diff --git a/infer/src/quandary/CppTaintAnalysis.ml b/infer/src/quandary/CppTaintAnalysis.ml
index 70baddfac..b73e77287 100644
--- a/infer/src/quandary/CppTaintAnalysis.ml
+++ b/infer/src/quandary/CppTaintAnalysis.ml
@@ -22,6 +22,6 @@ include
 | QuandarySummary.Cpp trace -> trace
 | _ -> assert false
- let handle_unknown_call _ _ _ =
+ let handle_unknown_call _ _ =
 []
 end)
diff --git a/infer/src/quandary/JavaTaintAnalysis.ml b/infer/src/quandary/JavaTaintAnalysis.ml
index 6becaad14..f219bebea 100644
--- a/infer/src/quandary/JavaTaintAnalysis.ml
+++ b/infer/src/quandary/JavaTaintAnalysis.ml
@@ -22,76 +22,21 @@ include
 | QuandarySummary.Java trace -> trace
 | _ -> assert false
- let make_nth_param_ap n pname ~propagate_all =
- let raw_ap =
- (* base of this access path is always ignored, so type/name don't matter *)
- AccessPath.of_pvar
- (Pvar.mk (Mangled.from_string ("fake_param" ^ string_of_int n)) pname) Typ.Tvoid in
- if propagate_all then AccessPath.Abstracted raw_ap else AccessPath.Exact raw_ap
-
- (* propagate the trace from the nth parameter of [site.pname] to the return value of
- [site.pname]. if [propagate_all] is true, all traces reachable from the parameter will
- be propagated as well (e.g., for foo(x), we'll also propagate the traces associated with x.f,
- x.f.g, and so on) *)
- let propagate_nth_to_return n site ret_typ ~propagate_all =
- let pname = CallSite.pname site in
- let nth_param_ap = make_nth_param_ap n pname ~propagate_all in
- let input = QuandarySummary.make_formal_input n nth_param_ap in
- let output =
- QuandarySummary.make_return_output
- (AccessPath.Exact (AccessPath.of_pvar (Pvar.get_ret_pvar pname) ret_typ)) in
- let footprint_source = Trace.Source.make_footprint nth_param_ap site in
- let footprint_trace = Trace.of_source footprint_source in
- QuandarySummary.make_in_out_summary input output (to_summary_trace footprint_trace)
-
- (* propagate the trace associated with non-receiver actual to the receiver actual. also useful
- for propagating taint from constructor actuals to the constructed object (which, like the
- receiver, is also the first argument) *)
- let propagate_to_receiver site actuals ~propagate_all =
- match actuals with
- | [] ->
- failwithf
- "Constructor %a has 0 actuals, which should never happen"
- Procname.pp (CallSite.pname site)
- | _ :: [] ->
- (* constructor has no actuals, nothing to propagate *)
- []
- | _ :: actuals ->
- let pname = CallSite.pname site in
- let constructor_ap = make_nth_param_ap 0 pname ~propagate_all in
- let output = QuandarySummary.make_formal_output 0 constructor_ap in
- let make_propagation_summary acc n _ =
- let n = n + 1 in (* skip the constructor actual *)
- let nth_param_ap = make_nth_param_ap n pname ~propagate_all in
- let input = QuandarySummary.make_formal_input n nth_param_ap in
- let footprint_source = Trace.Source.make_footprint nth_param_ap site in
- let footprint_trace = Trace.of_source footprint_source in
- let summary =
- QuandarySummary.make_in_out_summary input output (to_summary_trace footprint_trace) in
- summary :: acc in
- IList.fold_lefti make_propagation_summary [] actuals
-
- let propagate_actuals_to_return site ret_type actuals ~propagate_all =
- IList.mapi
- (fun actual_num _-> propagate_nth_to_return actual_num site ret_type ~propagate_all)
- actuals
-
- let handle_unknown_call site ret_typ_opt actuals =
- match CallSite.pname site with
+ let handle_unknown_call pname ret_typ_opt =
+ match pname with
 | (Procname.Java java_pname) as pname -> begin match Procname.java_get_class_name java_pname, Procname.java_get_method java_pname, ret_typ_opt with
 | _ when Procname.is_constructor pname ->
- propagate_to_receiver site actuals ~propagate_all:true
+ [TaintSpec.Propagate_to_receiver]
 | ("java.lang.StringBuffer" | "java.lang.StringBuilder" | "java.util.Formatter"), _,
- Some ret_typ
+ Some _
 when not (Procname.java_is_static pname) ->
- (propagate_actuals_to_return site ret_typ actuals ~propagate_all:true) @
- (propagate_to_receiver site actuals ~propagate_all:true)
- | _, _, Some ret_typ ->
- propagate_actuals_to_return site ret_typ actuals ~propagate_all:true
+ [TaintSpec.Propagate_to_receiver; TaintSpec.Propagate_to_return]
+ | _, _, Some _ ->
+ [TaintSpec.Propagate_to_return]
 | _ -> [] end
diff --git a/infer/src/quandary/TaintAnalysis.ml b/infer/src/quandary/TaintAnalysis.ml
index 5c8e5401c..0cbe7445f 100644
--- a/infer/src/quandary/TaintAnalysis.ml
+++ b/infer/src/quandary/TaintAnalysis.ml
@@ -29,9 +29,9 @@ module Summary = Summary.Make(struct
 summary_opt
 end)
-module Make (TaintSpec : TaintSpec.S) = struct
+module Make (TaintSpecification : TaintSpec.S) = struct
- module TraceDomain = TaintSpec.Trace
+ module TraceDomain = TaintSpecification.Trace
 module TaintDomain = AccessTree.Make (TraceDomain)
 module IdMapDomain = IdAccessPathMapDomain
@@ -118,11 +118,15 @@ module Make (TaintSpec : TaintSpec.S) = struct
 | None -> TraceDomain.initial
 (* get the node associated with [exp] in [access_tree] *)
- let exp_get_node exp typ { Domain.access_tree; id_map; } proc_data loc =
+ let exp_get_node ?(abstracted=false) exp typ { Domain.access_tree; id_map; } proc_data loc =
 let f_resolve_id = resolve_id id_map in
 match AccessPath.of_lhs_exp exp typ ~f_resolve_id with
- | Some access_path ->
- access_path_get_node (AccessPath.Exact access_path) access_tree proc_data loc
+ | Some raw_access_path ->
+ let access_path =
+ if abstracted
+ then AccessPath.Abstracted raw_access_path
+ else AccessPath.Exact raw_access_path in
+ access_path_get_node access_path access_tree proc_data loc
 | None ->
 (* can't make an access path from [exp] *)
 None
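Review bot: The new `handle_unknown_call` in JavaTaintAnalysis.ml has no comment stating its propagation policy, and the comments removed with the old helpers were the only place that policy was written down. A comment above the function should list the three cases visible here: constructors propagate their actuals to the constructed object; non-static methods of `java.lang.StringBuffer`, `java.lang.StringBuilder` and `java.util.Formatter` that return a value propagate to both receiver and return; any other unknown call with a return value propagates to the return only. It should also say that the final `| _ -> []` arm means an unknown non-constructor call without a return type propagates nothing, since that is the case a reader chasing a missed flow will need to know about. The match on `pname` may continue past the end of the hunk.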
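Review bot: The comment above `exp_get_node` in TaintAnalysis.ml still reads `(* get the node associated with [exp] in [access_tree] *)` and says nothing about the new `?abstracted` argument. I would extend it to `(* get the node associated with [exp] in [access_tree]. if [abstracted] is true, the lookup uses the Abstracted access path for [exp] rather than the Exact one *)`. Going by the comment this commit removes from JavaTaintAnalysis.ml, the abstracted form is presumably what brings in traces reachable below the path (x.f, x.f.g), and the default of `false` means a caller that omits the flag gets only the exact path.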
@@ -155,7 +159,7 @@ module Make (TaintSpec : TaintSpec.S) = struct
 match Summary.read_summary proc_data.tenv proc_data.pdesc pname with
 | Some summary ->
 let join_output_trace acc { QuandarySummary.output_trace; } =
- TraceDomain.join (TaintSpec.of_summary_trace output_trace) acc in
+ TraceDomain.join (TaintSpecification.of_summary_trace output_trace) acc in
 IList.fold_left join_output_trace TraceDomain.initial summary
 | None -> TraceDomain.initial in
@@ -295,7 +299,7 @@ module Make (TaintSpec : TaintSpec.S) = struct
 Some (global_ap, global_trace) in
 match caller_ap_trace_opt with
 | Some (caller_ap, caller_trace) ->
- let output_trace = TaintSpec.of_summary_trace in_out_summary.output_trace in
+ let output_trace = TaintSpecification.of_summary_trace in_out_summary.output_trace in
 let appended_trace = TraceDomain.append in_trace output_trace callee_site in
 let joined_trace = TraceDomain.join caller_trace appended_trace in
 let filtered_trace = report_and_filter_trace joined_trace callee_site proc_data in
@@ -365,6 +369,45 @@ module Make (TaintSpec : TaintSpec.S) = struct
 astate
 | Sil.Call (ret, Const (Cfun called_pname), actuals, callee_loc, call_flags) ->
+
+ let handle_unknown_call callee_pname astate =
+ let exp_join_traces trace_acc (exp, typ) =
+ match exp_get_node ~abstracted:true exp typ astate proc_data callee_loc with
+ | Some (trace, _) -> TraceDomain.join trace trace_acc
+ | None -> trace_acc in
+ let propagate_to_access_path access_path actuals (astate : Domain.astate) =
+ let trace_with_propagation =
+ IList.fold_left exp_join_traces TraceDomain.initial actuals in
+ let access_tree =
+ TaintDomain.add_trace access_path trace_with_propagation astate.access_tree in
+ { astate with access_tree; } in
+ let handle_unknown_call_ astate_acc propagation =
+ match propagation, actuals, ret with
+ | _, [], _ ->
+ astate_acc
+ | TaintSpec.Propagate_to_return, actuals, Some (ret_id, ret_typ) ->
+ let ret_ap = AccessPath.Exact (AccessPath.of_id ret_id ret_typ) in
+ propagate_to_access_path ret_ap actuals astate_acc
+ | TaintSpec.Propagate_to_receiver,
+ (receiver_exp, receiver_typ) :: (_ :: _ as other_actuals),
+ _ ->
+ let receiver_ap =
+ match AccessPath.of_lhs_exp receiver_exp receiver_typ ~f_resolve_id with
+ | Some ap ->
+ AccessPath.Exact ap
+ | None ->
+ failwithf
+ "Receiver for called procedure %a does not have an access path"
+ Procname.pp
+ callee_pname in
+ propagate_to_access_path receiver_ap other_actuals astate_acc
+ | _ ->
+ astate_acc in
+
+ let propagations =
+ TaintSpecification.handle_unknown_call callee_pname (Option.map snd ret) in
+ IList.fold_left handle_unknown_call_ astate propagations in
+
 let analyze_call astate_acc callee_pname =
 let call_site = CallSite.make callee_pname callee_loc in
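Review bot: In `propagate_to_access_path` the fold starts from `TraceDomain.initial`, and the `Propagate_to_receiver` arm runs it over `other_actuals` only, so the trace written to `receiver_ap` never includes what the receiver already carried. Whether that earlier taint survives depends on `TaintDomain.add_trace`, which is not visible here: if it replaces the trace at an `AccessPath.Exact` path instead of joining, a later `sb.append(clean)` would erase the taint recorded by an earlier `sb.append(tainted)` and the flow to a sink would go unreported. Seeding the fold with the current trace removes that dependency, e.g. `let initial = match access_path_get_node access_path astate.access_tree proc_data callee_loc with Some (trace, _) -> trace | None -> TraceDomain.initial in`, assuming `access_path_get_node` is suitable for a plain read. Separately, the `failwithf` for a receiver without an access path aborts the analysis where returning `astate_acc` would only skip that one propagation. The enclosing `Sil.Call` arm starts and ends outside the hunk.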
@@ -391,11 +434,11 @@ module Make (TaintSpec : TaintSpec.S) = struct
 (* don't use a summary for a procedure that is a direct source or sink *)
 astate_with_source
 else
- let summary =
- match Summary.read_summary proc_data.tenv proc_data.pdesc callee_pname with
- | Some summary -> summary
- | None -> TaintSpec.handle_unknown_call call_site (Option.map snd ret) actuals in
- apply_summary ret actuals summary astate_with_source proc_data call_site in
+ match Summary.read_summary proc_data.tenv proc_data.pdesc callee_pname with
+ | Some summary ->
+ apply_summary ret actuals summary astate_with_source proc_data call_site
+ | None ->
+ handle_unknown_call callee_pname astate_with_source in
 Domain.join astate_acc astate_with_summary in
@@ -443,7 +486,7 @@ module Make (TaintSpec : TaintSpec.S) = struct
 | Var.ProgramVar pvar -> Pvar.is_return pvar
 | Var.LogicalVar _ -> false in
 let add_summaries_for_trace summary_acc access_path trace =
- let summary_trace = TaintSpec.to_summary_trace trace in
+ let summary_trace = TaintSpecification.to_summary_trace trace in
 let output_opt =
 let base, accesses = AccessPath.extract access_path in
 match AccessPath.BaseMap.find base formal_map with
diff --git a/infer/src/quandary/TaintSpec.ml b/infer/src/quandary/TaintSpec.ml
index f82e38093..09ef6d576 100644
--- a/infer/src/quandary/TaintSpec.ml
+++ b/infer/src/quandary/TaintSpec.ml
@@ -10,12 +10,16 @@
 (** combination of a trace with functions for handling unknown code and converting to and from summaries *)
+type handle_unknown =
+ | Propagate_to_return
+ | Propagate_to_receiver
+
 module type S = sig
 module Trace : Trace.S
 (** return a summary for handling an unknown call at the given site with the given return type and actuals *)
- val handle_unknown_call : CallSite.t -> Typ.t option -> (Exp.t * Typ.t) list -> QuandarySummary.t
+ val handle_unknown_call : Procname.t -> Typ.t option -> handle_unknown list
 (** convert a trace type into a summary trace. can be killed if we functorize specs.ml *)
 val to_summary_trace : Trace.t -> QuandarySummary.summary_trace
diff --git a/infer/src/unit/TaintTests.ml b/infer/src/unit/TaintTests.ml
index 7843937ab..cb789f734 100644
--- a/infer/src/unit/TaintTests.ml
+++ b/infer/src/unit/TaintTests.ml
@@ -67,7 +67,7 @@ module MockTaintAnalysis = TaintAnalysis.Make(struct
 let of_summary_trace _ = assert false
 let to_summary_trace _ = assert false
- let handle_unknown_call _ _ _ = []
+ let handle_unknown_call _ _ = []
 end)
 module TestInterpreter = AnalyzerTester.Make
diff --git a/infer/tests/codetoanalyze/java/quandary/issues.exp b/infer/tests/codetoanalyze/java/quandary/issues.exp
index 133b38784..6cf65f358 100644
--- a/infer/tests/codetoanalyze/java/quandary/issues.exp
+++ b/infer/tests/codetoanalyze/java/quandary/issues.exp
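Review bot: The doc comment kept above `val handle_unknown_call` in TaintSpec.ml is now stale: it still describes a summary built from a call site and actuals, while the new signature takes a `Procname.t` and a return type and yields a `handle_unknown list`. Suggested wording: `(** return the propagations to apply for an unknown call to the given procedure with the given return type. an empty list means nothing is propagated *)`. The new `handle_unknown` type is also undocumented; a one-line comment per constructor saying which actuals feed which destination (all actuals to the return value, non-receiver actuals to the receiver, as TaintAnalysis.ml implements them in this commit) would tell spec authors what each choice does to taint tracking.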
@@ -105,54 +105,54 @@ codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSou codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.returnSourceViaParameter2Bad(Interprocedural$Obj,Interprocedural$Obj), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through void Interprocedural.returnSourceViaParameter2(Interprocedural$Obj,Interprocedural$Obj),call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.setGlobalThenCallSinkBad(), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through void Interprocedural.setGlobal(Object),call to void Interprocedural.callSinkOnGlobal(),call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Interprocedural.java, void Interprocedural.singlePassthroughBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Object Interprocedural.id(Object),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] 
-codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),flow 
through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.e(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to 
int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, 
QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String 
String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.println(int,String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void 
LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow 
through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.w(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] 
-codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),flow through String 
String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] -codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),flow through String String.valueOf(double),flow through String String.valueOf(float),flow through String String.valueOf(double),flow through String String.valueOf(double),flow through String String.valueOf(float),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String 
TelephonyManager.getSimSerialNumber(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 36, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),call to int Log.e(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void 
LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 37, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),call to int Log.println(int,String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, 
QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),call to int Log.w(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),call to int Log.w(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),call to int Log.w(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),call to int Log.w(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),call to int Log.w(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),call to int Log.w(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),call to int Log.w(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),call to int Log.w(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),call to int Log.w(String,String)] 
+codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 38, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),call to int Log.w(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSubscriberId(),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getSimSerialNumber(),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getLongitude(),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getDeviceId(),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getAltitude(),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from double Location.getLatitude(),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getVoiceMailNumber(),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void 
LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from float Location.getBearing(),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from String TelephonyManager.getLine1Number(),call to int Log.wtf(String,String)] +codetoanalyze/java/quandary/LoggingPrivateData.java, void LoggingPrivateData.logAllSourcesBad(Location,TelephonyManager), 39, QUANDARY_TAINT_ERROR, [return from float Location.getSpeed(),call to int Log.wtf(String,String)] codetoanalyze/java/quandary/Recursion.java, void Recursion.callSinkThenDivergeBad(), 1, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Recursion.callSinkThenDiverge(Object),call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Recursion.java, void Recursion.recursionBad(int,Object), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Recursion.recursionBad(int,Object),call to void InferTaint.inferSensitiveSink(Object)] codetoanalyze/java/quandary/Recursion.java, void Recursion.safeRecursionCallSinkBad(), 1, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void Recursion.safeRecursionCallSink(int,Object),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Formatter Formatter.format(String,java.lang.Object[]),flow through String Formatter.toString(),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through Formatter Formatter.format(String,java.lang.Object[]),flow through String 
Formatter.toString(),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuffer StringBuffer.append(Object),flow through StringBuffer StringBuffer.append(String),flow through String StringBuffer.toString(),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuffer StringBuffer.append(Object),flow through String StringBuffer.toString(),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuilder StringBuilder.append(Object),flow through StringBuilder StringBuilder.append(String),flow through String StringBuilder.toString(),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderIgnoreReturnBad(), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuilder StringBuilder.append(Object),flow through String StringBuilder.toString(),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderSugarBad(), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through StringBuilder StringBuilder.append(Object),flow through StringBuilder StringBuilder.append(String),flow through String StringBuilder.toString(),call to void InferTaint.inferSensitiveSink(Object)] -codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),flow through 
String.(String),call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/Strings.java, void Strings.viaFormatterIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBufferIgnoreReturnBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderBad(), 3, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderIgnoreReturnBad(), 5, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/Strings.java, void Strings.viaStringBuilderSugarBad(), 2, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)] +codetoanalyze/java/quandary/UnknownCode.java, void UnknownCode.propagateViaUnknownConstructorBad(), 4, QUANDARY_TAINT_ERROR, [return from Object InferTaint.inferSecretSource(),call to void InferTaint.inferSensitiveSink(Object)]