Java codeql requires Precise data-flow for collections and Field-sensitive data-flow analysis capabilities #9597

@jn61129052


Like this issue: #3366

The Java CodeQL engine cannot model data flow through collections precisely. Example:

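class Demo
{
    private static final String PSFS = "1111";

    // Stand-in bean with two independent fields.
    static class Obj
    {
        private String a, b;
        void setA(String a) { this.a = a; }
        void setB(String b) { this.b = b; }
        String getA() { return a; }
        String getB() { return b; }
    }

    static void Sink(String s) { } // stand-in for a real sink

    void M1(String source) // source is the tainted input
    {
        Obj obj = new Obj();
        obj.setA(source);
        obj.setB(PSFS);
        Sink(obj.getA()); // vulnerable
        Sink(obj.getB()); // not vulnerable
    }
}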

CodeQL marked obj as tainted, not obj.A
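
The distinction the issue describes, as an added example that is not part of the original post and is not CodeQL code: a toy taint tracker run over a constructed model of `Demo.M1`, once tracking taint per object and once per field. The statement encoding, `PROGRAM`, `OVERWRITE` and `analyze` are assumptions made for illustration.

```python
# Constructed model of Demo.M1: (operation, receiver, field, value)
PROGRAM = [
    ("new",   "obj", None, None),
    ("store", "obj", "A",  "source"),  # obj.setA(source)
    ("store", "obj", "B",  "PSFS"),    # obj.setB(PSFS)
    ("sink",  "obj", "A",  None),      # Sink(obj.getA())
    ("sink",  "obj", "B",  None),      # Sink(obj.getB())
]

# Constructed edge case: the tainted field is overwritten before the sink.
OVERWRITE = [
    ("new",   "obj", None, None),
    ("store", "obj", "A",  "source"),
    ("store", "obj", "A",  "PSFS"),
    ("sink",  "obj", "A",  None),
]


def analyze(program, tainted_vars, field_sensitive):
    """Return the sinks ("obj.F") that a tainted value reaches.

    Field-insensitive mode keeps one taint bit per object, so a tainted
    store to any field taints every later read of that object.
    Field-sensitive mode keeps one bit per (object, field) access path
    and clears it again when a clean value is stored (strong update).
    """
    tainted = set(tainted_vars)
    findings = []
    for op, recv, field, value in program:
        key = (recv, field) if field_sensitive else recv
        if op == "new":
            # A fresh object starts clean in both modes.
            tainted = {t for t in tainted
                       if t != recv and not (isinstance(t, tuple) and t[0] == recv)}
        elif op == "store":
            if value in tainted:
                tainted.add(key)
            elif field_sensitive:
                tainted.discard(key)
        elif op == "sink" and key in tainted:
            findings.append(f"{recv}.{field}")
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        print("field_sensitive =", mode, analyze(PROGRAM, {"source"}, mode))
```

The field-insensitive run reports both sinks, which is the false positive on `obj.getB()` that the issue is about; the field-sensitive run reports only `obj.A`.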


Labels: question (Further information is requested)
