From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2209) id 2C6753858D28; Fri, 22 Mar 2024 14:59:07 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2C6753858D28 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1711119547; bh=K9DpSslkIMGS6UVdTt45thvKWsuqzXbSKLhiJxnrfcs=; h=From:To:Subject:Date:From; b=h6K0PEEjPyA7a9Ox6P/ICjaESWC10jKQFHgxVrYGaqgaYG9SJRsprzil4USKCP0Tk tzW0WeGY16/IT+LMN0BmVWs/xhGmLHfN0KwZgD4+nI5qVEMGf2/f369Yvhpy0t+IAx qY694vBTkLLlXnGF/5jYoHg5v8PwvZuBIHMAA+lI= MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="utf-8" From: David Malcolm To: gcc-cvs@gcc.gnu.org Subject: [gcc r14-9624] analyzer: add SARIF property bags to taint diagnostics X-Act-Checkin: gcc X-Git-Author: David Malcolm X-Git-Refname: refs/heads/master X-Git-Oldrev: 1bf18629c54adf4893c8db5227a36e1952ee69a3 X-Git-Newrev: d475a4571ef310a727a1023856b070f195910140 Message-Id: <20240322145907.2C6753858D28@sourceware.org> Date: Fri, 22 Mar 2024 14:59:07 +0000 (GMT) List-Id: https://gcc.gnu.org/g:d475a4571ef310a727a1023856b070f195910140 commit r14-9624-gd475a4571ef310a727a1023856b070f195910140 Author: David Malcolm Date: Fri Mar 22 10:57:20 2024 -0400 analyzer: add SARIF property bags to taint diagnostics Another followup to r14-6057-g12b67d1e13b3cf to make it easier to debug the analyzer. gcc/analyzer/ChangeLog: * sm-taint.cc: Include "diagnostic-format-sarif.h". (bounds_to_str): New. (taint_diagnostic::maybe_add_sarif_properties): New. (tainted_offset::tainted_offset): Add "offset" param. (tainted_offset::maybe_add_sarif_properties): New. (tainted_offset::m_offset): New. (region_model::check_region_for_taint): Pass offset to tainted_offset ctor. Signed-off-by: David Malcolm Diff: --- gcc/analyzer/sm-taint.cc | 50 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 3 deletions(-) 
diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc
index bbf683f82ef..c873c9ebd33 100644
--- a/gcc/analyzer/sm-taint.cc
+++ b/gcc/analyzer/sm-taint.cc
@@ -50,6 +50,7 @@ along with GCC; see the file COPYING3. If not see
 #include "analyzer/program-state.h"
 #include "analyzer/pending-diagnostic.h"
 #include "analyzer/constraint-manager.h"
+#include "diagnostic-format-sarif.h"
 #if ENABLE_ANALYZER
@@ -71,6 +72,22 @@ enum bounds
 BOUNDS_LOWER
 };
+static const char *
+bounds_to_str (enum bounds b)
+{
+ switch (b)
+ {
+ default:
+ gcc_unreachable ();
+ case BOUNDS_NONE:
+ return "BOUNDS_NONE";
+ case BOUNDS_UPPER:
+ return "BOUNDS_UPPER";
+ case BOUNDS_LOWER:
+ return "BOUNDS_LOWER";
+ }
+}
+
 /* An experimental state machine, for tracking "taint": unsanitized uses of data potentially under an attacker's control. */
@@ -193,6 +210,17 @@ public:
 return diagnostic_event::meaning ();
 }
+ void maybe_add_sarif_properties (sarif_object &result_obj)
+ const override
+ {
+ sarif_property_bag &props = result_obj.get_or_create_properties ();
+#define PROPERTY_PREFIX "gcc/analyzer/taint_diagnostic/"
+ props.set (PROPERTY_PREFIX "arg", tree_to_json (m_arg));
+ props.set_string (PROPERTY_PREFIX "has_bounds",
+ bounds_to_str (m_has_bounds));
+#undef PROPERTY_PREFIX
+ }
+
 protected:
 const taint_state_machine &m_sm;
 tree m_arg;
@@ -315,8 +343,10 @@ class tainted_offset : public taint_diagnostic
 {
 public:
 tainted_offset (const taint_state_machine &sm, tree arg,
- enum bounds has_bounds)
- : taint_diagnostic (sm, arg, has_bounds)
+ enum bounds has_bounds,
+ const svalue *offset)
+ : taint_diagnostic (sm, arg, has_bounds),
+ m_offset (offset)
 {}
 const char *get_kind () const final override { return "tainted_offset"; }
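Review bot: bounds_to_str in the @@ -71,6 +72,22 @@ hunk has no leading comment, which GCC's conventions ask for on every function definition; a one-liner such as `/* Get a string for B, for use in SARIF property bags.  */` above `static const char *` would do. The `default: gcc_unreachable ();` label is consistent with the rest of the analyzer, but note that a default label suppresses -Wswitch, so a future enumerator added to enum bounds will not be flagged here and would hit gcc_unreachable at runtime; a comment on the switch saying the cases must track enum bounds would help the next maintainer.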
@@ -409,6 +439,19 @@ public:
 " checking");
 }
 }
+
+ void maybe_add_sarif_properties (sarif_object &result_obj)
+ const final override
+ {
+ taint_diagnostic::maybe_add_sarif_properties (result_obj);
+ sarif_property_bag &props = result_obj.get_or_create_properties ();
+#define PROPERTY_PREFIX "gcc/analyzer/tainted_offset/"
+ props.set (PROPERTY_PREFIX "offset", m_offset->to_json ());
+#undef PROPERTY_PREFIX
+ }
+
+private:
+ const svalue *m_offset;
 };
 /* Concrete taint_diagnostic subclass for reporting attacker-controlled
@@ -1554,7 +1597,8 @@ region_model::check_region_for_taint (const region *reg,
 if (taint_sm.get_taint (state, effective_type, &b))
 {
 tree arg = get_representative_tree (offset);
- ctxt->warn (make_unique (taint_sm, arg, b));
+ ctxt->warn (make_unique (taint_sm, arg, b,
+ offset));
 }
 }
 break;
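Review bot: `m_offset->to_json ()` in tainted_offset::maybe_add_sarif_properties dereferences m_offset unconditionally, yet neither the new constructor parameter (in the @@ -315,8 +343,10 @@ hunk) nor the member documents that OFFSET must be non-null. The only caller visible here, in check_region_for_taint, passes the svalue it just queried get_taint on, so it is presumably never null, but making that invariant explicit with `gcc_assert (offset);` in the constructor, or at least a member comment such as `/* The svalue for the tainted offset being reported; assumed non-null.  */`, would keep a future caller from producing a diagnostic that crashes only when SARIF output is requested. The class tainted_offset begins outside this hunk.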