Hello!
I was wondering if it is possible to make taint analysis run only on a specified set of classes from the analysed jar? So that it wouldn’t build a graph for the whole jar.
I’d like to provide as input class names smth like Class1|Class2|Class3.
Thanks in advance!
Hi Olesya!
You have several alternatives to reduce the scope of the analysis, depending on what are you trying to do:
- By default
JvmTaintBamCpaRunand classes implementing it just run the analysis from the method specified in themainMethodSignatureparameter, so not for the entire program - If you are interested in intraprocedural analysis for a single method you can set the
maxCallStackDepthparameter to 1 - I think your case is that you want to just not consider code outside some classes. You can create a
JvmCfafrom aprogramClassPooljust containing the classes you are interested into
Code snippet to create just classes from package org.example:
// ClassPool original is the class pool you have in your current code
ClassPool newClassPool = new ClassPool();
original.classesAccept("org/example/**", new ClassPoolFiller(newClassPool));
You can edit the filter passed as argument to classesAccept to match the classes you are interested into.
1 Like