
We need a tool which creates a graph/tree taking a product as entry point and follows the calls in provided dependencies

Open tmortagne opened this issue 4 years ago • 3 comments

Fasten Core provides a LocalMerger which takes as input a product graph and its dependencies' graphs to produce what it's calling a merged graph, but which in practice just completes the external calls located in the product's graph with the name of the product which actually contains the targeted call. Note that it's what is behind the javacg-opal --stitch CLI parameter documented as "Stitch artifact CG to dependencies", which I find a bit misleading.

In order to do most of the planned analysis (security, license, broken calls, etc.) we also need to follow each external call to produce a tree which starts from the main product and produces a tree/graph of all the calls that may be directly or indirectly called through the main product.

We need a tool which, provided with the same kind of parameters that LocalMerger gets (the test1 graph and then a list of all its direct and transitive dependencies' graphs), produces a graph which contains the test1 graph plus all the calls that could be found by recursively following the external calls located in the test1 graph.

Such a graph can then be used as a basis for various analyses.

Of course this is just a basic version and we might want to expose an API with a better memory footprint (we might have quite a lot of dependencies and associated graphs to parse).

tmortagne avatar Nov 10 '20 11:11 tmortagne
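A sketch of the two steps described above (resolve each external call to the dependency that defines the callee, then recursively follow calls from the product's callables), added here as an illustration and not code from Fasten or the Maven plugin; the graph format and the product names test1, dep-a, dep-b and missing are constructed for the example. Calls that no provided dependency graph resolves are reported separately, which is what a "broken calls" analysis would consume.

```python
from collections import deque

# Constructed toy call graphs; not Fasten's own data structures or format.
# Each graph: product name, its callables, and caller -> callee edges.
# A callee not defined in the same product is an external call to resolve.
GRAPHS = {
    "test1": {
        "callables": {"test1/App.main", "test1/App.helper"},
        "edges": [("test1/App.main", "test1/App.helper"),
                  ("test1/App.main", "dep-a/Parser.parse"),
                  ("test1/App.helper", "missing/Util.nope")],
    },
    "dep-a": {
        "callables": {"dep-a/Parser.parse", "dep-a/Parser.unused"},
        "edges": [("dep-a/Parser.parse", "dep-b/Codec.decode")],
    },
    "dep-b": {
        "callables": {"dep-b/Codec.decode", "dep-b/Codec.encode"},
        "edges": [],
    },
}


def owner_index(graphs):
    """LocalMerger-style stitching: map each callable to the product defining it."""
    return {c: p for p, g in graphs.items() for c in g["callables"]}


def reachable_graph(product, graphs):
    """Follow calls from `product` recursively across all dependency graphs.

    Returns (nodes, edges, broken): the callables reachable from the product,
    every call edge traversed, and the external calls that no provided
    dependency graph resolves (candidates for a broken-call report).
    """
    owners = owner_index(graphs)
    adj = {}
    for g in graphs.values():
        for caller, callee in g["edges"]:
            adj.setdefault(caller, []).append(callee)
    nodes, edges, broken = set(), [], []
    queue = deque(sorted(graphs[product]["callables"]))
    while queue:
        n = queue.popleft()
        if n in nodes:
            continue
        nodes.add(n)
        for callee in adj.get(n, []):
            edges.append((n, callee))
            if callee not in owners:
                broken.append((n, callee))
            elif callee not in nodes:
                queue.append(callee)
    return nodes, edges, broken
```

Callables that exist in a dependency but are never reached from test1 (dep-a/Parser.unused, dep-b/Codec.encode) stay out of the result, which is what keeps the merged graph smaller than the union of all inputs.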

An implementation of such a tool has been started in the Maven plugin, see https://github.com/fasten-project/fasten-maven-plugin/blob/master/src/main/java/eu/fasten/maven/StitchedGraph.java.

tmortagne avatar Feb 09 '21 11:02 tmortagne

Not sure how up-to-date this request is, but @ashkboos has provided similar functionality... he can extract the shortest-paths from all callables of a library to vulnerable nodes in its dependencies. It sounds like this approach could be extended to what you are asking for here...

If this request is obsolete though, please feel free to close the issue.

proksch avatar May 19 '22 22:05 proksch

Yes, it is in the vuln-chain-finder plugin in data-processing repo.

ashkboos avatar May 20 '22 13:05 ashkboos