Basically, I want to try the available alpha.security.taint.TaintPropagation checker on my code. But , I am not getting any suitable output even when i try it on clang/test/Analysis/taint-tester.c
Issue :- http://stackoverflow.com/questions/36150778/no-output-using-alpha-security-checkers-in-clang.
The command I used : scan-build --use-analyzer=/home/…/clang -enable-checker alpha.security.taint.TaintPropagation clang taintcheck.c -c -o taintcheck.o
I have tried the same installing clang from source as well as apt-get. Same result,ie no issues found. Why is that so?
Regards,
Ashwin
Hello,
The checker reports nothing on taint-tester.c because there are truly no errors in this file. The taint-tester.c test contains tests based on the internal debugging facility - the debug.TaintTest checker. The tests for alpha.security.taint.TaintPropagation checker are mostly in the taint-generic.c file. You can grep through the test run-lines by the checker name to find more tests that rely on this checker. The code you provide in the stack-overflow question doesn't have any security issues either, so the checker is intentionally silent.
Best regards,
Artem.
Hey Artem, the mail thread where you had answered my queries regarding taint propagation , GenericTaintChecker,etc seem to have disappeared from my mails, have absolutely no idea how it happened. It would be great if you can forward that conversation to me again as you had given me many valuable points there. I think it was dated April 5 or 6.
Regards,
Ashwin
Hey Artem, the mail thread where you had answered my queries regarding taint propagation , GenericTaintChecker,etc seem to have disappeared from my mails, have absolutely no idea how it happened. It would be great if you can forward that conversation to me again as you had given me many valuable points there. I think it was dated April 5 or 6.
Hello, you can always have a look at cfe-dev archives:
http://lists.llvm.org/pipermail/cfe-dev/
Our thread here is (click "next" for other messages in the thread):
http://lists.llvm.org/pipermail/cfe-dev/2016-April/048250.html
Or on the unofficial nabble (names are a bit messed up here, but it's very comfortable to read otherwise):
http://clang-developers.42468.n3.nabble.com/General-query-Alpha-security-checkers-and-taint-analysis-td4050858.html
I'm always using the archives, not even subscribed to the list, so i think i don't even know your e-mail address 