### Install Vul4J and Initialize Data Directory Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Install Vul4J using uv sync, activate the virtual environment, and initialize the default data directory. Ensure the data directory is empty before initialization. ```shell uv sync source .venv/bin/activate vul4j init ``` -------------------------------- ### Start Vul4J Docker Container Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Starts a pre-built Vul4J Docker image, naming the container 'vul4j' for interactive use. ```shell $ docker run -it --name vul4j tuhhsoftsec/vul4j ``` -------------------------------- ### Check Vul4J Installation Status Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Verify that Vul4J has been installed correctly and all dependencies are recognized by running the status command. ```shell vul4j status ``` -------------------------------- ### Install Spotbugs with Vul4J Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Ensures Spotbugs is installed and configured correctly for Vul4J. If Spotbugs is not found, Vul4J can install it automatically. ```shell vul4j get-spotbugs ``` -------------------------------- ### Configure Vul4J with Java Home Paths Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Configure the JAVA_HOME paths for different Java versions in the `~/vul4j_data/vul4j.ini` file. This is crucial for Vul4J to locate your Java installations. ```ini JAVA7_HOME = JAVA8_HOME = JAVA11_HOME = JAVA16_HOME = ``` -------------------------------- ### Run Vul4J Docker Container Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Start a standalone container from the locally built Vul4J Docker image. This provides an isolated environment with all necessary tools pre-installed. ```shell ./run_docker.sh ``` -------------------------------- ### Vulnerability Test Results JSON Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Example JSON output detailing the results of running a vulnerability's test suite, including metrics and specific test failures. ```json { "vul_id": "VUL4J-10", "cve_id": "CVE-2013-2186", "repository": { "name": "apache_commons-fileupload", "url": "https://github.com/apache/commons-fileupload", "human_patch_url": "https://github.com/apache/commons-fileupload/commit/163a6061fbc077d4b6e4787d26857c2baba495d1" }, "tests": { "overall_metrics": { "number_running": 69, "number_passing": 67, "number_error": 0, "number_failing": 2, "number_skipping": 0 }, "failures": [ { "test_class": "org.apache.commons.fileupload.DiskFileItemSerializeTest", "test_method": "testInvalidRepositoryWithNullChar", "failure_name": "java.lang.AssertionError", "detail": "Expected exception: java.io.IOException", "is_error": false }, { "test_class": "org.apache.commons.fileupload.DiskFileItemSerializeTest", "test_method": "testInvalidRepository", "failure_name": "java.lang.AssertionError", "detail": "Expected exception: java.io.IOException", "is_error": false } ], "passing_tests": [ "org.apache.commons.fileupload.util.mime.QuotedPrintableDecoderTestCase#invalidQuotedPrintableEncoding", "org.apache.commons.fileupload.util.mime.QuotedPrintableDecoderTestCase#unsafeDecodeLowerCase", ... "org.apache.commons.fileupload.DefaultFileItemTest#testBelowThreshold" ], "skipping_tests": [] } } ``` -------------------------------- ### Vul4J Command-Line Interface Help Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Displays the help message for the `vul4j` command-line tool, outlining available subcommands and options for managing and analyzing vulnerabilities. ```bash $ vul4j --help usage: vul4j [-h] [-l LOG] {init,status,checkout,compile,test,apply,sast,reproduce,verify,info,classpath,get-spotbugs,evaluate} ... A Dataset of Java vulnerabilities. positional arguments: {init,status,checkout,compile,test,apply,sast,reproduce,verify,info,classpath,get-spotbugs,evaluate} init Create the Vul4J data directory and default config. status Lists vul4j requirements and their availability. checkout Checkout a vulnerability into the specified directory. compile Compile the checked out vulnerability. test Run testsuite for the checked out vulnerability. apply Apply the specified file versions. sast Run Spotbugs analysis. reproduce (verify) Verify the reproducibility of vulnerabilities in the dataset. info Print information about a vulnerability. classpath Print the classpath of the checked out vulnerability. get-spotbugs Download Spotbugs into the user directory. evaluate Evaluate candidate patches from unified git diffs. options: -h, --help show this help message and exit -l, --log LOG Specify displayed log level for this command. ``` -------------------------------- ### Build Vul4J Local Docker Image Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Build a local Docker image for Vul4J that includes Maven, SpotBugs, and JDK 7/8/11/16. This image can be used for consistent development and testing environments. ```shell docker build --platform linux/amd64 -t vul4j:local . ``` -------------------------------- ### Build Standalone Vul4J Docker Image Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Builds the Vul4J Docker image, populating it with the repository, build tools, and dependencies. This process includes warming up dependency caches. ```shell docker build --platform linux/amd64 --progress=plain \ -t vul4j:local . ``` -------------------------------- ### Run Vul4J Docker Container Interactively Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Run the Vul4J Docker image interactively, allowing you to execute commands within the container. The container is removed upon exit. ```shell docker run --platform linux/amd64 -it --rm \ vul4j:local ``` -------------------------------- ### Run Test Suite for Vulnerability Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Executes the test suite for a given vulnerability project and stores results in a JSON file. ```shell $ vul4j test -d /tmp/vul4j/VUL4J-10 ``` -------------------------------- ### Reproduce a Vulnerability with Vul4J Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Command to reproduce a specific vulnerability by its ID. This process involves checking out the project, applying the vulnerable version, cleaning, compiling, and running tests. It then applies the human patch, cleans, compiles, and runs tests again to verify the fix. ```shell $ vul4j reproduce --id VUL4J-10 ``` ```text 2024-06-13 20:35:31 | ===================== START REPRODUCE ====================== 2024-06-13 20:35:31 | Reproducing 1 vulnerabilities... 2024-06-13 20:35:31 | --------------------------VUL4J-10-------------------------- 2024-06-13 20:35:31 | Checking out project... 2024-06-13 20:35:31 | --> Applying version: vulnerable 2024-06-13 20:35:31 | Cleaning project... 2024-06-13 20:35:33 | Compiling... 2024-06-13 20:35:41 | Running PoV tests... 2024-06-13 20:35:46 | Number of running tests: 1 2024-06-13 20:35:46 | Failing tests: [ "org.apache.commons.fileupload.DiskFileItemSerializeTesttestInvalidRepositoryWithNullChar" ] 2024-06-13 20:35:46 | No fixed warnings found in the dataset for VUL4J-10. Skipping Spotbugs... 2024-06-13 20:35:46 | --> Applying version: human_patch 2024-06-13 20:35:46 | Cleaning project... 2024-06-13 20:35:48 | Compiling... 2024-06-13 20:35:56 | Running PoV tests... 2024-06-13 20:36:01 | Number of running tests: 1 2024-06-13 20:36:01 | Number of passing tests: 1 2024-06-13 20:36:01 | No fixed warnings found in the dataset for VUL4J-10. Skipping Spotbugs... 2024-06-13 20:36:01 | Vulnerabilities: PASS, Spotbugs: SKIP! 2024-06-13 20:36:01 | ====================== END REPRODUCE ======================= ``` -------------------------------- ### Run Vul4J Patch Evaluation Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Executes the patch evaluation process using a JSON file containing patch candidates and outputs the results to a specified file and directory. ```shell vul4j evaluate patches.json -o evaluation_results.json --output-dir evaluation_artifacts ``` -------------------------------- ### Run SAST Analysis Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Performs Static Application Security Testing (SAST) analysis using Spotbugs on the compiled project. ```shell $ vul4j sast -d /tmp/vul4j/VUL4J-10 ``` -------------------------------- ### Clone Vul4J Repository Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Clone the Vul4J repository to your local machine using Git. ```shell git clone https://github.com/tuhh-softsec/vul4j ``` -------------------------------- ### Verify Docker Image Reproducibility Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Verifies the integrity of the built Vul4J Docker image by checking for failed reproductions. The first command ensures no vulnerabilities failed to reproduce, and the second checks for specific error messages in the reproduction log. ```shell docker run --rm vul4j:local sh -lc 'test ! -s /root/vul4j_data/failed_vulnerabilities.txt' ``` ```shell docker run --rm vul4j:local sh -lc 'grep -E "Vulnerabilities: ERROR|Spotbugs: ERROR|did not reproduce successfully|Failed vulnerabilities" /root/vul4j_data/reproduction.txt || true' ``` -------------------------------- ### Checkout Vulnerability Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Checks out a specific vulnerability (e.g., VUL4J-10) into a designated directory. ```shell $ vul4j checkout --id VUL4J-10 -d /tmp/vul4j/VUL4J-10 ``` -------------------------------- ### Compile Vulnerability Project Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Compiles the project associated with a checked-out vulnerability. ```shell $ vul4j compile -d /tmp/vul4j/VUL4J-10 ``` -------------------------------- ### Apply Candidate Patches Only Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md Applies candidate patch diffs without compiling or testing, exporting the applied patches to a specified directory. ```shell vul4j evaluate patches.json --apply-only --output-dir applied_patches ``` -------------------------------- ### Vul4J Evaluate Input JSON Source: https://github.com/tuhh-softsec/vul4j/blob/main/README.md This JSON structure defines the input for the `vul4j evaluate` command, specifying vulnerability IDs and candidate patches. ```json [ { "vul_id": "VUL4J-10", "candidates": [ { "name": "candidate1", "diff": "diff --git a/src/main/java/Example.java b/src/main/java/Example.java\n--- a/src/main/java/Example.java\n+++ b/src/main/java/Example.java\n@@ -1 +1 @@\n-old\n+new\n" } ] } ] ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.