Plugging into JeSS
It is possible to design and use your own visitors with the JeSS plug-in. To do so, a visitor of the appropriate form is required; the requirements are described in more detail in the following sections. To plug in your visitor you must first enable the use of external visitors in the preferences page. Open the JeSS Preferences page, either through the JeSS menu or via Window > Preferences > JeSS Preferences. Once in the preference page, select the checkbox corresponding to the "Use external visitors found in the JeSS plug-in folder" option.
(Figure) JeSS Preferences: enable the use of external visitors and select the directory where they are to be found.
This causes JeSS to search for visitors in the specified directory. The next field lets you specify the directory in which JeSS searches for visitors. The default is a folder named "plugins" inside the local JeSS plug-in directory. For example, starting from the eclipse folder, the plugins would be found on the path:
~/eclipse/plugins/edu.colby.JeSS_1.0/plugins
If another directory is desired, it can be specified in the Preferences page.
Requirements
Once the use of external visitors has been enabled, an external visitor must meet a few requirements. JeSS requires the following of an external visitor:
- The visitor must be a ".class" file. JeSS will NOT compile the visitor for you.
- The visitor must extend JeSSVisitor.
- The visitor must have a constructor that takes type edu.colby.JeSS.scanner.VisitorManager as a parameter.
- The visitor ".class" file must be in the directory specified in the preference page.
Design
To uncover security bugs, a JeSSVisitor must be designed to recognize and flag the code structures that signify a particular security bug. The signature the visitor searches for is specific to each security bug, but the process of reporting the problem is built into the JeSSVisitor class. Implementing your own JeSSVisitor is straightforward. The basic process can be broken down into the following steps:
- Identify a security bug and determine what its signature looks like in the AST
- Create a visitor class that can recognize this signature
- Make the visitor a subclass of JeSSVisitor and use the reportProblem() method to mark the problematic sections of the code
The hardest part of creating your own visitor is the automated recognition of the problematic AST structure. An example of a visitor that identifies unhandled exceptions can be found in the following section. Once this recognition is in place, however, reporting a problem with the reportProblem() method is a simple matter.
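As an added illustration of the steps above (this is example code, not part of the JeSS documentation or the JeSS source), here is a small external visitor that flags catch clauses with an empty body, i.e. exceptions that are caught and silently discarded. It assumes that JeSSVisitor extends Eclipse JDT's org.eclipse.jdt.core.dom.ASTVisitor, that it is importable from the package shown, that it passes the VisitorManager to its superclass constructor, and that it exposes reportProblem(ASTNode, String); the page does not give these signatures, so they are assumptions.

```java
package edu.colby.JeSS.external;  // hypothetical package for the external visitor

import org.eclipse.jdt.core.dom.Block;
import org.eclipse.jdt.core.dom.CatchClause;

import edu.colby.JeSS.scanner.VisitorManager;
import edu.colby.JeSS.scanner.JeSSVisitor;  // assumed location of JeSSVisitor

/**
 * Flags catch blocks whose body contains no statements. An exception that is
 * swallowed this way hides a failure (for example, a failed validation or
 * authorization step) from every caller, so the scanner should mark it.
 */
public class EmptyCatchVisitor extends JeSSVisitor {

    // Required by JeSS: a public constructor taking a VisitorManager.
    public EmptyCatchVisitor(VisitorManager manager) {
        super(manager);  // assumed: JeSSVisitor has a (VisitorManager) constructor
    }

    // Called by the JDT AST walker for every catch clause in the compilation unit.
    @Override
    public boolean visit(CatchClause node) {
        Block body = node.getBody();
        if (body.statements().isEmpty()) {
            // Assumed signature: reportProblem(ASTNode offendingNode, String message).
            // Marking the whole CatchClause highlights the clause in the editor.
            reportProblem(node, "Empty catch block silently discards "
                    + node.getException().getType()
                    + "; handle, log, or rethrow the exception");
        }
        return true;  // keep descending so nested try/catch blocks are checked too
    }
}
```

Compile the class against the JeSS plug-in's jar and the Eclipse JDT jars, then place the resulting EmptyCatchVisitor.class in the plugins directory configured in the preferences page; JeSS loads it as-is and does not compile sources.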