[Javasrc2cpg] When a line of code uses string concatenation, the taint analysis results of this line of code lose some details.
Describe the bug
```java
s = s.substring(0) + "a";
```
The above is a line of Java code, which evidently contains two method calls: string concatenation and the substring method.
However, in the paths obtained through taint analysis, there is only a single call recorded.
After debugging, it was discovered that the call for string concatenation was retained, while the call to the substring method was not included in the traced path.
I originally thought that Joern wouldn't handle cases where there are multiple function calls in a single line of code, but in reality, Joern is able to handle the following code correctly.
```java
s = s.substring(0).substring(0); // handled correctly
```
Then I tested the following code and found that Joern still loses some information, so I suspect this might be due to the string concatenation operation.
```java
s = s + "a" + "b"; // handled incorrectly
```
To Reproduce
A.java
```java
public class A {
    public static void main(String[] args) {
        String s = source();
        s = s.substring(0) + "a"; // this line
        sink(s);
    }

    public static String source() {
        return "abc";
    }

    public static String sink(String s) {
        String temp = s;
        return s;
    }
}
```
TaintAnalysis.scala
```scala
val source = cpg.call.name("source")
val sink = cpg.call.name("sink")
val paths = sink.reachableByFlows(source)
```
Expected behavior
The taint analysis can find two method calls on the line of code marked with the comment.
Desktop (please complete the following information):
- Joern Version : v2.0.311
- Java version : 17
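The following diagnostic query is an added example and is not part of the original report or of the Joern project's own code. It is meant to be pasted into the Joern interactive shell after `importCode("A.java")`, where the implicit data-flow engine context is already available. It assumes that javasrc2cpg represents string concatenation as a call named `<operator>.addition` (an assumption, not stated in the report). The query separates two possible causes of the missing call: the `substring` call not being in the CPG at all (a frontend problem) versus being present in the graph but skipped when the flow path is built (a data-flow engine problem).

```scala
// Added diagnostic for the report above; not part of the original issue.
// Run inside the Joern shell after importCode("A.java").
import io.joern.dataflowengineoss.language._

// 1. Is the substring call present in the CPG at all?
//    If this list is empty, the frontend dropped it, not the data-flow engine.
val substringCalls = cpg.call.name("substring").l
println(s"substring calls in CPG: " +
  substringCalls.map(c => (c.code, c.lineNumber)).mkString(", "))

// 2. Is substring nested as an argument of the concatenation operator?
//    Assumption: javasrc2cpg names string concatenation "<operator>.addition".
val concat = cpg.call.nameExact("<operator>.addition").l
concat.foreach { c =>
  println(s"line ${c.lineNumber}: ${c.code} -> args: ${c.argument.code.l.mkString(" | ")}")
}

// 3. Which CFG nodes does the traced flow actually pass through?
val source = cpg.call.name("source")
val sink   = cpg.call.name("sink")
val paths  = sink.reachableByFlows(source).l
paths.zipWithIndex.foreach { case (p, i) =>
  println(s"path $i:")
  p.elements.foreach(e => println(s"  line ${e.lineNumber.getOrElse(-1)}: ${e.code}"))
}

// 4. Summary check: does any element on any path mention substring?
//    true  -> the call is recorded on the path (expected behaviour)
//    false -> the call exists in the CPG (step 1) but is missing from the path
val substringOnPath = paths.exists(_.elements.exists(_.code.contains("substring")))
println(s"substring present on a flow path: $substringOnPath")
```

Comparing the output of step 1 with step 4 tells you whether the bug lives in the frontend or in the flow reconstruction; re-running the same script against `s = s.substring(0).substring(0);` (the case the report says is handled correctly) gives a baseline to compare path elements against.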