Open niuzhi opened 3 years ago
I think the problem is that kind
is supposed to be a classification for the source/sinks (e.g. UserControlledData
, not a local variable name.
In the Quandary config, quandary-sources
taints the return value of the given procedure and quandary-sinks
taints the input parameter s of the given procedure. I suspect that if you rewrite your example code to something like this:
public class SqlInjection {
public static void Test() {
int a = source();
int b = a + 2;
int c = b;
sink(c);
}
native int source();
native void sink(int i);
, Quandary will report.
I think the problem is that
kind
is supposed to be a classification for the source/sinks (e.g.UserControlledData
, not a local variable name.In the Quandary config,
quandary-sources
taints the return value of the given procedure andquandary-sinks
taints the input parameter s of the given procedure. I suspect that if you rewrite your example code to something like this:public class SqlInjection { public static void Test() { int a = source(); int b = a + 2; int c = b; sink(c); } native int source(); native void sink(int i);
, Quandary will report.
infer not report.Can you give a detailed example of infer quandary analysis?thanks
Hello,Infer developers! I am trying to use the quandary under infer for taint analysis. My test sample is as follows.
The content of the inferconfigure file is as follows,
but the analysis cannot find the tainted process from a to c.
What is the reason for this? How to solve? Thank you, looking forward to your big reply