Missing detection of JdbcRowSetImpl in Jackson config

[amlweems]

It looks like gadgetinspector fails to find com/sun/rowset/JdbcRowSetImpl.setAutoCommit (which is described in the marshalsec paper) due to the fact that the getDataSourceName is not explicitly defined in JdbcRowSetImpl, but is inherited from javax/sql/rowset/BaseRowSet (which is hinted at in the inheritance map).

One other issue is that setAutoCommit accepts a boolean (instead of an L value) and should taint the first argument rather than the return value. This will fail the following check in JacksonSourceDiscovery.java:

if (method.getName().startsWith("set") && method.getDesc().matches("\\(L[^;]*;\\)V")) {
    addDiscoveredSource(new Source(method, 0));
}

I think the issue can be resolved by tainting and tracking inherited methods when creating the callgraph AND by updating JacksonSourceDiscovery.java to include the following check:

if (method.getName().startsWith("set") && Type.getArgumentTypes(method.getDesc()).length == 1) {
    addDiscoveredSource(new Source(method, 1));
}

Apologies if I'm misunderstanding something. I'm super excited about this tool and I'm interested to learn more about the inner workings.