Document data flow analysis #122

Open
timtebeek opened this issue Jan 29, 2023 · 13 comments
Labels
documentation Improvements or additions to documentation

Comments

@timtebeek
Contributor

We've had data flow analysis as an incubating feature for a while now; in particular in rewrite-java-security. Might be good to document or at least mention this feature in the documentation, to make it easier for people to discover and potentially use.

@timtebeek timtebeek added the documentation Improvements or additions to documentation label Jan 29, 2023
@timtebeek timtebeek moved this to Backlog in OpenRewrite Jan 29, 2023
@mike-solomon
Contributor

@timtebeek I'm not sure what exactly data flow analysis is or how people might use it. Do you know of any discussions about this I could read to get some context? Or, if you have some time at some point, could you add some context to this issue?

@mike-solomon mike-solomon added the blocked When an issue can't be worked on right now label Jul 11, 2023
@timtebeek
Contributor Author

This has since been spun off into a separate module (rewrite-analysis) that's being worked on mostly by @JLLeitschuh and his mentees; it might be in flux for a bit, although I don't have the details there.

Essentially what it would allow you to do (if I'm correct) is not just look at a line of code, but also what goes in and out in terms of data and subsequent calls, such that you can for instance find security issues when a String is later used in an SQL statement (hypothesizing).

I think at the very least the module deserves a mention in the docs, with perhaps a brief example of how to use it, even if that merely links to an existing recipe. Could you two perhaps briefly coordinate how to document that at this stage?

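As an added illustration of the source-to-sink idea in the comment above (this is example code written for this thread, not code from the rewrite-analysis module, whose API is not quoted here), a toy forward taint-tracking pass over a hand-built statement list: a String read from a request parameter flows through concatenation into a SQL sink and is reported, while an escaped copy is not.

```python
from typing import Dict, List, Sequence, Tuple

# Each statement is a tuple: (op, *args). The program below is constructed for
# this example and mirrors a Java method that builds a query from user input.
Stmt = Tuple[str, ...]

SAMPLE_PROGRAM: List[Stmt] = [
    ("source", "name"),                      # String name = request.getParameter("name")
    ("const", "prefix"),                     # String prefix = "SELECT * FROM users WHERE name = '"
    ("concat", "query", "prefix", "name"),   # String query = prefix + name + "'"
    ("sink", "query", "sql"),                # stmt.executeQuery(query)      <- tainted reaches SQL
    ("sanitize", "safe", "name"),            # String safe = escape(name)    (hypothetical sanitizer)
    ("concat", "query2", "prefix", "safe"),  # String query2 = prefix + safe + "'"
    ("sink", "query2", "sql"),               # stmt.executeQuery(query2)     <- clean, no finding
    ("assign", "copy", "name"),              # String copy = name
    ("sink", "copy", "log"),                 # log.info(copy)                <- only reported if "log" is tracked
]


def find_taint_flows(program: Sequence[Stmt], sink_kinds=("sql",)) -> List[Tuple[int, str, List[str]]]:
    """Forward data-flow pass: propagate taint through assignments and string
    building, clear it at sanitizers, and report each tracked sink reached by
    tainted data as (statement index, variable at the sink, path of variables)."""
    tainted: Dict[str, List[str]] = {}  # variable -> path the taint travelled through
    findings: List[Tuple[int, str, List[str]]] = []
    for i, stmt in enumerate(program):
        op, args = stmt[0], stmt[1:]
        if op == "source":                   # untrusted input enters the program
            tainted[args[0]] = [args[0]]
        elif op == "const":                  # a literal overwrites any earlier taint
            tainted.pop(args[0], None)
        elif op == "assign":                 # dst inherits src's taint, or loses its own
            dst, src = args
            if src in tainted:
                tainted[dst] = tainted[src] + [dst]
            else:
                tainted.pop(dst, None)
        elif op == "concat":                 # any tainted operand taints the result
            dst, operands = args[0], args[1:]
            origin = next((o for o in operands if o in tainted), None)
            if origin is not None:
                tainted[dst] = tainted[origin] + [dst]
            else:
                tainted.pop(dst, None)
        elif op == "sanitize":               # sanitizer output is treated as clean
            tainted.pop(args[0], None)
        elif op == "sink":                   # report if tainted data reaches a tracked sink
            var, kind = args
            if kind in sink_kinds and var in tainted:
                findings.append((i, var, list(tainted[var])))
        else:
            raise ValueError(f"unknown op {op!r} at statement {i}")
    return findings


if __name__ == "__main__":
    for idx, var, path in find_taint_flows(SAMPLE_PROGRAM):
        print(f"statement {idx}: tainted {var!r} reaches SQL sink via {' -> '.join(path)}")
```

Passing `sink_kinds=("sql", "log")` also reports the copy of `name` that reaches the log sink, which is how the same pass covers different sink categories.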
@mike-solomon
Contributor

Thanks @timtebeek !

@JLLeitschuh - Would you mind providing some context on the data flow analysis package here? Would appreciate links to any examples or things you think would be useful for the docs. Also happy to set up a call at some point to discuss if that's easier.

@JLLeitschuh

Likely easier to set up a call. I'm going on vacation next Tuesday for 10 days though.

https://calendly.com/jonathan-leitschuh-at-open-source-security-foundation

Please also take a look at the talk I gave on this topic too:

"Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All" you can find the links to the talk on my README: https://github.com/JLLeitschuh

@JLLeitschuh

Also, this document explains the concepts behind what Data Flow is:

https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/

@JLLeitschuh

Rewrite-analysis also has support for Control Flow Analysis, which might be worth documenting as well.

Here's an examination of that from CodeQL too (but specific to Python in their case):
https://codeql.github.com/docs/codeql-language-guides/analyzing-control-flow-in-python/

Control Flow can also be found here:

https://en.m.wikipedia.org/wiki/Control_flow

@mike-solomon
Contributor

Thanks for the information @JLLeitschuh ! When I have time, I’ll give those a read and see if I need any other information from you (can then set up a call if I do). If I don’t need anything, I’ll tag you in the PR to review (with the understanding that there’s no rush if you’re gone).

@mike-solomon mike-solomon removed the blocked When an issue can't be worked on right now label Jul 12, 2023
@JLLeitschuh

I kinda want to do a Data Flow and Control Flow API user crash course demo for the OpenRewrite team at some point. Maybe something we can record and post somewhere.

@jkschneider @sambsnyd thoughts/interested in this idea?

@sambsnyd
Member

sambsnyd commented Jul 19, 2023

@JLLeitschuh Yes, I am interested. Please invite me and Tracey and Kun

@kunli2
Contributor

kunli2 commented Jul 19, 2023

I am interested too. Thanks

@mike-solomon
Contributor

I’d also appreciate an invite for whenever this happens :)

@timtebeek
Contributor Author

@JLLeitschuh Please invite me as well, +1.

@escardin

escardin commented Aug 3, 2023

Add me please!
