CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc

Taint Tracking for CodeSonar Java Warning Classes


Overview

Many dangerous software errors are due to the injection of untrusted data into sensitive routines, such as database queries, HTML output, or file system access. These attacks are generally known as injection attacks. The unifying aspect of these errors is that user input can flow, unconstrained, into sensitive routines.

CodeSonar finds potential injection attacks through a taint analysis that tracks paths of tainted data from source locations to sink locations.

We use the following terminology.

taint source
A point at which a tainted value can enter a program.
taint sink
A program point at which some kind of harm will be caused if a tainted value is used.
taint propagation
A program operation in which taint from an operand is transmitted to the result (or to other operands).
taint sanitizing (or cleansing)
A program operation in which taint is removed from one or more operands.
CodeSonar provides two mechanisms for identifying taint sources, sinks, and sanitizers.

For full details of these mechanisms, including lists of automatically recognized methods and details about user annotations, see the following pages.
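The terminology above, applied to one flow of the kind the Tainted XPath (JAVA.IO.TAINT.XPATH) warning class reports. This is an added example written for this page; it is not code from the CodeSonar manual or from the product. It uses only the JDK, so it runs offline against a constructed XML document embedded in the class. The class name TaintFlowDemo, the helper names, and the assumption that a command-line argument is untrusted input are choices made here: which APIs CodeSonar actually treats as taint sources and sinks is determined by its built-in method lists and by any user annotations, as described on the pages referenced above.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class TaintFlowDemo {
    // Constructed sample data standing in for an XML-backed user store.
    private static final String USERS_XML =
          "<users>"
        + "<user name='alice' role='admin'/>"
        + "<user name='bob' role='staff'/>"
        + "</users>";

    private static Document parseUsers() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Unrelated to taint, but no reason to accept DOCTYPEs for inline data.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(USERS_XML)));
    }

    // Vulnerable form: the tainted value is concatenated into the query text
    // (taint propagation) and the result reaches XPath.evaluate (taint sink).
    static int countUsersVulnerable(Document doc, String name) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        String expr = "/users/user[@name='" + name + "']";
        NodeList nl = (NodeList) xp.evaluate(expr, doc, XPathConstants.NODESET);
        return nl.getLength();
    }

    // Hardened form: the tainted value is bound as an XPath variable, so it is
    // compared as data and never parsed as part of the expression. The query
    // text reaching the sink is a constant, so no taint flows into it.
    static int countUsersSafe(Document doc, String name) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(q -> "name".equals(q.getLocalPart()) ? name : null);
        NodeList nl = (NodeList) xp.evaluate("/users/user[@name=$name]", doc, XPathConstants.NODESET);
        return nl.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseUsers();
        // Taint source (assumed untrusted here): a command-line argument. The
        // default is an injection payload so the difference is visible without arguments.
        String input = args.length > 0 ? args[0] : "' or '1'='1";
        System.out.println("vulnerable query matched " + countUsersVulnerable(doc, input) + " user(s)");
        System.out.println("safe query matched       " + countUsersSafe(doc, input) + " user(s)");
    }
}
```

With the default payload the concatenated expression becomes /users/user[@name='' or '1'='1'], which is valid XPath and matches both users; the variable-bound query matches none, because the payload is compared literally against the name attribute. Binding through a variable resolver is the XPath analogue of a prepared statement, and it is what a taint analysis would have to recognize as sanitizing (or, more precisely, as keeping tainted data out of the expression text) for this sink.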

Warning Classes

Checks for the following CodeSonar Java warning classes make use of this taint analysis.

Android Message Injection (Java) JAVA.IO.INJ.ANDROID.MESSAGE
Android URL Injection (Java) JAVA.IO.INJ.ANDROID.URL
Tainted Network Address JAVA.IO.TAINT.ADDR
Code Injection JAVA.IO.INJ.CODE
Command Injection JAVA.IO.INJ.COMMAND
Tainted Control JAVA.IO.TAINT.CONTROL
DLL Injection JAVA.IO.INJ.DLL
DOS Injection JAVA.IO.INJ.DENIAL
Tainted Hardware Device Property JAVA.IO.TAINT.DEVICE
Tainted Expression Evaluation JAVA.IO.TAINT.EVAL
Tainted @Trusted Value JAVA.IO.TAINT.TRUSTED
Tainted HTTP Response JAVA.IO.TAINT.HTTP
Tainted LDAP Attribute JAVA.IO.TAINT.LDAP.ATTR
Tainted LDAP Filter JAVA.IO.TAINT.LDAP.FILTER
Tainted Log JAVA.IO.TAINT.LOG
Tainted Message JAVA.IO.TAINT.MESSAGE
Tainted Path JAVA.IO.TAINT.PATH
Reflection Injection JAVA.IO.TAINT.REFLECTION
Tainted Regular Expression JAVA.IO.TAINT.REGEX
Tainted Resource JAVA.IO.TAINT.RESOURCE
Tainted Session JAVA.IO.TAINT.SESSION
SQL Injection JAVA.IO.INJ.SQL
Tainted Bundle JAVA.IO.TAINT.BUNDLE
Tainted URL JAVA.IO.TAINT.URL
Tainted XAML JAVA.IO.TAINT.XAML
Tainted XML JAVA.IO.TAINT.XML
Tainted Xpath JAVA.IO.TAINT.XPATH
Cross Site Scripting JAVA.IO.INJ.XSS

Basic vs. Advanced Checking

When enabled, checks for the taint-related Java warning classes can be performed at either basic or advanced level.

Basic
This is generally quicker than the advanced setting, but is more likely to miss complex problems.
Advanced
The advanced-level checker performs a more sophisticated analysis and will generally produce fewer false negatives (that is, miss fewer real problems) than the basic setting. However, it also takes longer and generally produces more false positives.

The level of checking is controlled by the setting of configuration parameter JAVA_ANALYSIS_ADVANCED_INJECTION. Note that this controls the level of checking for all the warning classes listed.


To report problems with this documentation, please visit https://support.codesecure.com/.