Added the feature

1. Adds the information of the TaintFlowPath to the result
2. Adds the information of number of source found (seed count)

Author: ranjithkris

de.fraunhofer.iem.secucheck.analysis.datastructures/src/main/java/de/fraunhofer/iem/secucheck/analysis/datastructures/TaintFlowPath.java

@@ -0,0 +1,52 @@
+package de.fraunhofer.iem.secucheck.analysis.datastructures;
+
+import java.util.List;
+
+/**
+ * TaintFlowPath
+ *
+ * @author Ranjith Krishnamurthy
+ */
+public interface TaintFlowPath {
+    /**
+     * Nodes value
+     *
+     * @return Nodes value
+     */
+    public Object getNodeValue();
+
+    /**
+     * List of children node
+     *
+     * @return Children node
+     */
+    public List<TaintFlowPath> getChildrenNodes();
+
+    /**
+     * Parent node
+     *
+     * @return Parent node
+     */
+    public TaintFlowPath getParentNode();
+
+    /**
+     * Is Root node otherwise false
+     *
+     * @return Root node or not
+     */
+    public boolean isRootNode();
+
+    /**
+     * Is sink node otherwise false
+     *
+     * @return Sink node or not
+     */
+    public boolean isNodeSink();
+
+    /**
+     * Is leaf node otherwise false
+     *
+     * @return Leaf node or not
+     */
+    public boolean isLeafNode();
+}

de.fraunhofer.iem.secucheck.analysis.implementation/src/main/java/de/fraunhofer/iem/secucheck/analysis/implementation/SingleFlowTaintAnalysis/BoomerangSolver/BoomerangSingleFlowAnalysis.java

@@ -14,6 +14,7 @@
 import de.fraunhofer.iem.secucheck.analysis.query.TaintFlow;
 import de.fraunhofer.iem.secucheck.analysis.query.TaintFlowImpl;
 import de.fraunhofer.iem.secucheck.analysis.result.LocationDetails;
+import de.fraunhofer.iem.secucheck.analysis.result.SingleTaintFlowAnalysisResult;
 import de.fraunhofer.iem.secucheck.analysis.result.TaintFlowResult;
 import soot.PackManager;
 import soot.SceneTransformer;
@@ -55,7 +56,6 @@ public BoomerangSingleFlowAnalysis(TaintFlowImpl singleFlow, SecucheckAnalysisCo
      */
     @Override
     public TaintFlowResult run() throws Exception {
-
         String classPath = Utility.getCombinedSootClassPath(this.configuration.getOs(),
                 this.configuration.getApplicationClassPath(), this.configuration.getSootClassPathJars());
 
@@ -99,10 +99,10 @@ private void executeAnalysis() {
      * @param singleFlow Current single TaintFlow specification
      * @return List of Tainflow locations details for the current single TaintFlow specification
      */
-    public List<DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>>
+    public List<DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>>
     analyzePlainFlow(TaintFlowImpl singleFlow) {
 
-        List<DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>>
+        List<DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>>
                 reachMap = new ArrayList<>();
 
         // First get the seeds --- source ForwardQuery
@@ -111,6 +111,8 @@ private void executeAnalysis() {
 
         Set<ForwardQuery> source = computeSeeds(analysisScope);
 
+        result.setSeedCount(source.size());
+
         if (source.size() != 0) {   // If seeds found then run the SecucheckBoomerangDemandDrivenAnalysis
             reachMap.addAll(new SecucheckBoomerangDemandDrivenAnalysis(this.configuration).run(source, singleFlow));
         }

de.fraunhofer.iem.secucheck.analysis.implementation/src/main/java/de/fraunhofer/iem/secucheck/analysis/implementation/SingleFlowTaintAnalysis/BoomerangSolver/guided/BoomerangGPHandler.java

@@ -9,14 +9,13 @@
 import boomerang.scene.Statement;
 import boomerang.scene.Val;
 import de.fraunhofer.iem.secucheck.analysis.configuration.SecucheckAnalysisConfiguration;
+import de.fraunhofer.iem.secucheck.analysis.datastructures.DifferentTypedPair;
 import de.fraunhofer.iem.secucheck.analysis.implementation.SingleFlowTaintAnalysis.BoomerangSolver.Utility;
+import de.fraunhofer.iem.secucheck.analysis.implementation.SingleFlowTaintAnalysis.datastructure.BoomerangTaintFlowPath;
+import de.fraunhofer.iem.secucheck.analysis.implementation.SingleFlowTaintAnalysis.TaintFlowPathUtility;
 import de.fraunhofer.iem.secucheck.analysis.query.*;
-import soot.jimple.internal.JDynamicInvokeExpr;
 
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
+import java.util.*;
 
 /**
  * This is the Secucheck DemandDriven Manager for Boomerang
@@ -28,7 +27,7 @@ public class BoomerangGPHandler implements IDemandDrivenGuidedManager {
      * List of found sinks. Whenever SecucheckDemandDrivenManager finds a sink with a taintflow then it creates a
      * BackwardQuery and adds it to this list.
      */
-    private final ArrayList<BackwardQuery> foundSinks = new ArrayList<>();
+    private final ArrayList<DifferentTypedPair<BackwardQuery, BoomerangTaintFlowPath>> foundSinks = new ArrayList<>();
 
     /**
      * Current single TaintFlow specification, that the current analysis running for.
@@ -40,23 +39,27 @@ public class BoomerangGPHandler implements IDemandDrivenGuidedManager {
      */
     private final SecucheckAnalysisConfiguration secucheckAnalysisConfiguration;
 
+    private final BoomerangTaintFlowPath tempPath;
+
     /**
      * Constructor
      *
      * @param singleFlow                     Single TaintFlow specification
      * @param secucheckAnalysisConfiguration SecuchcekAnalysisConfiguration given by the client
      */
-    public BoomerangGPHandler(TaintFlowImpl singleFlow, SecucheckAnalysisConfiguration secucheckAnalysisConfiguration) {
+    public BoomerangGPHandler(TaintFlowImpl singleFlow, SecucheckAnalysisConfiguration secucheckAnalysisConfiguration, BoomerangTaintFlowPath initialPath) {
         this.singleFlow = singleFlow;
         this.secucheckAnalysisConfiguration = secucheckAnalysisConfiguration;
+        this.tempPath = initialPath;
+
     }
 
     /**
      * Getter for the list of found sinks
      *
      * @return List of found sinks
      */
-    public ArrayList<BackwardQuery> getFoundSinks() {
+    public ArrayList<DifferentTypedPair<BackwardQuery, BoomerangTaintFlowPath>> getFoundSinks() {
         return foundSinks;
     }
 
@@ -68,9 +71,7 @@ public ArrayList<BackwardQuery> getFoundSinks() {
      * @param dataFlowVal  Fact: dataFlowVal
      * @return True is there is a sink method call and TaintFlow exist.
      */
-    private boolean isSink(Statement statement, ControlFlowGraph.Edge dataFlowEdge, Val dataFlowVal) {
-        boolean isSinkFound = false;
-
+    private BackwardQuery isSink(Statement statement, ControlFlowGraph.Edge dataFlowEdge, Val dataFlowVal) {
         for (Method sinkMethod : singleFlow.getTo()) {
             String sinkSootSignature = Utility.wrapInAngularBrackets(sinkMethod.getSignature());
 
@@ -86,8 +87,7 @@ private boolean isSink(Statement statement, ControlFlowGraph.Edge dataFlowEdge,
                         int parameterIndex = input.getParamID();
                         if (statement.getInvokeExpr().getArgs().size() >= parameterIndex) {
                             if (statement.getInvokeExpr().getArg(parameterIndex).toString().equals(dataFlowVal.toString())) {
-                                foundSinks.add(BackwardQuery.make(dataFlowEdge, statement.getInvokeExpr().getArg(parameterIndex)));
-                                isSinkFound = true;
+                                return BackwardQuery.make(dataFlowEdge, statement.getInvokeExpr().getArg(parameterIndex));
                             }
                         }
                     }
@@ -97,15 +97,14 @@ private boolean isSink(Statement statement, ControlFlowGraph.Edge dataFlowEdge,
                 if (sinkMethod.isInputThis() &&
                         statement.getInvokeExpr().isInstanceInvokeExpr()) {
                     if (statement.getInvokeExpr().getBase().toString().equals(dataFlowVal.toString())) {
-                        foundSinks.add(BackwardQuery.make(dataFlowEdge, statement.getInvokeExpr().getBase()));
-                        isSinkFound = true;
+                        return BackwardQuery.make(dataFlowEdge, statement.getInvokeExpr().getBase());
                     }
                 }
             }
 
         }
 
-        return isSinkFound;
+        return null;
     }
 
     /**
@@ -244,17 +243,44 @@ public Collection<Query> onForwardFlow(ForwardQuery query, ControlFlowGraph.Edge
         Statement stmt = dataFlowEdge.getStart();
         ArrayList<Query> out = new ArrayList<Query>();
 
+        //TODO: check isPostProcessing enabled
+        BoomerangTaintFlowPath parentNode = (BoomerangTaintFlowPath) TaintFlowPathUtility.findNodeUsingDFS(tempPath, query);
+
         if (stmt.containsInvokeExpr()) {
-            if (isSink(stmt, dataFlowEdge, dataFlowVal)) {
+            BackwardQuery sinkQuery = isSink(stmt, dataFlowEdge, dataFlowVal);
+            if (sinkQuery != null) {
+                //TODO: check isPostProcessing enabled
+                BoomerangTaintFlowPath finalSinkNode = new BoomerangTaintFlowPath(
+                        sinkQuery, parentNode, false, true);
+                parentNode.addNewChild(finalSinkNode);
+                BoomerangTaintFlowPath singleTaintFlowPath = TaintFlowPathUtility.createSinglePathFromRootNode(finalSinkNode);
+                DifferentTypedPair<BackwardQuery, BoomerangTaintFlowPath> res = new DifferentTypedPair<>(sinkQuery, singleTaintFlowPath);
+                foundSinks.add(res);
                 return Collections.emptyList();
             }
 
-            out.addAll(isPropogator(singleFlow.getThrough(), stmt, dataFlowEdge, dataFlowVal));
+            Collection<Query> prop = isPropogator(singleFlow.getThrough(), stmt, dataFlowEdge, dataFlowVal);
+
+            for (Query propQuery : prop) {
+                //TODO: check isPostProcessing enabled
+                BoomerangTaintFlowPath finalSinkNode = new BoomerangTaintFlowPath(
+                        propQuery, parentNode, false, false);
+                parentNode.addNewChild(finalSinkNode);
+                out.add(propQuery);
+            }
 
             if (out.size() > 0)
                 return out;
 
-            out.addAll(isPropogator(secucheckAnalysisConfiguration.getAnalysisGeneralPropagators(), stmt, dataFlowEdge, dataFlowVal));
+            Collection<Query> generalProp = isPropogator(secucheckAnalysisConfiguration.getAnalysisGeneralPropagators(), stmt, dataFlowEdge, dataFlowVal);
+
+            for (Query generalPropQuery : generalProp) {
+                //TODO: check isPostProcessing enabled
+                BoomerangTaintFlowPath finalSinkNode = new BoomerangTaintFlowPath(
+                        generalPropQuery, parentNode, false, false);
+                parentNode.addNewChild(finalSinkNode);
+                out.add(generalPropQuery);
+            }
         }
 
         return out;

de.fraunhofer.iem.secucheck.analysis.implementation/src/main/java/de/fraunhofer/iem/secucheck/analysis/implementation/SingleFlowTaintAnalysis/BoomerangSolver/guided/SecucheckBoomerangDemandDrivenAnalysis.java

@@ -1,5 +1,6 @@
 package de.fraunhofer.iem.secucheck.analysis.implementation.SingleFlowTaintAnalysis.BoomerangSolver.guided;
 
+import boomerang.BackwardQuery;
 import boomerang.ForwardQuery;
 import boomerang.Query;
 import boomerang.QueryGraph;
@@ -9,9 +10,12 @@
 import de.fraunhofer.iem.secucheck.analysis.datastructures.SameTypedPair;
 import de.fraunhofer.iem.secucheck.analysis.implementation.SingleFlowTaintAnalysis.BoomerangSolver.Utility;
 import de.fraunhofer.iem.secucheck.analysis.datastructures.DifferentTypedPair;
+import de.fraunhofer.iem.secucheck.analysis.implementation.SingleFlowTaintAnalysis.datastructure.BoomerangTaintFlowPath;
+import de.fraunhofer.iem.secucheck.analysis.implementation.SingleFlowTaintAnalysis.TaintFlowPathUtility;
 import de.fraunhofer.iem.secucheck.analysis.query.TaintFlowImpl;
 import de.fraunhofer.iem.secucheck.analysis.result.LocationDetails;
 import de.fraunhofer.iem.secucheck.analysis.result.LocationType;
+import de.fraunhofer.iem.secucheck.analysis.result.SingleTaintFlowAnalysisResult;
 import soot.SootMethod;
 import soot.jimple.IdentityStmt;
 import soot.jimple.ParameterRef;
@@ -39,12 +43,14 @@ public SecucheckBoomerangDemandDrivenAnalysis(SecucheckAnalysisConfiguration sec
      * @param singleFlow Current single TaintFlow specification---looking for this TaintFlow
      * @return Returns the result for the single given TaintFlow-specification ( There may be more than one TaintFlow in the result)
      */
-    public List<DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>> run(Set<ForwardQuery> sources, TaintFlowImpl singleFlow) {
+    public List<DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>> run(Set<ForwardQuery> sources, TaintFlowImpl singleFlow) {
 
-        List<DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>> reachMap = new ArrayList<>();
+        List<DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>> reachMap = new ArrayList<>();
 
         for (ForwardQuery source : sources) {
-            BoomerangGPHandler boomerangGPHandler = new BoomerangGPHandler(singleFlow, this.secucheckAnalysisConfiguration);
+            BoomerangTaintFlowPath boomerangTaintFlowPath = new BoomerangTaintFlowPath(
+                    source, null, true, false);
+            BoomerangGPHandler boomerangGPHandler = new BoomerangGPHandler(singleFlow, this.secucheckAnalysisConfiguration, boomerangTaintFlowPath);
             SecucheckDefaultBoomerangOptions secucheckDefaultBoomerangOptions = new SecucheckDefaultBoomerangOptions(singleFlow);
             CustomDataFlowScope customDataFlowScope = new CustomDataFlowScope(singleFlow, this.secucheckAnalysisConfiguration);
 
@@ -55,8 +61,14 @@ public List<DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>> r
 
             QueryGraph<Weight.NoWeight> queryGraph = demandDrivenGuidedAnalysis.run(source);
 
-            for (Query sink : boomerangGPHandler.getFoundSinks()) {
-                reachMap.add(new DifferentTypedPair<>(singleFlow, getLocationDetailsPair(source, sink)));
+            for (DifferentTypedPair<BackwardQuery, BoomerangTaintFlowPath> sinkNode : boomerangGPHandler.getFoundSinks()) {
+                BackwardQuery sink = sinkNode.getFirst();
+                TaintFlowPathUtility.print(sinkNode.getSecond());
+                SingleTaintFlowAnalysisResult res = new SingleTaintFlowAnalysisResult(
+                        new DifferentTypedPair<>(singleFlow, getLocationDetailsPair(source, sink)),
+                        sinkNode.getSecond()
+                );
+                reachMap.add(new DifferentTypedPair<>(singleFlow, res));
             }
         }
 

de.fraunhofer.iem.secucheck.analysis.implementation/src/main/java/de/fraunhofer/iem/secucheck/analysis/implementation/SingleFlowTaintAnalysis/FlowDroidSolver/FlowDroidSingleFlowAnalysis.java

@@ -8,6 +8,7 @@
 import de.fraunhofer.iem.secucheck.analysis.query.*;
 import de.fraunhofer.iem.secucheck.analysis.result.LocationDetails;
 import de.fraunhofer.iem.secucheck.analysis.result.LocationType;
+import de.fraunhofer.iem.secucheck.analysis.result.SingleTaintFlowAnalysisResult;
 import de.fraunhofer.iem.secucheck.analysis.result.TaintFlowResult;
 import soot.*;
 import soot.jimple.JimpleBody;
@@ -127,11 +128,11 @@ public TaintFlowResult run() throws Exception {
      * @param configuration     SecuCheck configuration
      * @return Result
      */
-    public List<DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>>
+    public List<DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>>
     analyzePlainFlow(TaintFlowImpl singleFlow, Infoflow infoFlow,
                      DefaultEntryPointCreator entryPointCreator, SecucheckAnalysisConfiguration configuration) {
 
-        List<DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>>
+        List<DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>>
                 reachMap = new ArrayList<>();
 
         List<String> sources = getCanonicalMethodSignatures(singleFlow.getFrom());
@@ -153,7 +154,11 @@ public TaintFlowResult run() throws Exception {
             if (map.size() > 0) {
                 for (DataFlowResult dataFlowResult : map.getResultSet()) {
                     SameTypedPair<LocationDetails> locationPair = getLocationDetailsPair(singleFlow, dataFlowResult);
-                    reachMap.add(new DifferentTypedPair<>(singleFlow, locationPair));
+                    SingleTaintFlowAnalysisResult res = new SingleTaintFlowAnalysisResult(
+                            new DifferentTypedPair<>(singleFlow, locationPair),
+                            null
+                    );
+                    reachMap.add(new DifferentTypedPair<>(singleFlow, res));
                 }
             }
         }
@@ -172,7 +177,7 @@ public TaintFlowResult run() throws Exception {
      * @param configuration     SecuCheck configuration
      * @return Result
      */
-    public List<DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>>
+    public List<DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>>
     analyzePropogatorFlow(TaintFlowImpl singleFlow, Infoflow infoFlow,
                           DefaultEntryPointCreator entryPointCreator, SecucheckAnalysisConfiguration configuration) {
 
@@ -194,25 +199,27 @@ public TaintFlowResult run() throws Exception {
 
         newQuery2.getTo().addAll(singleFlow.getTo());
 
-        List<DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>>
+        List<DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>>
                 originalReachMap = new ArrayList<>(),
                 reachMap1 = analyzePlainFlow(newQuery1, infoFlow, entryPointCreator, configuration),
                 reachMap2 = analyzePlainFlow(newQuery2, infoFlow, entryPointCreator, configuration);
 
         if (reachMap1.size() != 0 && reachMap2.size() != 0) {
-            for (DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>
+            for (DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>
                     sourcePair : reachMap1) {
 
-                for (DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>
+                for (DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>
                         sinkPair : reachMap2) {
 
-                    if (isSourceAndSinkMatching(sourcePair.getSecond(), sinkPair.getSecond())) {
+                    if (isSourceAndSinkMatching(sourcePair.getSecond().getLocationDetails().getSecond(),
+                            sinkPair.getSecond().getLocationDetails().getSecond())) {
                         SameTypedPair<LocationDetails> stichedPair =
-                                stitchSourceAndSink(sourcePair.getSecond(), sinkPair.getSecond());
+                                stitchSourceAndSink(sourcePair.getSecond().getLocationDetails().getSecond(),
+                                        sinkPair.getSecond().getLocationDetails().getSecond());
 
                         originalReachMap.add(new
-                                DifferentTypedPair<TaintFlowImpl, SameTypedPair<LocationDetails>>
-                                (singleFlow, stichedPair));
+                                DifferentTypedPair<TaintFlowImpl, SingleTaintFlowAnalysisResult>
+                                (singleFlow, new SingleTaintFlowAnalysisResult(new DifferentTypedPair<>(singleFlow, stichedPair), null)));
                     }
                 }