Merge pull request diffblue#443 from diffblue/ginco_evaluation_bash_script

SEC-432: Introduced bash script for install, built, and analyse Ginco.

Author: marek-trtik

benchmarks/GENUINE/.gitignore

@@ -5,7 +5,7 @@ WebGoat
 Alfresco
 DSpace
 encuestame
-ginco
+Ginco
 jforum3
 libresonic
 onyx

benchmarks/GENUINE/Ginco.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+if [ -z "$SECURITY_SCANNER_HOME" ]; then
+    SECURITY_SCANNER_HOME=../../dist
+    if [ ! -d "$SECURITY_SCANNER_HOME" ]; then
+        echo "Need to set SECURITY_SCANNER_HOME to cmake directory"
+        exit 1
+    fi
+    echo "SECURITY_SCANNER_HOME set to path: $SECURITY_SCANNER_HOME"
+fi
+
+if [[ ! -d "Ginco" ]]; then
+    mkdir Ginco
+    cd Ginco
+
+    git clone https://github.com/culturecommunication/ginco .
+
+    # This is the commit where the XSS issue was fixed: 2fb5a070034deda25b2d50a98e9e6b42754e6425
+    # This is the subsequent commit mentioned in the README.txt file: fb937f67a78a1f01017cee3a12f4d79d325ec82f
+    # Nevertheless, we do not checkout any of them. We actually checkout
+    # latest 'master' branch on 2017-11-17 10:18:50.
+    git checkout e5b62450f61f76feccd2c2d5bf8ed33d1e258d87
+
+    patch -p1 -f < ../Ginco_files/0001-Reverting-XSS-issue-and-adding-generation-of-jar.patch
+
+    mvn package -DskipTests
+    
+    # Now we create an artificial entry-point project and build it
+    cp -r ../Ginco_files/__MAIN__/ .
+    mkdir -p __MAIN__/src/main/java/org/cprover
+    cp ../../LIBRARIES/models/model/src/main/java/org/cprover/* __MAIN__/src/main/java/org/cprover
+    (cd __MAIN__ && mvn package)
+
+    # Finally, we deploy built binaries to the deplyment directory '__dist__'
+    mkdir -p __dist__/ginco-admin/{webapp,lib}
+    mkdir -p __dist__/ginco-webservices/webapp
+    cp __MAIN__/target/classes/Main.class __dist__/ginco-admin/webapp
+    cp ginco-admin/target/ginco-admin-classes.jar __dist__/ginco-admin/lib
+    cp ginco-webservices/target/ginco-webservices.war __dist__/ginco-webservices/webapp
+
+    cd ..
+fi
+
+(cd $SECURITY_SCANNER_HOME && python3 ../driver/run.py -C ../benchmarks/GENUINE/GincoRules.json -I ../benchmarks/GENUINE/Ginco/__dist__/ginco-admin/webapp -L ../benchmarks/GENUINE/Ginco/__dist__/ginco-admin/lib -R GENUINE/Ginco/RESULTS -T GENUINE/Ginco/TEMP --name Ginco --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.main)
+

benchmarks/GENUINE/Ginco_files/0001-Reverting-XSS-issue-and-adding-generation-of-jar.patch

@@ -0,0 +1,39 @@
+From ed369d182a223b53c9ff37bec44b391833b24c7b Mon Sep 17 00:00:00 2001
+From: marek-trtik <[email protected]>
+Date: Fri, 8 Jun 2018 17:41:23 +0100
+Subject: [PATCH] Reverting XSS issue and adding generation of jar
+
+---
+ ginco-admin/pom.xml                                                     | 2 +-
+ .../src/main/java/fr/mcc/ginco/rest/services/ImportRestService.java     | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ginco-admin/pom.xml b/ginco-admin/pom.xml
+index d4f91e5..5b7f18c 100644
+--- a/ginco-admin/pom.xml
++++ b/ginco-admin/pom.xml
+@@ -151,7 +151,7 @@
+ 						</resource>
+ 					</webResources>
+ 					<warSourceExcludes>*.js,app/**/*.js</warSourceExcludes>
+-				</configuration>
++<attachClasses>true</attachClasses><classesClassifier>classes</classesClassifier></configuration>
+ 			</plugin>
+ 			<plugin>
+ 				<groupId>com.googlecode.jslint4java</groupId>
+diff --git a/ginco-admin/src/main/java/fr/mcc/ginco/rest/services/ImportRestService.java b/ginco-admin/src/main/java/fr/mcc/ginco/rest/services/ImportRestService.java
+index 140a5c8..d2ddaf1 100644
+--- a/ginco-admin/src/main/java/fr/mcc/ginco/rest/services/ImportRestService.java
++++ b/ginco-admin/src/main/java/fr/mcc/ginco/rest/services/ImportRestService.java
+@@ -193,7 +193,7 @@ public class ImportRestService {
+ 		response.setExternalConceptIds(externalConceptIds);
+ 		ObjectMapper mapper = new ObjectMapper();
+ 		String serialized = mapper.writeValueAsString(new ExtJsonFormLoadData(response));
+-		return StringEscapeUtils.unescapeHtml4(serialized);
++        return serialized;
+ 	}
+ 
+ 	/**
+-- 
+2.7.4
+

benchmarks/GENUINE/Ginco_files/__MAIN__/pom.xml

@@ -0,0 +1,33 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>__MAIN__</groupId>
+    <artifactId>__MAIN__</artifactId>
+    <packaging>jar</packaging>
+
+	<parent>
+		<groupId>fr.smile.mcc.ginco</groupId>
+		<artifactId>ginco</artifactId>
+		<version>2.0.9-SNAPSHOT</version>
+	</parent>
+
+    <dependencies>
+        <dependency>
+		    <groupId>fr.smile.mcc.ginco</groupId>
+	        <artifactId>ginco-admin</artifactId>
+    		<version>${project.version}</version>
+            <classifier>classes</classifier>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+        </dependency>
+		<dependency>
+			<groupId>org.apache.cxf</groupId>
+			<artifactId>cxf-bundle-jaxrs</artifactId>
+		</dependency>
+    </dependencies>
+
+</project>
+

benchmarks/GENUINE/Ginco_files/__MAIN__/src/main/java/Main.java

@@ -0,0 +1,22 @@
+import org.cprover.CProver;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.cxf.jaxrs.ext.multipart.MultipartBody;
+import fr.mcc.ginco.rest.services.ImportRestService;
+
+public class Main {
+
+    static void sink(String s) {
+    }
+
+    public static void main(String[] args) {
+        MultipartBody arg0 = CProver.nondetWithNull();
+        HttpServletRequest arg1 = CProver.nondetWithNull();
+        ImportRestService obj = CProver.nondetWithNull();
+        try {
+            sink(obj.uploadFile(arg0, arg1));
+        }
+        catch(Exception e) {
+        }
+    }
+
+}