update soot to 4.6.0. Trim unwanted commons-io and csv packages (#93)

* update soot to 4.6.0. Trim unwanted commons-io and csv packages Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Reuse existing xBOM tags Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> * Update commons-io which is needed for apk Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> --------- Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
AppThreat · Nov 18, 2024 · 3a859cf · 3a859cf
1 parent 83680ac
commit 3a859cf
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 9 deletions.
diff --git a/build.sbt b/build.sbt
@@ -1,6 +1,6 @@
 name                     := "chen"
 ThisBuild / organization := "io.appthreat"
-ThisBuild / version      := "2.2.2"
+ThisBuild / version      := "2.2.3"
 ThisBuild / scalaVersion := "3.5.2"
 
 val cpgVersion = "1.0.1"
@@ -38,6 +38,12 @@ ThisBuild / libraryDependencies ++= Seq(
   "org.slf4j"                % "slf4j-nop"         % "2.0.16" % Optional,
 )
 
+ThisBuild / excludeDependencies ++= Seq(
+  ExclusionRule("com.google.protobuf", "protobuf-java-util"),
+  ExclusionRule("com.github.tototoshi", "scala-csv_3"),
+  ExclusionRule("au.com.bytecode", "opencsv")
+)
+
 ThisBuild / compile / javacOptions ++= Seq(
   "-g", // debug symbols
   "-Xlint",

diff --git a/codemeta.json b/codemeta.json
@@ -7,7 +7,7 @@
   "downloadUrl": "https://github.com/AppThreat/chen",
   "issueTracker": "https://github.com/AppThreat/chen/issues",
   "name": "chen",
-  "version": "2.2.2",
+  "version": "2.2.3",
   "description": "Code Hierarchy Exploration Net (chen) is an advanced exploration toolkit for your application source code and its dependency hierarchy.",
   "applicationCategory": "code-analysis",
   "keywords": [

diff --git a/meta.yaml b/meta.yaml
@@ -1,4 +1,4 @@
-{% set version = "2.2.2" %}
+{% set version = "2.2.3" %}
 
 package:
   name: chen

diff --git a/platform/frontends/jimple2cpg/build.sbt b/platform/frontends/jimple2cpg/build.sbt
@@ -4,7 +4,8 @@ dependsOn(Projects.dataflowengineoss, Projects.x2cpg % "compile->compile;test->t
 
 libraryDependencies ++= Seq(
   "io.appthreat"           %% "cpg2"              % Versions.cpg,
-  "org.soot-oss"           % "soot"               % "4.5.0",
+  "commons-io"             % "commons-io"         % "2.17.0",
+  "org.soot-oss"           % "soot"               % "4.6.0",
   "org.scala-lang.modules" % "scala-asm"          % "9.7.0-scala-2",
   "org.ow2.asm"            % "asm"                % "9.7.1",
   "org.ow2.asm"            % "asm-analysis"       % "9.7.1",

diff --git a/platform/frontends/x2cpg/src/main/resources/tags-vocab.txt b/platform/frontends/x2cpg/src/main/resources/tags-vocab.txt
@@ -90,3 +90,20 @@ jdbm
 kerberos
 oidc
 oauth2
+bluetooth
+wifi
+wireless
+driver
+graphics
+firmware
+gyroscope
+accelerometer
+mobile
+network
+battery
+registry
+payment
+stripe
+apple-pay
+icloud
+azure
diff --git a/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/CdxPass.scala b/platform/frontends/x2cpg/src/main/scala/io/appthreat/x2cpg/passes/taggers/CdxPass.scala
@@ -19,7 +19,7 @@ class CdxPass(atom: Cpg) extends CpgPass(atom):
   val language: String = atom.metaData.language.head
 
   // Number of tags needed
-  private val TAGS_COUNT: Int = 2
+  private val TAGS_COUNT: Int = 3
 
   // Number of dots to use in the package namespace
   // Example: org.apache.logging.* would be used for tagging purposes
@@ -94,9 +94,14 @@ class CdxPass(atom: Cpg) extends CpgPass(atom):
           val compType  = comp.hcursor.downField("type").as[String].getOrElse("")
           val compDescription: String =
               comp.hcursor.downField("description").as[String].getOrElse("")
-          val descTags = keywords.filter(k =>
-              compDescription.toLowerCase().contains(" " + k)
-          ).take(TAGS_COUNT)
+          // Reuse existing tags from the xBOM
+          val compTags: List[String] =
+              comp.hcursor.downField("tags").as[List[String]].getOrElse(List.empty)
+          val descTags = if compTags.nonEmpty then compTags.take(TAGS_COUNT)
+          else
+            keywords.filter(k =>
+                compDescription.toLowerCase().contains(" " + k)
+            ).take(TAGS_COUNT)
           if (language == Languages.PYTHON || language == Languages.PYTHONSRC) && compPurl.startsWith(
               "pkg:pypi"
             )

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "appthreat-chen"
-version = "2.2.2"
+version = "2.2.3"
 description = "Code Hierarchy Exploration Net (chen)"
 authors = ["Team AppThreat <cloud@appthreat.com>"]
 license = "Apache-2.0"