awslabs / ar-go-tools

ar-go-tools (Argot) is a collection of analysis tools for Go
Apache License 2.0

Improving precision (context sensitivity) for some cases with closures #30

Closed victornicolet closed 1 month ago

victornicolet commented 1 year ago

Currently, in the example9 function of the test file testdata/src/taint/closures/main.go, the taint analyzer reports a false alarm. This is due to the fact that when the bound variable gets tainted, the visitor starts without context inside the example9pre function because it follows an edge from BoundLabelNode to a ClosureNode.

With the context lost, all possible locations where example9pre returns must be visited, and both locations in example9 lead to both sinks being tainted. With proper context information, only one return location should be visited and only one sink is reachable.
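
The precision loss described in the comment above, as an added toy model (not Argot's code and not the contents of the test file): a traversal that starts inside a helper with no call-site stack must follow every return edge, while one that carries the stack follows only the matching one. The graph, the node names (`pre` and `caller` stand in for example9pre and example9) and the call-site labels `c1`/`c2` are assumptions made for the illustration.

```go
package main

import "fmt"
import "sort"

// edge is one data-flow step; ret names the call site a return edge goes back to.
type edge struct{ to, ret string }

// Constructed, acyclic graph: pre builds a closure and is called from sites c1 and c2;
// the value returned to c1 reaches sink1, the value returned to c2 reaches sink2.
var graph = map[string][]edge{
	"pre:closure": {{to: "pre:return"}},
	"pre:return":  {{to: "caller:r1", ret: "c1"}, {to: "caller:r2", ret: "c2"}},
	"caller:r1":   {{to: "sink1"}},
	"caller:r2":   {{to: "sink2"}},
}

// visit follows edges from node, matching return edges against the call-site stack.
func visit(node string, stack []string, sinks map[string]bool) {
	if len(graph[node]) == 0 {
		sinks[node] = true // leaf nodes of this graph are the sinks
	}
	for _, e := range graph[node] {
		next := stack
		// With an empty stack the context is unknown, so every return edge is taken.
		if e.ret != "" && len(stack) > 0 {
			if stack[len(stack)-1] != e.ret {
				continue // return to a site we did not come from: infeasible path
			}
			next = stack[:len(stack)-1]
		}
		visit(e.to, next, sinks)
	}
}

// TaintedSinks starts at the closure node with the given call-site context.
func TaintedSinks(ctx []string) []string {
	sinks := map[string]bool{}
	visit("pre:closure", ctx, sinks)
	out := []string{}
	for s := range sinks {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(TaintedSinks(nil), TaintedSinks([]string{"c1"}))
}
```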

samarth-aws commented 11 months ago

There are also many false positives in the test file testdata/src/taint/closures_paper/main.go:


        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:27
        with trace: call:example2->call:process->call:example1$1->call:source
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example2->call:process->call:source
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example2->call:process->call:example3$3
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example2->call:process->call:example1$1
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example2->call:process->call:example1$2
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example1->call:process->call:example2$1
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example1->call:process->call:example3$3
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example1->call:process->call:example1$2
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example1->call:process->call:source
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example1->call:process->call:example1$1
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example3->call:process->call:example1$1
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example3->call:process->call:source
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:27
        with trace: call:example3->call:process->call:example1$1->call:source
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example3->call:process->call:example1$2
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21
    taint_utils_test.go:93: false positive:
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:20
        with trace: call:example3->call:process->call:example2$1
        flows to
        /Volumes/workplace/argot/testdata/src/taint/closures_paper/main.go:21

github-actions[bot] commented 8 months ago

Stale issue message

github-actions[bot] commented 5 months ago

Stale issue message

github-actions[bot] commented 1 month ago

Stale issue message