Merge branch 'secure-software-engineering:develop' into improve-code

Author: MarcMil

soot-infoflow-integration/pom.xml

@@ -144,7 +144,7 @@
 		<dependency>
 		    <groupId>org.springframework</groupId>
 		    <artifactId>spring-web</artifactId>
-		    <version>6.2.1</version>
+		    <version>6.2.8</version>
 			<scope>test</scope>
 		</dependency>
     </dependencies>

soot-infoflow-summaries/pom.xml

@@ -247,7 +247,7 @@
 		<dependency>
 		    <groupId>org.springframework</groupId>
 		    <artifactId>spring-web</artifactId>
-		    <version>6.2.1</version>
+		    <version>6.2.8</version>
 			<scope>test</scope>
 		</dependency>
 	</dependencies>

soot-infoflow/pom.xml

@@ -154,7 +154,7 @@
 		<dependency>
 		    <groupId>org.springframework</groupId>
 		    <artifactId>spring-web</artifactId>
-		    <version>6.1.13</version>
+		    <version>6.1.14</version>
 			<scope>test</scope>
 		</dependency>
 	</dependencies>

soot-infoflow/src/soot/jimple/infoflow/codeOptimization/InterproceduralConstantValuePropagator.java

@@ -483,7 +483,6 @@ private void propagateReturnValueIntoCallers(SootMethod sm) {
 							ConstantPropagatorAndFolder.v().transform(caller.getActiveBody());
 							checkAndAddMethod(caller);
 						}
-						caller.getActiveBody().getUnits().remove(assignConst);
 
 						Stmt inv = Jimple.v().newInvokeStmt(assign.getInvokeExpr());
 						caller.getActiveBody().getUnits().swapWith(assign, inv);

soot-infoflow/src/soot/jimple/infoflow/problems/rules/backward/BackwardsImplicitFlowRule.java

@@ -22,7 +22,6 @@
 import soot.jimple.SwitchStmt;
 import soot.jimple.infoflow.InfoflowManager;
 import soot.jimple.infoflow.aliasing.Aliasing;
-import soot.jimple.infoflow.collect.MyConcurrentHashMap;
 import soot.jimple.infoflow.data.Abstraction;
 import soot.jimple.infoflow.data.AccessPath;
 import soot.jimple.infoflow.problems.TaintPropagationResults;
@@ -38,7 +37,6 @@
  * @author Tim Lange
  */
 public class BackwardsImplicitFlowRule extends AbstractTaintPropagationRule {
-	private final MyConcurrentHashMap<Unit, Set<Abstraction>> implicitTargets = new MyConcurrentHashMap<Unit, Set<Abstraction>>();
 
 	public BackwardsImplicitFlowRule(InfoflowManager manager, Abstraction zeroValue, TaintPropagationResults results) {
 		super(manager, zeroValue, results);
@@ -164,12 +162,6 @@ public Collection<Abstraction> propagateCallFlow(Abstraction d1, Abstraction sou
 			return null;
 		}
 
-		if (implicitTargets.containsKey(stmt) && (d1 == null || implicitTargets.get(stmt).contains(d1))) {
-			if (killAll != null)
-				killAll.value = true;
-			return null;
-		}
-
 		// We do not propagate empty taints into methods
 		// because backward no taints are derived from empty taints.
 		if (source.getAccessPath().isEmpty()) {
@@ -225,8 +217,8 @@ public Collection<Abstraction> propagateCallToReturnFlow(Abstraction d1, Abstrac
 
 					List<Unit> condUnits = manager.getICFG().getConditionalBranchesInterprocedural(stmt);
 					for (Unit condUnit : condUnits) {
-						Abstraction abs = new Abstraction(sink.getAllDefinitions(), AccessPath.getEmptyAccessPath(), stmt,
-								sink.getUserData(), false, false);
+						Abstraction abs = new Abstraction(sink.getAllDefinitions(), AccessPath.getEmptyAccessPath(),
+								stmt, sink.getUserData(), false, false);
 						abs.setCorrespondingCallSite(stmt);
 						abs.setDominator(condUnit);
 						res.add(abs);
@@ -235,8 +227,8 @@ public Collection<Abstraction> propagateCallToReturnFlow(Abstraction d1, Abstrac
 					if (!sm.isStatic()) {
 						AccessPath thisAp = manager.getAccessPathFactory()
 								.createAccessPath(sm.getActiveBody().getThisLocal(), false);
-						Abstraction thisTaint = new Abstraction(sink.getDefinitionsForAccessPath(ap), thisAp, stmt, sink.getUserData(),
-								false, false);
+						Abstraction thisTaint = new Abstraction(sink.getDefinitionsForAccessPath(ap), thisAp, stmt,
+								sink.getUserData(), false, false);
 						thisTaint.setCorrespondingCallSite(stmt);
 						res.add(thisTaint);
 					}
@@ -269,12 +261,6 @@ public Collection<Abstraction> propagateCallToReturnFlow(Abstraction d1, Abstrac
 				&& getAliasing().mayAlias(((AssignStmt) stmt).getLeftOp(), source.getAccessPath().getPlainValue())) {
 			boolean isImplicit = source.getDominator() != null;
 			if (isImplicit) {
-//                if (d1 != null) {
-//                    Set<Abstraction> callSites = implicitTargets.putIfAbsentElseGet(stmt,
-//                            new ConcurrentHashSet<Abstraction>());
-//                    callSites.add(d1);
-//                }
-
 				killSource.value = true;
 				return Collections.singleton(source.deriveConditionalUpdate(stmt));
 			}

soot-infoflow/test/soot/jimple/infoflow/test/junit/backward/ImplicitFlowTests.java

@@ -1,5 +1,7 @@
 package soot.jimple.infoflow.test.junit.backward;
 
+import org.junit.Ignore;
+
 import soot.jimple.infoflow.AbstractInfoflow;
 import soot.jimple.infoflow.BackwardsInfoflow;
 
@@ -10,4 +12,12 @@ protected AbstractInfoflow createInfoflowInstance() {
 		return new BackwardsInfoflow(null, false, null);
 	}
 
+	@Ignore("When running backwards, we don't know that the method will be from a "
+			+ "different class depending on the instantiation of the object that we don't "
+			+ "see until further up in the code, i.e., later in the analysis")
+	@Override
+	public void dataClassSetterTest() {
+		//
+	}
+
 }