Find Sec Bugs 是否允许通过注释定义敏感的源和接收器,就像 Checker Framework 等其他静态分析工具一样?现在我只看到在配置文件中定义了源/接收器,如下所示:https ://github.com/find-sec-bugs/find-sec-bugs/blob/99814871f33ca0484b975f2fe51bae2bc1bcf40a/plugin/src/main/resources/taint-配置/污点敏感数据.txt
Checker 框架有一个 @Tainted 和 @Untainted 注释,可以在整个代码中通用(https://checkerframework.org/manual/#tainting-many-uses)
您还可以创建自定义注释,文档显示了如何将其应用于信息泄漏案例(https://checkerframework.org/manual/#subtyping-example)
package myPackage.qual;
import java.lang.annotation.ElementType;
import java.lang.annotation.Target;
/**
* Denotes that the representation of an object is encrypted.
*/
@SubtypeOf(PossiblyUnencrypted.class)
@ImplicitFor(literal={LiteralKind.NULL})
@DefaultFor({TypeUseLocation.LOWER_BOUND})
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface Encrypted {}
package myPackage.qual;
import org.checkerframework.framework.qual.DefaultQualifierInHierarchy;
import org.checkerframework.framework.qual.SubtypeOf;
import java.lang.annotation.ElementType;
import java.lang.annotation.Target;
/**
* Denotes that the representation of an object might not be encrypted.
*/
@DefaultQualifierInHierarchy
@SubtypeOf({})
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
public @interface PossiblyUnencrypted {}
import myPackage.qual.Encrypted;
...
public @Encrypted String encrypt(String text) {
// ...
}
// Only send encrypted data!
public void sendOverInternet(@Encrypted String msg) {
// ...
}
void sendText() {
// ...
@Encrypted String ciphertext = encrypt(plaintext);
sendOverInternet(ciphertext);
// ...
}
void sendPassword() {
String password = getUserPassword();
sendOverInternet(password);
}
结果它会吐出类似的东西:
YourProgram.java:42: incompatible types.
found : @myPackage.qual.PossiblyUnencrypted java.lang.String
required: @myPackage.qual.Encrypted java.lang.String
sendOverInternet(password);
Find Sec Bugs 中有类似的东西吗?谢谢!