Input/output tracing

An input/output trace is generated when AppScan® Source for Analysis can track the data from a known source to a sink or lost sink.

Input/Output Trace

If the code analysis can track a tainted source to a sink or lost sink, the analysis produces an input/output trace. The root of the trace is the method that gets data from a taint-producing source and passes it through a series of calls that eventually write to an unprotected sink.

Sources and sinks

  • Source: A source is an input to the program, such as a file, servlet request, console input, or socket. For most input sources, the data returned is unbounded in terms of content and length. When an input is not validated, it is considered tainted. Sources are listed in any findings table in the Source column.
  • Sink: A sink can be any external format to which data can be written out. Sink examples include databases, files, console output, and sockets. Writing tainted data to a sink without validating or encoding it for that sink may indicate a serious security vulnerability.
  • Lost sink: A lost sink is an API method into which the analysis can no longer follow the data, for example a call into a library for which neither source code nor a rule describing its behavior is available. The trace ends at the lost sink; the tainted data may still reach a real sink beyond it, so a lost-sink finding needs manual review rather than being dismissed.
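To make the source, sink and lost-sink vocabulary concrete, here is a toy taint tracer written for this page. It is an added example, not AppScan Source code and not a description of its engine: the program model (a dict of functions with parameter lists and tuple-encoded statements), the hypothetical functions `doGet`, `lookup`, `greeting` and the unknown `Legacy.audit` API, and the choice of which Java APIs count as sources, sinks and sanitizers are all constructed for the example. The tracer follows tainted values through assignments, string concatenation and calls, records an input/output trace (root method first) when a sink is reached, and records a lost sink when taint flows into an API it has no body or rule for.

```python
"""Toy source-to-sink taint tracer (added example, not AppScan code).

A program is modelled as {function: {"params": [...], "body": [stmt, ...]}}.
Statement forms:
  ("call", dst_or_None, callee, [args])   callee: local function, known API, or unknown
  ("assign", dst, src)
  ("concat", dst, [parts])                string building; tainted if any part is
  ("return", var)
Variables are plain names; quoted literals such as "'user'" are never tainted.
"""
from dataclasses import dataclass

# Assumed API classification for the example; real scanners ship large rule sets.
SOURCES = {"HttpServletRequest.getParameter", "BufferedReader.readLine"}
SINKS = {
    "Statement.executeQuery": "SQL injection",
    "PrintWriter.println": "cross-site scripting",
}
SANITIZERS = {"StringEscapeUtils.escapeSql"}  # assumed to neutralise the SQL sink


@dataclass
class Finding:
    kind: str        # "sink" or "lost sink"
    api: str         # the sink or lost-sink API the taint reached
    trace: tuple     # hops "function:callee", root method first
    issue: str = ""  # vulnerability type for a known sink


def _first_tainted(names, tainted):
    """Return the trace of the first tainted name in names, or None."""
    return next((tainted[n] for n in names if n in tainted), None)


def trace_function(program, fn, tainted, findings, depth=0):
    """Walk fn's body; tainted maps variable -> trace explaining its taint.
    Returns the trace of the return value if it is tainted, else None."""
    ret = None
    for stmt in program[fn]["body"]:
        op = stmt[0]
        if op == "assign":
            _, dst, src = stmt
            t = tainted.get(src)
            tainted.pop(dst, None) if t is None else tainted.__setitem__(dst, t)
        elif op == "concat":
            _, dst, parts = stmt
            t = _first_tainted(parts, tainted)
            tainted.pop(dst, None) if t is None else tainted.__setitem__(dst, t)
        elif op == "return":
            ret = tainted.get(stmt[1])
        elif op == "call":
            _, dst, callee, args = stmt
            hop = f"{fn}:{callee}"
            if callee in SOURCES:          # root of a new trace
                if dst:
                    tainted[dst] = (hop,)
                continue
            arg_trace = _first_tainted(args, tainted)
            if arg_trace is None:          # nothing tainted flows in
                if dst:
                    tainted.pop(dst, None)
                continue
            trace = arg_trace + (hop,)
            if callee in SINKS:            # tainted data written to a sink
                findings.append(Finding("sink", callee, trace, SINKS[callee]))
                if dst:
                    tainted.pop(dst, None)
            elif callee in SANITIZERS:     # taint stops here
                if dst:
                    tainted.pop(dst, None)
            elif callee in program:        # follow the data into local code
                callee_taint = {p: trace for p, a in
                                zip(program[callee]["params"], args) if a in tainted}
                r = None if depth > 20 else trace_function(
                    program, callee, callee_taint, findings, depth + 1)
                if dst:
                    tainted.pop(dst, None) if r is None else tainted.__setitem__(dst, r)
            else:                          # no body and no rule: lost sink
                findings.append(Finding("lost sink", callee, trace))
                if dst:                    # design choice: assume unknown calls propagate taint
                    tainted[dst] = trace
    return ret


# Constructed sample program in the toy encoding (models a Java servlet).
PROGRAM = {
    "doGet": {"params": ["req", "out"], "body": [
        ("call", "name", "HttpServletRequest.getParameter", ["req", "'user'"]),
        ("call", "row", "lookup", ["name"]),                    # SQLi inside lookup
        ("call", "msg", "greeting", ["name"]),                   # taint returns via greeting
        ("call", None, "PrintWriter.println", ["out", "msg"]),   # XSS
        ("call", "safe", "StringEscapeUtils.escapeSql", ["name"]),
        ("concat", "q2", ["'SELECT 1 FROM t WHERE u='", "safe"]),
        ("call", None, "Statement.executeQuery", ["q2"]),       # sanitised: no finding
        ("call", None, "Legacy.audit", ["name"]),               # unknown API: lost sink
    ]},
    "lookup": {"params": ["name"], "body": [
        ("concat", "q", ["'SELECT * FROM users WHERE name='", "name"]),
        ("call", "rs", "Statement.executeQuery", ["q"]),
        ("return", "rs"),
    ]},
    "greeting": {"params": ["name"], "body": [
        ("concat", "msg", ["'Hello '", "name"]),
        ("return", "msg"),
    ]},
}


def analyze(program=PROGRAM):
    """Run the tracer from every function as an entry point and collect findings."""
    findings = []
    for fn in program:
        trace_function(program, fn, {}, findings)
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f"{f.kind:9} {f.api:28} {f.issue:21} {' -> '.join(f.trace)}")
```

Running the block prints three findings: a SQL injection trace whose root is `doGet` and whose sink is reached inside `lookup`, a cross-site scripting trace where taint comes back out of `greeting` as a return value, and a lost sink at `Legacy.audit`. The sanitised query produces nothing, which is exactly the behaviour a sanitizer rule buys you; note the design choice that an unknown call is assumed to pass taint through its return value, the conservative reading of a lost sink.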