Input/output stacks in the Trace view

The upper left panel displays the input and output stacks. The stack is a sequence of calls that terminates at either a source (input stack) or sink (output stack).

Data Flow

The lower left panel contains the data flow for the selected method. Data can flow through a method call or an assignment. The data flow section displays the line number in the source code where the item and context appear.

Call Graph

The chart is a graphical representation of the call graph. Each method call is a rectangle within the graph showing the class name and the method name:

  • Red identifies the method call as a source, sink, or both.
  • Yellow identifies the method call as a lost sink or virtual lost sink. A lost sink is an API method that can no longer be traced. A virtual lost sink is a lost sink that is also a virtual function (a function that can have more than one implementation).
  • Blue indicates that the method call is not a validation/encoding routine.
  • Grey represents all other trace node types.

Each method call is divided into three sections: the class name, the method name, and the tainted argument name. Hover text for the method call provides greater detail.

Lines with arrows represent calls from method to method. An unfilled arrowhead indicates that there was no known tainted data in the call, while a solid arrow indicates tainted data flow. A dashed arrow indicates a return statement.

Symbol: Description

  • Trace connector for method call with no tainted data: Method call with no known tainted data
  • Trace connector for method call with tainted data: Method call with tainted data
  • Trace connector for return with tainted data: Return with tainted data
  • Source (red): A method, function, or parameter that is the origin of potentially untrustworthy data.
  • Sink (red): A method or function that is potentially vulnerable to tainted data or is potentially dangerous to use.
  • Lost sink (yellow): A method/function that is potentially vulnerable to tainted data or is potentially dangerous to use.
  • Virtual lost sink (yellow): A type of lost sink that is resolved to more than one concrete implementation.
  • Not a validation/encoding routine (blue): Marking an API as not a validation/encoding routine identifies that this API does not validate any data.
  • Taint propagator: A function/method that propagates taint to one or more of its parameters, to its return value, or to this pointer.
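
The following Python model is an added illustration, not part of the product or its documentation. It encodes a small call graph with the three arrow kinds and the node types from the legend, then follows only the taint-carrying arrows from a source to each sink or lost sink it reaches. The method names, the edge list, and the choice to represent a return as an edge from callee back to caller are constructed assumptions, and the walk is not the tool's own analysis.

```python
from collections import deque

# Constructed call graph (hypothetical method names, not from a real scan).
# "clean" = call with no known tainted data, "tainted" = call with tainted data,
# "return" = return with tainted data (assumption: edge from callee to caller).
EDGES = [
    ("Servlet.doGet", "Request.getParameter", "clean"),
    ("Request.getParameter", "Servlet.doGet", "return"),
    ("Servlet.doGet", "Dao.findUser", "tainted"),
    ("Dao.findUser", "StringBuilder.append", "tainted"),
    ("StringBuilder.append", "Dao.findUser", "return"),
    ("Dao.findUser", "Statement.executeQuery", "tainted"),
    ("Servlet.doGet", "Plugin.handle", "tainted"),
    ("Servlet.doGet", "Logger.debug", "clean"),
]
ROLES = {"Request.getParameter": "source", "Statement.executeQuery": "sink",
         "Plugin.handle": "virtual lost sink", "StringBuilder.append": "taint propagator"}
COLORS = {"source": "red", "sink": "red", "lost sink": "yellow",
          "virtual lost sink": "yellow", "not a validation routine": "blue"}
ENDPOINTS = {"sink", "lost sink", "virtual lost sink"}

def color(node, roles=ROLES):
    """Node color as listed in the legend; every other node type is grey."""
    return COLORS.get(roles.get(node), "grey")

def traces(edges=EDGES, roles=ROLES):
    """Map each sink or lost sink reached by tainted data to its shortest trace."""
    succ = {}
    for src, dst, kind in edges:
        if kind in ("tainted", "return"):      # only these arrows carry taint
            succ.setdefault(src, []).append(dst)
    found = {}
    for start in (n for n, r in roles.items() if r == "source"):
        prev, queue = {start: None}, deque([start])
        while queue:
            node = queue.popleft()
            if roles.get(node) in ENDPOINTS:   # trace ends here
                path = [node]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                found[node] = path[::-1]       # source first, endpoint last
                continue
            for nxt in succ.get(node, []):
                if nxt not in prev:            # visit each method once
                    prev[nxt] = node
                    queue.append(nxt)
    return found
```

In this model `Logger.debug` never appears in a trace because only an untainted call reaches it, while `Plugin.handle` is reported as an endpoint where the trace is lost rather than as a confirmed sink.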

Tip:
  • In the Trace view, hovering over trace nodes in the graph provides information about the node.
  • The two left panels in the view (the input/output stacks panel and the data flow panel) can be collapsed for easier viewing of the graphical call graph. To collapse these panels, select the Hide tree view arrow button. To display these panels when they are hidden, select the Show tree view arrow button.
  • Move the scroll bar to zoom in and focus on details, or to zoom out to see more. Hovering over the zoom scroll bar provides the current zoom level. To zoom in to the maximum level, click Zoom to 200%. To zoom out as far as possible, click Zoom to fit.