awslabs / ar-go-tools

ar-go-tools (Argot) is a collection of analysis tools for Go
Apache License 2.0
9 stars, 1 fork

Fix `fmt.Errorf` false-positives #44

Closed. samarth-aws closed this issue 9 months ago.

samarth-aws commented 10 months ago

There are some cases where the taint analysis reports data flows through fmt.Errorf as false positives:

All examples refer to the file testdata/src/taint/agent-example/main.go.

Example 1 (no taint flow reported):

    docState, _ := messaging.ParseSendCommandMessage(context.Background(), msg, "tmp", "mds")
    sink(fmt.Errorf(""))

Example 2 (taint flow reported):

    docState, err := messaging.ParseSendCommandMessage(context.Background(), msg, "tmp", "mds")
    _ = err
    sink(fmt.Errorf(""))

Example 3 (no taint flow reported):

    docState, err := messaging.ParseSendCommandMessage(context.Background(), msg, "tmp", "mds")
    _ = err
    sink(fmt.Sprintf(""))

Examples 1 and 2 are semantically equivalent, yet example 2 has a false positive. Example 3 is identical to example 2 but uses fmt.Sprintf instead of fmt.Errorf. Both have identical pre-defined summaries in the summaries package (FormatterPropagation).
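The report hinges on what the FormatterPropagation summary is supposed to mean: a call to fmt.Errorf or fmt.Sprintf yields a tainted value only if one of its arguments is tainted, so fmt.Errorf("") with a literal-only argument list can never carry taint, whatever `_ = err` did beforehand. The program below is an added, self-contained toy that applies that rule syntactically over go/ast; it is not argot's analysis or its test harness. It assumes messaging.ParseSendCommandMessage is the taint source and sink(...) is the sink, re-creates the three snippets from the issue as constructed inputs, and adds a fourth, true-positive variant (err actually interpolated into the error) to show that the same rule still reports real flows.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// wrap makes a body parseable; only syntax is needed, so names need not resolve.
func wrap(body string) string { return "package p\nfunc f(msg []byte) {\n" + body + "\n}\n" }

// Constructed inputs: the issue's three cases plus a true-positive variant.
// messaging.ParseSendCommandMessage is the assumed source and sink(...) the sink.
var snippets = map[string]string{
	"example1": wrap(`docState, _ := messaging.ParseSendCommandMessage(context.Background(), msg, "tmp", "mds")
	sink(fmt.Errorf(""))`),
	"example2": wrap(`docState, err := messaging.ParseSendCommandMessage(context.Background(), msg, "tmp", "mds")
	_ = err
	sink(fmt.Errorf(""))`),
	"example3": wrap(`docState, err := messaging.ParseSendCommandMessage(context.Background(), msg, "tmp", "mds")
	_ = err
	sink(fmt.Sprintf(""))`),
	"example4": wrap(`docState, err := messaging.ParseSendCommandMessage(context.Background(), msg, "tmp", "mds")
	sink(fmt.Errorf("parse failed: %w", err))
	sink(fmt.Sprintf("done"))`),
}

// callee names a call target as "pkg.Func" or "Func" ("" for other shapes).
func callee(call *ast.CallExpr) string {
	switch f := call.Fun.(type) {
	case *ast.Ident:
		return f.Name
	case *ast.SelectorExpr:
		if pkg, ok := f.X.(*ast.Ident); ok {
			return pkg.Name + "." + f.Sel.Name
		}
	}
	return ""
}

// tainted reports whether any of exprs carries taint, given the names marked so far.
func tainted(set map[string]bool, exprs ...ast.Expr) bool {
	for _, e := range exprs {
		switch x := e.(type) {
		case *ast.Ident:
			if set[x.Name] {
				return true
			}
		case *ast.CallExpr:
			// Source results are tainted outright; every other call gets FormatterPropagation,
			// the rule fmt.Errorf and fmt.Sprintf share: tainted iff some argument is.
			if callee(x) == "messaging.ParseSendCommandMessage" || tainted(set, x.Args...) {
				return true
			}
		} // literals such as "" never carry taint
	}
	return false
}

// TaintedSinkCalls reports, in source order, whether each sink(...) statement in src gets tainted data.
func TaintedSinkCalls(src string) ([]bool, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "snippet.go", src, 0)
	if err != nil {
		return nil, err
	}
	var flows []bool
	for _, d := range file.Decls {
		fn, ok := d.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		set := map[string]bool{} // flow-sensitive: updated statement by statement
		for _, st := range fn.Body.List {
			switch s := st.(type) {
			case *ast.AssignStmt:
				// Named variables inherit the right side's taint; `_ = err` records nothing.
				rhs := tainted(set, s.Rhs...)
				for _, l := range s.Lhs {
					if id, ok := l.(*ast.Ident); ok && id.Name != "_" {
						set[id.Name] = rhs
					}
				}
			case *ast.ExprStmt:
				if call, ok := s.X.(*ast.CallExpr); ok && callee(call) == "sink" {
					flows = append(flows, tainted(set, call.Args...))
				}
			}
		}
	}
	return flows, nil
}

func main() {
	for _, name := range []string{"example1", "example2", "example3", "example4"} {
		flows, err := TaintedSinkCalls(snippets[name])
		fmt.Println(name, flows, err)
	}
}
```

Run it with `go run`: the three issue cases each report no tainted sink call, and the fourth reports one for the Errorf that interpolates err and none for the literal-only Sprintf. The per-function map is the whole point: an assignment to the blank identifier adds nothing to it, so an implementation of the summary that only looks at a call's arguments has no way to tell Examples 1 and 2 apart, which is what makes the reported flow in Example 2 a false positive.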

victornicolet commented 9 months ago

Looking into this, it seems this bug only occurs in the testing suite. If I use the taint tool, no taint flow is reported for Example 2.