像其他静态分析工具(如Checker Framework)一样,“查找安全错误”是否允许通过注释定义敏感的源和接收器?现在,我只能看到在配置文件中定义的源/接收器,例如:https://github.com/find-sec-bugs/find-sec-bugs/blob/99814871f33ca0484b975f2fe51bae2bc1bcf40a/plugin/src/main/resources/taint-config/taint-sensitive-data.txt
Checker框架具有@Tainted和@Untainted批注,可以在整个代码(https://checkerframework.org/manual/#tainting-many-uses)中通用使用
您还可以创建自定义注释,文档显示了如何将其应用于信息泄漏案例(https://checkerframework.org/manual/#subtyping-example)
package myPackage.qual;
import java.lang.annotation.ElementType;
import java.lang.annotation.Target;
/**
* Denotes that the representation of an object is encrypted.
*/
@SubtypeOf(PossiblyUnencrypted.class)
@ImplicitFor(literal={LiteralKind.NULL})
@DefaultFor({TypeUseLocation.LOWER_BOUND})
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface Encrypted {}
package myPackage.qual;
import org.checkerframework.framework.qual.DefaultQualifierInHierarchy;
import org.checkerframework.framework.qual.SubtypeOf;
import java.lang.annotation.ElementType;
import java.lang.annotation.Target;
/**
* Denotes that the representation of an object might not be encrypted.
*/
@DefaultQualifierInHierarchy
@SubtypeOf({})
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface PossiblyUnencrypted {}
import myPackage.qual.Encrypted;
...
public @Encrypted String encrypt(String text) {
// ...
}
// Only send encrypted data!
public void sendOverInternet(@Encrypted String msg) {
// ...
}
void sendText() {
// ...
@Encrypted String ciphertext = encrypt(plaintext);
sendOverInternet(ciphertext);
// ...
}
void sendPassword() {
String password = getUserPassword();
sendOverInternet(password);
}
因此,它会吐出类似的内容:
YourProgram.java:42: incompatible types.
found : @myPackage.qual.PossiblyUnencrypted java.lang.String
required: @myPackage.qual.Encrypted java.lang.String
sendOverInternet(password);
“查找安全错误”中是否有类似内容?谢谢!