Usage of -analyzer-checker=alpha.security.taint.TaintPropagation:Config does not work #3921

Open
ShangzhiXu opened this issue May 23, 2023 · 1 comment
Assignees
Labels
analyzer 📈 Related to the analyze commands (analysis driver) CLI 💻 Related to the command-line interface, such as the cmd, store, etc. commands

Comments

@ShangzhiXu

Hi, sorry for bothering you. I ran into a problem: while I was trying to use taint analysis with my own source-sink YAML file, the following command line does not work:

```sh
CodeChecker analyze --analyzers clangsa -j16 xxx/compilation.json -e alpha.security.taint.TaintPropagation --checker-config 'clangsa:alpha.security.taint.TaintPropagation:Config=xxx/test/test_memcpy/config.yaml' --ctu --output ./reports
```

And here is my target file:

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void vulnerableFunction(char* input) {
  char buffer[10];
  strcpy(buffer, input); // Vulnerability: No bounds checking on the input
}

int main() {
  unsigned char inputString[200] = {};
  fgets(inputString, sizeof(inputString), stdin);
  vulnerableFunction(inputString);
  return 0;
}
```

And my config.yaml is:

```yaml
Filters:
Propagations:
  - Name: fgets
    DstArgs: [0]

Sinks:
  - Name: strcpy
    Args: [0]
```

An untrusted variable bug is supposed to be detected, but it turned out that there is no report :(

I followed the user guide:

```sh
CodeChecker analyze \
  -e alpha.security.taint.TaintPropagation \
  --checker-config 'clangsa:alpha.security.taint.TaintPropagation:Config=my-cutom-taint-config.yaml'
```

I'm not sure if it is because I made a mistake in my usage.
Really sorry for bothering you.

@bruntib
Contributor

bruntib commented Jun 21, 2023

Hi @ShangzhiXu,

Unfortunately, I'm not aware of the behavior of the TaintPropagation checker. But if I use sprintf() instead of strcpy() in the attached source code, then this checker emits a report for me. I'm not sure if not reporting on strcpy() is a false negative of the checker, or if I simply don't understand how the checker works. Perhaps someone from the Clang community could help us. But maybe you can continue the investigation of the config file's usage by changing sprintf() to strcpy().

I'm looking forward to hearing about your experiences with this example.
Thank you!

@whisperity whisperity changed the title Usage of ‘-analyzer-checker=alpha.security.taint.TaintPropagation:Config’ does not work Usage of -analyzer-checker=alpha.security.taint.TaintPropagation:Config does not work Oct 19, 2023
@whisperity whisperity added CLI 💻 Related to the command-line interface, such as the cmd, store, etc. commands analyzer 📈 Related to the analyze commands (analysis driver) labels Oct 19, 2023