
[pushed] analyzer: add SARIF property bags to taint diagnostics

Message ID 20240322150054.1063813-1-dmalcolm@redhat.com

Commit Message

David Malcolm March 22, 2024, 3 p.m. UTC
Another followup to r14-6057-g12b67d1e13b3cf to make it easier to debug
the analyzer.

Successfully bootstrapped & regrtested on x86_64-pc-linux-gnu.
Successful run of analyzer integration tests on x86_64-pc-linux-gnu.
Pushed to trunk as r14-9624-gd475a4571ef310.

gcc/analyzer/ChangeLog:
	* sm-taint.cc: Include "diagnostic-format-sarif.h".
	(bounds_to_str): New.
	(taint_diagnostic::maybe_add_sarif_properties): New.
	(tainted_offset::tainted_offset): Add "offset" param.
	(tainted_offset::maybe_add_sarif_properties): New.
	(tainted_offset::m_offset): New.
	(region_model::check_region_for_taint): Pass offset to
	tainted_offset ctor.

Signed-off-by: David Malcolm <dmalcolm@redhat.com>
---
 gcc/analyzer/sm-taint.cc | 50 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 47 insertions(+), 3 deletions(-)

Patch

diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index bbf683f82efc..c873c9ebd333 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -50,6 +50,7 @@  along with GCC; see the file COPYING3.  If not see
 #include "analyzer/program-state.h"
 #include "analyzer/pending-diagnostic.h"
 #include "analyzer/constraint-manager.h"
+#include "diagnostic-format-sarif.h"
 
 #if ENABLE_ANALYZER
 
@@ -71,6 +72,22 @@  enum bounds
   BOUNDS_LOWER
 };
 
+static const char *
+bounds_to_str (enum bounds b)
+{
+  switch (b)
+    {
+    default:
+      gcc_unreachable ();
+    case BOUNDS_NONE:
+      return "BOUNDS_NONE";
+    case BOUNDS_UPPER:
+      return "BOUNDS_UPPER";
+    case BOUNDS_LOWER:
+      return "BOUNDS_LOWER";
+    }
+}
+
 /* An experimental state machine, for tracking "taint": unsanitized uses
    of data potentially under an attacker's control.  */
 
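Review bot: bounds_to_str has no leading comment, which the rest of this file (and GCC generally) gives every function; a one-liner above the `static const char *` line would do, e.g. `/* Get a string for B, for use in SARIF property bags.  */`. The `default: gcc_unreachable ();` placed before the enumerators is fine because gcc_unreachable does not return, though the usual layout in GCC puts it last so the enumerator cases read in declaration order.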
@@ -193,6 +210,17 @@  public:
     return diagnostic_event::meaning ();
   }
 
+  void maybe_add_sarif_properties (sarif_object &result_obj)
+    const override
+  {
+    sarif_property_bag &props = result_obj.get_or_create_properties ();
+#define PROPERTY_PREFIX "gcc/analyzer/taint_diagnostic/"
+    props.set (PROPERTY_PREFIX "arg", tree_to_json (m_arg));
+    props.set_string (PROPERTY_PREFIX "has_bounds",
+		      bounds_to_str (m_has_bounds));
+#undef PROPERTY_PREFIX
+  }
+
 protected:
   const taint_state_machine &m_sm;
   tree m_arg;
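Review bot: `props.set (PROPERTY_PREFIX "arg", tree_to_json (m_arg));` passes m_arg through unconditionally, yet other code in this file treats m_arg as possibly NULL_TREE (the caller in the last hunk obtains it from get_representative_tree, which can fail); either confirm tree_to_json tolerates NULL_TREE or guard the call with `if (m_arg)`. The override also has no comment; `/* Implementation of pending_diagnostic::maybe_add_sarif_properties vfunc.  */` above it would match the file's style, assuming that is the base vfunc being overridden (its declaration is outside the hunk). The enclosing class taint_diagnostic starts before and continues after this hunk.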
@@ -315,8 +343,10 @@  class tainted_offset : public taint_diagnostic
 {
 public:
   tainted_offset (const taint_state_machine &sm, tree arg,
-		       enum bounds has_bounds)
-  : taint_diagnostic (sm, arg, has_bounds)
+		  enum bounds has_bounds,
+		  const svalue *offset)
+  : taint_diagnostic (sm, arg, has_bounds),
+    m_offset (offset)
   {}
 
   const char *get_kind () const final override { return "tainted_offset"; }
@@ -409,6 +439,19 @@  public:
 				     " checking");
 	}
   }
+
+  void maybe_add_sarif_properties (sarif_object &result_obj)
+    const final override
+  {
+    taint_diagnostic::maybe_add_sarif_properties (result_obj);
+    sarif_property_bag &props = result_obj.get_or_create_properties ();
+#define PROPERTY_PREFIX "gcc/analyzer/tainted_offset/"
+    props.set (PROPERTY_PREFIX "offset", m_offset->to_json ());
+#undef PROPERTY_PREFIX
+  }
+
+private:
+  const svalue *m_offset;
 };
 
 /* Concrete taint_diagnostic subclass for reporting attacker-controlled
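Review bot: `props.set (PROPERTY_PREFIX "offset", m_offset->to_json ());` dereferences m_offset with no null check, and the constructor in the previous hunk does not assert the new `offset` parameter is non-null; the only caller (last hunk) forwards an `offset` whose origin lies outside the hunk, so nothing visible here establishes it. If the svalue is guaranteed, `gcc_assert (offset);` in the tainted_offset constructor documents that invariant; otherwise wrap the set in `if (m_offset)`. The class tainted_offset starts before this hunk.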
@@ -1554,7 +1597,8 @@  region_model::check_region_for_taint (const region *reg,
 	    if (taint_sm.get_taint (state, effective_type, &b))
 	      {
 		tree arg = get_representative_tree (offset);
-		ctxt->warn (make_unique<tainted_offset> (taint_sm, arg, b));
+		ctxt->warn (make_unique<tainted_offset> (taint_sm, arg, b,
+							 offset));
 	      }
 	  }
 	  break;
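Review bot: the `offset` pointer now outlives this call, since tainted_offset stores it as a raw `const svalue *` and the diagnostic passed to ctxt->warn is presumably queued and emitted later rather than immediately; this is only safe if the svalue's owner (the region_model_manager, if that is where it comes from) outlives the pending diagnostic — worth confirming, and worth a short comment on the m_offset member stating who owns it. region_model::check_region_for_taint begins and ends outside this hunk.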