Sources and Sinks view

The Sources and Sinks view lets you browse findings by the data-flow trace that connects an input (source) to an output (sink).

The Sources and Sinks view is divided into three sections:

  • Sources and Sinks: In the left panel, there are three top-level nodes:
    • Source: A source is an input to the program, such as a file, servlet request, console input, or socket. For most input sources, the data returned is unbounded in both content and length. Until that input is checked, it is considered tainted. Sources are listed in every findings table in the Source column.
    • Sink: A sink is any external destination to which data is written, such as a database, file, console output, or socket. Writing unchecked data to a sink may indicate a serious security vulnerability.
    • Lost Sink: A lost sink is an API method at which the analysis can no longer follow the trace, so the trace ends there rather than at a known sink.

    Each node can be expanded to display the affected packages. Packages, in turn, can be expanded to display the affected classes and then methods. Each method can then be expanded to display the package, class, and method at the opposite end of the trace. For example, if you are concerned about a particular sink, drill down to its method under the Sinks root. The tree underneath that method shows the paths back to all of the sources that lead to that sink:

    - Sources
    	- packageA
    		- classA
    			- methodA
    				- packageB
    					- classB
    						- methodB (at opposite end of trace)
    - Sinks
    	- packageB
    		- classB
    			- methodB
    				- packageA
    					- classA
    						- methodA
    - Lost Sinks
    

    The selection that is made in this tree view determines what is displayed in the other two sections of the view.

  • Intermediate nodes: This section of the view displays the union of all of the intermediate nodes of the traces that apply to the selection in the Sources and Sinks section. It allows you to refine what is displayed in the findings table.

    This section is hidden by default. It can be displayed (or hidden again) by clicking Show/Hide the intermediate calls table.

    To display only the findings whose traces pass through a package, class, or method, select the check box in its Require column. To exclude the findings whose traces pass through a package, class, or method, select the check box in its Remove column. Filter settings made in this section can be saved as a new filter.

    Usage example: Given this tree node in the Sources and Sinks section:

    - Sources
    	- java.util
    		- Properties
    			- getProperty

    When getProperty is selected, the findings table displays only the findings whose traces have getProperty as the source. The intermediate nodes section then displays every intermediate node (every node in a trace other than its source and sink) from all traces with getProperty as the source. Often you do not care whether a trace passes through a particular API. For example, you may have a validation routine that ensures that the data coming from getProperty is valid, so you do not want to see traces that go through it. Because that routine is an intermediate node on those traces, it appears in the intermediate nodes section. Browse to the validation routine there and select its Remove check box. This removes from the findings table every finding whose trace passes through that intermediate node.

  • Findings: This section contains the same Findings table (and associated actions) that is in the Findings view and other views with findings. It displays the findings for the sources, sinks, and intermediate nodes that you have chosen to display in the other two sections of the view.
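The three sections above describe one selection-and-filter model: pick a node under a root, collect the intermediate nodes of the matching traces, then narrow the findings with Require and Remove. The following Python is an added example that models that behaviour; it is not the tool's own code or data. The traces, package names and class names it contains (PathValidator, UserDao, Bridge and so on) are constructed for illustration and are assumptions, not scan output.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Node:
    """One method in a trace, addressed the way the tree view groups it."""
    package: str
    cls: str
    method: str

    def key(self) -> Tuple[str, str, str]:
        return (self.package, self.cls, self.method)

    def __str__(self) -> str:
        return f"{self.package}.{self.cls}.{self.method}"


@dataclass(frozen=True)
class Trace:
    """Trace of one finding: source, intermediate calls, and the end node.

    lost=True means the end node is a lost sink (the analysis could not follow
    the call any further), so it is listed under "Lost Sink" rather than "Sink".
    """
    source: Node
    intermediates: Tuple[Node, ...]
    end: Node
    lost: bool = False

    @property
    def root(self) -> str:
        return "Lost Sink" if self.lost else "Sink"


# Constructed sample traces (assumption: illustrative only, not from a real scan).
GET_PROPERTY = Node("java.util", "Properties", "getProperty")
READ_LINE = Node("java.io", "BufferedReader", "readLine")
VALIDATE = Node("com.example.util", "PathValidator", "validate")   # hypothetical
BUILD_QUERY = Node("com.example.dao", "UserDao", "buildQuery")     # hypothetical
EXECUTE_QUERY = Node("java.sql", "Statement", "executeQuery")
RUNTIME_EXEC = Node("java.lang", "Runtime", "exec")
NATIVE_CALL = Node("com.thirdparty", "Bridge", "invoke")           # hypothetical, untraceable

TRACES: List[Trace] = [
    Trace(GET_PROPERTY, (VALIDATE,), RUNTIME_EXEC),
    Trace(GET_PROPERTY, (BUILD_QUERY,), EXECUTE_QUERY),
    Trace(READ_LINE, (VALIDATE, BUILD_QUERY), EXECUTE_QUERY),
    Trace(GET_PROPERTY, (), NATIVE_CALL, lost=True),
]

# A Require/Remove selector names a package, a class, or a method.
Selector = Tuple[str, ...]   # ("pkg",), ("pkg", "Class") or ("pkg", "Class", "method")


def build_tree(traces: Iterable[Trace]) -> dict:
    """Sources and Sinks panel: root -> package -> class -> method -> opposite ends.

    Under "Source" a method maps to the set of end nodes it reaches; under
    "Sink" and "Lost Sink" a method maps to the set of sources that reach it.
    """
    tree: dict = {"Source": {}, "Sink": {}, "Lost Sink": {}}

    def leaf(root: str, node: Node) -> set:
        return (tree[root].setdefault(node.package, {})
                          .setdefault(node.cls, {})
                          .setdefault(node.method, set()))

    for t in traces:
        leaf("Source", t.source).add(t.end)
        leaf(t.root, t.end).add(t.source)
    return tree


def select(traces: Iterable[Trace], root: str, node: Node) -> List[Trace]:
    """Traces that apply when `node` is picked under `root` in the tree."""
    if root == "Source":
        return [t for t in traces if t.source == node]
    return [t for t in traces if t.root == root and t.end == node]


def intermediate_nodes(traces: Iterable[Trace]) -> frozenset:
    """Union of every node that is neither source nor end of the given traces."""
    return frozenset(n for t in traces for n in t.intermediates)


def matches(selector: Selector, node: Node) -> bool:
    return node.key()[:len(selector)] == selector


def apply_filters(traces: Iterable[Trace],
                  require: Sequence[Selector] = (),
                  remove: Sequence[Selector] = ()) -> List[Trace]:
    """Require keeps only traces passing through every required selector;
    Remove drops any trace passing through a removed selector (Remove wins)."""
    kept = []
    for t in traces:
        mids = t.intermediates
        required_ok = all(any(matches(r, n) for n in mids) for r in require)
        removed = any(matches(r, n) for r in remove for n in mids)
        if required_ok and not removed:
            kept.append(t)
    return kept


if __name__ == "__main__":
    selected = select(TRACES, "Source", GET_PROPERTY)
    print("intermediate nodes:", sorted(map(str, intermediate_nodes(selected))))
    for t in apply_filters(selected, remove=[VALIDATE.key()]):
        print("finding:", " -> ".join(map(str, (t.source, *t.intermediates, t.end))))
```

Selecting getProperty under Source yields three traces; removing the validation routine drops the one that passes through it, and requiring the com.example.dao package keeps only the trace that builds a query. Remove is applied after Require so a node that is both required and removed leaves nothing in the table.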