Closed RabbitDong-on closed 2 months ago
How did you define your sources and sinks? If the return value of method flow1
is tainted, this will taint variable data1
. The variable is never passed to a sink. In your example, I thinkyou should rather define the method that produces flowdata1
as your source.
In my code,
List
You mean that flowdroid can tranfer taint variable data1 via assign stmt| call parameter | call return value instead of shared memory data1.
There is no flow from data1
to flowdata1
. Keep in mind that FlowDroid is flow-sensitive, i.e., the order of statements matters. data1
is derived from flowdata1
, but not the other way around.
As I wrote, you should define the method that computes flowdata1
as your source and the flow will be found.
Thanks! I will close this issue.
public class Flow { public static int data1=-1; public static int flow1(int count){ data1++; if(count<1){ count++; } return count; } public static int flow2(int count){ count=count+data1; if(count<2){ count++; } return count; }
}
Source: flow1 Sink: flow2 Entry: entryMethod data1 is modified by flow1. data1 is used by flow2. Flowdroid does not support taint analysis for class field? or I need add more rule for taint analysis? Please help me figure out this problem. thanks.