Can someone explain what isAdditionalTaintStep means? #6729
Comments
Hi there, thanks for your question.
When doing flow and taint analysis, CodeQL only analyzes paths that go through user code. Calls into third party methods are considered black boxes, unless you add some additional modeling steps. That's where Complete docs for Java are here. There are many examples of its usage in this repository. For example: Here, the additional taint step is saying that the output of a call to Here is a detailed article that walks through taint analysis using CodeQL: https://msrc-blog.microsoft.com/2019/03/19/vulnerability-hunting-with-semmle-ql-part-2/
It is the thing that reconnects the places where the data flow is broken.
Reconnecting them is easy to implement; the hard part is not knowing which points will break... which leads to false negatives.
On this point I have an idea, but I have not fully implemented it myself yet (you can also think about whether the idea is feasible). My idea: write a relatively general
Suppose the Option class is a class inside a third-party jar. Here CodeQL's taint data flow breaks. This scenario can be summarized as a model: taint enters an instance and then flows out of the instance again. A general way to write that can be constructed as follows:
Of course, this can be refined further. For example, taint usually flows in through setter methods and flows out through getter methods, so method-name restrictions and so on can be added on top of it. What is described above is only one model of data-flow breakage; there may be many other models, and they can be refined continuously until they eventually form one general isAdditionalTaintStep predicate.
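The setter-in, getter-out model described above, written out as an added CodeQL example (not code from the thread; the original snippet is missing from the page). It assumes the older `TaintTracking::Configuration` class API, a `RemoteFlowSource` source, and a placeholder sink of any argument to a method named `execute`; the name filters `set%`/`get%` are the refinement the comment suggests.

```ql
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources

// Example configuration: does remote input reach a sink after passing through
// a library object (compiled jar, no source) that CodeQL has no model for?
class LibraryObjectTaintConfig extends TaintTracking::Configuration {
  LibraryObjectTaintConfig() { this = "LibraryObjectTaintConfig" }

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  // Placeholder sink for this example (assumption): any argument of execute(...)
  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma |
      ma.getMethod().hasName("execute") and sink.asExpr() = ma.getAnArgument()
    )
  }

  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    // Step 1: taint enters the instance. An argument passed to a library setter
    // (no source available, so CodeQL cannot look inside) taints the receiver
    // object after the call, i.e. its post-update node.
    exists(MethodAccess setter |
      not setter.getMethod().fromSource() and
      setter.getMethod().getName().matches("set%") and
      pred.asExpr() = setter.getAnArgument() and
      succ.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = setter.getQualifier()
    )
    or
    // Step 2: taint leaves the instance. The return value of a zero-argument
    // library getter called on a tainted receiver is tainted.
    exists(MethodAccess getter |
      not getter.getMethod().fromSource() and
      getter.getMethod().getName().matches("get%") and
      getter.getNumArgument() = 0 and
      pred.asExpr() = getter.getQualifier() and
      succ.asExpr() = getter
    )
  }
}

from LibraryObjectTaintConfig cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Tainted value reaches a sink through an unmodelled library object."
```

Restricting both steps to `not fromSource()` keeps the extra edges limited to code CodeQL cannot analyse, so user-code setters and getters are still tracked by the normal field-flow analysis rather than over-approximated by these steps.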
Apart from this kind of break caused by entering a jar, are there other scenarios that cause the data flow to break?
Probably not (or maybe I just have not run into them yet). I have also thought about this question and came up with another scenario: calls between different Maven modules. But testing showed that this does not break the data flow (in principle different Maven modules are compiled into separate jars, so I tested this scenario). So the only known case so far is calling into a third-party jar.
OK.
I don't understand what isAdditionalTaintStep means.
Can someone explain what it means and when it can be used? I hope you can give me an example of it.