facebook / infer

A static analyzer for Java, C, C++, and Objective-C
http://fbinfer.com/
MIT License

infer quandary question #1314

Open niuzhi opened 3 years ago

niuzhi commented 3 years ago

Hello, Infer developers! I am trying to use Quandary under Infer for taint analysis. My test sample is as follows. [image]

The content of the .inferconfig file is as follows: [image]

But the analysis cannot find the tainted flow from a to c. [image]

What is the reason for this? How can I solve it? Thank you, looking forward to your reply.

sblackshear commented 3 years ago

I think the problem is that kind is supposed to be a classification for the source/sinks (e.g. UserControlledData), not a local variable name.

In the Quandary config, quandary-sources taints the return value of the given procedure and quandary-sinks taints the input parameter s of the given procedure. I suspect that if you rewrite your example code to something like this:

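public class SqlInjection {
  public static void Test() {
    int a = source();   // the return value of source() is tainted
    int b = a + 2;
    int c = b;
    sink(c);            // the tainted value reaches the sink's parameter
  }

  // Declared static so that the static Test() method can call them.
  static native int source();

  static native void sink(int i);
}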

, Quandary will report.
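The semantics described in the reply above (a source taints its return value, a sink checks its input parameters, and `kind` is only a category label), as an added example that is not part of the original thread and is not Infer's implementation. It is a simplified, flow-sensitive model run over the body of `Test()`; the config layout, the sink label `ExampleSink` and the function `analyze` are assumptions made for illustration.

```python
import re

# Constructed config: `kind` is a category label, never a variable name.
# "UserControlledData" is the label used in the reply; "ExampleSink" is made up here.
CONFIG = {
    "sources": [{"procedure": "source", "kind": "UserControlledData"}],
    "sinks": [{"procedure": "sink", "kind": "ExampleSink"}],
}

# Body of Test() from the reply, one statement per entry.
PROGRAM = ["a = source()", "b = a + 2", "c = b", "sink(c)"]

CALL = re.compile(r"^(\w+)\((.*)\)$")
IDENT = re.compile(r"[A-Za-z_]\w*")


def analyze(program, config):
    """Return (source_kind, source_line, sink_kind, sink_line) tuples."""
    sources = {s["procedure"]: s["kind"] for s in config["sources"]}
    sinks = {s["procedure"]: s["kind"] for s in config["sinks"]}
    taint = {}    # variable name -> set of (source kind, line where it arose)
    reports = []

    def taint_of(text):
        found = set()
        for name in IDENT.findall(text):
            found |= taint.get(name, set())
        return found

    for lineno, stmt in enumerate(program, 1):
        target, expr = stmt.split(" = ", 1) if " = " in stmt else (None, stmt)
        call = CALL.match(expr.strip())
        if call:
            callee, args = call.groups()
            if callee in sinks:
                # A sink inspects its input parameters.
                for kind, origin in sorted(taint_of(args)):
                    reports.append((kind, origin, sinks[callee], lineno))
            # A source taints its return value; other calls return clean data here.
            value = {(sources[callee], lineno)} if callee in sources else set()
        else:
            value = taint_of(expr)  # taint flows through arithmetic and copies
        if target is not None:
            taint[target.strip()] = value  # strong update: reassignment replaces taint
    return reports
```

In this model a config entry whose `procedure` does not name a called method (for example a local variable name) matches nothing, so no flow is reported.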

niuzhi commented 3 years ago

Infer does not report. Can you give a detailed example of Infer Quandary analysis? Thanks.