feat(slicing): extract HttpStatus enum constants from ResponseEntity patterns #244
abdul-levo wants to merge 1 commit into AppThreat:main from
Conversation
@abdul-levo could you rebase and fix the conflict?
ee10738 to 3c1620e

```scala
    method: Method,
    typeMap: Map[String, String]
): List[(Method, ObjectUsageSlice)] =
  method.ast.isCall
```
Replace method.ast.isCall with method.call. In general, going down the ast layer and trying to come back up will be too slow.
Done. Replaced method.ast.isCall with method.call and added .methodFullName(".HttpStatus.") regex filter.
```scala
val fieldId = call.argument.collectFirst { case fi: FieldIdentifier => fi }
val isHttpStatus = call.argument.exists {
  case id: Identifier =>
    id.typeFullName.contains("HttpStatus") || id.name == "HttpStatus"
```
I think this query will be too slow and can be rewritten using regex. Can you share the below document with claude and ask it to rewrite? Also tell claude this is atom-chen and not joern.
https://github.com/AppThreat/chen/blob/main/docs/TRAVERSAL.md
Rewritten. Removed the manual call.argument.exists check and replaced with .methodFullName(".HttpStatus.") regex at the query level.
Can you share the repo and what values are needed in the slice? Probably best done in chen directly instead since this query will make every usage slicing quite slow.
Extract HttpStatus.XXX static field accesses (e.g., BAD_REQUEST, UNAUTHORIZED) from method bodies and emit them as additional ObjectUsageSlice entries. This enables downstream tools to infer multiple HTTP response codes per endpoint for OpenAPI generation.
3c1620e to 00866f5
The values needed in the slice are the HttpStatus enum constant names (e.g., BAD_REQUEST, UNAUTHORIZED) so downstream tools can map them to response codes in OpenAPI specs.
Summary
- httpStatusFieldAccessSlices to extract HttpStatus.XXX enum field accesses from controller method bodies (e.g., HttpStatus.BAD_REQUEST, HttpStatus.UNAUTHORIZED)
- ObjectUsageSlice entries with resolvedMethod: "org.springframework.http.HttpStatus.BAD_REQUEST" etc.
- multiple response codes per endpoint instead of only the default 200/201
Test plan
- sbt stage compiles successfully
- "resolvedMethod": "org.springframework.http.HttpStatus.BAD_REQUEST"
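As an added example (not code from this PR or from the atom/chen project), here is the downstream step the description alludes to: reading the resolvedMethod values the new slice entries carry and turning them into per-endpoint OpenAPI response codes. The slice entry shape (a "method" key naming the enclosing endpoint plus "resolvedMethod") and the sample entries are constructed assumptions, not the real slice schema.

```python
import re

# Constructed sample entries in the shape this PR's summary describes:
# resolvedMethod of "org.springframework.http.HttpStatus.<CONST>". The
# "method" key (enclosing endpoint method) is an assumption about the schema.
SAMPLE_SLICES = [
    {"method": "UserController.login", "resolvedMethod": "org.springframework.http.HttpStatus.UNAUTHORIZED"},
    {"method": "UserController.login", "resolvedMethod": "org.springframework.http.HttpStatus.BAD_REQUEST"},
    {"method": "UserController.login", "resolvedMethod": "org.springframework.http.ResponseEntity.ok"},
    {"method": "UserController.profile", "resolvedMethod": "org.springframework.http.HttpStatus.FORBIDDEN"},
    {"method": "HealthController.ping", "resolvedMethod": "org.springframework.http.ResponseEntity.ok"},
]

# Subset of Spring's HttpStatus constants needed here; extend as required.
HTTP_STATUS_CODES = {
    "OK": 200, "CREATED": 201, "BAD_REQUEST": 400,
    "UNAUTHORIZED": 401, "FORBIDDEN": 403, "NOT_FOUND": 404,
}

# Anchored and escaped: only the fully qualified enum followed by a constant
# name matches, so e.g. ResponseEntity.* or a type merely containing
# "HttpStatus" in its name is not mistaken for a status constant.
HTTP_STATUS_RE = re.compile(r"^org\.springframework\.http\.HttpStatus\.([A-Z_]+)$")


def status_code_from_slice(resolved_method: str):
    """Numeric code for an HttpStatus.<CONST> resolvedMethod, else None."""
    m = HTTP_STATUS_RE.match(resolved_method)
    if not m:
        return None
    return HTTP_STATUS_CODES.get(m.group(1))


def responses_per_endpoint(slices, default_code=200):
    """Map each endpoint method to the sorted response codes it can emit.

    Every method keeps the default success code (the 200 the summary names as
    the previous sole output); HttpStatus constants found in its slice entries
    are added on top, which is what allows several codes per endpoint."""
    codes = {}
    for entry in slices:
        found = codes.setdefault(entry["method"], {default_code})
        code = status_code_from_slice(entry["resolvedMethod"])
        if code is not None:
            found.add(code)
    return {method: sorted(found) for method, found in codes.items()}


def openapi_responses(codes):
    """Build the OpenAPI 'responses' object for one endpoint from its codes."""
    return {str(c): {"description": f"HTTP {c}"} for c in codes}
```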