secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

false negative caused by method summary #521

Open mengjianwei12345 opened 1 year ago

mengjianwei12345 commented 1 year ago

Hello, I would like to ask why the methods with parameters of the java.lang. class in the function summary are not recognized during analysis? For example:

```java
stringBuilder.append(132323).append(tainted);
ConnectionManager cm = new ConnectionManager();
cm.publish((stringBuilder.toString()));
```

The above code will not be missed, because 132323 is not a class starting with java.lang.

```java
stringBuilder.append("132323").append(tainted);
ConnectionManager cm = new ConnectionManager();
cm.publish((stringBuilder.toString()));
```

The above code will be underreported because "132323" is java.lang.StringBuffer.

StevenArzt commented 1 year ago

How do you use FlowDroid? Do you use the API or do you run the command-line tool? If so, with which parameters?

Note that you need to configure a proper taint wrapper when using the API.
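The taint wrapper that the reply refers to is what lets FlowDroid propagate taint through library calls such as `StringBuilder.append(...)` without analysing the library body. The following is an added example of wiring one into an API-driven analysis; it is not code from the issue or from the FlowDroid project, and it assumes the standard FlowDroid classes `SetupApplication`, `SummaryTaintWrapper`, `LazySummaryProvider` and `EasyTaintWrapper` with the constructors shown. The paths (`ANDROID_JARS`, `APK`, `SOURCES_SINKS`, the `summariesManual` folder and `EasyTaintWrapper.txt`) are placeholders that must point at your SDK platforms directory, the APK under test and the source/sink and wrapper files shipped with the FlowDroid distribution.

```java
import java.io.IOException;

import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.methodSummary.data.provider.LazySummaryProvider;
import soot.jimple.infoflow.methodSummary.taintWrappers.SummaryTaintWrapper;
import soot.jimple.infoflow.results.DataFlowResult;
import soot.jimple.infoflow.results.InfoflowResults;
import soot.jimple.infoflow.taintWrappers.EasyTaintWrapper;
import soot.jimple.infoflow.taintWrappers.ITaintPropagationWrapper;

public class TaintWrapperExample {

    // Assumed locations; adjust to your environment.
    static final String ANDROID_JARS  = "/opt/android-sdk/platforms"; // directory holding android.jar per API level
    static final String APK           = "app-under-test.apk";         // the application to analyse
    static final String SOURCES_SINKS = "SourcesAndSinks.txt";        // source/sink definitions from the FlowDroid distribution

    /**
     * Builds the taint wrapper that models library methods.
     * useSummaries = true  -> StubDroid method summaries (covers java.lang.* including StringBuilder)
     * useSummaries = false -> the simpler list-based EasyTaintWrapper
     */
    static ITaintPropagationWrapper buildWrapper(boolean useSummaries) throws IOException {
        if (useSummaries) {
            // "summariesManual" is the summary folder/JAR that ships with soot-infoflow-summaries (assumed location)
            return new SummaryTaintWrapper(new LazySummaryProvider("summariesManual"));
        }
        // EasyTaintWrapper.txt is the rule file shipped with soot-infoflow (assumed to be on the working directory)
        return new EasyTaintWrapper("EasyTaintWrapper.txt");
    }

    public static void main(String[] args) throws IOException {
        SetupApplication analyzer = new SetupApplication(ANDROID_JARS, APK);

        // Without a wrapper, a call like stringBuilder.append(tainted) is opaque to the
        // analysis and the taint is dropped, which shows up as a false negative at the sink.
        analyzer.setTaintWrapper(buildWrapper(true));

        InfoflowResults results = analyzer.runInfoflow(SOURCES_SINKS);
        if (results == null || results.isEmpty()) {
            System.out.println("No source-to-sink flows found (check wrapper and source/sink configuration)");
            return;
        }
        // Each DataFlowResult pairs the statement where taint was introduced with the statement that consumed it.
        for (DataFlowResult flow : results.getResultSet()) {
            System.out.println(flow.getSource().getStmt() + "  -->  " + flow.getSink().getStmt());
        }
    }
}
```

When reproducing a suspected false negative such as the one in this issue, run the same APK once with each wrapper variant and compare the reported flows: a flow that appears only with one wrapper points at a gap in that wrapper's model of the library method, rather than at the core propagation engine.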