How Pom xml is parsed by CxSAST - checkmarx-ts/CxDOM-Types GitHub Wiki
More on How POM xml is parsed in CxSAST
XML files are transpiled into Java code during the pre-processing stage.
This conversion is language-agnostic:
Each XML opening tag <tag becomes an IfStmt: if (TAG) {
Each attribute <tag attr="x" becomes an assignment TAG.attr = "x"; inside the above IfStmt (tag and attribute names are upper-cased, and a namespace prefix such as xmlns:xsi becomes XMLNS_XSI, as in the example below).
The text content Y of a tag becomes an assignment TAG.TEXT = "Y"; inside the above IfStmt.
Each XML closing tag becomes an ExpressionStmt PARENT_TAGS.TAG; together with the } that closes the open IfStmt, where PARENT_TAGS is the chain of parent tags separated by "."
These statements are then placed into the constructor of a class with a randomly suffixed name, CxXmlConfigClass<suffix> (CxXmlConfigClass1622594767 in the example below).
Sample pom.xml file content:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.checkmarx</groupId>
<artifactId>mybatis-test</artifactId>
<version>1.0.0-SNAPSHOT</version>
<packaging>war</packaging>
<name>mybatis-test</name>
<description>Configuration via XML</description>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencies>
<!-- https://mvnrepository.com/artifact/junit/junit -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>
The above pom.xml file is converted into the following Java class:
// Illustrative output of the CxSAST pre-processing step for the sample pom.xml above.
// This is not compilable Java: the `if (...)` conditions are tag identifiers, not booleans,
// and the bare `PROJECT.X;` lines are ExpressionStmts that stand for a closing tag.
// Tag and attribute names are upper-cased; `xmlns:xsi` is emitted as XMLNS_XSI (':' -> '_').
// As transcribed on the wiki, the constructor name below lacks the class's numeric suffix.
public class CxXmlConfigClass1622594767 {
public CxXmlConfigClass() {
// <project ...>: each attribute of the root tag becomes an assignment on PROJECT.
if (PROJECT) {
PROJECT.XMLNS = "http://maven.apache.org/POM/4.0.0";
PROJECT.XMLNS_XSI = "http://www.w3.org/2001/XMLSchema-instance";
PROJECT.XSI_SCHEMALOCATION = "http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd";
// Closing marker for the root tag appears here, before the child tags rather than after them;
// NOTE(review): the description above says the marker accompanies the closing tag -- confirm ordering.
PROJECT;
// Child tags: the text content of each becomes a TEXT assignment keyed by the full parent chain.
if (MODELVERSION) {
PROJECT.MODELVERSION.TEXT = "4.0.0";
PROJECT.MODELVERSION;
}
if (GROUPID) {
PROJECT.GROUPID.TEXT = "com.checkmarx";
PROJECT.GROUPID;
}
if (ARTIFACTID) {
PROJECT.ARTIFACTID.TEXT = "mybatis-test";
PROJECT.ARTIFACTID;
}
// The sample pom's <version>, <packaging>, <name> and <description> have no counterpart in
// this listing; whether that is an omission in the wiki or in the transpiler is not shown here.
if (PROPERTIES) {
// Property names containing '.' are split into nested identifiers:
// project.build.sourceEncoding -> PROJECT.BUILD.SOURCEENCODING.
if (PROJECT.BUILD.SOURCEENCODING) {
PROJECT.PROPERTIES.PROJECT.BUILD.SOURCEENCODING.TEXT = "UTF-8";
PROJECT.PROPERTIES.PROJECT.BUILD.SOURCEENCODING;
}
if (MAVEN.COMPILER.SOURCE) {
PROJECT.PROPERTIES.MAVEN.COMPILER.SOURCE.TEXT = "1.7";
PROJECT.PROPERTIES.MAVEN.COMPILER.SOURCE;
}
if (MAVEN.COMPILER.TARGET) {
PROJECT.PROPERTIES.MAVEN.COMPILER.TARGET.TEXT = "1.7";
PROJECT.PROPERTIES.MAVEN.COMPILER.TARGET;
}
}
// The <!-- ... --> comment inside <dependencies> in the sample pom has no counterpart here.
if (DEPENDENCIES) {
if (DEPENDENCY) {
// Dependency coordinates (groupId/artifactId/version/scope) are exposed as these TEXT values;
// presumably queries that inspect declared dependencies read them -- verify against the queries.
if (GROUPID) {
PROJECT.DEPENDENCIES.DEPENDENCY.GROUPID.TEXT = "junit";
PROJECT.DEPENDENCIES.DEPENDENCY.GROUPID;
}
if (ARTIFACTID) {
PROJECT.DEPENDENCIES.DEPENDENCY.ARTIFACTID.TEXT = "junit";
PROJECT.DEPENDENCIES.DEPENDENCY.ARTIFACTID;
}
if (VERSION) {
// The author's note on the next line is kept as written; what is wrong is not stated on this page.
PROJECT.DEPENDENCIES.DEPENDENCY.VERSION.TEXT = "4.12"; // Something wrong here in CxSAST 9.3
PROJECT.DEPENDENCIES.DEPENDENCY.VERSION;
}
if (SCOPE) {
// NOTE(review): the opening quote on the next line is a typographic quote in the wiki text;
// likely a transcription artifact rather than transpiler output -- confirm against a real run.
PROJECT.DEPENDENCIES.DEPENDENCY.SCOPE.TEXT = “test";
PROJECT.DEPENDENCIES.DEPENDENCY.SCOPE;
}
}
}
}
}
}