MagpieBridge: A General Approach to Integrating Static Analyses into IDEs and Editors (Tool Insights Paper)

Authors: Linghui Luo, Julian Dolby, Eric Bodden




File

LIPIcs.ECOOP.2019.21.pdf
  • Filesize: 5.68 MB
  • 25 pages

Author Details

Linghui Luo
  • Heinz Nixdorf Institute, Paderborn University, Paderborn, Germany
Julian Dolby
  • IBM Research, New York, USA
Eric Bodden
  • Heinz Nixdorf Institute, Paderborn University, Paderborn, Germany
  • Fraunhofer IEM, Paderborn, Germany

Cite As

Linghui Luo, Julian Dolby, and Eric Bodden. MagpieBridge: A General Approach to Integrating Static Analyses into IDEs and Editors (Tool Insights Paper). In 33rd European Conference on Object-Oriented Programming (ECOOP 2019). Leibniz International Proceedings in Informatics (LIPIcs), Volume 134, pp. 21:1-21:25, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2019)
https://doi.org/10.4230/LIPIcs.ECOOP.2019.21

Abstract

In the past, many static analyses have been created in academia, but only a few of them have found widespread use in industry. Those analyses which are adopted by developers usually have IDE support in the form of plugins, without which developers have no convenient mechanism to use the analysis. Hence, the key to making static analyses more accessible to developers is to integrate the analyses into IDEs and editors. However, integrating static analyses into IDEs is non-trivial: different IDEs have different UI workflows and APIs, expertise in those matters is required to write such plugins, and analysis experts are not typically familiar with doing this. As a result, especially in academia, most analysis tools are headless and only have command-line interfaces. To make static analyses more usable, we propose MagpieBridge, a general approach to integrating static analyses into IDEs and editors. MagpieBridge reduces the m×n complexity problem of integrating m analyses into n IDEs to m+n complexity, because each analysis and each type of IDE plugin needs to be integrated only once, against MagpieBridge itself. We demonstrate our approach by integrating two existing analyses, Ariadne and CogniCrypt, into IDEs; these two analyses illustrate the generality of MagpieBridge, as they are based on different program analysis frameworks (WALA and Soot respectively), target different application areas (machine learning and security) and different programming languages (Python and Java). We show further generality of MagpieBridge by using multiple popular IDEs and editors, such as Eclipse, IntelliJ, PyCharm, Jupyter, Sublime Text and even Emacs and Vim.
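The abstract's m+n argument rests on one shared protocol between analyses and editors, the Language Server Protocol. The sketch below is an added example, not code from MagpieBridge or the paper: it writes out by hand the two parts of that plumbing a bridge author must get right, the Content-Length framing of JSON-RPC messages (which a Java server would normally leave to Eclipse LSP4J, reference 9) and the translation of an analysis's 1-based, code-point positions into the 0-based, UTF-16-unit ranges LSP diagnostics require. The analysis name, the Java line, the finding and its rule id are constructed for illustration; the emoji in the string literal is there only to show why code-point arithmetic gives the wrong column.

```python
"""Hypothetical LSP plumbing for a static-analysis bridge (example, not MagpieBridge's code):
Content-Length framing of JSON-RPC 2.0 messages, and conversion of an analysis's 1-based
code-point positions into the 0-based, UTF-16-unit ranges that LSP diagnostics use."""
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

SEVERITY = {"error": 1, "warning": 2, "information": 3, "hint": 4}  # LSP DiagnosticSeverity
SOURCE_NAME = "example-analysis"  # assumed name of the wrapped analysis (not a real tool)

@dataclass
class Finding:
    """One result as analyses usually emit it: 1-based line/column in code points, end exclusive."""
    uri: str
    line: int
    column: int
    end_line: int
    end_column: int
    message: str
    severity: str
    rule_id: Optional[str] = None

def utf16_units(line_text: str, column: int) -> int:
    """1-based code-point column -> 0-based UTF-16 offset. A non-BMP character earlier on
    the line (an emoji in a literal) takes two units, so code-point arithmetic is off by one."""
    return len(line_text[: column - 1].encode("utf-16-le")) // 2

def to_diagnostic(f: Finding, source_lines: List[str]) -> Dict[str, Any]:
    """Finding -> LSP Diagnostic; bad positions are rejected here, not silently misplaced by the editor."""
    if f.line < 1 or f.column < 1 or f.end_line < f.line or f.end_line > len(source_lines):
        raise ValueError(f"malformed position in finding: {f}")
    if f.end_line == f.line and f.end_column < f.column:
        raise ValueError(f"end before start in finding: {f}")
    diag: Dict[str, Any] = {
        "range": {"start": {"line": f.line - 1,
                            "character": utf16_units(source_lines[f.line - 1], f.column)},
                  "end": {"line": f.end_line - 1,
                          "character": utf16_units(source_lines[f.end_line - 1], f.end_column)}},
        "severity": SEVERITY[f.severity], "source": SOURCE_NAME, "message": f.message}
    if f.rule_id:
        diag["code"] = f.rule_id
    return diag

def publish_diagnostics(uri: str, findings: List[Finding], source_lines: List[str]) -> Dict[str, Any]:
    """textDocument/publishDiagnostics for one document; the list replaces what the editor showed
    before, so publishing an empty list is how stale results are cleared after a fix."""
    diags = [to_diagnostic(f, source_lines) for f in findings if f.uri == uri]
    return {"jsonrpc": "2.0", "method": "textDocument/publishDiagnostics",
            "params": {"uri": uri, "diagnostics": diags}}

def handle_initialize(request: Dict[str, Any]) -> Dict[str, Any]:
    """textDocumentSync=1 asks for full-text change events: enough for an analysis re-run on save."""
    return {"jsonrpc": "2.0", "id": request["id"],
            "result": {"capabilities": {"textDocumentSync": 1}}}

def frame(message: Dict[str, Any]) -> bytes:
    """Encode one message; Content-Length counts UTF-8 bytes, not characters."""
    body = json.dumps(message, separators=(",", ":")).encode("utf-8")
    return b"Content-Length: %d\r\n\r\n" % len(body) + body

def unframe(buf: bytes) -> Tuple[Optional[Dict[str, Any]], bytes]:
    """Decode one frame -> (message, rest); message is None while the frame is still incomplete."""
    sep = buf.find(b"\r\n\r\n")
    if sep < 0:
        return None, buf
    length = None
    for header in buf[:sep].decode("ascii").split("\r\n"):
        name, _, value = header.partition(":")
        if name.strip().lower() == "content-length":
            length = int(value.strip())
    if length is None:
        raise ValueError("frame without Content-Length header")
    start = sep + 4
    if len(buf) < start + length:
        return None, buf
    return json.loads(buf[start:start + length].decode("utf-8")), buf[start + length:]

# Constructed sample input (not a real analysis run): one Java line and one finding covering
# the Cipher.getInstance(...) call, columns 28-53 counted in code points.
SAMPLE_URI = "file:///tmp/Demo.java"
SAMPLE_SOURCE = ['String s = "🔑"; Cipher c = Cipher.getInstance("AES");']
SAMPLE_FINDING = Finding(SAMPLE_URI, 1, 28, 1, 53, "constructed example finding", "warning", "EX-1")

def run_exchange() -> List[Dict[str, Any]]:
    """Simulate the client/server byte stream and return the messages the client decodes."""
    req, rest = unframe(frame({"jsonrpc": "2.0", "id": 1, "method": "initialize",
                               "params": {"processId": None, "rootUri": None, "capabilities": {}}}))
    if req is None or rest:
        raise ValueError("initialize request did not round-trip")
    buf = frame(handle_initialize(req)) + frame(
        publish_diagnostics(SAMPLE_URI, [SAMPLE_FINDING], SAMPLE_SOURCE))
    decoded: List[Dict[str, Any]] = []
    while buf:
        msg, buf = unframe(buf)
        if msg is None:
            raise ValueError("truncated frame in server output")
        decoded.append(msg)
    return decoded
```

Calling run_exchange() yields the initialize response followed by the publishDiagnostics notification; the diagnostic's start column comes out as 28, not 27, because the key emoji before the call costs two UTF-16 units. A real bridge would read frames from stdin in a loop with unframe, keep the unconsumed tail between reads, and re-run the analysis on didSave before publishing.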

Subject Classification

ACM Subject Classification
  • Software and its engineering → Software notations and tools
Keywords
  • IDE
  • Tool Support
  • Static Analysis
  • Language Server Protocol

References

  1. Android Studio. https://developer.android.com/studio. Accessed: 2019-01-10.
  2. AppScan. https://www.ibm.com/security/application-security/appscan. Accessed: 2019-01-10.
  3. Atom. https://atom.io/. Accessed: 2019-01-10.
  4. Clang Static Analyzer. https://clang-analyzer.llvm.org/. Accessed: 2019-01-10.
  5. CodeSonar. https://www.grammatech.com/products/codesonar. Accessed: 2019-01-10.
  6. Cppcheck. http://cppcheck.sourceforge.net/. Accessed: 2019-01-10.
  7. Doop. http://doop.program-analysis.org/. Accessed: 2019-01-10.
  8. Eclipse. https://www.eclipse.org/. Accessed: 2019-01-10.
  9. Eclipse LSP4J. https://projects.eclipse.org/proposals/eclipse-lsp4j. Accessed: 2019-01-10.
  10. Emacs. https://www.gnu.org/software/emacs/. Accessed: 2019-01-10.
  11. Facebook Infer. https://fbinfer.com/. Accessed: 2019-01-10.
  12. IBM WebSphere. https://www.ibm.com/cloud/websphere-application-platform. Accessed: 2019-01-10.
  13. IntelliJ. https://www.jetbrains.com/idea/. Accessed: 2019-01-10.
  14. JSON-RPC. https://www.jsonrpc.org/. Accessed: 2019-01-10.
  15. Language Server Protocol. https://microsoft.github.io/language-server-protocol/. Accessed: 2019-01-10.
  16. Monaco. https://microsoft.github.io/monaco-editor/index.html. Accessed: 2019-01-10.
  17. PMD. https://pmd.github.io/. Accessed: 2019-01-10.
  18. PyCharm. https://www.jetbrains.com/pycharm/. Accessed: 2019-01-10.
  19. Safe. https://github.com/sukyoung/safe. Accessed: 2019-01-10.
  20. SARIF Specification. https://github.com/oasis-tcs/sarif-spec. Accessed: 2019-01-10.
  21. Soot. https://github.com/Sable/soot. Accessed: 2019-01-10.
  22. Souffle. https://github.com/oracle/souffle/wiki. Accessed: 2019-01-10.
  23. SpotBugs. https://spotbugs.github.io/. Accessed: 2019-01-10.
  24. Spyder. https://www.spyder-ide.org/. Accessed: 2019-01-10.
  25. Static Analysis Results: A Format and a Protocol: SARIF and SASP. http://blogs.grammatech.com/static-analysis-results-a-format-and-a-protocol-sarif-sasp. Accessed: 2019-01-10.
  26. Sublime. https://www.sublimetext.com/. Accessed: 2019-01-10.
  27. Vim. https://www.vim.org/. Accessed: 2019-01-10.
  28. Visual Studio Code. https://code.visualstudio.com/. Accessed: 2019-01-10.
  29. WALA. https://github.com/wala/WALA. Accessed: 2019-01-10.
  30. Xanitizer. https://www.rigs-it.com/xanitizer/. Accessed: 2019-01-10.
  31. Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick D. McDaniel. FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14, Edinburgh, United Kingdom - June 09 - 11, 2014, pages 259-269, 2014. URL: http://dx.doi.org/10.1145/2594291.2594299.
  32. Eric Bodden, Társis Tolêdo, Márcio Ribeiro, Claus Brabrand, Paulo Borba, and Mira Mezini. SPLLIFT: statically analyzing software product lines in minutes instead of years. In Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation (PLDI), pages 355-364, 2013. URL: http://www.bodden.de/pubs/bmb+13spllift.pdf.
  33. Martin Bravenboer and Yannis Smaragdakis. Exception analysis and points-to analysis: better together. In Proceedings of the Eighteenth International Symposium on Software Testing and Analysis, ISSTA 2009, Chicago, IL, USA, July 19-23, 2009, pages 1-12, 2009. URL: http://dx.doi.org/10.1145/1572272.1572274.
  34. Hongyi Chen, Ho-fung Leung, Biao Han, and Jinshu Su. Automatic privacy leakage detection for massive android apps via a novel hybrid approach. In IEEE International Conference on Communications, ICC 2017, Paris, France, May 21-25, 2017, pages 1-7, 2017. URL: http://dx.doi.org/10.1109/ICC.2017.7996335.
  35. Maria Christakis and Christian Bird. What developers want and need from program analysis: an empirical study. In ASE, pages 332-343, 2016.
  36. Lisa Nguyen Quang Do, Karim Ali, Benjamin Livshits, Eric Bodden, Justin Smith, and Emerson Murphy-Hill. Just-in-time Static Analysis. In Proceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2017, pages 307-317, New York, NY, USA, 2017. ACM. URL: http://dx.doi.org/10.1145/3092703.3092705.
  37. Lisa Nguyen Quang Do, Karim Ali, Benjamin Livshits, Eric Bodden, Justin Smith, and Emerson R. Murphy-Hill. Cheetah: just-in-time taint analysis for Android apps. In Proceedings of the 39th International Conference on Software Engineering, ICSE 2017, Buenos Aires, Argentina, May 20-28, 2017 - Companion Volume, pages 39-42, 2017. URL: http://dx.doi.org/10.1109/ICSE-C.2017.20.
  38. Julian Dolby, Avraham Shinnar, Allison Allain, and Jenna Reinen. Ariadne: Analysis for Machine Learning Programs. In Proceedings of the 2nd ACM SIGPLAN International Workshop on Machine Learning and Programming Languages, MAPL 2018, pages 1-10, New York, NY, USA, 2018. ACM. URL: http://dx.doi.org/10.1145/3211346.3211349.
  39. Moritz Eysholdt and Heiko Behrens. Xtext: implement your language faster than the quick and dirty way. In Proceedings of the ACM international conference companion on Object oriented programming systems languages and applications companion, pages 307-309. ACM, 2010.
  40. Stephen Fink and Julian Dolby. WALA - The T.J. Watson Libraries for Analysis, 2012.
  41. Stephen Fink, Julian Dolby, and L. Colby. Semi-automatic J2EE transaction configuration, January 2019.
  42. Xi Ge and Emerson R. Murphy-Hill. Manual refactoring changes with automated refactoring validation. In 36th International Conference on Software Engineering, ICSE '14, Hyderabad, India - May 31 - June 07, 2014, pages 1095-1105, 2014. URL: http://dx.doi.org/10.1145/2568225.2568280.
  43. Dennis Giffhorn and Gregor Snelting. A new algorithm for low-deterministic security. International Journal of Information Security, 14(3):263-287, June 2015. URL: http://dx.doi.org/10.1007/s10207-014-0257-6.
  44. Michael I. Gordon, Deokhwan Kim, Jeff H. Perkins, Limei Gilham, Nguyen Nguyen, and Martin C. Rinard. Information Flow Analysis of Android Applications in DroidSafe. In NDSS, volume 15, page 110, 2015.
  45. Christian Hammer and Gregor Snelting. Flow-Sensitive, Context-Sensitive, and Object-sensitive Information Flow Control Based on Program Dependence Graphs. International Journal of Information Security, 8(6):399-422, December 2009. URL: http://dx.doi.org/10.1007/s10207-009-0086-1.
  46. David Hovemeyer and William Pugh. Finding More Null Pointer Bugs, but Not Too Many. In Proceedings of the 7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, PASTE '07, pages 9-14, New York, NY, USA, 2007. ACM. URL: http://dx.doi.org/10.1145/1251535.1251537.
  47. Brittany Johnson, Yoonki Song, Emerson R. Murphy-Hill, and Robert W. Bowdidge. Why don't software developers use static analysis tools to find bugs? In ICSE, pages 672-681, 2013.
  48. Stefan Krüger, Sarah Nadi, Michael Reif, Karim Ali, Mira Mezini, Eric Bodden, Florian Göpfert, Felix Günther, Christian Weinert, Daniel Demmler, et al. CogniCrypt: supporting developers in using cryptography. In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, pages 931-936. IEEE Press, 2017.
  49. Patrick Lam, Eric Bodden, Ondrej Lhoták, and Laurie Hendren. The Soot framework for Java program analysis: a retrospective. In Cetus Users and Compiler Infrastructure Workshop (CETUS 2011), volume 15, page 35, 2011.
  50. Li Li, Alexandre Bartel, Tegawendé F. Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick D. McDaniel. IccTA: Detecting Inter-Component Privacy Leaks in Android Apps. In 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015, Florence, Italy, May 16-24, 2015, Volume 1, pages 280-291, 2015. URL: http://dx.doi.org/10.1109/ICSE.2015.48.
  51. Alfonso Murolo, Fabian Stutz, Maria Husmann, and Moira C. Norrie. Improved Developer Support for the Detection of Cross-Browser Incompatibilities. In Web Engineering - 17th International Conference, ICWE 2017, Rome, Italy, June 5-8, 2017, Proceedings, pages 264-281, 2017. URL: http://dx.doi.org/10.1007/978-3-319-60131-1_15.
  52. Duc-Cuong Nguyen, Dominik Wermke, Yasemin Acar, Michael Backes, Charles Weir, and Sascha Fahl. A Stitch in Time: Supporting Android Developers in Writing Secure Code. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pages 1065-1077, 2017. URL: http://dx.doi.org/10.1145/3133956.3133977.
  53. Damien Octeau, Patrick D. McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. Effective Inter-Component Communication Mapping in Android: An Essential Step Towards Holistic Security Analysis. In Proceedings of the 22nd USENIX Security Symposium, Washington, DC, USA, August 14-16, 2013, pages 543-558, 2013. URL: https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/octeau.
  54. S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer. The Emperor’s New Security Indicators. In 2007 IEEE Symposium on Security and Privacy (SP '07), pages 51-65, May 2007. URL: http://dx.doi.org/10.1109/SP.2007.35.
  55. Johannes Späth, Karim Ali, and Eric Bodden. Context-, Flow-, and Field-sensitive Data-flow Analysis Using Synchronized Pushdown Systems. Proc. ACM Program. Lang., 3(POPL):48:1-48:29, January 2019. URL: http://dx.doi.org/10.1145/3290361.
  56. Thomas Thüm, Christian Kästner, Fabian Benduhn, Jens Meinicke, Gunter Saake, and Thomas Leich. FeatureIDE: An extensible framework for feature-oriented software development. Science of Computer Programming, 79:70-85, 2014.
  57. Emina Torlak and Satish Chandra. Effective Interprocedural Resource Leak Detection. In Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - Volume 1, ICSE '10, pages 535-544, New York, NY, USA, 2010. ACM. URL: http://dx.doi.org/10.1145/1806799.1806876.
  58. Omer Tripp, Marco Pistoia, Patrick Cousot, Radhia Cousot, and Salvatore Guarnieri. Andromeda: Accurate and Scalable Security Analysis of Web Applications. In Fundamental Approaches to Software Engineering - 16th International Conference, FASE 2013, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2013, Rome, Italy, March 16-24, 2013. Proceedings, pages 210-225, 2013. URL: http://dx.doi.org/10.1007/978-3-642-37057-1_15.
  59. Omer Tripp, Marco Pistoia, Stephen J. Fink, Manu Sridharan, and Omri Weisman. TAJ: Effective Taint Analysis of Web Applications. In Proceedings of the 30th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '09, pages 87-97, New York, NY, USA, 2009. ACM. URL: http://dx.doi.org/10.1145/1542476.1542486.
  60. Raja Vallée-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. Soot: A Java bytecode optimization framework. In CASCON First Decade High Impact Papers, pages 214-224. IBM Corp., 2010.
  61. Christos V. Vrachas. Integration of static analysis results with ProGuard optimizer for Android applications. Bachelor Thesis, 2017.
  62. Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby. Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7, 2014, pages 1329-1341, 2014. URL: http://dx.doi.org/10.1145/2660267.2660357.
  63. Jing Xie, Bill Chu, Heather Richter Lipford, and John T. Melton. ASIDE: IDE support for web application security. In Twenty-Seventh Annual Computer Security Applications Conference, ACSAC 2011, Orlando, FL, USA, 5-9 December 2011, pages 267-276, 2011. URL: http://dx.doi.org/10.1145/2076732.2076770.