| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
Taint sinks are program locations at which some kind of harm will be caused if a tainted value is used.
This section lists the methods that the CodeSonar Java analysis automatically recognizes as sinks, and explains how to specify additional methods that the analysis should treat as sinks.
CodeSonar will issue a warning when a value is produced by a taint source and reaches a taint sink without first passing through a suitable taint sanitizer. The warning class will depend on the kind of taint associated with the sink, as described in the table in the Specifying Additional Sinks section, below. For example, if a tainted value is passed into a parameter annotated as @UrlTrusted, CodeSonar will issue a Tainted URL (Java) warning.
If you have a sink that is not automatically recognized, you can instruct the CodeSonar analysis to treat it as a sink by annotating the corresponding parameter with one of the annotations from the following table.
| Parameter annotation | Indicates | Class of warning issued, if value is tainted |
|---|---|---|
| @com.juliasoft.julia.checkers.injection.AddressTrusted | Parameters passed to IP address factory methods such as Inet6Address.getByAddress(). | Tainted Network Address (Java) |
| @com.juliasoft.julia.checkers.injection.AttributeTrusted | Parameters passed as values of javax.naming.directory.BasicAttributes. | Tainted LDAP Attribute (Java) |
| @com.juliasoft.julia.checkers.injection.BoundaryTrusted | | Tainted Bundle (Java) |
| @com.juliasoft.julia.checkers.injection.CodeTrusted | Parameters passed to selected methods of javax.script.ScriptEngine objects. | Code Injection (Java) |
| @com.juliasoft.julia.checkers.injection.CommandTrusted | Parameters passed to command or process execution methods. | Command Injection (Java) |
| @com.juliasoft.julia.checkers.injection.ControlTrusted | Parameters passed as names of native libraries loaded at runtime. | Tainted Control (Java) |
| @com.juliasoft.julia.checkers.injection.CrossSiteTrusted | Parameters passed to the output stream of servlets. | Cross Site Scripting (Java) |
| @com.juliasoft.julia.checkers.injection.DenialTrusted | Parameters passed to methods that might induce an indefinite wait and consequently a denial of service, such as Thread.sleep(). | DOS Injection (Java) |
| @com.juliasoft.julia.checkers.injection.DeviceTrusted | | Tainted Hardware Device Property (Java) |
| @com.juliasoft.julia.checkers.injection.EvalTrusted | | Tainted Expression Evaluation (Java) |
| @com.juliasoft.julia.checkers.injection.FilterTrusted | Parameters passed as filters to javax.naming.directory.DirContext methods, which might induce unconstrained listing of files. | Tainted LDAP Filter (Java) |
| @com.juliasoft.julia.checkers.injection.HttpResponseImmediatelyTrusted | | |
| @com.juliasoft.julia.checkers.injection.HttpResponseTrusted | Parameters passed to the HTTP response object of servlets. | Tainted HTTP Response (Java) |
| @com.juliasoft.julia.checkers.injection.LogTrusted | Parameters passed to logging functions. | Tainted Log (Java) |
| @com.juliasoft.julia.checkers.injection.MessageTrusted | | Tainted Message (Java); Android Message Injection (Java) (only if data originated from an @UntrustedDevice source) |
| @com.juliasoft.julia.checkers.flows.OsTrusted | | |
| @com.juliasoft.julia.checkers.injection.PathTrusted | Parameters passed as names to file or file stream constructors. | Tainted Path (Java) |
| @com.juliasoft.julia.checkers.injection.ReflectionTrusted | Parameters passed to reflection methods. | Reflection Injection (Java) |
| @com.juliasoft.julia.checkers.injection.ResourceTrusted | Parameters passed to constructors, bind and connect methods of sockets. | Tainted Resource (Java) |
| @com.juliasoft.julia.checkers.injection.SessionTrusted | Parameters passed to value/attribute manipulation methods of servlet session objects. | Tainted Session (Java) |
| @com.juliasoft.julia.checkers.injection.SqlTrusted | Parameters passed to SQL database query methods. | SQL Injection (Java) |
| @com.juliasoft.julia.checkers.injection.Trusted | A generic location where untrusted data should not flow. | Tainted @Trusted Value (Java) |
| @com.juliasoft.julia.checkers.injection.UrlTrusted | Parameters passed as addresses to URL constructors or to Class.getResource(). | Tainted URL (Java); Android URL Injection (Java) (only if data originated from an @UntrustedDevice source) |
| @com.juliasoft.julia.checkers.injection.XPathTrusted | Parameters passed to XPath compilation and evaluation methods. | Tainted XPath (Java) |
For example, suppose we have a method issueMyQuery that constructs and submits an SQL query based on its String parameter. Such a method is vulnerable to SQL injection attacks, so we want to indicate that its parameter must not be tainted.

```java
String issueMyQuery(String instr) {
    // ...
}
```
Injection is possible if the parameter has SQL taint, so we annotate it with @SqlTrusted:

```java
String issueMyQuery(@SqlTrusted String instr) {
    // ...
}
```
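The following is an added illustration (not from the CodeSonar manual) of a custom sink declared with the @SqlTrusted annotation from the table above, together with a caller that keeps tainted input out of the annotated parameter and one that does not. The class, method and column names are invented for the example, and HttpServletRequest.getParameter() is assumed to be recognized as a taint source (this page does not list sources).

```java
import com.juliasoft.julia.checkers.injection.SqlTrusted;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;

// Hypothetical data-access helper; names are this example's own.
public class OrderDao {

    // Custom sink: the string becomes query text inside the JDBC driver,
    // which the analysis cannot follow, so the parameter is annotated
    // @SqlTrusted. A tainted argument here is reported as SQL Injection (Java).
    // The trailing binds are data, not query text, so they are left unannotated.
    static ResultSet runQuery(Connection c, @SqlTrusted String sql, String... binds)
            throws SQLException {
        PreparedStatement ps = c.prepareStatement(sql);
        for (int i = 0; i < binds.length; i++) {
            ps.setString(i + 1, binds[i]);
        }
        return ps.executeQuery();
    }

    // Caller that stays clean: the query text is a literal and the request
    // parameter (assumed taint source) only reaches a bind argument, so no
    // tainted value enters the @SqlTrusted parameter and no warning is issued.
    static ResultSet ordersForCustomer(Connection c, HttpServletRequest req)
            throws SQLException {
        String customer = req.getParameter("customer");
        return runQuery(c, "SELECT id FROM orders WHERE customer = ?", customer);
    }

    // Caller that concatenates the tainted value into the query text: the
    // tainted string reaches the @SqlTrusted parameter without passing through
    // a sanitizer, so CodeSonar reports SQL Injection (Java) at this call.
    static ResultSet ordersForCustomerUnsafe(Connection c, HttpServletRequest req)
            throws SQLException {
        String customer = req.getParameter("customer");
        return runQuery(c,
            "SELECT id FROM orders WHERE customer = '" + customer + "'");
    }
}
```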
The methods listed below are automatically recognized as taint sinks by CodeSonar. The relevant annotation from the table above is shown for each method. For example,
indicates that the value passed to this function must be trusted to construct a URL: either it does not originate from a taint source, or it has subsequently been sanitized by passing through a taint sanitizer that is also annotated with @UrlTrusted.
To report problems with this documentation, please visit https://support.codesecure.com/.