CommandLine  
Installation and Use instructions for the command-line version of the Joe-E verifier
Updated Jun 15, 2011 by amett...@gmail.com

Installation and Configuration

The Joe-E distribution provides a shell script that scans your source tree and produces a plain-text report of all Joe-E security violations found. This is useful for unit testing (as explained above), or if you won't be using Eclipse for programming; some IDEs, such as Emacs, might be able to process the output of this script directly.

  1. Install Eclipse and install the Joe-E verifier plugin. The easiest way to do this once you have downloaded the commandline JAR is to simply copy the file named like org.joe_e_2.x.x.jar somewhere Eclipse can find it. For a downloaded copy of Eclipse, the best place to do this is the eclipse/dropins directory. For a system-wide package-managed install of Eclipse, you can place it in the per-user plugins directory, which at least on Debian is located at ~/.eclipse/org.eclipse.platform_<version>/plugins. (See the instructions in GettingStarted for more info and options, including how to install the plugin from Eclipse Update.)
  2. Edit the verify.sh script from the directory where you untarred Joe-E, and fill in the three variables at the top of the file. For ECLIPSE_PLUGINS_DIR, make sure you put the global plugins directory (i.e., the location of the file org.eclipse.equinox.launcher_<someversion>.jar), not a per-user directory. For the other two variables, use the full path to the appropriate file names from the tarball (e.g., /some/where/library-2.x.x.jar and /some/where/taming-200xxxxx respectively).
  3. Try it out from a command prompt:

         ./verify.sh -source /your/source/directory

     This should produce a list of errors on the standard output.

Use

Invoke the verify.sh script from the root of the directory containing Joe-E source code to verify, or use the -source option to specify a directory root for the source code. You may use the CLASSPATH environment variable (or modify verify.sh) to specify additional classpath entries required to compile your code.

The verify.sh script takes the following options. They are actually defined by the underlying program that the script calls, but their behavior here is described assuming that verify.sh is used.

-source PATH The path to the source classes to be verified. Defaults to the current directory.
-taming PATH The location of the taming database. This overrides the setting in verify.sh.
-classpath PATH_OR_JAR[:PATH_OR_JAR]... The compilation classpath, which must include the Joe-E library. Overrides the setting for the Joe-E library in verify.sh and the CLASSPATH environment variable.
-markasjoee Mark all packages as Joe-E packages.
-fail Fail if any package isn't Joe-E.
-verbose Enable additional debugging output.

Interpreting the Output

The output currently contains all warnings and errors generated by the Eclipse and Joe-E build tasks.

The final line gives a total number of errors encountered (compilation or Joe-E verification errors). If it says "Build terminated with no errors" your code passed the verifier. Note that unless you used the -fail or -markasjoee flag, some of the code analyzed may not have been declared as Joe-E and thus not verified.
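
An added example (not part of the Joe-E distribution): a fail-closed wrapper for unit tests or CI. It passes a run only when the final output line is the "Build terminated with no errors" message quoted above, so a verifier that prints nothing, or only its launch command, counts as a failure. The function names and return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-closed gate around verify.sh.
# Function names and return codes are this example's own, not Joe-E's.

SUCCESS_MARKER='Build terminated with no errors'   # success text quoted on this page

# joee_verdict: read the verifier's standard output on stdin.
#   0 = final non-empty line carries the success marker
#   1 = output present, but the final line is not the success line
#   2 = no output at all (the verifier application most likely never ran)
joee_verdict() {
    last=$(grep -v '^[[:space:]]*$' | tail -n 1)
    if [ -z "$last" ]; then
        return 2
    fi
    case "$last" in
        *"$SUCCESS_MARKER"*) return 0 ;;
        *) return 1 ;;
    esac
}

# run_joee_check VERIFY_SH SOURCE_DIR
# Runs the verifier with -fail, so code that was not declared as Joe-E is an
# error rather than silently skipped, echoes the report, then gates on it.
run_joee_check() {
    verify_sh=$1
    src=$2
    if [ ! -x "$verify_sh" ]; then
        echo "joe-e: not executable: $verify_sh" >&2
        return 3
    fi
    # The script's own exit status is ignored; only the report decides.
    report=$("$verify_sh" -source "$src" -fail) || true
    printf '%s\n' "$report"
    rc=0
    printf '%s\n' "$report" | joee_verdict || rc=$?
    case $rc in
        0) echo "joe-e: verified" >&2 ;;
        2) echo "joe-e: no output; is the verifier plugin installed where Eclipse can find it?" >&2 ;;
        *) echo "joe-e: errors reported, or no success line" >&2 ;;
    esac
    return $rc
}
```

Source the file and call `run_joee_check ./verify.sh /your/source/directory`; a non-zero return should fail the build.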

Comment by tal...@gmail.com, Jun 8, 2011

At first I got:

Unable to access jarfile /usr/lib/eclipse/plugins/org.eclipse.equinox.launcher.source_1.0.201.R35x_v20090715.jar /usr/lib/eclipse/plugins/org.eclipse.equinox.launcher_1.0.201.R35x_v20090715.jar

After making it ignore the source file, it now does nothing:

$ ./verify.sh -source /my/java -markasjoee -verbose
java -cp /usr/lib/eclipse/plugins -jar /usr/lib/eclipse/plugins/org.eclipse.equinox.launcher_1.0.201.R35x_v20090715.jar -application org.joe_e.Main -taming /home/tal/langs/joe-e-commandline-2.2.2/taming-20100421 -classpath /home/tal/langs/joe-e-commandline-2.2.2/library-2.2.2.jar: -source /my/java -markasjoee -verbose
$

(the code isn't Joe-E, so I was expecting lots of errors)

Comment by project member amett...@gmail.com, Jun 15, 2011

@tal: It sounds like Eclipse can't find the verifier and thus is ignoring the "-application org.joe_e.Main". Is the org.joe_e.2.x.x.jar in the system-wide or per-user plugins directory? I have changed the instructions to make the installation requirement clearer and hint at where to find these directories.

