Does Find Sec Bugs allow one to define sensitive sources and sinks via annotations, like other static analysis tools such as the Checker Framework? Right now I only see sources/sinks being defined in config files like so: https://github.com/find-sec-bugs/find-sec-bugs/blob/99814871f33ca0484b975f2fe51bae2bc1bcf40a/plugin/src/main/resources/taint-config/taint-sensitive-data.txt
The Checker Framework has a @Tainted and @Untainted annotation that can be used generically throughout the code (https://checkerframework.org/manual/#tainting-many-uses)
You can also create custom annotations, the documentation shows how it can be applied to the information leakage case (https://checkerframework.org/manual/#subtyping-example)
```java
package myPackage.qual;

import org.checkerframework.framework.qual.DefaultFor;
import org.checkerframework.framework.qual.ImplicitFor;
import org.checkerframework.framework.qual.LiteralKind;
import org.checkerframework.framework.qual.SubtypeOf;
import org.checkerframework.framework.qual.TypeUseLocation;

import java.lang.annotation.ElementType;
import java.lang.annotation.Target;

/**
 * Denotes that the representation of an object is encrypted.
 */
@SubtypeOf(PossiblyUnencrypted.class)           // @Encrypted is the "safe" subtype in the hierarchy
@ImplicitFor(literal={LiteralKind.NULL})        // null is treated as @Encrypted
@DefaultFor({TypeUseLocation.LOWER_BOUND})      // used as the default for lower bounds only
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface Encrypted {}
```
```java
package myPackage.qual;

import org.checkerframework.framework.qual.DefaultQualifierInHierarchy;
import org.checkerframework.framework.qual.SubtypeOf;

import java.lang.annotation.ElementType;
import java.lang.annotation.Target;

/**
 * Denotes that the representation of an object might not be encrypted.
 */
@DefaultQualifierInHierarchy   // every unannotated type is @PossiblyUnencrypted
@SubtypeOf({})                 // top of the hierarchy
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface PossiblyUnencrypted {}
```
```java
import myPackage.qual.Encrypted;
...
// Source of @Encrypted values: the only method whose return type carries the qualifier.
public @Encrypted String encrypt(String text) {
    // ...
}

// Only send encrypted data! The parameter type is the sink: callers must supply @Encrypted.
public void sendOverInternet(@Encrypted String msg) {
    // ...
}

void sendText() {
    // ...
    @Encrypted String ciphertext = encrypt(plaintext);
    sendOverInternet(ciphertext);   // OK: ciphertext is @Encrypted
    // ...
}

void sendPassword() {
    String password = getUserPassword();   // unannotated, so defaults to @PossiblyUnencrypted
    sendOverInternet(password);            // rejected: @PossiblyUnencrypted is not a subtype of @Encrypted
}
```
As a result it'll spit out something like:

```text
YourProgram.java:42: incompatible types.
found   : @myPackage.qual.PossiblyUnencrypted java.lang.String
required: @myPackage.qual.Encrypted java.lang.String
    sendOverInternet(password);
```
Anything similar in Find Sec Bugs? Thanks!
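For comparison with the custom @Encrypted hierarchy above, the following is an added example (not part of the issue, and not Find Sec Bugs or Checker Framework project code) showing the same annotation-driven source/sink pattern with the Checker Framework's built-in Tainting Checker mentioned at the top of the post. The class, method names and the regular expression are assumptions made for the illustration; the annotations `@Tainted`, `@Untainted` and the processor class `org.checkerframework.checker.tainting.TaintingChecker` are the real ones. In the Tainting Checker the default qualifier is `@Tainted` and string literals are `@Untainted`, so the only way to get an `@Untainted` value out of request input is through an explicit sanitizer, which is exactly the role the `encrypt` method plays in the post's example.

```java
// Compile with:
//   javac -processor org.checkerframework.checker.tainting.TaintingChecker TaintedLookupExample.java
// (checker-qual and checker jars on the classpath/processorpath; assumed setup.)
import org.checkerframework.checker.tainting.qual.Tainted;
import org.checkerframework.checker.tainting.qual.Untainted;

public class TaintedLookupExample {

    // SINK: only an @Untainted statement may be executed.
    // Declaring the parameter type is all it takes to register the sink.
    static void runQuery(@Untainted String sql) {
        // execute sql against the database (body elided in this illustration)
    }

    // SOURCE: input from the network is @Tainted by default; the annotation
    // is written out here only to make the flow explicit.
    static @Tainted String tableNameFromRequest() {
        return "users; DROP TABLE users"; // constructed sample input
    }

    // SANITIZER: the single place where @Tainted becomes @Untainted.
    // The cast cannot be proven by the checker, so the warning is suppressed
    // deliberately and the validation logic lives next to the suppression
    // where a reviewer will see it.
    @SuppressWarnings("tainting:cast.unsafe")
    static @Untainted String sanitizeIdentifier(@Tainted String candidate) {
        // Allow-list: identifiers only, no quotes, spaces or separators.
        if (!candidate.matches("[A-Za-z0-9_]{1,64}")) {
            throw new IllegalArgumentException("invalid table identifier");
        }
        return (@Untainted String) candidate;
    }

    static void handleRequest() {
        @Tainted String table = tableNameFromRequest();

        // Rejected at compile time: "SELECT * FROM " is @Untainted but the
        // concatenation with a @Tainted operand is @Tainted, and the sink
        // requires @Untainted.
        // runQuery("SELECT * FROM " + table);

        // Accepted: every part of the concatenation is @Untainted.
        runQuery("SELECT * FROM " + sanitizeIdentifier(table));
    }

    public static void main(String[] args) {
        handleRequest(); // throws IllegalArgumentException for the sample input above
    }
}
```

The point of the contrast with Find Sec Bugs' `taint-config` files is visible in the code: here the sink (`runQuery`), the source (`tableNameFromRequest`) and the sanitizer (`sanitizeIdentifier`) are declared in the source itself by their parameter and return types, and the Checker Framework enforces the flow at compile time rather than reporting it after the fact.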