feat: Initial implementation of RNG detector (aws#5)

feat: Initial implementation of RNG detector

Author: valerena

README.md

@@ -1,11 +1,78 @@
-## My Project
+# AWS Lambda SnapStart Bug Scanner
 
-TODO: Fill this README out!
+SnapStart Bug Scanner is the [SpotBugs](https://spotbugs.github.io/) plugin for helping AWS Lambda customers inspect
+their functions against potential bugs unique to AWS Lambda SnapStart environment.
 
-Be sure to:
+## How to use
 
-* Change the title in this README
-* Edit your repository description on GitHub
+Following sections explain how to enable this plugin in your Gradle and Maven projects.
+
+### Gradle Builds
+
+After SpotBugs is [enabled in the Gradle project](https://spotbugs.readthedocs.io/en/latest/gradle.html) declaring a dependency on SnapStart bug scanner is sufficient. 
+
+Example:
+
+```kotlin
+plugins {
+    id("com.github.spotbugs") version "4.7.1"
+}
+
+spotbugs {
+    ignoreFailures.set(false)
+    showStackTraces.set(true)
+}
+
+dependencies {
+    spotbugs("com.github.spotbugs:spotbugs:4.7.1")
+    spotbugsPlugins("software.amazon.lambda.snapstart:aws-lambda-snapstart-java-rules:0.1")
+}
+```
+
+### Maven Builds
+
+After SpotBugs is [enabled in the Maven project](https://spotbugs.readthedocs.io/en/latest/maven.html) declaring a dependency on SnapStart bug scanner is sufficient.
+
+Example:
+
+```xml
+<build>
+    <plugins>
+        <plugin>
+            <groupId>com.github.spotbugs</groupId>
+            <artifactId>spotbugs-maven-plugin</artifactId>
+            <version>${spotbugs.version}</version>
+            <configuration>
+                <effort>Max</effort>
+                <threshold>medium</threshold>
+                <failOnError>true</failOnError>
+                <plugins>
+                    <plugin>
+                        <groupId>software.amazon.lambda.snapstart</groupId>
+                        <artifactId>aws-lambda-snapstart-java-rules</artifactId>
+                        <version>0.1</version>
+                    </plugin>
+                </plugins>
+            </configuration>
+        </plugin>
+    </plugins>
+</build>
+```
+
+## Bug Descriptions
+
+### SNAP_START: Detected handler state that is potentially not resilient to VM snapshot and restore operations. (AWS_LAMBDA_SNAP_START_BUG)
+
+Our analysis shows that AWS Lambda handler class initialization creates state that might have adverse effects
+on the output of the function when it uses SnapStart. Lambda functions that use SnapStart are
+snapshotted at their initialized state and all execution environments created afterwards share the same initial
+state. This means that if the Lambda function relies on state that is not resilient to snapshot and restore
+operations, it might manifest an unexpected behavior by using SnapStart.
+
+Note that there are countless ways of initializing a Lambda function handler such that it’s not compatible
+with SnapStart. This tool helps you as much as possible but please use your own judgement to and refer
+to [the documentation](https://github.com/aws/aws-lambda-snapstart-java-rules/wiki) for
+understanding how to avoid making your Lambda function SnapStart incompatible.
 
 ## Security
 

pom.xml

@@ -4,8 +4,27 @@
 
   <groupId>software.amazon.lambda.snapstart</groupId>
   <artifactId>aws-lambda-snapstart-java-rules</artifactId>
-  <version>0.1-SNAPSHOT</version>
+  <version>0.1</version>
+  <name>${project.groupId}:${project.artifactId}</name>
   <description>AWS Lambda SnapStart SpotBugs Rules</description>
+  <url>https://github.com/aws/aws-lambda-snapstart-java-rules</url>
+  <issueManagement>
+    <system>GitHub Issues</system>
+    <url>https://github.com/aws/aws-lambda-snapstart-java-rules/issues</url>
+  </issueManagement>
+
+  <scm>
+    <connection>scm:git:https://github.com/aws/aws-lambda-snapstart-java-rules.git</connection>
+    <url>https://github.com/aws/aws-lambda-snapstart-java-rules.git</url>
+  </scm>
+
+  <developers>
+    <developer>
+      <name>AWS Lambda Tooling team</name>
+      <organization>Amazon Web Services</organization>
+      <organizationUrl>https://aws.amazon.com/</organizationUrl>
+    </developer>
+  </developers>
 
   <properties>
     <maven.compiler.target>1.8</maven.compiler.target>
@@ -14,6 +33,13 @@
     <spotBugsVersion>4.7.2</spotBugsVersion>
   </properties>
 
+  <distributionManagement>
+    <snapshotRepository>
+      <id>ossrh</id>
+      <url>https://aws.oss.sonatype.org/content/repositories/snapshots</url>
+    </snapshotRepository>
+  </distributionManagement>
+
   <licenses>
     <license>
       <name>The Apache Software License, Version 2.0</name>
@@ -60,6 +86,12 @@
       <version>1.2.1</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>io.github.crac</groupId>
+      <artifactId>org-crac</artifactId>
+      <version>0.1.3</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>
@@ -112,4 +144,34 @@
       </plugin>
     </plugins>
   </build>
+
+  <profiles>
+    <profile>
+      <id>release-sign-artifacts</id>
+      <activation>
+        <property>
+          <name>performRelease</name>
+          <value>true</value>
+        </property>
+      </activation>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-gpg-plugin</artifactId>
+            <version>3.0.1</version>
+            <executions>
+              <execution>
+                <id>sign-artifacts</id>
+                <phase>verify</phase>
+                <goals>
+                  <goal>sign</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
 </project>

src/main/java/software/amazon/lambda/snapstart/BuildRandomReturningMethodsDatabase.java

@@ -0,0 +1,170 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.amazon.lambda.snapstart;
+
+import edu.umd.cs.findbugs.BugAccumulator;
+import edu.umd.cs.findbugs.BugReporter;
+import edu.umd.cs.findbugs.Detector;
+import edu.umd.cs.findbugs.ba.AnalysisContext;
+import edu.umd.cs.findbugs.ba.CFGBuilderException;
+import edu.umd.cs.findbugs.ba.ClassContext;
+import edu.umd.cs.findbugs.ba.DataflowAnalysisException;
+import edu.umd.cs.findbugs.ba.Location;
+import edu.umd.cs.findbugs.ba.MissingClassException;
+import edu.umd.cs.findbugs.ba.SignatureConverter;
+import edu.umd.cs.findbugs.ba.ca.Call;
+import edu.umd.cs.findbugs.ba.ca.CallList;
+import edu.umd.cs.findbugs.ba.ca.CallListDataflow;
+import edu.umd.cs.findbugs.classfile.CheckedAnalysisException;
+import edu.umd.cs.findbugs.classfile.DescriptorFactory;
+import edu.umd.cs.findbugs.classfile.Global;
+import edu.umd.cs.findbugs.classfile.MethodDescriptor;
+import edu.umd.cs.findbugs.log.Profiler;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import org.apache.bcel.Const;
+import org.apache.bcel.classfile.Method;
+import org.apache.bcel.generic.ConstantPoolGen;
+import org.apache.bcel.generic.Instruction;
+import org.apache.bcel.generic.InvokeInstruction;
+import org.apache.bcel.generic.ReturnInstruction;
+
+/**
+ * This class is a detector implementation which runs in the first pass of analysis. With a very simplistic assumption
+ * this identifies whether a method might return a pseudo-random value purely based on the fact that it calls a method
+ * that's already known to return a pseudo-random value. A better approach is doing proper dataflow analysis to
+ * understand whether the pseudo-random value makes it to the return instruction.
+ */
+public class BuildRandomReturningMethodsDatabase implements Detector {
+
+    private final BugReporter bugReporter;
+    private final BugAccumulator bugAccumulator;
+    private final ReturnValueRandomnessPropertyDatabase database;
+    private final ByteCodeIntrospector introspector;
+
+    // Transient state
+    private ClassContext classContext;
+    private Method method;
+    private MethodDescriptor methodDescriptor;
+    private CallListDataflow callListDataflow;
+    private Map<Call, MethodDescriptor> callMethodDescriptorMap;
+    private CallGraph callGraph;
+
+    public BuildRandomReturningMethodsDatabase(BugReporter reporter) {
+        this.bugReporter = reporter;
+        this.bugAccumulator = new BugAccumulator(reporter);
+        database = new ReturnValueRandomnessPropertyDatabase();
+        Global.getAnalysisCache().eagerlyPutDatabase(ReturnValueRandomnessPropertyDatabase.class, database);
+        callGraph = new CallGraph();
+        callMethodDescriptorMap = new HashMap<>();
+        introspector = new ByteCodeIntrospector();
+    }
+
+    @Override
+    public void visitClassContext(ClassContext classContext) {
+        this.classContext = classContext;
+
+        String currentMethod = null;
+        List<Method> methodsInCallOrder = classContext.getMethodsInCallOrder();
+        for (Method method : methodsInCallOrder) {
+            try {
+                if (method.isAbstract() || method.isNative() || method.getCode() == null) {
+                    continue;
+                }
+                currentMethod = SignatureConverter.convertMethodSignature(classContext.getJavaClass(), method);
+                analyzeMethod(method);
+            } catch (MissingClassException e) {
+                bugReporter.reportMissingClass(e.getClassNotFoundException());
+            } catch (DataflowAnalysisException | CFGBuilderException e) {
+                bugReporter.logError("While analyzing " + currentMethod + ": BuildRandomReturningMethodsDatabase caught an exception", e);
+            }
+            bugAccumulator.reportAccumulatedBugs();
+        }
+    }
+
+    private void analyzeMethod(Method method) throws DataflowAnalysisException, CFGBuilderException {
+        if ((method.getAccessFlags() & Const.ACC_BRIDGE) != 0) {
+            return;
+        }
+
+        this.method = method;
+        this.methodDescriptor = DescriptorFactory.instance().getMethodDescriptor(classContext.getJavaClass(), method);
+        callListDataflow = classContext.getCallListDataflow(method);
+
+        checkInvokeAndReturnInstructions();
+    }
+
+    private void checkInvokeAndReturnInstructions() {
+        Profiler profiler = Global.getAnalysisCache().getProfiler();
+        profiler.start(BuildRandomReturningMethodsDatabase.class);
+        try {
+            for (Iterator<Location> i = classContext.getCFG(method).locationIterator(); i.hasNext();) {
+                Location location = i.next();
+                Instruction ins = location.getHandle().getInstruction();
+
+                if (ins instanceof ReturnInstruction) {
+                    examineReturnInstruction(location);
+                } else if (ins instanceof InvokeInstruction) {
+                    examineInvokeInstruction((InvokeInstruction) ins);
+                }
+            }
+        } catch (CheckedAnalysisException e) {
+            AnalysisContext.logError("error:", e);
+        } finally {
+            profiler.end(BuildRandomReturningMethodsDatabase.class);
+        }
+    }
+
+    private void examineInvokeInstruction(InvokeInstruction inv) {
+        ConstantPoolGen cpg = classContext.getConstantPoolGen();
+        MethodDescriptor md = new MethodDescriptor(inv, classContext.getConstantPoolGen());
+        Call call = new Call(inv.getClassName(cpg), inv.getName(cpg), inv.getSignature(cpg));
+        callMethodDescriptorMap.put(call, md);
+    }
+
+    private void examineReturnInstruction(Location location) throws DataflowAnalysisException {
+        // We have a crude assumption here that is any method call effects the return value of the caller method.
+        CallList callList = callListDataflow.getFactAtLocation(location);
+        if (!callList.isValid()) {
+            return;
+        }
+
+        Iterator<Call> callIterator = callList.callIterator();
+        while (callIterator.hasNext()) {
+            Call call = callIterator.next();
+            MethodDescriptor caller = methodDescriptor;
+            MethodDescriptor called = callMethodDescriptorMap.get(call);
+            if (called != null) {
+                recordCalledMethod(caller, called);
+            }
+        }
+    }
+
+    private void recordCalledMethod(MethodDescriptor caller, MethodDescriptor called) {
+        Boolean returnsRandom = database.getProperty(called);
+        if (returnsRandom != null && returnsRandom) {
+            callGraph.flushCallersToDatabase(caller, database, true);
+        } else {
+            if (callGraph.isInCallGraph(caller) || isLambdaHandlerInitMethod()) {
+                // Call chain from Lambda event handler checks out
+                callGraph.record(caller, called);
+            }
+        }
+    }
+
+    private boolean isLambdaHandlerInitMethod() {
+        if (introspector.isLambdaHandler(classContext.getXClass())) {
+            return Const.STATIC_INITIALIZER_NAME.equals(method.getName())
+                    || Const.CONSTRUCTOR_NAME.equals(method.getName());
+        }
+        return false;
+    }
+
+    @Override
+    public void report() {
+        // this is a non-reporting detector
+    }
+}