From d06fb76322186b954c28425fb8fb6caa1d164564 Mon Sep 17 00:00:00 2001
From: Nikita Stroganov <54814796+mmvpm@users.noreply.github.com>
Date: Thu, 31 Jul 2025 15:12:20 +0300
Subject: [PATCH 1/2] Add default taint configuration file (#2280)
---
 .../src/main/resources/taint/config.yaml | 121 +++++++++++++++++-
 1 file changed, 117 insertions(+), 4 deletions(-)
diff --git a/utbot-framework/src/main/resources/taint/config.yaml b/utbot-framework/src/main/resources/taint/config.yaml
index 428fda9d5a..bc708767de 100644
--- a/utbot-framework/src/main/resources/taint/config.yaml
+++ b/utbot-framework/src/main/resources/taint/config.yaml
@@ -2,10 +2,123 @@ sources:
 - java.util.Scanner.next:
 add-to: return
 marks: user-input
+ - java.io.BufferedReader.readLine:
+ add-to: return
+ marks: user-input
+ - javax.servlet.http.HttpServletRequest.getParameter:
+ add-to: return
+ marks: user-input
+ - java.util.Properties.getProperty:
+ add-to: return
+ marks: user-input
+ - java.sql.ResultSet.getString:
+ add-to: return
+ marks: user-input
+ - javax.servlet.http.HttpServletRequest.getQueryString:
+ add-to: return
+ marks: user-input
-sinks:
- - java.lang.RuntimeException.:
- check: arg1
- marks: []
+cleaners:
+ - java.lang.String.isEmpty:
+ remove-from: this
+ marks: [ ]
+ conditions:
+ return: true
+
+passes:
+ - java.lang.String.getBytes:
+ get-from: this
+ add-to: return
+ marks: [ ]
+ conditions:
+ this: { not: "" }
+ - java.lang.String.split:
+ get-from: this
+ add-to: return
+ marks: [ ]
+ conditions:
+ this: { not: "" }
+ - java.lang.String.concat:
+ get-from: this
+ add-to: return
+ marks: [ ]
+ conditions:
+ this: { not: "" }
+ - java.lang.String.concat:
+ get-from: arg1
+ add-to: return
+ marks: [ ]
 conditions:
 arg1: { not: "" }
+ - java.lang.StringBuilder.append:
+ get-from: arg1
+ add-to: this
+ marks: [ ]
+ conditions:
+ arg1: { not: "" }
+ - java.lang.StringBuilder.toString:
+ get-from: this
+ add-to: return
+ marks: [ ]
+
+ - java.sql.Connection.prepareStatement:
+ get-from: arg1
+ add-to: [ this, return ]
+ marks: [ ]
+ - java.sql.PreparedStatement.setString:
+ get-from: arg2
+ add-to: this
+ marks: [ ]
+
+ - java.sql.Statement.addBatch:
+ get-from: arg1
+ add-to: this
+ marks: [ ]
+
+ - java.io.ByteArrayOutputStream.writeData:
+ get-from: arg1
+ add-to: this
+ marks: [ ]
+ - java.io.ByteArrayOutputStream.toByteArray:
+ get-from: this
+ add-to: return
+ marks: [ ]
+ - java.io.ByteArrayInputStream.:
+ get-from: arg1
+ add-to: [ this, return ]
+ marks: [ ]
+ - java.io.ObjectInputStream.:
+ get-from: arg1
+ add-to: [ this, return ]
+ marks: [ ]
+ - java.io.ObjectInputStream.readObject:
+ get-from: this
+ add-to: return
+ marks: [ ]
+
+sinks:
+ - java.sql.Statement.execute:
+ check: arg1
+ marks: user-input
+ - java.sql.Statement.executeUpdate:
+ check: arg1
+ marks: user-input
+ - java.sql.Statement.executeBatch:
+ check: this
+ marks: user-input
+ - java.sql.Statement.executeQuery:
+ check: arg1
+ marks: user-input
+
+ - java.sql.PreparedStatement.execute:
+ check: this
+ marks: user-input
+ - java.sql.PreparedStatement.executeUpdate:
+ check: this
+ marks: user-input
+ - java.sql.PreparedStatement.executeBatch:
+ check: this
+ marks: user-input
+ - java.sql.PreparedStatement.executeQuery:
+ check: this
+ marks: user-input
From 73bd2b2aed09ba94e7cbd875c662f78db10c2da8 Mon Sep 17 00:00:00 2001
From: ZouPanPan
Date: Thu, 31 Jul 2025 20:18:19 +0800
Subject: [PATCH 2/2] add dependbot and modify the github token permission (#2747)
* Create dependabot.yml
* modify token permission
---
 .github/dependabot.yml | 13 +++++++++++++
 .../workflows/build-and-run-tests-from-branch.yml | 5 +++++
 .github/workflows/build-and-run-tests.yml | 2 ++
 .github/workflows/collect-statistics.yml | 2 ++
 .github/workflows/issue-to-project.yml | 2 ++
 .github/workflows/night-statistics-monitoring.yml | 2 ++
 .github/workflows/public-rider-plugin.yml | 2 ++
 .github/workflows/publish-cli-from-branch.yml | 2 ++
 .github/workflows/publish-cli-image-from-branch.yml | 2 ++
 .github/workflows/publish-on-github-packages.yml | 2 ++
 .github/workflows/publish-plugin-from-branch.yml | 2 ++
 .github/workflows/run-chosen-tests-from-branch.yml | 2 ++
 12 files changed, 38 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..90ca761682
--- /dev/null
+++ b/.github/dependabot.yml
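Review bot: The `java.sql.PreparedStatement.setString` pass (`get-from: arg2`, `add-to: this`) makes every `java.sql.PreparedStatement.execute*` sink below fire on a correctly parameterized query: binding user input through a placeholder is the safe pattern, yet the statement object then carries the `user-input` mark straight into `check: this`, while the real injection case (taint in the SQL text) is already caught by the `java.sql.Connection.prepareStatement` pass on `arg1`. I would drop the `setString` entry so the sinks do not report false positives on safe code and train users to ignore them. `java.io.ByteArrayOutputStream.writeData` is not a method of that class (it exposes `write` and, since Java 11, `writeBytes`), so that pass never matches and taint stops at the output stream. The `ObjectInputStream` passes carry taint into the receiver of `readObject`, but no sink checks it; if untrusted deserialization is meant to be reported, a sink such as `- java.io.ObjectInputStream.readObject: check: this marks: user-input` is needed. The constructor entries appear here as `java.io.ByteArrayInputStream.:` and `java.io.ObjectInputStream.:`, presumably `<init>` lost in rendering — worth confirming against the committed file.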
@@ -0,0 +1,13 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "gradle" # See documentation for possible values
+ directories:
+ - "/utbot-intellij"
+ - "/utbot-framework"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/build-and-run-tests-from-branch.yml b/.github/workflows/build-and-run-tests-from-branch.yml
index 0d7155d9fb..f93be3be31 100644
--- a/.github/workflows/build-and-run-tests-from-branch.yml
+++ b/.github/workflows/build-and-run-tests-from-branch.yml
@@ -1,5 +1,7 @@
 name: "[M] UTBot Java: build and run tests"
+permissions: read-all
+
 on:
 workflow_dispatch:
 inputs:
@@ -42,6 +44,7 @@ env:
 jobs:
 prepare-matrices:
+ permissions: read-all
 runs-on: ubuntu-latest
 # Outputs are used for passing data to dependent jobs.
 outputs:
@@ -72,6 +75,7 @@ jobs:
 framework-tests:
+ permissions: read-all
 needs: prepare-matrices
 # Using matrices let create multiple jobs runs based on the combinations of the variables from matrices.
 # https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs
@@ -161,6 +165,7 @@ jobs:
 spring-tests:
+ permissions: read-all
 runs-on: ubuntu-20.04
 container:
 image: unittestbot/java-env:java17-zulu-jdk-gradle7.6.1-kotlinc1.8.0
diff --git a/.github/workflows/build-and-run-tests.yml b/.github/workflows/build-and-run-tests.yml
index 0779d05638..51d5a8b330 100644
--- a/.github/workflows/build-and-run-tests.yml
+++ b/.github/workflows/build-and-run-tests.yml
@@ -1,5 +1,7 @@
 name: "UTBot Java: build and run tests"
+permissions: read-all
+
 on:
 push:
 branches:
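Review bot: The new Dependabot config watches only the Gradle manifests under `/utbot-intellij` and `/utbot-framework`; the GitHub Actions pinned in the workflows this same commit hardens are not covered, so action versions will never get update PRs. A second entry with `package-ecosystem: "github-actions"` and `directory: "/"` closes that gap. Whether other Gradle modules exist outside the two listed directories cannot be seen from this hunk; if they do, they are silently excluded as well. The `# See documentation for possible values` comment on the `package-ecosystem` line repeats the file header and can go.
```yaml
updates:
  # … unchanged: gradle entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```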
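Review bot: The job-level `permissions: read-all` added to `prepare-matrices`, `framework-tests` and `spring-tests` in the later hunks of build-and-run-tests-from-branch.yml duplicates the workflow-level `permissions: read-all` from this hunk and narrows nothing, since a job block only matters when it differs from the top-level one. If the intent is least privilege, the job blocks are the place to go tighter than the default, e.g. `permissions:` followed by `contents: read`, which is all a checkout-and-test job needs; otherwise they should be removed to avoid suggesting a restriction that is not there. `read-all` itself still grants the token read access to every scope (packages, issues, pull requests, …) these jobs do not use, so `contents: read` is the better workflow-level floor where nothing else is read. The jobs' remaining steps lie outside these hunks, so whether any of them needs more than read access cannot be confirmed here.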
diff --git a/.github/workflows/collect-statistics.yml b/.github/workflows/collect-statistics.yml
index ff10bd2906..e330927f95 100644
--- a/.github/workflows/collect-statistics.yml
+++ b/.github/workflows/collect-statistics.yml
@@ -1,5 +1,7 @@
 name: "[M] UTBot Java: collect statistics"
+permissions: read-all
+
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/issue-to-project.yml b/.github/workflows/issue-to-project.yml
index 3a0b7edb3a..fc53eb2da5 100644
--- a/.github/workflows/issue-to-project.yml
+++ b/.github/workflows/issue-to-project.yml
@@ -1,5 +1,7 @@
 name: Add issues to UTBot Java project
+permissions: read-all
+
 on:
 issues:
 types:
diff --git a/.github/workflows/night-statistics-monitoring.yml b/.github/workflows/night-statistics-monitoring.yml
index 99af44d6ac..b0b134521f 100644
--- a/.github/workflows/night-statistics-monitoring.yml
+++ b/.github/workflows/night-statistics-monitoring.yml
@@ -1,5 +1,7 @@
 name: "UTBot Java: night statistics monitoring"
+permissions: read-all
+
 on:
 schedule:
 - cron: '0 0 * * *'
diff --git a/.github/workflows/public-rider-plugin.yml b/.github/workflows/public-rider-plugin.yml
index a2f28de7ea..587a7cf7bb 100644
--- a/.github/workflows/public-rider-plugin.yml
+++ b/.github/workflows/public-rider-plugin.yml
@@ -2,6 +2,8 @@ name: Publish Rider plugin
+permissions: read-all
+
 # Controls when the action will run. Workflow runs when manually triggered using the UI
 # or API.
 on:
diff --git a/.github/workflows/publish-cli-from-branch.yml b/.github/workflows/publish-cli-from-branch.yml
index 0f2256a242..217407d92e 100644
--- a/.github/workflows/publish-cli-from-branch.yml
+++ b/.github/workflows/publish-cli-from-branch.yml
@@ -1,5 +1,7 @@
 name: "[M] CLI: publish as archive"
+permissions: read-all
+
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/publish-cli-image-from-branch.yml b/.github/workflows/publish-cli-image-from-branch.yml
index 1c01fb85ff..d53b47dd87 100644
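Review bot: A workflow-level `permissions: read-all` with no job-level override will make any step in the publishing workflows (public-rider-plugin.yml here, and publish-cli-from-branch.yml, publish-cli-image-from-branch.yml, publish-on-github-packages.yml and publish-plugin-from-branch.yml in the following hunks) that pushes a package, image or release with `GITHUB_TOKEN` fail, because those operations need `packages: write` or `contents: write`. The publishing jobs lie outside these hunks, so I cannot tell whether they authenticate with `GITHUB_TOKEN` or with a dedicated secret; if it is the former, keep `read-all` at the top and add a job-level `permissions:` on the publishing job with only the single write scope it needs. The same applies to issue-to-project.yml, where adding an issue to a project is a write to the project and `read-all` will not grant it. `read-all` also still hands every workflow read access to scopes it never uses, so `contents: read` is the tighter floor for the workflows that only build and test.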
--- a/.github/workflows/publish-cli-image-from-branch.yml
+++ b/.github/workflows/publish-cli-image-from-branch.yml
@@ -1,5 +1,7 @@
 name: "[M] CLI: publish docker image"
+permissions: read-all
+
 on:
 workflow_call:
 workflow_dispatch:
diff --git a/.github/workflows/publish-on-github-packages.yml b/.github/workflows/publish-on-github-packages.yml
index ff3becd8f9..31bbbfd47f 100644
--- a/.github/workflows/publish-on-github-packages.yml
+++ b/.github/workflows/publish-on-github-packages.yml
@@ -1,5 +1,7 @@
 name: "[M] Publish on GitHub Packages"
+permissions: read-all
+
 on:
 workflow_dispatch:
 inputs:
diff --git a/.github/workflows/publish-plugin-from-branch.yml b/.github/workflows/publish-plugin-from-branch.yml
index 755ade4a60..7fcb8c56c6 100644
--- a/.github/workflows/publish-plugin-from-branch.yml
+++ b/.github/workflows/publish-plugin-from-branch.yml
@@ -1,5 +1,7 @@
 name: "[M] Plugin: publish as archive"
+permissions: read-all
+
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/run-chosen-tests-from-branch.yml b/.github/workflows/run-chosen-tests-from-branch.yml
index e1304d5c5e..2e24f6fbd1 100644
--- a/.github/workflows/run-chosen-tests-from-branch.yml
+++ b/.github/workflows/run-chosen-tests-from-branch.yml
@@ -1,5 +1,7 @@
 name: "[M] Run chosen tests"
+permissions: read-all
+
 on:
 workflow_dispatch:
 inputs: