
v0.4.5-alpha Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Mar 3, 2025 License: Apache-2.0 Imports: 20 Imported by: 0



Package config provides a simple way to manage configuration files.

Use Load(filename) to load a configuration from a specific filename.

Use SetGlobalConfig(filename) to set filename as the global config, and then LoadGlobal() to load the global config.

A config file should be in yaml or json format. The top-level fields can be any of the fields defined in the Config struct type. The other fields are defined by the types of the fields of Config and nested struct types. For example, a valid config file is as follows: options:

log-level: 5



		    - package: fmt
	          method: Printf

		     - method: Read

Identifying code elements

The config uses CodeIdentifier to identify specific code entities. For example, sinks and sources are CodeIdentifiers which identifies specific functions in specific packages, or types, etc.. An important feature of the code identifiers is that the string specifications are seen as regexes if they can be compiled to regexes, otherwise they are strings.

Unsafe options

All the options that might affect the soundness of the results are prefixed by `unsafe-`, except for the configuration options where the user provides function summaries (where it is assumed the user have soundly summarized the functions).



View Source
const (
	// DefaultSafeMaxDepth is the default maximum call stack value that will be considered by the analyses using it
	// -1 means that depth limit is ignored
	DefaultSafeMaxDepth = -1
	// DefaultSafeMaxEntrypointContextSize sets a context depth value that is usually safe in terms of algorithm performance.
	DefaultSafeMaxEntrypointContextSize = 5
	// EscapeBehaviorSummarize specifies that the function should be summarized in the escape analysis
	EscapeBehaviorSummarize = "summarize"
	// EscapeBehaviorNoop specifies that the function is a noop in the escape analysis
	EscapeBehaviorNoop = "noop"
	// EscapeBehaviorUnknown specifies that the function is "unknown" in the escape analysis
	EscapeBehaviorUnknown = "unknown"

PkgLoadMode is the default loading mode in the analyses. We load all possible information

View Source
const TargetsAll = "all"

TargetsAll is the universal target


This section is empty.


func ExistsCid

func ExistsCid(a []CodeIdentifier, f func(identifier CodeIdentifier) bool) bool

ExistsCid is true if there is some x in a such that f(x) is true. O(len(a))

func IsValidSeverityStr

func IsValidSeverityStr(s string) bool

IsValidSeverityStr returns true is the string s is a valid severity strings

func LoadEscape

func LoadEscape(c *Config, escapeConfigBytes []byte) error

LoadEscape adds the escape configuration settings from escapeConfigBytes into c.

func OverrideWithAnalysisOptions

func OverrideWithAnalysisOptions(l *LogGroup, c *Config, o *AnalysisProblemOptions)

OverrideWithAnalysisOptions overwrites the options in the config with the non-default options in the analysis problem options. Overwriting is logged at info level.

func ParseXMLConfigFormat

func ParseXMLConfigFormat(c *Config, b []byte) error

ParseXMLConfigFormat parses the bytes as xml, expecting a drawio file representing a diagram of dataflow problems where the options of the config are specified in the metadata.

func SetGlobalConfig

func SetGlobalConfig(filename string)

SetGlobalConfig sets the global config filename

func SetOption

func SetOption(c *Config, name, value string) (string, error)

SetOption sets config option value using a string name for the option and a string value. Returns the value (as a string) of the previous setting, or an error. Settings that can be set using this function: - max-alarms - unsafe-max-depth - max-entrypoint-context-size

func TargetIncludes

func TargetIncludes(targets []string, sub string) bool

TargetIncludes returns true if the list of targets includes the targets or has the "all" target, or the target is empty (the program is passed through the command line)


type AnalysisProblemOptions

type AnalysisProblemOptions struct {
	// MaxAlarms sets a limit for the number of alarms reported by an analysis.  If MaxAlarms > 0, then at most
	// MaxAlarms will be reported. Otherwise, if MaxAlarms <= 0, it is ignored.
	// This setting does not affect soundness, since event with max-alarms:1, at least one path will be reported if
	// there is some potential alarm-causing result.
	MaxAlarms int `xml:"max-alarms,attr" yaml:"max-alarms" json:"max-alarms"`

	// UnsafeMaxDepth sets a limit for the number of function call depth explored during the analysis.
	// The default is -1, and any value less than 0 is safe: the analysis will be sound and explore call depth
	// without bounds.
	// Setting UnsafeMaxDepth to a limit larger than 0 will yield unsound results, but can be useful to use the tool
	// as a checking mechanism. Limiting the call depth will usually yield fewer false positives.
	UnsafeMaxDepth int `xml:"unsafe-max-depth,attr" yaml:"unsafe-max-depth" json:"unsafe-max-depth"`

	// MaxEntrypointContextSize sets the maximum context (call stack) size used when searching for entry points with context.
	// This only impacts precision of the returned results.
	// If MaxEntrypointContextSize is < 0, it is ignored.
	// If MaxEntrypointContextSize is 0 is specified by the user, the value is ignored, and a default internal value is used.
	// If MaxEntrypointContextSize is > 0, then the limit in the callstack size for the context is used.
	MaxEntrypointContextSize int `xml:"max-entrypoint-context-size,attr" yaml:"max-entrypoint-context-size" json:"max-entrypoint-context-size"`

AnalysisProblemOptions are the options that are specific to an analysis problem.

type CallingContext

type CallingContext struct {
	Package      string
	PackageRegex string `xml:"package-regex,attr" yaml:"package~" json:"package~"`
	Method       string
	MethodRegex  string `xml:"method-regex,attr" yaml:"method~" json:"method~"`
	// contains filtered or unexported fields

CallingContext matches a function/method that specifies the calling context of the target.

type CmdLineOverrides

type CmdLineOverrides struct {
	// LogLevel can be overridden (by setting -verbose for example)
	LogLevel int
	// ReportsDir can be overridden (by setting -out <out-folder>)
	ReportsDir string

CmdLineOverrides groups all the config file options that can be overridden by command line arguments.

type CodeIdentifier

type CodeIdentifier struct {
	// Context stores an additional string that can be used depending on context by analyses. Typically, one can use
	// Context to match the parent function name when matching a code identifier.
	Context string `xml:"context,attr"`

	// Package identifies the package of the code identifier.
	Package string `xml:"package,attr"` // in drawio input, package is an attribute

	// Interface identifies the interface name of the code identifier.
	Interface string `xml:"interface,attr"`

	// Package identifies the method/function of the code identifier. Method is used loosely here to mean function
	// or actual method
	Method string `xml:"method,attr"`

	// Receiver identified the receiver object of a method call
	Receiver string `xml:"receiver,attr"`

	// Field identifies a specific field
	Field string `xml:"field,attr"`

	// Type identifies a specific type, which can be used for example to identify allocation of a given type
	Type string `xml:"type,attr"`

	// Const identifies a named package-level constant.
	// The Package field must be set as well.
	Const string `xml:"const,attr"`

	// Label can be used to store user-defined information about the code identifier.
	Label string `xml:"label,attr"`

	// Kind can be used to give additional semantic meaning to the code identifier. For example, it can be used
	// to tag a code identifier as a specific "channel receive"
	Kind string `xml:"kind,attr"`

	// ValueMatch can be used to match specific calls to a function. This is useful to match specific calls to
	// formatting functions.
	ValueMatch string `xml:"value-match,attr" yaml:"value-match" json:"value-match"`

	// Target identifies a program value that the analysis should analyze as an
	// entrypoint.
	// It can be "narrowed" further if needed to match specific objects that are
	// part of the target.
	Target Target

	// Enclosing specifies the calling context of the target (only for method targets).
	Enclosing CallingContext
	// contains filtered or unexported fields

A CodeIdentifier identifies a code element that is a source, sink, sanitizer, etc.. A code identifier can be identified from its package, method, receiver, field or type, or any combination of those This is meant to replicate functionality in go-flow-levee and gokart, and can be extended as needed

func NewCodeIdentifier

func NewCodeIdentifier(cid CodeIdentifier) CodeIdentifier

NewCodeIdentifier properly intializes cid.

func (*CodeIdentifier) FullMethodName

func (cid *CodeIdentifier) FullMethodName() string

FullMethodName returns the fully qualified name of the code identifier.

func (*CodeIdentifier) MatchConst

func (cid *CodeIdentifier) MatchConst(c *ssa.NamedConst) bool

MatchConst matches a named package-level constant to a code identifier.

func (*CodeIdentifier) MatchInterface

func (cid *CodeIdentifier) MatchInterface(f *ssa.Function) bool

MatchInterface matches a function to a code identifier by looking whether that function implements an interface's method, and using that method information to match against the code identifier

func (*CodeIdentifier) MatchPackageAndMethod

func (cid *CodeIdentifier) MatchPackageAndMethod(f *ssa.Function) bool

MatchPackageAndMethod checks whether the function f matches the code identifier on the package and method fields. It is safe to call with nil values.

func (*CodeIdentifier) MatchPackageAndMethodWithCaller

func (cid *CodeIdentifier) MatchPackageAndMethodWithCaller(caller *ssa.Function, f *ssa.Function) bool

MatchPackageAndMethodWithCaller checks whether the function f matches the code identifier on the package and method fields and the context of the caller. It is safe to call with nil values.

func (*CodeIdentifier) MatchType

func (cid *CodeIdentifier) MatchType(typ types.Type) bool

MatchType checks whether the code identifier matches the type represented as a types.Type. It is safe to call with nil values.

type CondCheckSpec

type CondCheckSpec struct {
	// Tag is the identifier of the problem
	Tag string
	// Severity is the severity of the finding when some struct is not initialized properly
	Severity Severity
	// Description is a human-readable description of the problem
	Description string
	// Targets of this problem
	Targets []string
	// Call is the calls that need to be guarded
	Call []CodeIdentifier
	// Preconditions is the list of conditions that need to be satisfied before making a Call.
	// The Call is valid if one of the preconditions is valid on all control-flow paths to the Call.
	Preconditions []GuardSpec

CondCheckSpec is a specification for the precondition analysis. On top of the common fields (Tag, Severity, Description and Targets) it specifies a Call (the call that needs to ge guarded by a precondition) and the Preconditions.

func (CondCheckSpec) SpecSeverity

func (cc CondCheckSpec) SpecSeverity() Severity

SpecSeverity returns the precondition check specification's severity

func (CondCheckSpec) SpecTag

func (cc CondCheckSpec) SpecTag() string

SpecTag returns the precondition check specification's tag

func (CondCheckSpec) SpecTargets

func (cc CondCheckSpec) SpecTargets() []string

SpecTargets returns the precondition check specification's targets

type Config

type Config struct {

	// EscapeConfig contains the escape-analysis specific configuration parameters
	EscapeConfig *EscapeConfig

	// PointerConfig contains the pointer-analysis specific configuration parameters
	PointerConfig *PointerConfig `yaml:"pointer-config" json:"pointer-config"`

	// StaticCommandsProblems lists the static commands problems
	StaticCommandsProblems []StaticCommandsSpec `yaml:"static-commands-problems" json:"static-commands-problems"`

	SyntacticProblems SyntacticSpecs `yaml:"syntactic-problems" json:"syntactic-problems"`

	// DataflowProblems specifies the dataflow problems to solve in the config
	DataflowProblems `yaml:"dataflow-problems" json:"dataflow-problems"`

	// Targets specifies the set of targets that may be used in the config
	Targets []TargetSpec
	// contains filtered or unexported fields

Config contains lists of sanitizers, sinks, sources, static commands to identify ... To add elements to a config file, add fields to this struct. If some field is not defined in the config file, it will be empty/zero in the struct. private fields are not populated from a yaml file, but computed after initialization

func Load

func Load(filename string, configBytes []byte, cmdLineOverrides *CmdLineOverrides) (*Config, error)

Load constructs a configuration from a byte slice representing the config file.

func LoadFromFiles

func LoadFromFiles(configFileName string, overrides *CmdLineOverrides) (*Config, error)

LoadFromFiles loads a full config from configFileName and the config file's specified escape config file name, reading the files from disk. If the escape config file name is empty, there will be no escape configuration.

func LoadGlobal

func LoadGlobal(overrides *CmdLineOverrides) (*Config, error)

LoadGlobal loads the config file that has been set by SetGlobalConfig

func NewDefault

func NewDefault() *Config

NewDefault returns an empty default config.

func (Config) ExceedsMaxDepth

func (c Config) ExceedsMaxDepth(d int) bool

ExceedsMaxDepth returns true if the input exceeds the maximum depth parameter of the configuration. (this implements the logic for using maximum depth; if the configuration setting is < 0, then this returns false)

func (Config) GetSpecs

func (c Config) GetSpecs() []TaggedSpec

GetSpecs returns ALL the problems in the configuration that are tagged specs (i.e. have a tag, severity and targets).

func (Config) GetTargetMap

func (c Config) GetTargetMap() map[string]TargetInfo

GetTargetMap returns a map from target names to target files

func (Config) IsPathSensitiveFunc

func (c Config) IsPathSensitiveFunc(funcName string) bool

IsPathSensitiveFunc returns true if funcName matches any regex in c.Options.PathSensitiveFuncs.

func (Config) IsSomeBacktracePoint

func (c Config) IsSomeBacktracePoint(cid CodeIdentifier) bool

IsSomeBacktracePoint returns true if the code identifier matches any backtrace point in the slicing problems

func (Config) IsSomeSanitizer

func (c Config) IsSomeSanitizer(cid CodeIdentifier) bool

IsSomeSanitizer returns true if the code identifier matches any sanitizer in the config

func (Config) IsSomeSink

func (c Config) IsSomeSink(cid CodeIdentifier) bool

IsSomeSink returns true if the code identifier matches any sink in the config

func (Config) IsSomeSource

func (c Config) IsSomeSource(cid CodeIdentifier) bool

IsSomeSource returns true if the code identifier matches any source in the config

func (Config) IsSomeValidator

func (c Config) IsSomeValidator(cid CodeIdentifier) bool

IsSomeValidator returns true if the code identifier matches any validator in the config

func (Config) MatchCoverageFilter

func (c Config) MatchCoverageFilter(filename string) bool

MatchCoverageFilter returns true if the file name matches the coverageFilterRegex, if specified

func (Config) MatchPkgFilter

func (c Config) MatchPkgFilter(pkgname string) bool

MatchPkgFilter returns true if the package name pkgname matches the package filter set in the config file. If no package filter has been set in the config file, the regex will match anything and return true. This function safely considers the case where a filter has been specified by the user, but it could not be compiled to a regex. The safe case is to check whether the package filter string is a prefix of the pkgname

func (Config) RelPath

func (c Config) RelPath(filename string) string

RelPath returns the path of the filename path relative to the root

func (Config) ReportNoCalleeFile

func (c Config) ReportNoCalleeFile() string

ReportNoCalleeFile return the file name that will contain the list of locations that have no callee

func (Config) Root

func (c Config) Root() string

Root returns the absolute path to the root directory

func (Config) Validate

func (c Config) Validate() error

Validate validates the config and returns an error if there is some invalid setting

func (Config) Verbose

func (c Config) Verbose() bool

Verbose returns true is the configuration verbosity setting is larger than Info (i.e. Debug or Trace)

type ConfiguredLogger

type ConfiguredLogger struct {
	Config *Config
	Logger *LogGroup

ConfiguredLogger is the simplest Configurer

func (ConfiguredLogger) GetConfig

func (s ConfiguredLogger) GetConfig() *Config

GetConfig returns the config of the state

func (ConfiguredLogger) GetLogger

func (s ConfiguredLogger) GetLogger() *LogGroup

GetLogger returns the logger of the state

type Configurer

type Configurer interface {
	GetConfig() *Config
	GetLogger() *LogGroup

Configurer groups a config and a logger. All "state" structs should implement this.

type DataflowProblems

type DataflowProblems struct {
	// PathSensitiveFuncs is a list of regexes indicating which functions should be path-sensitive.
	// This allows the analysis to scale yet still maintain a degree of precision where it matters.
	PathSensitiveFuncs []string `xml:"field-sensitive-funcs" yaml:"field-sensitive-funcs" json:"field-sensitive-funcs"`

	// SummarizeOnDemand specifies whether the graph should build summaries on-demand instead of all at once
	SummarizeOnDemand bool `xml:"summarize-on-demand,attr" yaml:"summarize-on-demand" json:"summarize-on-demand"`

	// UserSpecs is a path to a json file that contains the data flows specs for the interfaces in the dataflow
	// analyses
	UserSpecs []string `yaml:"user-specs" json:"user-specs"`

	// TaintTrackingProblems lists the taint tracking specifications
	TaintTrackingProblems []TaintSpec `yaml:"taint-tracking" json:"taint-tracking"`

	// SlicingProblems lists the program slicing specifications
	SlicingProblems []SlicingSpec `yaml:"slicing" json:"slicing"`
	// contains filtered or unexported fields

DataflowProblems defines all the dataflow (taint, slicing) problems in a config file.

type Errors

type Errors struct {
	// Stored errors
	ErrorMap map[string][]error
	// contains filtered or unexported fields

Errors contains errors generated during the different steps of the analysis, keyed by some string to reduce the number of duplicates.

type EscapeConfig

type EscapeConfig struct {

	// Functions controls behavior override, keyed by .String() (e.g. command-line-arguments.main,
	// (*package.Type).Method, etc.). A value of "summarize" means process normally, "unknown" is
	// treat as unanalyzed, and "noop" means calls are assumed to have no escape effect (and return
	// nil if they have a pointer-like return).
	Functions map[string]string `json:"functions"`

	// The maximum size of an escape summary. If a function attempts to compute a larger summary, it
	// will be replaced by a conservative, unsummarized stub.
	SummaryMaximumSize int `json:"summary-maximum-size"`

	// Allow/blocklist of packages, keyed by package path. A value of true means allow, false is
	// block, and not present is default behavior.
	PkgFilter string `json:"pkg-filter"`
	// contains filtered or unexported fields

EscapeConfig holds the options relative to the escape analysis configuration

func NewEscapeConfig

func NewEscapeConfig() *EscapeConfig

NewEscapeConfig returns a new escape config with a preset summary maximum size and initialized Functions map.

func (*EscapeConfig) MatchPkgFilter

func (c *EscapeConfig) MatchPkgFilter(pkgname string) bool

MatchPkgFilter matches a package name against a configuration. Returns true if the package name matches the filter.

type FieldsSetSpec

type FieldsSetSpec struct {
	// Field is the struct field name whose value must be initialized to the Value.
	Field string
	// Value is the value that Field must always be set to.
	// We only support static values for now (e.g., constants and static functions).
	Value CodeIdentifier

FieldsSetSpec contains the code identifiers for the problem of tracking how a struct's fields are initialized.

type GuardSpec

type GuardSpec struct {
	// Precondition is the function that is used in the condition
	Precondition []string

GuardSpec is the specification of a guard or condition Currently, it only contains a Precondition which is a list of string represented conjuncts. This makes it at little difficult to specify in a config file, so we will make a more extensible and precise GuardSpec in the future.

type LoadOptions

type LoadOptions struct {
	// BuildMode is the mode used when creating the SSA from the packages.
	BuildMode ssa.BuilderMode
	// LoadTests is a flag indicating whether tests should be loaded with the program.
	LoadTests bool
	// ApplyRewrites is a flag indicating whether the standard source rewrites should be applied.
	ApplyRewrites bool
	// Platform indicates which platform the analysis is being performed on (sets GOOS in env).
	Platform string
	// PackageConfig is the options passed to packages.Load.
	// The GOOS  in the Env of the packageConfig is overridden by the Platform when Platform is set.
	PackageConfig *packages.Config

LoadOptions combines all the options that are used when loading programs.

type LogGroup

type LogGroup struct {
	Level LogLevel
	// contains filtered or unexported fields

LogGroup holds a set of loggers that will be called depending on the logging kind

func NewLogGroup

func NewLogGroup(config *Config) *LogGroup

NewLogGroup returns a log group that is configured to the logging settings stored inside the config

func (*LogGroup) Debug

func (l *LogGroup) Debug(msg string)

Debug calls Debug.Print to print to the trace logger. Arguments are handled in the manner of Print

func (*LogGroup) Debugf

func (l *LogGroup) Debugf(format string, v ...any)

Debugf calls Debug.Printf to print to the trace logger. Arguments are handled in the manner of Printf

func (*LogGroup) Error

func (l *LogGroup) Error(msg string)

Error calls Error.Print to print to the trace logger. Arguments are handled in the manner of Print

func (*LogGroup) Errorf

func (l *LogGroup) Errorf(format string, v ...any)

Errorf calls Error.Printf to print to the trace logger. Arguments are handled in the manner of Printf

func (*LogGroup) GetDebug

func (l *LogGroup) GetDebug() *log.Logger

GetDebug returns the debug level logger, for applications that need a logger as input

func (*LogGroup) GetError

func (l *LogGroup) GetError() *log.Logger

GetError returns the error logger, for applications that need a logger as input

func (*LogGroup) Info

func (l *LogGroup) Info(msg string)

Info calls Info.Print to print to the trace logger. Arguments are handled in the manner of Print

func (*LogGroup) Infof

func (l *LogGroup) Infof(format string, v ...any)

Infof calls Info.Printf to print to the trace logger. Arguments are handled in the manner of Printf

func (*LogGroup) LogsDebug

func (l *LogGroup) LogsDebug() bool

LogsDebug returns true if the log group logs debug messages

func (*LogGroup) LogsError

func (l *LogGroup) LogsError() bool

LogsError returns true if the log group logs error messages. Note that this is the lowest logging level, and if this returns false, it implies that the log group does not log anything.

func (*LogGroup) LogsInfo

func (l *LogGroup) LogsInfo() bool

LogsInfo returns true if the log group logs info messages

func (*LogGroup) LogsTrace

func (l *LogGroup) LogsTrace() bool

LogsTrace returns true if the log group logs trace messages

func (*LogGroup) LogsWarning

func (l *LogGroup) LogsWarning() bool

LogsWarning returns true if the log group logs warning messages

func (*LogGroup) PopContext

func (l *LogGroup) PopContext()

PopContext pops a context string off the prefix of the logger

func (*LogGroup) PushContext

func (l *LogGroup) PushContext(s string)

PushContext pushes a context string on the prefix of the logger

func (*LogGroup) SetAllFlags

func (l *LogGroup) SetAllFlags(x int)

SetAllFlags sets the flag of all loggers in the log group to the argument provided

func (*LogGroup) SetAllOutput

func (l *LogGroup) SetAllOutput(w io.Writer)

SetAllOutput sets all the output writers to the writer provided

func (*LogGroup) SetError

func (l *LogGroup) SetError(w io.Writer)

SetError sets the output writer of the error logger

func (*LogGroup) Trace

func (l *LogGroup) Trace(msg string)

Trace calls Trace.Print to print to the trace logger. Arguments are handled in the manner of Print

func (*LogGroup) Tracef

func (l *LogGroup) Tracef(format string, v ...any)

Tracef calls Trace.Printf to print to the trace logger. Arguments are handled in the manner of Printf

func (*LogGroup) Warn

func (l *LogGroup) Warn(msg string)

Warn calls Warn.Print to print to the trace logger. Arguments are handled in the manner of Print

func (*LogGroup) Warnf

func (l *LogGroup) Warnf(format string, v ...any)

Warnf calls Warn.Printf to print to the trace logger. Arguments are handled in the manner of Printf

type LogLevel

type LogLevel int

LogLevel represents a logging level

const (
	// ErrLevel =1 - the minimum level of logging.
	ErrLevel LogLevel = iota + 1

	// WarnLevel =2 - the level for logging warnings, and errors

	// InfoLevel =3 - the level for logging high-level information, results

	// DebugLevel =4 - the level for debugging information. The tool will run properly on large programs with
	// that level of debug information.

	// TraceLevel =5 - the level for tracing. The tool will not run properly on large programs with that level
	// of information, but this is useful on smaller testing programs.

type MxFile

type MxFile struct {
	Object   []Object `xml:"diagram>mxGraphModel>root>object"`
	Cells    []mxCell `xml:"diagram>mxGraphModel>root>mxCell"`
	Modified string   `xml:"modified,attr"`
	Host     string   `xml:"host,attr"`

MxFile is the toplevel file representation in a draio diagram

type Object

type Object struct {
	ID string `xml:"id,attr"`
	Forbidden     bool   `xml:"forbidden,attr"`
	Cell          mxCell `xml:"mxCell"`
	IsSource      bool   `xml:"taint-source,attr"`
	IsSink        bool   `xml:"taint-sink,attr"`
	IsSanitizer   bool   `xml:"taint-sanitizer,attr"`
	IsValidator   bool   `xml:"taint-validator,attr"`
	DataflowSpecs string `xml:"dataflow-specs,attr"`
	Filters       string `xml:"filters,attr"`

Object represents an object in the drawio diagram

type ObjectKind

type ObjectKind string

ObjectKind is the kind of entrypoint object.

const (
	// ArgumentKind indicates an function call argument entrypoint.
	ArgumentKind ObjectKind = "argument"

type Options

type Options struct {
	AnalysisProblemOptions `xml:"analysis-options,attr" yaml:"analysis-options" json:"analysis-options"`

	// Path to a JSON file that has the escape configuration (allow/blocklist)
	EscapeConfigFile string `xml:"escape-config,attr" yaml:"escape-config" json:"escape-config"`

	// CoverageFilter can be used to filter which packages will be reported in the coverage. If non-empty,
	// coverage will only for those packages that match CoverageFilter
	CoverageFilter string `xml:"coverage-filter,attr" yaml:"coverage-filter" json:"coverage-filter"`

	// Loglevel controls the verbosity of the tool
	LogLevel int `xml:"log-level,attr" yaml:"log-level" json:"log-level"`

	// PkgFilter is a filter for the taint analysis to build summaries only for the function whose package match the
	// prefix. This is a global option because it is used during the first intra-procedural passes of the analysis.
	PkgFilter string `xml:"pkg-filter,attr" yaml:"pkg-filter" json:"pkg-filter"`

	// ReportCoverage specifies whether coverage should be reported. If true, then a file names coverage-*.out will
	// be created in the report directory, containing the coverage data generated by the analysis
	ReportCoverage bool `xml:"report-coverage,attr" yaml:"report-coverage" json:"report-coverage"`

	// ReportNoCalleeSites specifies whether the tool should report where it does not find any callee.
	ReportNoCalleeSites bool `xml:"report-no-callee-sites,attr" yaml:"report-no-callee-sites" json:"report-no-callee-sites"`

	// ReportPaths specifies whether the taint flows should be reported in separate files. For each taint flow, a new
	// file named taint-*.out will be generated with the trace from source to sink
	ReportPaths bool `xml:"report-paths,attr" yaml:"report-paths" json:"report-paths"`

	// ReportSummaries can be set to true, in which case summaries will be reported in a file names summaries-*.out in
	// the reports directory
	ReportSummaries bool `xml:"report-summaries,attr" yaml:"report-summaries" json:"report-summaries"`

	// ReportsDir is the directory where all the reports will be stored. If the yaml config file this config struct has
	// been loaded does not specify a ReportsDir but sets any Report* option to true, then ReportsDir will be created
	// in the folder the binary is called.
	ReportsDir string `xml:"reports-dir,attr" yaml:"reports-dir" json:"reports-dir"`

	// ProjectRoot specifies the root directory of the project. All other file names specified in the config file are
	// relative to the root. If not specified, the root is assumed to be the directory of the config file.
	ProjectRoot string `xml:"project-root,attr" yaml:"project-root" json:"project-root"`

	// Suppress warnings
	SilenceWarn bool `xml:"silence-warn,attr" json:"silence-warn" yaml:"silence-warn"`

	// Run and use the escape analysis for analyses that have the option to use the escape analysis results.
	UseEscapeAnalysis bool `xml:"use-escape-analysis,attr" yaml:"use-escape-analysis" json:"use-escape-analysis"`

Options holds the global options for analyses embeds AnalysisProblemOptions

type PointerConfig

type PointerConfig struct {
	// UnsafeNoEffectFunctions is a list of function names that produce no constraints in the pointer analysis.
	// Use at your own risk: using this option *may* make the analysis unsound. However, if you are confident
	// that the listed function does not have any effect on aliasing, adding it here may reduce false positives.
	UnsafeNoEffectFunctions []string `yaml:"unsafe-no-effect-functions" json:"unsafe-no-effect-functions"`

	// Reflection is the reflection option of the pointer analysis: when true, reflection aperators are handled
	// soundly, but analysis time will increase dramatically.
	Reflection bool

PointerConfig is the pointer analysis specific configuration.

func NewPointerConfig

func NewPointerConfig() *PointerConfig

NewPointerConfig returns a new escape config with default parameters: - the filter of no-effect functions is nil.

type ReportDesc

type ReportDesc struct {
	Tool     ToolName
	Tag      string
	Severity Severity
	Content  any

A ReportDesc gathers content and metadata about a specific report entry.

type ReportEntry

type ReportEntry struct {
	Tool        ToolName
	ContentFile string
	Severity    Severity

ReportEntry is one entry in the report, with high-level information about the severity and what tool generated it. Contents of the report should be stored in a separate content file.

type ReportGroup

type ReportGroup struct {
	Tool     ToolName
	Severity Severity
	Details  []string

A ReportGroup lists the report contents in each details file

type ReportInfo

type ReportInfo struct {
	CountBySeverity map[Severity]int

	// Reports groups entries by tag
	Reports map[string]ReportGroup

	// Errors contains the errors generated during the analysis
	Errors Errors

ReportInfo contains the information in the main report of argot

func NewReport

func NewReport() *ReportInfo

NewReport returns a new ReportInfo with initialized maps

func (*ReportInfo) AddEntry

func (r *ReportInfo) AddEntry(c Configurer, report ReportDesc)

AddEntry write the information in the ReportDesc to a new file in the ReportsDir, and adds a new entry into the receiver.

func (*ReportInfo) AddError

func (r *ReportInfo) AddError(key string, e error)

AddError adds an error with key and error e to the state.

func (*ReportInfo) CheckError

func (r *ReportInfo) CheckError() []error

CheckError checks whether there is an error in the state, and if there is, returns the first it encounters and deletes it. The slice returned contains all the errors associated with one single error key (as used in [*AnalyzerState.AddError])

func (*ReportInfo) Dump

func (r *ReportInfo) Dump(c Configurer)

Dump writes a new report file in the ReportsDir of the config file.

func (*ReportInfo) HasErrors

func (r *ReportInfo) HasErrors() bool

HasErrors returns true if the state has an error. Unlike [*AnalyzerState.CheckError], this is non-destructive.

func (*ReportInfo) IncrementSevCount

func (r *ReportInfo) IncrementSevCount(sev Severity, count int)

IncrementSevCount increments the count of the provided severity label

func (*ReportInfo) Merge

func (r *ReportInfo) Merge(other *ReportInfo)

Merge merges the report elements of other into the receiver

type Severity

type Severity string

Severity is the severity label of an analysis problem

const (
	// Critical severity: often triggers early failure in analyses
	Critical Severity = "CRITICAL"
	// High severity
	High Severity = "HIGH"
	// Medium severity problems
	Medium Severity = "MEDIUM"
	// Low severity problems
	Low Severity = "LOW"

func (Severity) String

func (s Severity) String() string

type SlicingSpec

type SlicingSpec struct {
	*AnalysisProblemOptions `xml:"override-analysis-options,attr" yaml:"override-analysis-options" json:"override-analysis-options"`
	// BacktracePoints is the list of identifiers to be considered as entrypoint functions for the backwards
	// dataflow analysis.
	BacktracePoints []CodeIdentifier

	// Filters contains a list of filters that can be used by analyses
	Filters []CodeIdentifier

	// Tag identifies a group of annotations when used with annotations
	Tag string

	// Severity assigns a severity to this problem
	Severity Severity

	// Description allows the user to add a description to the problem
	Description string

	// Targets identifies the names of the targets this analysis must run against
	Targets []string

	// MustBeStatic set to true indicates that all the data flowing to backtrace points must be static (constants,
	// static string)
	MustBeStatic bool `yaml:"must-be-static" json:"must-be-static"`

	// SkipBoundLabels indicates whether to skip flows that go through "bound labels", i.e. aliases of the variables
	// bound by a closure. This can be useful to test data flows because bound labels generate a lot of false positives.
	SkipBoundLabels bool `yaml:"unsafe-skip-bound-labels" json:"unsafe-skip-bound-labels"`

SlicingSpec contains code identifiers that identify a specific program slicing / backwards dataflow analysis spec.

func (SlicingSpec) IsBacktracePoint

func (ss SlicingSpec) IsBacktracePoint(cid CodeIdentifier) (CodeIdentifier, bool)

IsBacktracePoint returns true if the code identifier matches a backtrace point according to the SlicingSpec

func (SlicingSpec) SpecSeverity

func (ss SlicingSpec) SpecSeverity() Severity

SpecSeverity returns the severity of the slicing spec

func (SlicingSpec) SpecTag

func (ss SlicingSpec) SpecTag() string

SpecTag returns the tag of the slicing spec

func (SlicingSpec) SpecTargets

func (ss SlicingSpec) SpecTargets() []string

SpecTargets returns the targets of the slicing spec

type State

type State struct {
	Config   *Config
	Logger   *LogGroup
	Target   string
	Patterns []string
	Options  LoadOptions
	Overlay  map[string][]byte

A State for config is a config with a logger.

func NewState

func NewState(c *Config, target string, patterns []string, options LoadOptions) *State

NewState returns a new state from a config by adding a logger built from that config.

func (*State) GetConfig

func (s *State) GetConfig() *Config

GetConfig returns the config of the state

func (*State) GetLogger

func (s *State) GetLogger() *LogGroup

GetLogger returns the logger of the state

type StaticCommandsSpec

type StaticCommandsSpec struct {
	// StaticCommands is the list of identifiers to be considered as command execution for the static commands analysis
	// (not used)
	StaticCommands []CodeIdentifier `yaml:"static-commands" json:"static-commands"`

StaticCommandsSpec contains code identifiers for the problem of identifying which commands are static

func (StaticCommandsSpec) IsStaticCommand

func (scs StaticCommandsSpec) IsStaticCommand(cid CodeIdentifier) bool

IsStaticCommand returns true if the code identifier matches a static command specification in the config file

type StructInitSpec

type StructInitSpec struct {
	// Tag is the identifier of the problem
	Tag string
	// Severity is the severity of the finding when some struct is not initialized properly
	Severity Severity
	// Description is a human-readable description of the problem
	Description string
	Targets     []string
	// Struct is the struct type whose initialization should be tracked.
	Struct CodeIdentifier
	// FieldsSet is the list of the fields of Struct that must always be set to a specific value.
	FieldsSet []FieldsSetSpec `yaml:"fields-set" json:"fields-set"`
	// Filters is the list of values that the analysis does not track.
	Filters []CodeIdentifier

StructInitSpec contains specs for the problem of tracking a specific struct initialization.

func (StructInitSpec) SpecSeverity

func (si StructInitSpec) SpecSeverity() Severity

SpecSeverity returns the struct init specification's severity

func (StructInitSpec) SpecTag

func (si StructInitSpec) SpecTag() string

SpecTag returns the struct init specification's tag

func (StructInitSpec) SpecTargets

func (si StructInitSpec) SpecTargets() []string

SpecTargets returns the struct init specification's targets

type SyntacticSpecs

type SyntacticSpecs struct {
	// StructInitSpecs is the list of specs for the struct inititialization problems.
	StructInitProblems []StructInitSpec `yaml:"struct-inits" json:"struct-inits"`

	// CondCheckSpecs is the list of specs for the condition checking problems.
	CondCheckSpecs []CondCheckSpec `yaml:"cond-checks" json:"cond-checks"`

SyntacticSpecs contains specs for the different syntactic analysis problems.

type TaggedSpec

type TaggedSpec interface {
	// SpecTag returns the tag of the problem
	SpecTag() string
	// SpecTargets returns the targets of the problem
	SpecTargets() []string
	// SpecSeverity returns the severity of the problem
	SpecSeverity() Severity

A TaggedSpec is a problem specification that has targets, a tag and a severity.

type TaintSpec

type TaintSpec struct {
	*AnalysisProblemOptions `xml:"override-analysis-options,attr" yaml:"override-analysis-options" json:"override-analysis-options"`
	// Sanitizers is the list of sanitizers for the taint analysis
	Sanitizers []CodeIdentifier

	// Validators is the list of validators for the dataflow analyses
	Validators []CodeIdentifier

	// Sinks is the list of sinks for the taint analysis
	Sinks []CodeIdentifier

	// Sources is the list of sources for the taint analysis
	Sources []CodeIdentifier

	// Filters contains a list of filters that can be used by analyses
	Filters []CodeIdentifier

	// Tag identifies a group of annotations when used with annotations
	Tag string

	// Severity assigns a severity to this problem
	Severity Severity

	// Description allows the user to add a description to the problem
	Description string

	// Targets identifies the names of the targets this analysis must run against
	Targets []string

	// FailOnImplicitFlow indicates whether the taint analysis should fail when tainted data implicitly changes
	// the control flow of a program. This should be set to false when proving a data flow property,
	// and set to true when proving an information flow property.
	FailOnImplicitFlow bool `yaml:"fail-on-implicit-flow" json:"fail-on-implicit-flow"`

	// SkipBoundLabels indicates whether to skip flows that go through "bound labels", i.e. aliases of the variables
	// bound by a closure. This can be useful to test data flows because bound labels generate a lot of false positives.
	SkipBoundLabels bool `yaml:"unsafe-skip-bound-labels" json:"unsafe-skip-bound-labels"`

	// SourceTaintsArgs specifies whether calls to a source function also taints the argument. This is usually not
	// the case, but might be useful for some users or for source functions that do not return anything.
	SourceTaintsArgs bool `xml:"source-taints-args,attr" yaml:"source-taints-args" json:"source-taints-args"`

TaintSpec contains code identifiers that identify a specific taint tracking problem, or contains a code that can differentiate groups of annotations

func (TaintSpec) IsSanitizer

func (ts TaintSpec) IsSanitizer(cid CodeIdentifier) bool

IsSanitizer returns true if the code identifier matches a sanitizer specification in the config file

func (TaintSpec) IsSink

func (ts TaintSpec) IsSink(cid CodeIdentifier) bool

IsSink returns true if the code identifier matches a sink specification in the config file

func (TaintSpec) IsSource

func (ts TaintSpec) IsSource(cid CodeIdentifier) bool

IsSource returns true if the code identifier matches a source specification in the config file

func (TaintSpec) IsValidator

func (ts TaintSpec) IsValidator(cid CodeIdentifier) bool

IsValidator returns true if the code identifier matches a validator specification in the config file

func (TaintSpec) SpecSeverity

func (ts TaintSpec) SpecSeverity() Severity

SpecSeverity returns the severity of the taint specification

func (TaintSpec) SpecTag

func (ts TaintSpec) SpecTag() string

SpecTag returns the tag of the taint specification

func (TaintSpec) SpecTargets

func (ts TaintSpec) SpecTargets() []string

SpecTargets returns the targets of the taint specification

type Target

type Target struct {
	// Kind is the kind of target.
	// Supported kinds:
	// - "call"
	Kind TargetKind

	// Package is the name of the package that the method belongs to.
	Package string

	// Method is the name of the method or function.
	Method string

	// Objects are the specific objects (values) in the target that the analysis
	// should analyze as an entrypoints.
	// A "target object" can be an argument, return value, etc.
	// The supported kinds of objects depend on the kind of the target.
	Objects []TargetObject

Target matches a specific program value to be analyzed as an entrypoint.

type TargetInfo

type TargetInfo struct {
	// Files in the target
	Files []string
	// Platform of the target
	Platform string
	// UseProgramTransforms for the target
	UseProgramTransforms bool
	// ReflectValueCallInstances
	ReflectValueCallInstances []CodeIdentifier

TargetInfo is the information needed to build the target

type TargetKind

type TargetKind string

TargetKind is the kind of target.

const (
	// CallKind indicates a function/method call target.
	CallKind TargetKind = "call"

type TargetObject

type TargetObject struct {
	// Kind is the kind of entrypoint.
	// Supported Kinds:
	// - "argument"
	Kind ObjectKind

	// Name is the (optional) name of the entrypoint.
	// For example, if the Kind is an argument, `Name` should be set to the
	// parameter name in the function.
	Name string

	// Index is the index of the entrypoint.
	// If the Kind is an argument, Index is the argument index.
	// If the Kind is a return value, Index specifies which returned tuple
	// element is the entrypoint.
	Index uint

	// Type is the type of the entrypoint.
	Type string

TargetObject is a specific object value in the target that the analysis should analyze as an entrypoint.

type TargetSpec

type TargetSpec struct {
	// Name identifies the target in the rest of the configuration file
	Name string
	// Files identifies the target's files
	Files []string
	// Platform identifies the target's platform
	Platform string

	// UseProgramTransforms indicates that the tool should apply program transformations before running any analysis.
	// Program transformations can be expensive to apply, but they can eliminate sources of imprecision and sources of
	// unsoundness.
	// NOTE: this option may change to let the user choose precisely which program transformations to apply
	UseProgramTransforms bool `xml:"use-program-transforms" yaml:"use-program-transforms" json:"use-program-transforms"`

	// ReflectValueCallInstances lists functions that take as argument a class. The program will be transformed to rewrite
	// (reflect.Value).Call instances that can be statically resolved to the class's method.
	ReflectValueCallInstances []CodeIdentifier `xml:"reflect-value-call-instances" yaml:"reflect-value-call-instances" json:"reflect-value-call-instances"`

A TargetSpec is a set of files the form a Go program together with a name to identify the target in the configuration file.

type ToolName

type ToolName string

ToolName is the type of tool names

const (
	// BacktraceTool name
	BacktraceTool ToolName = "backtrace"
	// CliTool name
	CliTool ToolName = "cli"
	// CompareTool name
	CompareTool ToolName = "compare"
	// DeferTool name
	DeferTool ToolName = "defer"
	// DependenciesTool name
	DependenciesTool ToolName = "dependencies"
	// MayPanicTool name
	MayPanicTool ToolName = "maypanic"
	// PackageScanTool name
	PackageScanTool ToolName = "packagescan"
	// ReachabilityTool name
	ReachabilityTool ToolName = "reachability"
	// RenderTool name
	RenderTool ToolName = "render"
	// SsaStatisticsTool name
	SsaStatisticsTool ToolName = "ssa-statistics"
	// SyntacticTool name
	SyntacticTool ToolName = "syntactic"
	// TaintTool name
	TaintTool ToolName = "taint"

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL