The goal of this workshop is to help researchers take their research developments and integrate them easily into existing IDE tools. We are seeking participation from researchers who have developed novel analysis technology and would like an easy way to deploy this technology in existing IDE tools. For example, a new, more-precise taint analysis is nice, but it will be potentially much easier to use and to evaluate if it is available in popular IDE’s—e.g. IntelliJ, VisualStudio Code—in editors—e.g. Sublime Text, Atom—and traditional editors used by programmers—e.g. Emacs, Vim.
We welcome researchers who are interested in IDE integration of program analyses to submit talk proposals (see Call for Talks). We will also host a hands-on Panathon session (Call for Participation in Panathon) where participants will be using MagpieBridge to integrate their own program analysis tools. MagpieBridge provides support for accomplishing this: it provides a framework in which a research analysis can be invoked from standard IDE’s. The underlying mechanism makes use of the Language Server Protocol (LSP), but that is completely hidden by a straightforward API that allows analyses to be invoked on source projects from IDE’s and report results that get displayed in idioms natural to each IDE. Such functionality could benefit a wide range of research tools, and so we encourage participation by bringing either your own research analysis or any analysis that you would like to see in a tool.
Speaker: Julian Thome (GitLab, Luxembourg)
Abstract: GitLab integrates 14 different SAST tools for different purposes and languages. These tools are available under https://gitlab.com/gitlab-org/security-products/analyzers as docker images. In this presentation we will explore how we developed a proof-of-concept language-agnostic IDE integration for GitLab based on MagpieBridge that leverages the dockerized SAST tools and the GitLab API to highlight SAST results in the IDE. In addition, we will show how we used the MagpieBridge HTTP server in order to provide a birds-eye view of security findings (severity, CWE, location) that are part of the analyzed project sources.
Speakers: Karoliine Holter (University of Tartu, Estonia), Sarah Tilscher (Technical University of Munich, Germany)
Abstract: Goblint is a static analysis tool for C-programs based on abstract interpretation. It supports the sound analysis of multithreaded code, with an extensive value analysis. This includes analyses for pointers, held locks, as well as tracking interval, bounded set and relational information about integers. Goblint can generate warnings about possible data races, NULL-dereferences, out-of-bounds accesses of arrays, and (signed) integer overflows, among others. Due to its modular architecture, extending the framework with further analyses only requires implementing transfer functions for the new analysis. All analyses can communicate with each other to share and refine their information. Previously, it was only possible to use Goblint via the command line, producing an HTML- or SARIF-output. We aimed for better usability by making an IDE integration available. As a result, we started developing GobPie, a MagpieBridge interface for Goblint. GobPie can display warnings produced by Goblint in the supported IDEs. For better integration, a server mode was developed for Goblint that communicates with GobPie via IPC-sockets. This way, restarting the analyzer and processing the configuration for every command can be avoided. For better usability, care was taken to communicate to the user the current processing status of the analyzer. In our presentation, we also report on further modifications applied to Goblint to improve IDE integration and sketch directions for future development.
Speaker: Goran Piskachev (Fraunhofer IEM, Germany)
Abstract: SecuCheck is a taint analysis built on top of the Soot framework. The tool is designed to assist software developers in detecting security vulnerabilities during development time within the IDE. To enable configurability, the tool provides an internal Java domain-specific language (DSL), called fluentTQL. In this talk, I will share insights from our experience in creating a MagpieBrigde instance for SecuCheck. In particular, I will focus on the integration of fluentTQL and the configurability of the analysis through the creation of HTTP pages supported by MagpieBridge.
Speaker: Ranjith Krishnamurthy (Fraunhofer IEM, Germany)
Abstract: SecuCheck-Kotlin is an extension of the existing Java taint analysis tool called SecuCheck to support taint analysis for Kotlin programs. In this talk, I will present the important lessons learned from creating a MagpieBridge instance for SecuCheck-Kotlin. Specifically, I will present the engineering challenges that we faced while integrating the Kotlin taint analysis tool with the IDE.
Speaker: Idriss Riouak (Lund University, Sweden)
Abstract: Static program analysis plays an essential role in software development and helps prevent bugs such as null pointer exceptions or security vulnerabilities. In this talk, we will discuss the static source-code analyser IntraJ, and its integration with one of the most used IDE, i.e., VSCode. IntraJ is built as an extension of the ExtendJ Java compiler. It superimposes the control-flow graph on top of the Abstract Syntax Tree, enabling the programmers to develop accurate (low false-positive rate) and efficient (competitive with existing static analysers, e.g., SonarQube) dataflow analyses. We used the MagpieBridge framework, which provides a level of abstraction on top of LSP, to export IntraJ’s functionality into a VSCode plug-in, unlocking new opportunities for an enhanced user experience, e.g., quick fixes. MagpieBridge drastically simplified the integration between our CLI utility and VSCode.
Speaker: Anton Risberg Alaküla (Lund University, Sweden)
Abstract: Viewing program analysis results in an editor is useful, both for ordinary developers and for developers of the analyses. Existing protocols for editor-analyzer communication, like LSP, are, however, typically limited to specific kinds of analysis results and do not support the exploration of analysis sub-steps. We propose a new mechanism: “property probes”, allowing users to explore analysis results for individual nodes in an abstract syntax tree (AST). Property probes are intended for language tools that represent analysis results as computed properties of AST nodes and are thus particularly suited for tools built using attribute grammars. The approach is general in that any property of an AST node can be viewed, e.g., types, dataflow information, pretty-print representation, etc. Notably, references to other AST nodes can be viewed and further explored, for example, supporting control-flow graphs. We will demonstrate a prototype tool for property probes, built with a client/server architecture and with Monaco as the client-side text editor. We will demonstrate usage of the tool on ExtendJ, an extensible Java compiler built using attribute grammars, as well as on extensions of ExtendJ, for example, supporting control-flow and dataflow analysis.
Tue 7 JunDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
09:00 - 10:30
|Welcome by the Organizers|
|A GitLab IDE Integration Based on MagpieBridge|
Julian Thome GitLab Inc.File Attached
|GobPie: An IDE Integration for Goblint Using MagpieBridge|
10:30 - 11:00
11:00 - 12:30
|Secucheck: Building a Configurable Taint Analysis|
Goran Piskachev Fraunhofer IEMFile Attached
|Experience From Integrating Secucheck-Kotlin Into IDE|
Ranjith Krishnamurthy Fraunhofer IEMFile Attached
13:30 - 15:00
|Source-Level Dataflow-Based Fixes: Experiences From Using Intraj and Magpiebridge|
Idriss Riouak Department of Computer Science, Lund University, SwedenFile Attached
|Property Probes: Source Code Based Exploration of Program Analysis Results|
Anton Risberg Alaküla Department of Computer Science, Lund University, SwedenFile Attached
15:00 - 15:30
Call for Talks
We look for talk proposals for the Invited Talks session. We welcome submissions addressing the following topics:
Past experience with integrating program analyses into IDEs. E.g, it would describe an integration into an IDE, and discuss how MagpieBridge simplified it. It could contrast MagpieBridge with other integrations, or it could show issues using MagpieBridge and possible improvements,
Tool demonstration. A tool demonstration should show a running analysis integrated into IDEs, and the talk would focus on how the information is displayed and how the mechanisms are used to show the analysis.
Report of user experience and expectation. A report of user experience would discuss user studies of IDE integration of program analyses. It should focus on how the integration works, what informations is displayed, how the study was designed and results.
Explainability of analysis result. Explainability of analysis results would describe novel IDE mechanisms for displaying results, and how that was done. For instance, mechanisms for showing interprocedural data-flow paths.
Authors of accepted proposals will be invited to give a talk (10 - 15 mins + 5 mins Q&A) at the workshop.
All submissions must confirm to the ECOOP 2022 formatting instructions and must not exceed 2 pages for the main text, inclusive of all figures and tables. Reference has no page limit.
The submission is non-blind. Please include your name, e-mail and affiliation in the submission. The proposal should describe: motivation, background about the program analysis tool, lessons learned or features of the IDE integration, looks of the analysis result in IDE, user feedbacks, challenges for future research.
- Submission deadline: 15. April 2022
- Submission website: click here
- Accepted talk proposals will be notified by 1. May 2022
Call for Participation in Panathon (Canceled)
Researchers who want to integrate their program analysis tools into IDEs are welcome to participate in the Panathon session, get cool Swag and win the Best IDE Integration Award with prize money.
Before the Panathon session, participants will be given a tutorial on how to use MagpieBridge for integrating program analysis tools into IDEs. During the Panathon session, participants will be given three hours to build an IDE integration of their analysis tools using MagpieBridge.
Afterwards, each participant will be given 5 minutes to demonstrate an integrated analysis tool. The demonstration will be evaluated by a panel of judges. A winner will be chosen and receive the Best IDE Integration Award. All participants will get cool Swag as a gift from the organizers. For participation, the idea is to create integration, so the ideal analysis will already work on code and produce some kind of result amenable to displaying in an IDE, such as issues or warnings about specific code constructs or variables.
Participants first need to register their interests by providing some basic information such as the background of the analysis tool that needs to be integrated into IDEs.
- Registration link: click here
- Registration deadline: 15. April 2022.
- Selected participants for the Panathonn session will be notified by 1. May 2022.
- Selected participants come to the workshop and build IDE integration for their analysis tools.
- A winner will be selected after the demonstration of integrated analysis tools.
MagpieBridge is designed to be broadly useful, but there are a few guidelines as to what sort of analysis would likely work best. Consult these guidelines to understand whether your analysis would be easy to integrate and whether you could display information as you would like:
- The MagpieBridge wiki provides documentation and tutorials.
- MagpieBridge is available on Maven Central. It can be easily added to projects using common build tools such as Maven and Gradle.
- MagpieBridge is largely asynchronous with respect to the IDE, so analysis computation time will never block the IDE and results are reported when they are ready. Latency-sensitive features such as hovers can have results computed during analysis, so analysis computation time can be hidden even there. This increases the amount of analysis time that is tolerable compared to on-demand analysis; however, analyses that take excessive amounts of time would not be suitable.
- MagpieBridge is written in Java, which makes integrating analyses also written in Java simplest. However, the protocol for communicating with analyses is straightforward, and we will support projects communicating with other languages with JNI bindings when appropriate and also with JSON messaging when that is most convenient. As such, the language in which your analysis is written should not be an issue for taking part in the hackathon.
- Diagnostics are the kind of error, warning and informational messages commonly supported in IDE’s. MagpieBridge provides an API for returning these kinds of messages, which then get displayed by the IDE using its usual mechanisms.
- Hovers are messages that pop up when the mouse hovers over a specific code segment . Note that LSP in most IDE’s integrates its hovers seamlessly with any other hover messages that the IDE generates.
- Code lenses are comments injected into program buffers by the IDE, typically accentuated by means of different fonts or colors. These lenses can be linked to actions that interact with the analysis.
- Code actions such as quick fixes, displaying a HTML page which presents more complex information.
MagpieBridge does not support wholesale changes to the IDE, but, using the HTML integration mechanism, it allows non-trivial views to e.g. configure an analysis or display results. This HTML integration is robust across all IDE’s supported: if an IDE provides such a mechanism (e.g. VS Code), MagpieBridge uses it; otherwise these views would show up in the user’s Web browser.
MagpieBridge supports the LSP notion of code actions, in which an analysis provides a code range from the program and the text with which it would like to replace that range. This is the primary mechanism, but it is straightforward to extend it to multiple ranges for a single fix. MagpieBridge supports arbitrary HTML documents, which can be used by an analysis to display more complex information than can be easily rendered in a hover. For example, a detailed description of a security warning could be displayed for a brief error message, a data-flow path could be displayed in a graph-like structure.
We encourage student participants with limited funding to apply for student volunteers at ECOOP.