[clang] [analyzer] Moving TaintPropagation checker out of alpha (PR #67352)
Daniel Krupp via cfe-commits
cfe-commits at lists.llvm.org
Mon Sep 25 10:21:15 PDT 2023
https://github.com/dkrupp created https://github.com/llvm/llvm-project/pull/67352
This commit renames alpha.security.taint.TaintPropagation checker to optin.security.taint.TaintPropagation.
This checker was stabilized and improved by recent commits thus it's ready for production use.
The checker is placed in the optin package as it implements an optional security analysis.
Reports by the checker:
- memcached [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=memcached_1.6.8_ednikru_taint_dealpha_baseline&newcheck=memcached_1.6.8_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- tmux [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tmux_2.6_ednikru_taint_dealpha_baseline&newcheck=tmux_2.6_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- twin [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=twin_v0.8.1_ednikru_taint_dealpha_baseline&newcheck=twin_v0.8.1_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- vim [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=vim_v8.2.1920_ednikru_taint_dealpha_baseline&newcheck=vim_v8.2.1920_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- openssl [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=openssl_openssl-3.0.0-alpha7_ednikru_taint_dealpha_baseline&newcheck=openssl_openssl-3.0.0-alpha7_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- sqlite [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=sqlite_version-3.33.0_ednikru_taint_dealpha_baseline&newcheck=sqlite_version-3.33.0_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- ffmpeg [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=ffmpeg_n4.3.1_ednikru_taint_dealpha_baseline&newcheck=ffmpeg_n4.3.1_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- tinyxml [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tinyxml2_8.0.0_ednikru_taint_dealpha_baseline&newcheck=tinyxml2_8.0.0_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- libwebm [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=libwebm_libwebm-1.0.0.27_ednikru_taint_dealpha_baseline&newcheck=libwebm_libwebm-1.0.0.27_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- xerces [0 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=xerces_v3.2.3_ednikru_taint_dealpha_baseline&newcheck=xerces_v3.2.3_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
- postgres [3 reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=postgres_REL_13_0_ednikru_taint_dealpha_baseline&newcheck=postgres_REL_13_0_ednikru_taint_dealpha_new&is-unique=on&diff-type=New)
All reports are true positive in the sense that they correctly indicate that tainted data gets to the trusted source and the data path is correctly shown.
2 reports are indicating particularly interesting potential vulnerabilities.
- [Untrusted data is passed to a system call](https://codechecker-demo.eastus.cloudapp.azure.com/Default/report-detail?run=postgres_REL_13_0_ednikru_taint_dealpha_baseline&newcheck=postgres_REL_13_0_ednikru_taint_dealpha_new&is-unique=on&diff-type=New&report-id=2721643&report-hash=29792212406eaa5c1c2ffac790fef9fa&report-filepath=%2afe-print.c)
- [Untrusted data is passed to a system call](https://codechecker-demo.eastus.cloudapp.azure.com/Default/report-detail?run=postgres_REL_13_0_ednikru_taint_dealpha_baseline&newcheck=postgres_REL_13_0_ednikru_taint_dealpha_new&is-unique=on&diff-type=New&report-id=2722532&report-hash=4483012d4ec028b6c325ba8cb05540e5&report-filepath=%2aprint.c)
If the if environment variables regarded untrusted, an attacker may be able to execute arbitrary command through popen.
The report [Untrusted data is used to specify the buffer size](https://codechecker-demo.eastus.cloudapp.azure.com/Default/report-detail?run=postgres_REL_13_0_ednikru_taint_dealpha_baseline&newcheck=postgres_REL_13_0_ednikru_taint_dealpha_new&is-unique=on&diff-type=New&report-id=2717295&report-hash=2cbf6c15bcd80e8066497f61a8478aef&report-filepath=%2aexec.c)
is likely not a vulnerability, as an environment string is just copied to another buffer.
>From d1fcbb6dbb65ee029b7fbcc0d1278f589bfc250b Mon Sep 17 00:00:00 2001
From: Daniel Krupp <daniel.krupp at ericsson.com>
Date: Mon, 11 Sep 2023 14:16:11 +0200
Subject: [PATCH] [analyzer] Moving TaintPropagation checker out of alpha
This commit renames alpha.security.taint.TaintPropagation
checker to optin.security.taint.TaintPropagation.
This checker was stabilized and improved by recent commits
thus it's ready for production use.
The checker is placed in the optin package as it implements
an optional security analysis.
---
clang/docs/analyzer/checkers.rst | 492 +++++++++---------
.../user-docs/TaintAnalysisConfiguration.rst | 4 +-
.../clang/StaticAnalyzer/Checkers/Checkers.td | 7 +-
clang/test/Analysis/analyzer-config.c | 2 +-
.../Analysis/assume-controlled-environment.c | 4 +-
clang/test/Analysis/bool-assignment.c | 4 +-
clang/test/Analysis/cxx-method-names.cpp | 2 +-
.../Analysis/debug-exprinspection-istainted.c | 2 +-
.../sarif-diagnostics-taint-test.c | 2 +-
.../diagnostics/sarif-multi-diagnostic-test.c | 2 +-
.../global-region-invalidation-errno.c | 4 +-
.../Analysis/global-region-invalidation.c | 2 +-
clang/test/Analysis/redefined_system.c | 2 +-
clang/test/Analysis/string.c | 2 +-
...nt-checker-callback-order-has-definition.c | 2 +-
...hecker-callback-order-without-definition.c | 2 +-
.../test/Analysis/taint-diagnostic-visitor.c | 2 +-
clang/test/Analysis/taint-dumps.c | 2 +-
clang/test/Analysis/taint-generic.c | 26 +-
clang/test/Analysis/taint-generic.cpp | 2 +-
clang/test/Analysis/taint-tester.c | 2 +-
clang/test/Analysis/taint-tester.cpp | 2 +-
clang/test/Analysis/taint-tester.m | 6 +-
clang/utils/analyzer/SATestBuild.py | 2 +-
clang/www/analyzer/alpha_checks.html | 6 +-
25 files changed, 295 insertions(+), 290 deletions(-)
diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index dbd6d7787823530..e68b10dc2c1c6c5 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -533,7 +533,253 @@ Warns when a nullable pointer is returned from a function that has _Nonnull retu
optin
^^^^^
-Checkers for portability, performance or coding style specific rules.
+Optional checkers for portability, performance, security or coding style checkers
+which may not be applicable to all projects.
+
+optin.security.taint
+^^^^^^^^^^^^^^^^^^^^
+
+Checkers implementing
+`taint analysis <https://en.wikipedia.org/wiki/Taint_checking>`_.
+
+.. optin-security-taint-TaintPropagation:
+
+optin.security.taint.TaintPropagation (C, C++)
+""""""""""""""""""""""""""""""""""""""""""""""
+
+Taint analysis identifies potential security vulnerabilities where the
+attacker can inject malicious data to the program to execute an attack
+(privilege escalation, command injection, SQL injection etc.).
+
+The malicious data is injected at the taint source (e.g. ``getenv()`` call)
+which is then propagated through function calls and being used as arguments of
+sensitive operations, also called as taint sinks (e.g. ``system()`` call).
+
+One can defend against this type of vulnerability by always checking and
+sanitizing the potentially malicious, untrusted user input.
+
+The goal of the checker is to discover and show to the user these potential
+taint source-sink pairs and the propagation call chain.
+
+The most notable examples of taint sources are:
+
+ - data from network
+ - files or standard input
+ - environment variables
+ - data from databases
+
+Let us examine a practical example of a Command Injection attack.
+
+.. code-block:: c
+
+ // Command Injection Vulnerability Example
+ int main(int argc, char** argv) {
+ char cmd[2048] = "/bin/cat ";
+ char filename[1024];
+ printf("Filename:");
+ scanf (" %1023[^\n]", filename); // The attacker can inject a shell escape here
+ strcat(cmd, filename);
+ system(cmd); // Warning: Untrusted data is passed to a system call
+ }
+
+The program prints the content of any user specified file.
+Unfortunately the attacker can execute arbitrary commands
+with shell escapes. For example with the following input the `ls` command is also
+executed after the contents of `/etc/shadow` is printed.
+`Input: /etc/shadow ; ls /`
+
+The analysis implemented in this checker points out this problem.
+
+One can protect against such attack by for example checking if the provided
+input refers to a valid file and removing any invalid user input.
+
+.. code-block:: c
+
+ // No vulnerability anymore, but we still get the warning
+ void sanitizeFileName(char* filename){
+ if (access(filename,F_OK)){// Verifying user input
+ printf("File does not exist\n");
+ filename[0]='\0';
+ }
+ }
+ int main(int argc, char** argv) {
+ char cmd[2048] = "/bin/cat ";
+ char filename[1024];
+ printf("Filename:");
+ scanf (" %1023[^\n]", filename); // The attacker can inject a shell escape here
+ sanitizeFileName(filename);// filename is safe after this point
+ if (!filename[0])
+ return -1;
+ strcat(cmd, filename);
+ system(cmd); // Superfluous Warning: Untrusted data is passed to a system call
+ }
+
+Unfortunately, the checker cannot discover automatically that the programmer
+have performed data sanitation, so it still emits the warning.
+
+One can get rid of this superfluous warning by telling by specifying the
+sanitation functions in the taint configuration file (see
+:doc:`user-docs/TaintAnalysisConfiguration`).
+
+.. code-block:: YAML
+
+ Filters:
+ - Name: sanitizeFileName
+ Args: [0]
+
+The clang invocation to pass the configuration file location:
+
+.. code-block:: bash
+
+ clang --analyze -Xclang -analyzer-config -Xclang optin.security.taint.TaintPropagation:Config=`pwd`/taint_config.yml ...
+
+If you are validating your inputs instead of sanitizing them, or don't want to
+mention each sanitizing function in our configuration,
+you can use a more generic approach.
+
+Introduce a generic no-op `csa_mark_sanitized(..)` function to
+tell the Clang Static Analyzer
+that the variable is safe to be used on that analysis path.
+
+.. code-block:: c
+
+ // Marking sanitized variables safe.
+ // No vulnerability anymore, no warning.
+
+ // User csa_mark_sanitize function is for the analyzer only
+ #ifdef __clang_analyzer__
+ void csa_mark_sanitized(const void *);
+ #endif
+
+ int main(int argc, char** argv) {
+ char cmd[2048] = "/bin/cat ";
+ char filename[1024];
+ printf("Filename:");
+ scanf (" %1023[^\n]", filename);
+ if (access(filename,F_OK)){// Verifying user input
+ printf("File does not exist\n");
+ return -1;
+ }
+ #ifdef __clang_analyzer__
+ csa_mark_sanitized(filename); // Indicating to CSA that filename variable is safe to be used after this point
+ #endif
+ strcat(cmd, filename);
+ system(cmd); // No warning
+ }
+
+Similarly to the previous example, you need to
+define a `Filter` function in a `YAML` configuration file
+and add the `csa_mark_sanitized` function.
+
+.. code-block:: YAML
+
+ Filters:
+ - Name: csa_mark_sanitized
+ Args: [0]
+
+Then calling `csa_mark_sanitized(X)` will tell the analyzer that `X` is safe to
+be used after this point, because its contents are verified. It is the
+responsibility of the programmer to ensure that this verification was indeed
+correct. Please note that `csa_mark_sanitized` function is only declared and
+used during Clang Static Analysis and skipped in (production) builds.
+
+Further examples of injection vulnerabilities this checker can find.
+
+.. code-block:: c
+
+ void test() {
+ char x = getchar(); // 'x' marked as tainted
+ system(&x); // warn: untrusted data is passed to a system call
+ }
+
+ // note: compiler internally checks if the second param to
+ // sprintf is a string literal or not.
+ // Use -Wno-format-security to suppress compiler warning.
+ void test() {
+ char s[10], buf[10];
+ fscanf(stdin, "%s", s); // 's' marked as tainted
+
+ sprintf(buf, s); // warn: untrusted data used as a format string
+ }
+
+ void test() {
+ size_t ts;
+ scanf("%zd", &ts); // 'ts' marked as tainted
+ int *p = (int *)malloc(ts * sizeof(int));
+ // warn: untrusted data used as buffer size
+ }
+
+There are built-in sources, propagations and sinks even if no external taint
+configuration is provided.
+
+Default sources:
+ ``_IO_getc``, ``fdopen``, ``fopen``, ``freopen``, ``get_current_dir_name``,
+ ``getch``, ``getchar``, ``getchar_unlocked``, ``getwd``, ``getcwd``,
+ ``getgroups``, ``gethostname``, ``getlogin``, ``getlogin_r``, ``getnameinfo``,
+ ``gets``, ``gets_s``, ``getseuserbyname``, ``readlink``, ``readlinkat``,
+ ``scanf``, ``scanf_s``, ``socket``, ``wgetch``
+
+Default propagations rules:
+ ``atoi``, ``atol``, ``atoll``, ``basename``, ``dirname``, ``fgetc``,
+ ``fgetln``, ``fgets``, ``fnmatch``, ``fread``, ``fscanf``, ``fscanf_s``,
+ ``index``, ``inflate``, ``isalnum``, ``isalpha``, ``isascii``, ``isblank``,
+ ``iscntrl``, ``isdigit``, ``isgraph``, ``islower``, ``isprint``, ``ispunct``,
+ ``isspace``, ``isupper``, ``isxdigit``, ``memchr``, ``memrchr``, ``sscanf``,
+ ``getc``, ``getc_unlocked``, ``getdelim``, ``getline``, ``getw``, ``memcmp``,
+ ``memcpy``, ``memmem``, ``memmove``, ``mbtowc``, ``pread``, ``qsort``,
+ ``qsort_r``, ``rawmemchr``, ``read``, ``recv``, ``recvfrom``, ``rindex``,
+ ``strcasestr``, ``strchr``, ``strchrnul``, ``strcasecmp``, ``strcmp``,
+ ``strcspn``, ``strlen``, ``strncasecmp``, ``strncmp``, ``strndup``,
+ ``strndupa``, ``strnlen``, ``strpbrk``, ``strrchr``, ``strsep``, ``strspn``,
+ ``strstr``, ``strtol``, ``strtoll``, ``strtoul``, ``strtoull``, ``tolower``,
+ ``toupper``, ``ttyname``, ``ttyname_r``, ``wctomb``, ``wcwidth``
+
+Default sinks:
+ ``printf``, ``setproctitle``, ``system``, ``popen``, ``execl``, ``execle``,
+ ``execlp``, ``execv``, ``execvp``, ``execvP``, ``execve``, ``dlopen``,
+ ``memcpy``, ``memmove``, ``strncpy``, ``strndup``, ``malloc``, ``calloc``,
+ ``alloca``, ``memccpy``, ``realloc``, ``bcopy``
+
+Please note that there are no built-in filter functions.
+
+One can configure their own taint sources, sinks, and propagation rules by
+providing a configuration file via checker option
+``optin.security.taint.TaintPropagation:Config``. The configuration file is in
+`YAML <http://llvm.org/docs/YamlIO.html#introduction-to-yaml>`_ format. The
+taint-related options defined in the config file extend but do not override the
+built-in sources, rules, sinks. The format of the external taint configuration
+file is not stable, and could change without any notice even in a non-backward
+compatible way.
+
+For a more detailed description of configuration options, please see the
+:doc:`user-docs/TaintAnalysisConfiguration`. For an example see
+:ref:`clangsa-taint-configuration-example`.
+
+**Configuration**
+
+* `Config` Specifies the name of the YAML configuration file. The user can
+ define their own taint sources and sinks.
+
+**Related Guidelines**
+
+* `CWE Data Neutralization Issues
+ <https://cwe.mitre.org/data/definitions/137.html>`_
+* `SEI Cert STR02-C. Sanitize data passed to complex subsystems
+ <https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems>`_
+* `SEI Cert ENV33-C. Do not call system()
+ <https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177>`_
+* `ENV03-C. Sanitize the environment when invoking external programs
+ <https://wiki.sei.cmu.edu/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs>`_
+
+**Limitations**
+
+* The taintedness property is not propagated through function calls which are
+ unknown (or too complex) to the analyzer, unless there is a specific
+ propagation rule built-in to the checker or given in the YAML configuration
+ file. This causes potential true positive findings to be lost.
+
+Optional checkers for portability, performance, security
+or coding style specific rules.
.. _optin-cplusplus-UninitializedObject:
@@ -2217,7 +2463,7 @@ Warn about buffer overflows (newer checker).
buf[0][-1] = 1; // warn
}
- // note: requires alpha.security.taint check turned on.
+ // note: requires optin.security.taint check turned on.
void test() {
char s[] = "abc";
int x = getchar();
@@ -2406,248 +2652,6 @@ pointer. These functions include: getenv, localeconv, asctime, setlocale, strerr
// dereferencing invalid pointer
}
-alpha.security.taint
-^^^^^^^^^^^^^^^^^^^^
-
-Checkers implementing
-`taint analysis <https://en.wikipedia.org/wiki/Taint_checking>`_.
-
-.. _alpha-security-taint-TaintPropagation:
-
-alpha.security.taint.TaintPropagation (C, C++)
-""""""""""""""""""""""""""""""""""""""""""""""
-
-Taint analysis identifies potential security vulnerabilities where the
-attacker can inject malicious data to the program to execute an attack
-(privilege escalation, command injection, SQL injection etc.).
-
-The malicious data is injected at the taint source (e.g. ``getenv()`` call)
-which is then propagated through function calls and being used as arguments of
-sensitive operations, also called as taint sinks (e.g. ``system()`` call).
-
-One can defend against this type of vulnerability by always checking and
-sanitizing the potentially malicious, untrusted user input.
-
-The goal of the checker is to discover and show to the user these potential
-taint source-sink pairs and the propagation call chain.
-
-The most notable examples of taint sources are:
-
- - data from network
- - files or standard input
- - environment variables
- - data from databases
-
-Let us examine a practical example of a Command Injection attack.
-
-.. code-block:: c
-
- // Command Injection Vulnerability Example
- int main(int argc, char** argv) {
- char cmd[2048] = "/bin/cat ";
- char filename[1024];
- printf("Filename:");
- scanf (" %1023[^\n]", filename); // The attacker can inject a shell escape here
- strcat(cmd, filename);
- system(cmd); // Warning: Untrusted data is passed to a system call
- }
-
-The program prints the content of any user specified file.
-Unfortunately the attacker can execute arbitrary commands
-with shell escapes. For example with the following input the `ls` command is also
-executed after the contents of `/etc/shadow` is printed.
-`Input: /etc/shadow ; ls /`
-
-The analysis implemented in this checker points out this problem.
-
-One can protect against such attack by for example checking if the provided
-input refers to a valid file and removing any invalid user input.
-
-.. code-block:: c
-
- // No vulnerability anymore, but we still get the warning
- void sanitizeFileName(char* filename){
- if (access(filename,F_OK)){// Verifying user input
- printf("File does not exist\n");
- filename[0]='\0';
- }
- }
- int main(int argc, char** argv) {
- char cmd[2048] = "/bin/cat ";
- char filename[1024];
- printf("Filename:");
- scanf (" %1023[^\n]", filename); // The attacker can inject a shell escape here
- sanitizeFileName(filename);// filename is safe after this point
- if (!filename[0])
- return -1;
- strcat(cmd, filename);
- system(cmd); // Superfluous Warning: Untrusted data is passed to a system call
- }
-
-Unfortunately, the checker cannot discover automatically that the programmer
-have performed data sanitation, so it still emits the warning.
-
-One can get rid of this superfluous warning by telling by specifying the
-sanitation functions in the taint configuration file (see
-:doc:`user-docs/TaintAnalysisConfiguration`).
-
-.. code-block:: YAML
-
- Filters:
- - Name: sanitizeFileName
- Args: [0]
-
-The clang invocation to pass the configuration file location:
-
-.. code-block:: bash
-
- clang --analyze -Xclang -analyzer-config -Xclang alpha.security.taint.TaintPropagation:Config=`pwd`/taint_config.yml ...
-
-If you are validating your inputs instead of sanitizing them, or don't want to
-mention each sanitizing function in our configuration,
-you can use a more generic approach.
-
-Introduce a generic no-op `csa_mark_sanitized(..)` function to
-tell the Clang Static Analyzer
-that the variable is safe to be used on that analysis path.
-
-.. code-block:: c
-
- // Marking sanitized variables safe.
- // No vulnerability anymore, no warning.
-
- // User csa_mark_sanitize function is for the analyzer only
- #ifdef __clang_analyzer__
- void csa_mark_sanitized(const void *);
- #endif
-
- int main(int argc, char** argv) {
- char cmd[2048] = "/bin/cat ";
- char filename[1024];
- printf("Filename:");
- scanf (" %1023[^\n]", filename);
- if (access(filename,F_OK)){// Verifying user input
- printf("File does not exist\n");
- return -1;
- }
- #ifdef __clang_analyzer__
- csa_mark_sanitized(filename); // Indicating to CSA that filename variable is safe to be used after this point
- #endif
- strcat(cmd, filename);
- system(cmd); // No warning
- }
-
-Similarly to the previous example, you need to
-define a `Filter` function in a `YAML` configuration file
-and add the `csa_mark_sanitized` function.
-
-.. code-block:: YAML
-
- Filters:
- - Name: csa_mark_sanitized
- Args: [0]
-
-Then calling `csa_mark_sanitized(X)` will tell the analyzer that `X` is safe to
-be used after this point, because its contents are verified. It is the
-responsibility of the programmer to ensure that this verification was indeed
-correct. Please note that `csa_mark_sanitized` function is only declared and
-used during Clang Static Analysis and skipped in (production) builds.
-
-Further examples of injection vulnerabilities this checker can find.
-
-.. code-block:: c
-
- void test() {
- char x = getchar(); // 'x' marked as tainted
- system(&x); // warn: untrusted data is passed to a system call
- }
-
- // note: compiler internally checks if the second param to
- // sprintf is a string literal or not.
- // Use -Wno-format-security to suppress compiler warning.
- void test() {
- char s[10], buf[10];
- fscanf(stdin, "%s", s); // 's' marked as tainted
-
- sprintf(buf, s); // warn: untrusted data used as a format string
- }
-
- void test() {
- size_t ts;
- scanf("%zd", &ts); // 'ts' marked as tainted
- int *p = (int *)malloc(ts * sizeof(int));
- // warn: untrusted data used as buffer size
- }
-
-There are built-in sources, propagations and sinks even if no external taint
-configuration is provided.
-
-Default sources:
- ``_IO_getc``, ``fdopen``, ``fopen``, ``freopen``, ``get_current_dir_name``,
- ``getch``, ``getchar``, ``getchar_unlocked``, ``getwd``, ``getcwd``,
- ``getgroups``, ``gethostname``, ``getlogin``, ``getlogin_r``, ``getnameinfo``,
- ``gets``, ``gets_s``, ``getseuserbyname``, ``readlink``, ``readlinkat``,
- ``scanf``, ``scanf_s``, ``socket``, ``wgetch``
-
-Default propagations rules:
- ``atoi``, ``atol``, ``atoll``, ``basename``, ``dirname``, ``fgetc``,
- ``fgetln``, ``fgets``, ``fnmatch``, ``fread``, ``fscanf``, ``fscanf_s``,
- ``index``, ``inflate``, ``isalnum``, ``isalpha``, ``isascii``, ``isblank``,
- ``iscntrl``, ``isdigit``, ``isgraph``, ``islower``, ``isprint``, ``ispunct``,
- ``isspace``, ``isupper``, ``isxdigit``, ``memchr``, ``memrchr``, ``sscanf``,
- ``getc``, ``getc_unlocked``, ``getdelim``, ``getline``, ``getw``, ``memcmp``,
- ``memcpy``, ``memmem``, ``memmove``, ``mbtowc``, ``pread``, ``qsort``,
- ``qsort_r``, ``rawmemchr``, ``read``, ``recv``, ``recvfrom``, ``rindex``,
- ``strcasestr``, ``strchr``, ``strchrnul``, ``strcasecmp``, ``strcmp``,
- ``strcspn``, ``strncasecmp``, ``strncmp``, ``strndup``,
- ``strndupa``, ``strpbrk``, ``strrchr``, ``strsep``, ``strspn``,
- ``strstr``, ``strtol``, ``strtoll``, ``strtoul``, ``strtoull``, ``tolower``,
- ``toupper``, ``ttyname``, ``ttyname_r``, ``wctomb``, ``wcwidth``
-
-Default sinks:
- ``printf``, ``setproctitle``, ``system``, ``popen``, ``execl``, ``execle``,
- ``execlp``, ``execv``, ``execvp``, ``execvP``, ``execve``, ``dlopen``,
- ``memcpy``, ``memmove``, ``strncpy``, ``strndup``, ``malloc``, ``calloc``,
- ``alloca``, ``memccpy``, ``realloc``, ``bcopy``
-
-Please note that there are no built-in filter functions.
-
-One can configure their own taint sources, sinks, and propagation rules by
-providing a configuration file via checker option
-``alpha.security.taint.TaintPropagation:Config``. The configuration file is in
-`YAML <http://llvm.org/docs/YamlIO.html#introduction-to-yaml>`_ format. The
-taint-related options defined in the config file extend but do not override the
-built-in sources, rules, sinks. The format of the external taint configuration
-file is not stable, and could change without any notice even in a non-backward
-compatible way.
-
-For a more detailed description of configuration options, please see the
-:doc:`user-docs/TaintAnalysisConfiguration`. For an example see
-:ref:`clangsa-taint-configuration-example`.
-
-**Configuration**
-
-* `Config` Specifies the name of the YAML configuration file. The user can
- define their own taint sources and sinks.
-
-**Related Guidelines**
-
-* `CWE Data Neutralization Issues
- <https://cwe.mitre.org/data/definitions/137.html>`_
-* `SEI Cert STR02-C. Sanitize data passed to complex subsystems
- <https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems>`_
-* `SEI Cert ENV33-C. Do not call system()
- <https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177>`_
-* `ENV03-C. Sanitize the environment when invoking external programs
- <https://wiki.sei.cmu.edu/confluence/display/c/ENV03-C.+Sanitize+the+environment+when+invoking+external+programs>`_
-
-**Limitations**
-
-* The taintedness property is not propagated through function calls which are
- unknown (or too complex) to the analyzer, unless there is a specific
- propagation rule built-in to the checker or given in the YAML configuration
- file. This causes potential true positive findings to be lost.
-
alpha.unix
^^^^^^^^^^^
diff --git a/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst b/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst
index 94db84494e00b22..04fc54bc8181b7d 100644
--- a/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst
+++ b/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst
@@ -3,7 +3,7 @@ Taint Analysis Configuration
============================
The Clang Static Analyzer uses taint analysis to detect security-related issues in code.
-The backbone of taint analysis in the Clang SA is the `GenericTaintChecker`, which the user can access via the :ref:`alpha-security-taint-TaintPropagation` checker alias and this checker has a default taint-related configuration.
+The backbone of taint analysis in the Clang SA is the `GenericTaintChecker`, which the user can access via the :ref:`optin-security-taint-TaintPropagation` checker alias and this checker has a default taint-related configuration.
The built-in default settings are defined in code, and they are always in effect once the checker is enabled, either directly or via the alias.
The checker also provides a configuration interface for extending the default settings by providing a configuration file in `YAML <http://llvm.org/docs/YamlIO.html#introduction-to-yaml>`_ format.
This documentation describes the syntax of the configuration file and gives the informal semantics of the configuration options.
@@ -18,7 +18,7 @@ ________
Taint analysis works by checking for the occurrence of special operations during the symbolic execution of the program.
Taint analysis defines sources, sinks, and propagation rules. It identifies errors by detecting a flow of information that originates from a taint source, reaches a taint sink, and propagates through the program paths via propagation rules.
-A source, sink, or an operation that propagates taint is mainly domain-specific knowledge, but there are some built-in defaults provided by :ref:`alpha-security-taint-TaintPropagation`.
+A source, sink, or an operation that propagates taint is mainly domain-specific knowledge, but there are some built-in defaults provided by :ref:`optin-security-taint-TaintPropagation`.
It is possible to express that a statement sanitizes tainted values by providing a ``Filters`` section in the external configuration (see :ref:`clangsa-taint-configuration-example` and :ref:`clangsa-taint-filter-details`).
There are no default filters defined in the built-in settings.
The checker's documentation also specifies how to provide a custom taint configuration with command-line options.
diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index 65c1595eb6245dd..a80e171ac61efb3 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -68,8 +68,9 @@ def Performance : Package<"performance">, ParentPackage<OptIn>;
def Security : Package <"security">;
def InsecureAPI : Package<"insecureAPI">, ParentPackage<Security>;
+def SecurityOptIn : Package<"security">, ParentPackage<OptIn>;
+def Taint : Package<"taint">, ParentPackage<SecurityOptIn>;
def SecurityAlpha : Package<"security">, ParentPackage<Alpha>;
-def Taint : Package<"taint">, ParentPackage<SecurityAlpha>;
def CERT : Package<"cert">, ParentPackage<SecurityAlpha>;
def POS : Package<"pos">, ParentPackage<CERT>;
@@ -1050,11 +1051,11 @@ def GenericTaintChecker : Checker<"TaintPropagation">,
"Config",
"Specifies the name of the configuration file.",
"",
- InAlpha>,
+ Released>,
]>,
Documentation<HasDocumentation>;
-} // end "alpha.security.taint"
+} // end "optin.security.taint"
//===----------------------------------------------------------------------===//
// Mac OS X, Cocoa, and Core Foundation checkers.
diff --git a/clang/test/Analysis/analyzer-config.c b/clang/test/Analysis/analyzer-config.c
index d86ca5d19219c64..d34bd1b96b5d98b 100644
--- a/clang/test/Analysis/analyzer-config.c
+++ b/clang/test/Analysis/analyzer-config.c
@@ -11,7 +11,6 @@
// CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false
// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04
// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01
-// CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = ""
// CHECK-NEXT: alpha.unix.Errno:AllowErrnoReadOutsideConditionExpressions = true
// CHECK-NEXT: alpha.unix.StdCLibraryFunctions:DisplayLoadedSummaries = false
// CHECK-NEXT: alpha.unix.StdCLibraryFunctions:ModelPOSIX = false
@@ -112,6 +111,7 @@
// CHECK-NEXT: optin.cplusplus.VirtualCall:ShowFixIts = false
// CHECK-NEXT: optin.osx.cocoa.localizability.NonLocalizedStringChecker:AggressiveReport = false
// CHECK-NEXT: optin.performance.Padding:AllowedPad = 24
+// CHECK-NEXT: optin.security.taint.TaintPropagation:Config = ""
// CHECK-NEXT: osx.NumberObjectConversion:Pedantic = false
// CHECK-NEXT: osx.cocoa.RetainCount:TrackNSCFStartParam = false
// CHECK-NEXT: prune-paths = true
diff --git a/clang/test/Analysis/assume-controlled-environment.c b/clang/test/Analysis/assume-controlled-environment.c
index fce1a1e7bae3304..0055025a7ef48ea 100644
--- a/clang/test/Analysis/assume-controlled-environment.c
+++ b/clang/test/Analysis/assume-controlled-environment.c
@@ -1,12 +1,12 @@
// RUN: %clang_analyze_cc1 -verify=untrusted-env %s \
// RUN: -analyzer-checker=core \
-// RUN: -analyzer-checker=alpha.security.taint \
+// RUN: -analyzer-checker=optin.security.taint \
// RUN: -analyzer-checker=debug.TaintTest
// RUN: %clang_analyze_cc1 -verify %s -DEXPECT_NO_WARNINGS \
// RUN: -analyzer-config assume-controlled-environment=true \
// RUN: -analyzer-checker=core \
-// RUN: -analyzer-checker=alpha.security.taint \
+// RUN: -analyzer-checker=optin.security.taint \
// RUN: -analyzer-checker=debug.TaintTest
diff --git a/clang/test/Analysis/bool-assignment.c b/clang/test/Analysis/bool-assignment.c
index c32bc8f9e8b14f0..372006de96bb6b5 100644
--- a/clang/test/Analysis/bool-assignment.c
+++ b/clang/test/Analysis/bool-assignment.c
@@ -1,5 +1,5 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,alpha.security.taint -verify -std=c99 -Dbool=_Bool %s
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,alpha.security.taint -verify -x c++ %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,optin.security.taint -verify -std=c99 -Dbool=_Bool %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment,optin.security.taint -verify -x c++ %s
// Test C++'s bool and C's _Bool.
// FIXME: We stopped warning on these when SValBuilder got smarter about
diff --git a/clang/test/Analysis/cxx-method-names.cpp b/clang/test/Analysis/cxx-method-names.cpp
index 22ec4db34796bc4..1e390d6560cdb1d 100644
--- a/clang/test/Analysis/cxx-method-names.cpp
+++ b/clang/test/Analysis/cxx-method-names.cpp
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,osx,alpha.unix,alpha.security.taint -verify %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix,osx,alpha.unix,optin.security.taint -verify %s
// expected-no-diagnostics
class Evil {
diff --git a/clang/test/Analysis/debug-exprinspection-istainted.c b/clang/test/Analysis/debug-exprinspection-istainted.c
index 8d1ebca930885de..7c272557a49ea27 100644
--- a/clang/test/Analysis/debug-exprinspection-istainted.c
+++ b/clang/test/Analysis/debug-exprinspection-istainted.c
@@ -1,7 +1,7 @@
// RUN: %clang_analyze_cc1 -verify %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \
-// RUN: -analyzer-checker=alpha.security.taint
+// RUN: -analyzer-checker=optin.security.taint
int scanf(const char *restrict format, ...);
void clang_analyzer_isTainted(char);
diff --git a/clang/test/Analysis/diagnostics/sarif-diagnostics-taint-test.c b/clang/test/Analysis/diagnostics/sarif-diagnostics-taint-test.c
index b1042f9034d7d70..b1f7714aa97aac9 100644
--- a/clang/test/Analysis/diagnostics/sarif-diagnostics-taint-test.c
+++ b/clang/test/Analysis/diagnostics/sarif-diagnostics-taint-test.c
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify -analyzer-output=sarif -o - | %normalize_sarif | diff -U1 -b %S/Inputs/expected-sarif/sarif-diagnostics-taint-test.c.sarif -
+// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint,debug.TaintTest %s -verify -analyzer-output=sarif -o - | %normalize_sarif | diff -U1 -b %S/Inputs/expected-sarif/sarif-diagnostics-taint-test.c.sarif -
#include "../Inputs/system-header-simulator.h"
int atoi(const char *nptr);
diff --git a/clang/test/Analysis/diagnostics/sarif-multi-diagnostic-test.c b/clang/test/Analysis/diagnostics/sarif-multi-diagnostic-test.c
index 61d19817407e273..39c6643469fa9f5 100644
--- a/clang/test/Analysis/diagnostics/sarif-multi-diagnostic-test.c
+++ b/clang/test/Analysis/diagnostics/sarif-multi-diagnostic-test.c
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.security.taint,debug.TaintTest,unix.Malloc %s -verify -analyzer-output=sarif -o - | %normalize_sarif | diff -U1 -b %S/Inputs/expected-sarif/sarif-multi-diagnostic-test.c.sarif -
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,optin.security.taint,debug.TaintTest,unix.Malloc %s -verify -analyzer-output=sarif -o - | %normalize_sarif | diff -U1 -b %S/Inputs/expected-sarif/sarif-multi-diagnostic-test.c.sarif -
#include "../Inputs/system-header-simulator.h"
#include "../Inputs/system-header-simulator-for-malloc.h"
#define ERR -1
diff --git a/clang/test/Analysis/global-region-invalidation-errno.c b/clang/test/Analysis/global-region-invalidation-errno.c
index 9de10ad59095a27..ca0db8cc8e5ec72 100644
--- a/clang/test/Analysis/global-region-invalidation-errno.c
+++ b/clang/test/Analysis/global-region-invalidation-errno.c
@@ -1,9 +1,9 @@
// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -verify %s \
-// RUN: -analyzer-checker=core,deadcode,alpha.security.taint \
+// RUN: -analyzer-checker=core,deadcode,optin.security.taint \
// RUN: -DERRNO_VAR
// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -verify %s \
-// RUN: -analyzer-checker=core,deadcode,alpha.security.taint \
+// RUN: -analyzer-checker=core,deadcode,optin.security.taint \
// RUN: -DERRNO_FUNC
// Note, we do need to include headers here, since the analyzer checks if the function declaration is located in a system header.
diff --git a/clang/test/Analysis/global-region-invalidation.c b/clang/test/Analysis/global-region-invalidation.c
index faca3baf11caf39..7bfb60dcc5e0687 100644
--- a/clang/test/Analysis/global-region-invalidation.c
+++ b/clang/test/Analysis/global-region-invalidation.c
@@ -1,5 +1,5 @@
// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -verify %s \
-// RUN: -analyzer-checker=core,deadcode,alpha.security.taint,debug.TaintTest,debug.ExprInspection
+// RUN: -analyzer-checker=core,deadcode,optin.security.taint,debug.TaintTest,debug.ExprInspection
void clang_analyzer_eval(int);
diff --git a/clang/test/Analysis/redefined_system.c b/clang/test/Analysis/redefined_system.c
index 0a55c36c6dd5b3d..66039d5fef22987 100644
--- a/clang/test/Analysis/redefined_system.c
+++ b/clang/test/Analysis/redefined_system.c
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=osx,unix,core,alpha.security.taint -w -verify %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=osx,unix,core,optin.security.taint -w -verify %s
// expected-no-diagnostics
// Make sure we don't crash when someone redefines a system function we reason about.
diff --git a/clang/test/Analysis/string.c b/clang/test/Analysis/string.c
index d369ee9f7d854a1..ae26c5c8d1bad7c 100644
--- a/clang/test/Analysis/string.c
+++ b/clang/test/Analysis/string.c
@@ -25,7 +25,7 @@
// RUN: %clang_analyze_cc1 -verify %s -Wno-null-dereference \
// RUN: -DUSE_BUILTINS -DVARIANT \
// RUN: -analyzer-checker=core \
-// RUN: -analyzer-checker=alpha.security.taint \
+// RUN: -analyzer-checker=optin.security.taint \
// RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=alpha.unix.cstring \
diff --git a/clang/test/Analysis/taint-checker-callback-order-has-definition.c b/clang/test/Analysis/taint-checker-callback-order-has-definition.c
index eaf96cc675f0620..9b7ad1f8ab50fbd 100644
--- a/clang/test/Analysis/taint-checker-callback-order-has-definition.c
+++ b/clang/test/Analysis/taint-checker-callback-order-has-definition.c
@@ -1,5 +1,5 @@
// RUN: %clang_analyze_cc1 %s \
-// RUN: -analyzer-checker=core,alpha.security.taint \
+// RUN: -analyzer-checker=core,optin.security.taint \
// RUN: -mllvm -debug-only=taint-checker \
// RUN: 2>&1 | FileCheck %s
diff --git a/clang/test/Analysis/taint-checker-callback-order-without-definition.c b/clang/test/Analysis/taint-checker-callback-order-without-definition.c
index 6de87f736926d36..cc1d3b2b4dce60e 100644
--- a/clang/test/Analysis/taint-checker-callback-order-without-definition.c
+++ b/clang/test/Analysis/taint-checker-callback-order-without-definition.c
@@ -1,5 +1,5 @@
// RUN: %clang_analyze_cc1 %s \
-// RUN: -analyzer-checker=core,alpha.security.taint \
+// RUN: -analyzer-checker=core,optin.security.taint \
// RUN: -mllvm -debug-only=taint-checker \
// RUN: 2>&1 | FileCheck %s
diff --git a/clang/test/Analysis/taint-diagnostic-visitor.c b/clang/test/Analysis/taint-diagnostic-visitor.c
index 8a7510177f3e444..94ab31de790186d 100644
--- a/clang/test/Analysis/taint-diagnostic-visitor.c
+++ b/clang/test/Analysis/taint-diagnostic-visitor.c
@@ -1,4 +1,4 @@
-// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=optin.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-output=text -verify %s
// This file is for testing enhanced diagnostics produced by the GenericTaintChecker
diff --git a/clang/test/Analysis/taint-dumps.c b/clang/test/Analysis/taint-dumps.c
index 37fb6c2f2adf7d2..47c9059cb29c7f5 100644
--- a/clang/test/Analysis/taint-dumps.c
+++ b/clang/test/Analysis/taint-dumps.c
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint\
+// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint\
// RUN: -analyzer-checker=debug.ExprInspection %s\
// RUN: 2>&1 | FileCheck %s
diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c
index c6a01594f15abb7..f4c0d617bcb3a8a 100644
--- a/clang/test/Analysis/taint-generic.c
+++ b/clang/test/Analysis/taint-generic.c
@@ -1,57 +1,57 @@
// RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
// RUN: -Wno-incompatible-library-redeclaration -verify %s \
-// RUN: -analyzer-checker=alpha.security.taint \
+// RUN: -analyzer-checker=optin.security.taint \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \
-// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
+// RUN: optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
// RUN: %clang_analyze_cc1 -Wno-format-security -Wno-pointer-to-int-cast \
// RUN: -Wno-incompatible-library-redeclaration -verify %s \
// RUN: -DFILE_IS_STRUCT \
-// RUN: -analyzer-checker=alpha.security.taint \
+// RUN: -analyzer-checker=optin.security.taint \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.security.ArrayBoundV2 \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \
-// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
+// RUN: optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml
// RUN: not %clang_analyze_cc1 -Wno-pointer-to-int-cast \
// RUN: -Wno-incompatible-library-redeclaration -verify %s \
-// RUN: -analyzer-checker=alpha.security.taint \
+// RUN: -analyzer-checker=optin.security.taint \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \
-// RUN: alpha.security.taint.TaintPropagation:Config=justguessit \
+// RUN: optin.security.taint.TaintPropagation:Config=justguessit \
// RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-FILE
// CHECK-INVALID-FILE: (frontend): invalid input for checker option
-// CHECK-INVALID-FILE-SAME: 'alpha.security.taint.TaintPropagation:Config',
+// CHECK-INVALID-FILE-SAME: 'optin.security.taint.TaintPropagation:Config',
// CHECK-INVALID-FILE-SAME: that expects a valid filename instead of
// CHECK-INVALID-FILE-SAME: 'justguessit'
// RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
// RUN: -verify %s \
-// RUN: -analyzer-checker=alpha.security.taint \
+// RUN: -analyzer-checker=optin.security.taint \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \
-// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \
+// RUN: optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-ill-formed.yaml \
// RUN: 2>&1 | FileCheck -DMSG=%errc_EINVAL %s -check-prefix=CHECK-ILL-FORMED
// CHECK-ILL-FORMED: (frontend): invalid input for checker option
-// CHECK-ILL-FORMED-SAME: 'alpha.security.taint.TaintPropagation:Config',
+// CHECK-ILL-FORMED-SAME: 'optin.security.taint.TaintPropagation:Config',
// CHECK-ILL-FORMED-SAME: that expects a valid yaml file: [[MSG]]
// RUN: not %clang_analyze_cc1 -Wno-incompatible-library-redeclaration \
// RUN: -verify %s \
-// RUN: -analyzer-checker=alpha.security.taint \
+// RUN: -analyzer-checker=optin.security.taint \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config \
-// RUN: alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \
+// RUN: optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config-invalid-arg.yaml \
// RUN: 2>&1 | FileCheck %s -check-prefix=CHECK-INVALID-ARG
// CHECK-INVALID-ARG: (frontend): invalid input for checker option
-// CHECK-INVALID-ARG-SAME: 'alpha.security.taint.TaintPropagation:Config',
+// CHECK-INVALID-ARG-SAME: 'optin.security.taint.TaintPropagation:Config',
// CHECK-INVALID-ARG-SAME: that expects an argument number for propagation
// CHECK-INVALID-ARG-SAME: rules greater or equal to -1
diff --git a/clang/test/Analysis/taint-generic.cpp b/clang/test/Analysis/taint-generic.cpp
index c907c8f5eeb958b..7c0b7e25551611b 100644
--- a/clang/test/Analysis/taint-generic.cpp
+++ b/clang/test/Analysis/taint-generic.cpp
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-config alpha.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml -Wno-format-security -verify -std=c++11 %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint,core,alpha.security.ArrayBoundV2 -analyzer-config optin.security.taint.TaintPropagation:Config=%S/Inputs/taint-generic-config.yaml -Wno-format-security -verify -std=c++11 %s
#define BUFSIZE 10
int Buffer[BUFSIZE];
diff --git a/clang/test/Analysis/taint-tester.c b/clang/test/Analysis/taint-tester.c
index ddfa91021825f31..b500a70511fe204 100644
--- a/clang/test/Analysis/taint-tester.c
+++ b/clang/test/Analysis/taint-tester.c
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -Wno-int-to-pointer-cast -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify
+// RUN: %clang_analyze_cc1 -Wno-int-to-pointer-cast -analyzer-checker=optin.security.taint,debug.TaintTest %s -verify
#include "Inputs/system-header-simulator.h"
diff --git a/clang/test/Analysis/taint-tester.cpp b/clang/test/Analysis/taint-tester.cpp
index 23a92cc56d248f4..f91d10c1928b974 100644
--- a/clang/test/Analysis/taint-tester.cpp
+++ b/clang/test/Analysis/taint-tester.cpp
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify
+// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint,debug.TaintTest %s -verify
// expected-no-diagnostics
typedef struct _FILE FILE;
diff --git a/clang/test/Analysis/taint-tester.m b/clang/test/Analysis/taint-tester.m
index 531c21b5faf88f7..1340569184e6a64 100644
--- a/clang/test/Analysis/taint-tester.m
+++ b/clang/test/Analysis/taint-tester.m
@@ -1,4 +1,4 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.security.taint,debug.TaintTest %s -verify
+// RUN: %clang_analyze_cc1 -analyzer-checker=optin.security.taint,debug.TaintTest %s -verify
// expected-no-diagnostics
#import <stdarg.h>
@@ -14,8 +14,8 @@ void TestLog (NSString *format, ...) {
va_list ap;
va_start(ap, format);
NSString *string = @"AAA: ";
-
+
NSLogv([string stringByAppendingString:format], ap);
-
+
va_end(ap);
}
\ No newline at end of file
diff --git a/clang/utils/analyzer/SATestBuild.py b/clang/utils/analyzer/SATestBuild.py
index bc86ed8b64e0e9b..17e0069f05accae 100644
--- a/clang/utils/analyzer/SATestBuild.py
+++ b/clang/utils/analyzer/SATestBuild.py
@@ -176,7 +176,7 @@ def stdout(message: str):
CHECKERS = ",".join(
[
"alpha.unix.SimpleStream",
- "alpha.security.taint",
+ "optin.security.taint",
"cplusplus.NewDeleteLeaks",
"core",
"cplusplus",
diff --git a/clang/www/analyzer/alpha_checks.html b/clang/www/analyzer/alpha_checks.html
index 181ce1b9de591b3..b7fb39128c98a9b 100644
--- a/clang/www/analyzer/alpha_checks.html
+++ b/clang/www/analyzer/alpha_checks.html
@@ -722,7 +722,7 @@ <h3 id="security_alpha_checkers">Security Alpha Checkers</h3>
}
</pre></div><div class="separator"></div>
<div class="example"><pre>
-// note: requires alpha.security.taint check turned on.
+// note: requires optin.security.taint check turned on.
void test() {
char s[] = "abc";
int x = getchar();
@@ -781,8 +781,8 @@ <h3 id="security_alpha_checkers">Security Alpha Checkers</h3>
</pre></div></div></td></tr>
-<tr><td><a id="alpha.security.taint.TaintPropagation"><div class="namedescr expandable"><span class="name">
-alpha.security.taint.TaintPropagation</span><span class="lang">
+<tr><td><a id="optin.security.taint.TaintPropagation"><div class="namedescr expandable"><span class="name">
+optin.security.taint.TaintPropagation</span><span class="lang">
(C)</span><div class="descr">
Generate taint information used by other checkers.</div></div></a></td>
<td><div class="exampleContainer expandable">
More information about the cfe-commits
mailing list