
Write a package for data flow analysis #192

Closed
ccojocar opened this issue Mar 13, 2018 · 8 comments

Comments

@ccojocar
Member

Summary

Write a package which implements various primitives for data flow analysis. This package can be used by the rules to perform taint analysis, or other security checks.

godoctor/analysis already has some data flow analysis which can be built on as a starting point.

I will be very interested to get more suggestions from you. What do you think are the basic requirements?

cc @gcmurphy @coredefend

@wileystar
Contributor

wileystar commented Mar 13, 2018

Very excited to see this package in a discussion. Here are some basic requirements:

  • Check for the variable being modified before reaching the sink. A light check here would help rate the severity.
  • Once a vuln is identified, it might make sense to trace the path from the sink back to the source to validate the finding and thereby reduce the false positive rate.
  • Some parameter values might be constructed with a combination of a static string and user input. It might make sense to provide a feature that can identify this. For example, with file inclusion bugs, if the ../ sequence is appended to a hardcoded string (e.g., "test" + userInput -> "test../blah.txt"), there might be no vuln there.

I'll think more through this and provide some basic requirements.
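As an added illustration of the first and third requirements above (not code from gosec or from anyone in this thread), here is a minimal flow-sensitive taint check over the Go AST. It assumes a single source (`r.URL.Query().Get`) and sink (`os.Open`), straight-line code supplied as a function literal with the sink called as a statement, and a constructed sample handler; a constant string prefix lowers the severity instead of clearing the taint, and a later assignment to the same variable overwrites its taint.

```go
package main

import "go/ast"
import "go/parser"
import "go/types"
// Constructed sample handler (not gosec code): raw input, then a prefixed copy.
const sample = `func(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("f")
	os.Open(name)
	name = "logs/" + name
	os.Open(name)
}`
// taintOf yields "" (clean), "high" or "medium"; env maps locals to taint.
func taintOf(e ast.Expr, env map[string]string) string {
	switch x := e.(type) {
	case *ast.CallExpr: // the only taint source assumed in this example
		if types.ExprString(x.Fun) == "r.URL.Query().Get" {
			return "high"
		}
	case *ast.BinaryExpr: // "const" + input stays tainted at lower severity
		if sev := taintOf(x.Y, env); sev != "" {
			if _, lit := x.X.(*ast.BasicLit); lit {
				return "medium"
			}
			return sev
		}
		return taintOf(x.X, env)
	}
	return env[types.ExprString(e)] // identifiers: taint assigned so far
}

// Analyze walks statements in order (later assignments overwrite taint) and returns each os.Open call's severity.
func Analyze(src string) ([]string, error) {
	e, err := parser.ParseExpr(src)
	if err != nil {
		return nil, err
	}
	out, env := []string{}, map[string]string{}
	for _, st := range e.(*ast.FuncLit).Body.List {
		if s, ok := st.(*ast.AssignStmt); ok && len(s.Lhs) == 1 {
			env[types.ExprString(s.Lhs[0])] = taintOf(s.Rhs[0], env)
		}
		if s, ok := st.(*ast.ExprStmt); ok {
			if c, ok := s.X.(*ast.CallExpr); ok && types.ExprString(c.Fun) == "os.Open" {
				out = append(out, taintOf(c.Args[0], env))
			}
		}
	}
	return out, nil
}
```

Running `Analyze(sample)` yields `["high", "medium"]`: the first sink sees the raw query value, the second sees it behind a constant prefix.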

@dgryski

dgryski commented Mar 13, 2018

I think @dominikh has looked at data flow analysis for staticcheck.

@gcmurphy
Member

Think this makes a lot of sense and I've wanted to explore this for a while. We may be able to leverage some functionality from here as well:

"golang.org/x/tools/go/callgraph"
"golang.org/x/tools/go/loader"
"golang.org/x/tools/go/pointer"
"golang.org/x/tools/go/ssa"
"golang.org/x/tools/go/ssa/ssautil"

@ccojocar
Member Author

I believe that using the SSA representation in addition to the AST would make such an analysis achievable.
Some pointers:

@Jeeppler

Jeeppler commented Nov 25, 2021

SSA refers to: https://pkg.go.dev/golang.org/x/tools/go/ssa.

@yunwei37
Contributor

yunwei37 commented May 6, 2022

Hi! Is there anyone working on this issue now? If not, I'd like to contribute to this. Maybe I can start by improving the taint analysis using dataflow analysis with Go SSA?

@ccojocar
Member Author

ccojocar commented May 6, 2022

@yunwei37 Please feel free to work on this, this will be a really valuable contribution. If you have any questions, don't hesitate to raise them here. Thanks!

@ccojocar
Member Author

gosec now supports analysers and the SSA code representation.
