Summaries not rewritten, more taint locations added to report

plugin/src/main/java/com/h3xstream/findsecbugs/injection/TaintDetector.java

@@ -158,15 +158,16 @@ private void checkTaintSink(ConstantPoolGen cpg, InvokeInstruction invoke, Taint
             if (finalTaint == null) {
                 continue;
             }
-            if (finalTaint.isTainted()) {
+            if (finalTaint.isTainted() || finalTaint.hasParameters()) {
                 BugInstance bugInstance = sink.getBugInstance();
-                bugInstance.setPriority(Priorities.HIGH_PRIORITY);
                 bugInstance.addSourceLine(sourceLine);
-            } else if (finalTaint.hasParameters()) {
-                assert finalTaint.isUnknown();
-                BugInstance bugInstance = sink.getBugInstance();
-                bugInstance.addSourceLine(sourceLine);
-                delayBugToReport(currentMethod, finalTaint, bugInstance);
+                addSourceLines(finalTaint.getLocations(), bugInstance);
+                if (finalTaint.isTainted()) {
+                    bugInstance.setPriority(Priorities.HIGH_PRIORITY);
+                } else {
+                    assert finalTaint.isUnknown();
+                    delayBugToReport(currentMethod, finalTaint, bugInstance);
+                }
             }
         }
     }

plugin/src/main/java/com/h3xstream/findsecbugs/taintanalysis/TaintAnalysis.java

@@ -103,6 +103,9 @@ public void meetInto(TaintFrame fact, Edge edge, TaintFrame result)
         mergeInto(fact, result);
     }
 
+    /**
+     * This method must be called after executing the data flow
+     */
     public void finishAnalysis() {
         visitor.finishAnalysis();
     }

plugin/src/main/java/com/h3xstream/findsecbugs/taintanalysis/TaintFrameModelingVisitor.java

@@ -479,6 +479,9 @@ public void visitARETURN(ARETURN obj) {
         handleNormalInstruction(obj);
     }
 
+    /**
+     * This method must be called from outside at the end of the method analysis
+     */
     public void finishAnalysis() {
         assert analyzedMethodSummary != null;
         Taint outputTaint = analyzedMethodSummary.getOutputTaint();
@@ -501,7 +504,11 @@ public void finishAnalysis() {
         String methodId = "." + methodDescriptor.getName() + methodDescriptor.getSignature();
         if (analyzedMethodSummary.isInformative()
                 || getSuperMethodSummary(className, methodId) != null) {
-            methodSummaries.put(className.concat(methodId), analyzedMethodSummary);
+            String fullMethodName = className.concat(methodId);
+            if (!methodSummaries.containsKey(fullMethodName)) {
+                // prefer configured summaries to derived
+                methodSummaries.put(fullMethodName, analyzedMethodSummary);
+            }
         }
     }
 }