode>().forEach { fact ->
-                if (fact in sinks(inst)) {
-                    fact.variable.let {
-                        val name = when (val x = it.value) {
-                            is JcArgument -> x.name
-                            is JcLocal -> inst.location.method.flowGraph().instructions
-                                .first { x in it.operands.flatMap { it.values } }
-                                .lineNumber
-                                .toString()
-                            null -> (it.accesses[0] as FieldAccessor).field.enclosingClass.simpleName
-                            else -> error("Unknown local type")
-                        }
-
-                        val fullPath = buildString {
-                            append(name)
-                            if (it.accesses.isNotEmpty()) {
-                                append(".")
-                            }
-                            append(it.accesses.joinToString("."))
-                        }
-
-                        verticesWithTraceGraphNeeded.add(IfdsVertex(inst, fact))
+) : TaintAnalyzer(graph, maxPathLength) {
+    override fun generateDescriptionForSink(sink: IfdsVertex): VulnerabilityDescription = TODO()
 
-                        add(
-                            NewSummaryFact(
-                                VulnerabilityLocation(
-                                    vulnerabilityType,
-                                    IfdsVertex(inst, fact)
-                                )
-                            )
-                        )
-                    }
-                }
-            }
-        }
-        addAll(super.handleIfdsResult(ifdsResult))
-    }
+    override fun handleIfdsResult(ifdsResult: IfdsResult): List<AnalysisDependentEvent> = TODO()
 }
@@ -35,6 +35,8 @@ import org.jacodb.analysis.paths.minus
 import org.jacodb.analysis.paths.startsWith
 import org.jacodb.analysis.paths.toPath
 import org.jacodb.analysis.paths.toPathOrNull
+import org.jacodb.analysis.sarif.SarifMessage
+import org.jacodb.analysis.sarif.VulnerabilityDescription
 import org.jacodb.api.JcArrayType
 import org.jacodb.api.JcClasspath
 import org.jacodb.api.JcMethod
@@ -67,14 +69,16 @@ class NpeAnalyzer(graph: JcApplicationGraph, maxPathLength: Int) : AbstractAnaly
         get() = true
 
     companion object {
-        const val vulnerabilityType: String = "npe-analysis"
+        const val ruleId: String = "npe-deref"
     }
 
     override fun handleNewEdge(edge: IfdsEdge): List<AnalysisDependentEvent> = buildList {
         val (inst, fact0) = edge.v
 
         if (fact0 is NpeTaintNode && fact0.activation == null && fact0.variable.isDereferencedAt(inst)) {
-            add(NewSummaryFact((VulnerabilityLocation(vulnerabilityType, edge.v))))
+            val message = "Dereference of possibly-null ${fact0.variable}"
+            val desc = VulnerabilityDescription(SarifMessage(message), ruleId)
+            add(NewSummaryFact((VulnerabilityLocation(desc, edge.v))))
             verticesWithTraceGraphNeeded.add(edge.v)
         }
 
 
@@ -16,18 +16,45 @@
 
 package org.jacodb.analysis.library.analyzers
 
-fun SqlInjectionAnalyzerFactory(maxPathLength: Int) = TaintAnalyzerFactory(
-    sqlSourceMatchers,
-    sqlSanitizeMatchers,
-    sqlSinkMatchers,
-    maxPathLength
-)
+import org.jacodb.analysis.engine.AnalyzerFactory
+import org.jacodb.analysis.engine.IfdsVertex
+import org.jacodb.analysis.sarif.SarifMessage
+import org.jacodb.analysis.sarif.VulnerabilityDescription
+import org.jacodb.api.analysis.JcApplicationGraph
 
-fun SqlInjectionBackwardAnalyzerFactory(maxPathLength: Int) = TaintBackwardAnalyzerFactory(
-    sqlSourceMatchers,
-    sqlSinkMatchers,
-    maxPathLength
-)
+class SqlInjectionAnalyzer(
+    graph: JcApplicationGraph,
+    maxPathLength: Int
+) : TaintAnalyzer(graph, maxPathLength) {
+    override val generates = isSourceMethodToGenerates(sqlSourceMatchers.asMethodMatchers)
+    override val sanitizes = isSanitizeMethodToSanitizes(sqlSanitizeMatchers.asMethodMatchers)
+    override val sinks = isSinkMethodToSinks(sqlSinkMatchers.asMethodMatchers)
+
+    companion object {
+        private const val ruleId: String = "SQL-injection"
+        private val vulnerabilityMessage = SarifMessage("SQL query with unchecked injection")
+
+        val vulnerabilityDescription = VulnerabilityDescription(vulnerabilityMessage, ruleId)
+    }
+
+    override fun generateDescriptionForSink(sink: IfdsVertex): VulnerabilityDescription = vulnerabilityDescription
+}
+
+class SqlInjectionBackwardAnalyzer(
+    graph: JcApplicationGraph,
+    maxPathLength: Int
+) : TaintBackwardAnalyzer(graph, maxPathLength) {
+    override val generates = isSourceMethodToGenerates(sqlSourceMatchers.asMethodMatchers)
+    override val sinks = isSinkMethodToSinks(sqlSinkMatchers.asMethodMatchers)
+}
+
+fun SqlInjectionAnalyzerFactory(maxPathLength: Int) = AnalyzerFactory { graph ->
+    SqlInjectionAnalyzer(graph, maxPathLength)
+}
+
+fun SqlInjectionBackwardAnalyzerFactory(maxPathLength: Int) = AnalyzerFactory { graph ->
+    SqlInjectionBackwardAnalyzer(graph, maxPathLength)
+}
 
 private val sqlSourceMatchers = listOf(
     "java\\.io.+",
Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,6 @@`
`16`	`16`
`17`	`17`	`package org.jacodb.analysis.engine`
`18`	`18`
`19`		`-import org.jacodb.analysis.DumpableVulnerabilityInstance`
`20`		`-`
`21`	`19`	`/**`
`22`	`20`	`* A directed graph with selected [sink] and [sources], where each path from one of [sources] to [sink] is a trace.`
`23`	`21`	`*`
`@@ -56,17 +54,6 @@ data class TraceGraph(`
`56`	`54`	`}`
`57`	`55`	`}`
`58`	`56`
`59`		`- fun toVulnerability(vulnerabilityType: String, maxTracesCount: Int = 100): DumpableVulnerabilityInstance {`
`60`		`- return DumpableVulnerabilityInstance(`
`61`		`- vulnerabilityType,`
`62`		`- sources.map { it.statement.toString() },`
`63`		`- sink.statement.toString(),`
`64`		`- getAllTraces().take(maxTracesCount).map { intermediatePoints ->`
`65`		`- intermediatePoints.map { it.statement.toString() }`
`66`		`- }.toList()`
`67`		`- )`
`68`		`- }`
`69`		`-`
`70`	`57`	`/**`
`71`	`58`	`* Merges two graphs.`
`72`	`59`	`*`