Hello,

I am getting some false positives with some of my queries, which are usually centered around a source node flowing into an object and then other data from that object flowing into a sink node.

Here is a simple example,

In this case, password is a source variable, while LOG.error is a sink. However, by having it flow into env, it now marks any use of the object as a detection even though this case has nothing to do with password. Is there any way to reduce cases like this?

Thank you
Looks like a fairly simple case of storing a value in a map using one key and then getting false positive flow at the point where a value is taken from the map using a different key. This is a known problem and it's due to the level of precision at which we currently track container content for flow in Java. We have a solution lined up that we've been wanting to implement for some while now, but it's simply been a matter of priorities. Thank you for the report, though, signal like this helps us prioritise, and this is definitely on our radar. Unfortunately I cannot provide an estimate for when we'll be able to prioritise this at the moment, but I've linked this issue from our internal tracking issue on this, so I'll be able to give an update here once it's done.
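The reporter's snippet is not on the page, so the following is a constructed illustration (added here, not the reporter's or CodeQL's code) of the pattern the reply describes: a secret stored under one map key, a different key read back and logged, and the key-insensitive container model reporting flow from `password` to the logger anyway. The second method keeps the secret out of the map the logger reads from, which gives the analysis nothing to report and also removes the risk of a later `env.get` mistake leaking it. `LOG.severe` from java.util.logging stands in for the page's `LOG.error` so the file runs without dependencies; method and key names are assumptions.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

public class MapFlowExample {
    private static final Logger LOG = Logger.getLogger("demo");

    // Pattern from the report: the secret is put into the map under one key,
    // an unrelated key is read back and logged. A container model that does
    // not distinguish keys treats all map content as tainted once any value
    // is, so the query reports password -> env -> LOG.severe although only
    // the "HOME" value ever reaches the sink.
    static String logHomeFromSharedMap(String password) {
        Map<String, String> env = new HashMap<>();
        env.put("HOME", "/home/demo");     // constructed, non-secret value
        env.put("DB_PASSWORD", password);  // source value stored in the map
        String home = env.get("HOME");     // different key: no real flow
        LOG.severe("home=" + home);        // sink: reported as a false positive
        return home;
    }

    // Restructured: the secret never enters the map that feeds the logger.
    // No map content derives from the source, so there is no flow to report,
    // and a future env.get("DB_PASSWORD") cannot end up in a log line either.
    static String logHomeSeparated(String password) {
        Map<String, String> env = new HashMap<>();
        env.put("HOME", "/home/demo");
        useCredential(password);           // passed directly, not via env
        String home = env.get("HOME");
        LOG.severe("home=" + home);
        return home;
    }

    // Consumer of the credential; copies it into a buffer that is cleared
    // after use so the secret does not linger longer than needed.
    static void useCredential(String password) {
        char[] buf = password.toCharArray();
        // ... authenticate with buf here ...
        Arrays.fill(buf, '\0');
    }

    public static void main(String[] args) {
        logHomeFromSharedMap("s3cret"); // constructed sample input
        logHomeSeparated("s3cret");
    }
}
```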