# A list of source/propagation function Propagations: # int x = mySource1(); // x is tainted - Name: mySource1 DstArgs: [-1] # Index for return value # int x; # mySource2(&x); // x is tainted - Name: mySource2 DstArgs: [0] # int x = myNamespace::mySource3(); // x is tainted - Name: mySource3 Scope: "myNamespace::" DstArgs: [-1] # int x = myAnotherNamespace::mySource3(); // x is tainted - Name: mySource3 Scope: "myAnotherNamespace::" DstArgs: [-1] # int x, y; # myScanf("%d %d", &x, &y); // x and y are tainted - Name: myScanf VariadicType: Dst VariadicIndex: 1 # int x, y; # Foo::myScanf("%d %d", &x, &y); // x and y are tainted - Name: myMemberScanf Scope: "Foo::" VariadicType: Dst VariadicIndex: 1 # int x; // x is tainted # int y; # myPropagator(x, &y); // y is tainted - Name: myPropagator SrcArgs: [0] DstArgs: [1] # constexpr unsigned size = 100; # char buf[size]; # int x, y; # int n = mySprintf(buf, size, "%d %d", x, y); // If size, x or y is tainted # // the return value and the buf will be tainted - Name: mySnprintf SrcArgs: [1] DstArgs: [0, -1] VariadicType: Src VariadicIndex: 3 # A list of filter functions Filters: # int x; // x is tainted # isOutOfRange(&x); // x is not tainted anymore - Name: isOutOfRange Args: [0] # int x; // x is tainted # myNamespace::isOutOfRange(&x); // x is not tainted anymore - Name: isOutOfRange2 Scope: "myNamespace::" Args: [0] # int x; // x is tainted # myAnotherNamespace::isOutOfRange(&x); // x is not tainted anymore - Name: isOutOfRange2 Scope: "myAnotherNamespace::" Args: [0] # A list of sink functions Sinks: # int x, y; // x and y are tainted # mySink(x, 0, 1); // It will warn # mySink(0, 1, y); // It will warn # mySink(0, x, 1); // It won't warn - Name: mySink Args: [0, 2] # int x; // x is tainted # myNamespace::mySink(x); // It will warn - Name: mySink2 Scope: "myNamespace::" Args: [0] # int x; // x is tainted # myAnotherNamespace::mySink(x); // It will warn - Name: mySink2 Scope: "myAnotherNamespace::" Args: [0]