DEVHIDE
Login Or Sign up

Detecting information leakage in Find Sec Bugs via taint analysis and custom annotations

204 Views Asked by At

Does Find Sec Bugs allow one to define sensitive sources and sinks via annotations, like other static analysis tools such as the Checker Framework? Right now I only see sources/sinks being defined in config files like so: https://github.com/find-sec-bugs/find-sec-bugs/blob/99814871f33ca0484b975f2fe51bae2bc1bcf40a/plugin/src/main/resources/taint-config/taint-sensitive-data.txt

The Checker Framework has a @Tainted and @Untainted annotation that can be used generically throughout the code (https://checkerframework.org/manual/#tainting-many-uses)

You can also create custom annotations, the documentation shows how it can be applied to the information leakage case (https://checkerframework.org/manual/#subtyping-example)

package myPackage.qual;

import java.lang.annotation.ElementType;
import java.lang.annotation.Target;

/**
 * Denotes that the representation of an object is encrypted.
 */
@SubtypeOf(PossiblyUnencrypted.class)
@ImplicitFor(literal={LiteralKind.NULL})
@DefaultFor({TypeUseLocation.LOWER_BOUND})
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface Encrypted {}

package myPackage.qual;

import org.checkerframework.framework.qual.DefaultQualifierInHierarchy;
import org.checkerframework.framework.qual.SubtypeOf;
import java.lang.annotation.ElementType;
import java.lang.annotation.Target;

/**
 * Denotes that the representation of an object might not be encrypted.
 */
@DefaultQualifierInHierarchy
@SubtypeOf({})
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface PossiblyUnencrypted {}

import myPackage.qual.Encrypted;

...

public @Encrypted String encrypt(String text) {
    // ...
}

// Only send encrypted data!
public void sendOverInternet(@Encrypted String msg) {
    // ...
}

void sendText() {
    // ...
    @Encrypted String ciphertext = encrypt(plaintext);
    sendOverInternet(ciphertext);
    // ...
}

void sendPassword() {
    String password = getUserPassword();
    sendOverInternet(password);
}

As a result it'll spit out something like:

YourProgram.java:42: incompatible types.
found   : @myPackage.qual.PossiblyUnencrypted java.lang.String
required: @myPackage.qual.Encrypted java.lang.String
    sendOverInternet(password);

Anything similar in Find Sec Bugs? Thanks!

java spotbugs find-sec-bugs
Original Q&A
0

There are 0 best solutions below

Related Questions in JAVA

Related Questions in SPOTBUGS

Related Questions in FIND-SEC-BUGS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.