Tuesday 24 July 2007

Running DeepWeaver from the command line

Calling DeepWeaver from the command line is pretty similar to any other Java program, ie. not very pretty! The basic format is:
java -cp CLASSPATH dw.DW script.dw org.mytarget.Target

where
  • CLASSPATH contains all the JARs required by DeepWeaver (these may be contained in the $CLASSPATH environment variable if you prefer) - should be separated by a colon. For more info, run java -help
  • script.dw is the name of the predicate script you want to run
  • org.mytarget.Target is the name of the class file on which you want to run it, and you can specify as many targets as you like
Commonly used paramaters are
  • -javac "javac -cp ~/workspace/dw/build/classes"
    • Instructs the use custom java compiler parameters, which is nearly always necessary. In this case the java compiler will add my classes directory to its classpath.
  • -addcp /home/user/lib
    • Adds a custom class path for inclusion in Deepweaver execution. All the libraries you need, if they're not directly locatable from your current execution directory need to be added. This should point to either a root folder (eg. looking for org.apache.catalina.Role then it must be in /home/user/lib/org/apache/catalina/Role.class) or a JAR file. The easy way around this, if you have lots of JAR files is to create a library folder and just inflate all your JAR files there, that way you only ever have to specify one -addcp parameter
  • -time
    • displays timing information
  • -v
    • verbose output
You can also specify targets for execution en masse by using the + symbol on pacakages
+org.apache.catalina

Anything linked to code that is analysed will be loaded dynamically if it can be found.

Confused? Here's a sample command for Linux
java -cp jars/antlr-2.7.5.jar:jars/sootclasses-2534-1.jar:jars/jasminclasses-2327.jar:jars/polyglotclasses-1.3.2.jar:build/classes dw.DW -javac "javac -cp ${workspace_loc}/dw/build/classes" -addcp ~/workspace/webgoat_src/build/WEB-INF/classes/ -addcp ~/jars transact.dw +org.owasp.webgoat

This isn't as bad as it may seem!
  • Our classpath requires 4 DW jar files and the build/classes folder, which we've specified using -cp (Eclipse adds this automatically if you run using it).
  • -javac tells the java compiler to look inside /dw/build/classes for compile info
  • The -addcp parameters add the webgoat compiled classes and library of extracted JAR files to the path
  • transact.dw is the script to be called on the source code
  • We want to analyse all code within org.owasp.webgoat
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)