Specify analysis classes

olesya · May 7, 2023, 4:52pm

Hello!
I was wondering if it is possible to make taint analysis run only on a specified set of classes from the analysed jar? So that it wouldn’t build a graph for the whole jar.
I’d like to provide as input class names smth like Class1|Class2|Class3.
Thanks in advance!

carlo.pozzoli · May 9, 2023, 8:51am

Hi Olesya!

You have several alternatives to reduce the scope of the analysis, depending on what are you trying to do:

By default JvmTaintBamCpaRun and classes implementing it just run the analysis from the method specified in the mainMethodSignature parameter, so not for the entire program
If you are interested in intraprocedural analysis for a single method you can set the maxCallStackDepth parameter to 1
I think your case is that you want to just not consider code outside some classes. You can create a JvmCfa from a programClassPool just containing the classes you are interested into

Code snippet to create just classes from package org.example:

// ClassPool original is the class pool you have in your current code
ClassPool newClassPool = new ClassPool();
original.classesAccept("org/example/**", new ClassPoolFiller(newClassPool));

You can edit the filter passed as argument to classesAccept to match the classes you are interested into.

Topic		Replies	Views
Taint analysis capabilities Ask a Question proguard , taint	2	456	December 9, 2022
Latest version taint analysis usage Ask a Question	1	383	March 7, 2023
ProGuardCORE 9.0 is Live! Guardsquare Community proguard , proguardcore , release-announcements	0	776	April 13, 2022
Taint analysis collections access Ask a Question	7	412	March 13, 2023
Traces interpretation Ask a Question proguard , taint	9	594	December 20, 2022

Specify analysis classes

Related Topics