Skip to content

When calling sink multiple times, how can I distinguish the source of each call in the result report? #818

New issue
New issue
Open
Open
When calling sink multiple times, how can I distinguish the source of each call in the result report?#818
@leileidesu

Description

@leileidesu
leileidesu
opened on May 21, 2025

When calling sink multiple times, how can I distinguish the source of each call in the result report?
When the source code is as follows, I will find 2 leaks, just as I expected

override fun onCreate(savedInstanceState: Bundle?) { super.onCreate(savedInstanceState) val s1 = source1(); val s2 = source2(); val s3 = source3(); val s4 = source4(); sink(s1+s2) sink(s3+s4) }
<Results> <Result> <Sink Statement="specialinvoke r0.<com.example.myapplication.MainActivity: void sink(java.lang.String)>($r2)" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: void sink(java.lang.String)>"> <AccessPath Value="$r2" Type="java.lang.String" TaintSubFields="true"/> </Sink> <Sources> <Source Statement="$r2 = specialinvoke r0.<com.example.myapplication.MainActivity: java.lang.String source1()>()" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: java.lang.String source1()>"> <AccessPath Value="$r2" Type="java.lang.String" TaintSubFields="true"/> </Source> <Source Statement="$r3 = specialinvoke r0.<com.example.myapplication.MainActivity: java.lang.String source2()>()" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: java.lang.String source2()>"> <AccessPath Value="$r3" Type="java.lang.String" TaintSubFields="true"/> </Source> </Sources> </Result> <Result> <Sink Statement="specialinvoke r0.<com.example.myapplication.MainActivity: void sink(java.lang.String)>($r4)" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: void sink(java.lang.String)>"> <AccessPath Value="$r4" Type="java.lang.String" TaintSubFields="true"/> </Sink> <Sources> <Source Statement="$r5 = specialinvoke r0.<com.example.myapplication.MainActivity: java.lang.String source4()>()" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: java.lang.String source4()>"> <AccessPath Value="$r5" Type="java.lang.String" TaintSubFields="true"/> </Source> <Source Statement="$r4 = specialinvoke r0.<com.example.myapplication.MainActivity: java.lang.String source3()>()" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: java.lang.String source3()>"> <AccessPath Value="$r4" Type="java.lang.String" TaintSubFields="true"/> </Source> </Sources> </Result> </Results>

If I call sink in outersink, I will only find one leak, and I cannot directly distinguish which sources are used each time the sink is called.

override fun onCreate(savedInstanceState: Bundle?) { super.onCreate(savedInstanceState) val s1 = source1(); val s2 = source2(); val s3 = source3(); val s4 = source4(); outersink(s1+s2) outersink(s3+s4) }
<Result> <Sink Statement="specialinvoke r0.<com.example.myapplication.MainActivity: void sink(java.lang.String)>($r1)" Method="<com.example.myapplication.MainActivity: void outersink(java.lang.String)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: void sink(java.lang.String)>"> <AccessPath Value="$r1" Type="java.lang.String" TaintSubFields="true"/> </Sink> <Sources> <Source Statement="$r5 = specialinvoke r0.<com.example.myapplication.MainActivity: java.lang.String source4()>()" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: java.lang.String source4()>"> <AccessPath Value="$r5" Type="java.lang.String" TaintSubFields="true"/> </Source> <Source Statement="$r2 = specialinvoke r0.<com.example.myapplication.MainActivity: java.lang.String source1()>()" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: java.lang.String source1()>"> <AccessPath Value="$r2" Type="java.lang.String" TaintSubFields="true"/> </Source> <Source Statement="$r3 = specialinvoke r0.<com.example.myapplication.MainActivity: java.lang.String source2()>()" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: java.lang.String source2()>"> <AccessPath Value="$r3" Type="java.lang.String" TaintSubFields="true"/> </Source> <Source Statement="$r4 = specialinvoke r0.<com.example.myapplication.MainActivity: java.lang.String source3()>()" Method="<com.example.myapplication.MainActivity: void onCreate(android.os.Bundle)>" MethodSourceSinkDefinition="<com.example.myapplication.MainActivity: java.lang.String source3()>"> <AccessPath Value="$r4" Type="java.lang.String" TaintSubFields="true"/> </Source> </Sources> </Result>

Is there a way I can distinguish the sources that flow to the sink each time? Thank you for your time.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions