I doubt the slice result
The following source code is testing code.

    /* uses badsource and badsink */
    public void bad() throws Throwable
    {
        String data;
        /* FLAW: Set data to a hardcoded string */
        data = "7e5tc4s3";
        Connection connection = null;
        PreparedStatement preparedStatement = null;
        ResultSet resultSet = null;
        if (data != null)
        {
            try
            {
                /* POTENTIAL FLAW: data used as password in database connection */
                connection = DriverManager.getConnection("data-url", "root", data);
                preparedStatement = connection.prepareStatement("select * from test_table");
                resultSet = preparedStatement.executeQuery();
            }
            catch (SQLException exceptSql)
            {
                IO.logger.log(Level.WARNING, "Error with database connection", exceptSql);
            }
            finally
            {
                try
                {
                    if (resultSet != null)
                    {
                        resultSet.close();
                    }
                }
                catch (SQLException exceptSql)
                {
                    IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
                }
                try
                {
                    if (preparedStatement != null)
                    {
                        preparedStatement.close();
                    }
                }
                catch (SQLException exceptSql)
                {
                    IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
                }
                try
                {
                    if (connection != null)
                    {
                        connection.close();
                    }
                }
                catch (SQLException exceptSql)
                {
                    IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
                }
            }
        }
    }

I want to do a slice for the source code 'connection = DriverManager.getConnection("data-url", "root", data);'. After getting the seed statement, I try backwardSlice to do the slice. However, the slicer result has only the seed statement itself. I expect a slice result like:

    connection = DriverManager.getConnection("data-url", "root", data);
    preparedStatement = connection.prepareStatement("select * from test_table");
    resultSet = preparedStatement.executeQuery();

So how can I get a more pretty result?
I wonder whether my way to slice is incorrect or the result is exactly like this.
Can you give me some advice, if convenient?
From your expected result, it seems you want to do a forward slice from your seed statement, to see what else depends on it. Did you try that?
I tried it just now. The final slice result only contains the statement ‘ResultSet resultSet = null;’. This is the slice result I get:
NORMAL bad:11 = invokestatic < Application, Ljava/sql/DriverManager, getConnection(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/sql/Connection; > 8,9,7 @31 exception:10 Node: < Application, Ltestcases/CWE259_Hard_Coded_Password/CWE259_Hard_Coded_Password__driverManager_05, bad()V > Context: Everywhere
I map the statement location to the source code line number according to the slice result and then get the statement ‘ResultSet resultSet = null;’.
@161250029 my guess is that your pointer analysis is very incomplete. In particular, if the points-to set for connection is empty, you might see issues like this. This will depend on whether WALA sees any call targets for DriverManager.getConnection. Maybe you can check the call graph.
Thank you for your advice. Since the generation of the call graph depends on the entry points, I understand you mean that I need to make the entry points more complete. If what I understand is correct, can you give me an example of how to make the entry points more complete?
I would first check the call graph and confirm it’s an issue. Did you do that? Here is some documentation on entry points:
https://github.com/wala/WALA/wiki/Pointer-Analysis#entry-points
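
One way to run the check suggested in the replies above, as an added example that is not part of the original thread and not WALA's own code: it reports whether the call graph has any target for the `getConnection` call site in `bad()` and whether the points-to set of the returned `Connection` is empty. The class name `GetConnectionCheck` is hypothetical, and `cg` and `pa` are assumed to come from the same call graph builder run that is passed to the slicer.

```java
import com.ibm.wala.classLoader.CallSiteReference;
import com.ibm.wala.ipa.callgraph.CGNode;
import com.ibm.wala.ipa.callgraph.CallGraph;
import com.ibm.wala.ipa.callgraph.propagation.InstanceKey;
import com.ibm.wala.ipa.callgraph.propagation.PointerAnalysis;
import com.ibm.wala.ipa.callgraph.propagation.PointerKey;
import com.ibm.wala.ssa.IR;
import com.ibm.wala.ssa.SSAAbstractInvokeInstruction;
import java.util.Iterator;

/** Hypothetical helper (added example): why does the slice stop at getConnection? */
public final class GetConnectionCheck {

  /** cg and pa are assumed to be the ones handed to the slicer. */
  public static void report(CallGraph cg, PointerAnalysis<InstanceKey> pa) {
    for (CGNode node : cg) {
      // Restrict to the method named in the slice output: ...driverManager_05, bad()V
      String owner = node.getMethod().getDeclaringClass().getName().toString();
      String name = node.getMethod().getName().toString();
      if (!owner.endsWith("driverManager_05") || !name.equals("bad")) {
        continue;
      }
      IR ir = node.getIR();
      if (ir == null) {
        continue; // some nodes have no IR
      }
      for (Iterator<CallSiteReference> it = node.iterateCallSites(); it.hasNext(); ) {
        CallSiteReference site = it.next();
        if (!site.getDeclaredTarget().getName().toString().equals("getConnection")) {
          continue;
        }
        // 1. Did the builder resolve any callee for this call site?
        int targets = cg.getPossibleTargets(node, site).size();
        System.out.println(site + " -> " + targets + " call target(s)");
        // 2. Is the points-to set of the call's result (the Connection) empty?
        for (SSAAbstractInvokeInstruction call : ir.getCalls(site)) {
          PointerKey ret = pa.getHeapModel().getPointerKeyForLocal(node, call.getDef());
          int size = pa.getPointsToSet(ret).size();
          System.out.println("  v" + call.getDef() + " points-to set size: " + size);
        }
      }
    }
  }
}
```

If nothing is printed at all, `bad()` is not reachable from the chosen entry points, which is the case the entry-point documentation linked above addresses.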