Missed sink with taint propagated in lists and --aliasalgo NONE/LAZY #799
Description
Please consider the following code:
List myList = new ArrayList<String>(); myList.add(source()); sink(myList); // Reported by FlowDroid try{System.out.println("");}catch(Exception ex){} // If removed, FlowDroid correctly reports the sink in the next statement sink(myList); // Not reported by FlowDroid List unused = new ArrayList<Boolean>(); // If removed, FlowDroid correctly reports the sink in the previous statementAs annotated, FlowDroid doesn't report the second sink. This seems to be related to the try-catch block before it and the variable declaration after it: if we remove one of them, the leak is correctly reported.
I'm using a rather new version of FlowDroid (02dba8a).
This only happens using --aliasalgo NONE or --aliasalgo LAZY, with --aliasalgo FLOWSENSITIVE both sinks are found.
I call FlowDroid via the command line
java -jar ./soot-infoflow-cmd-02dba8a-jar-with-dependencies.jar \ -a {path-to-apk} \ -s ./SourcesAndSinks.xml \ -o ./out.xml \ -p {path-to-android-platforms-folder} \ --aliasalgo NONE \ --mergedexfiles SourcesAndSinks.xml
<sinkSources> <category id="NO_CATEGORY" description="no_category"> <method signature="com.example.testapp.MainActivity: java.lang.String source()"> <return type="java.lang.String"> <accessPath isSource="true" isSink="false"> </accessPath> </return> </method> <method signature="com.example.testapp.MainActivity: void sink(java.util.List)"> <param index="0" type="java.util.List"> <accessPath isSource="false" isSink="true"/> </param> </method> </category> </sinkSources>