
how to get potentially or actually executable of vuln. code when scan source code?

Open momo-tong opened this issue 1 year ago • 3 comments

Question: how do I get the "potentially executable" or "actually executable" status of vulnerable code when scanning a pom.xml, and where do I need to put the source code?

To Reproduce: Analyzed project: ch.qos.logback : logback-classic : 1.1.11. Pom.xml from: https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.pom; I put the pom.xml in the ../app path.

Same info in steady-custom.properties:

```properties
vulas.core.appContext.group = ch.qos.logback
vulas.core.appContext.artifact = logback-classic
vulas.core.appContext.version = 1.1.11
vulas.core.app.appPrefixes = logback-classic
vulas.core.app.sourceDir = app
vulas.core.uploadEnabled = true
vulas.reach.wala.callgraph.reflection = NO_FLOW_TO_CASTS_NO_METHOD_INVOKE
vulas.reach.timeout = 120
vulas.core.instr.sourceDir =
vulas.core.instr.targetDir = vulas/target
vulas.core.instr.includeDir = vulas/include
vulas.core.instr.libDir = vulas/lib
vulas.core.instr.instrumentorsChoosen = org.eclipse.steady.java.monitor.trace.SingleTraceInstrumentor
vulas.core.instr.searchRecursive = true
```

Commands that I use:

```shell
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal app
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal a2c
# cd is a shell builtin and cannot be run through sudo; the directory change is done in the current shell
cd app
sudo mvn compile org.eclipse.steady:plugin-maven:3.2.5:prepare-agent
cd ..
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal instr
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal t2c
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal checkcode
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal upload
sudo java -Xms2048m -Xmx2048m -jar steady-cli-3.2.5-jar-with-dependencies.jar -goal report
```

In case of bugs in the Web frontend:

  1. Vulnerabilities: 2
  2. Inclusion of vulnerable code displays a "yellow hourglass"
  3. Static Analysis and Dynamic Analysis display nothing 111

momo-tong, Jul 17 '23 14:07