Skip to content

[FEATURE] Taint analysis depth — unified cross-file engine + persistence + library approximation + debug trace #49

Description

@Wolfvin

Summary

Overhaul the taint analysis stack: consolidate 4 overlapping engines into 1 unified cross-file inter-procedural engine, add persistence (stored injection) modeling, add library method approximation system, and add debug-trace tooling. Target: 5+ hops cross-file (currently 1 hop), 50%+ false-positive reduction with LLM validator.

Worker consensus (6 reports)

Worker Source Contribution
OpenTaint update!/CodeLens_vs_OpenTaint_Upgrade_Analysis.md A1 Unify ast_taint_engine.py (3,756 LOC) + crossfile_taint_engine.py (946 LOC) into 1 pipeline. Taint path 5 hops cross-file. --max-depth N flag. Benchmark: detect +3 previously-missed findings in vulnerable_app/.
OpenTaint same file A2 Persistence / stored injection modeling — taint reaching DB/file/cache sink is tagged persisted_taint, resumed when read from persistence source.
OpenTaint same file A3 Library method approximation system — passThrough YAML + dataflow Python plugin for Promise.then, Optional.map, Map.computeIfAbsent, _.get. ~30 built-in approximations.
OpenTaint same file A4 Debug-trace taint engine — codelens debug-rule <rule-id> emits SARIF codeFlows with kinds: ["taint_fact"]. Auto-classify kill cause: missing_approximation, rule_defect, engine_issue.
OpenTaint same file F1 Consolidate taint engine (remove duplication) — audit 4 engines (ast_taint_engine, crossfile_taint_engine, dataflow_engine, semantic_engine), deprecate semantic_engine, consolidate crossfile_taint_engine into ast_taint_engine.
Opengrep update!/CodeLens_Opengrep_Upgrade_Analysis.md #44 Intrafile cross-function taint (signature extraction) — extract per-function taint signature, topological sort, replay signature at call site (no re-analysis). 2x faster than inline approach.
Opengrep same file #56 Guarded taint signatures (branch-condition guards) — attach branch condition to taint effect, evaluate at call site.
Opengrep same file #61 Shape inference for taint propagation — infer variable shape (list, dict, set, object) for accurate propagation through dict[key], list.append(item).
RepoAudit update!/CodeLens_Upgrade_Issues_from_RepoAudit.md CL-038 LLM dataflow explorer (intra-procedural path analysis) — LLM traces dataflow per-path within single function (path-sensitive).
RepoAudit same file CL-039 LLM path validator (inter-procedural feasibility check) — validates candidate buggy paths, returns is_reachable: bool + explanation. Target 50%+ FP reduction.
RepoAudit same file CL-040 Bug type-specific detectors (NPD, MLK, UAF, SQLi, XSS, CMD, PATH) — refactor YAML rules into per-bug-type Python classes.

Proposed phased scope

Phase 1 — Consolidation (P1, 2 weeks, depends on F1)

  • Audit 4 engines, document behavior + coverage
  • Deprecate semantic_engine.py with warning
  • Consolidate crossfile_taint_engine.py into ast_taint_engine.py

Phase 2 — Unified cross-file engine (P1, 3-4 weeks)

  • Single pipeline reaching 5+ hops cross-file
  • --max-depth N flag (default 5)
  • Taint path rendering: file_a.py:handler → request.args → file_b.py:sanitize → file_c.py:db.execute
  • Benchmark: detect +3 findings in vulnerable_app/ that current engine misses

Phase 3 — Signature extraction for performance (P2, 2 weeks)

  • Per-function taint signature: {params_tainted, returns_tainted, fields_tainted, sinks_reached}
  • Topological sort call graph, replay signature at call site
  • Target: 2x faster than inline on 50+ function files

Phase 4 — Persistence modeling (P2, 2 weeks)

  • persistence_sinks / persistence_sources config in YAML rules
  • Taint tag persisted_taint, resumed on read from persistence source
  • Test fixture: benchmarks/fixtures/vulnerable_app/src/stored_injection.py

Phase 5 — Library method approximation (P2, 4-5 weeks)

  • New scripts/approximations/{passthrough,dataflow}/ directories
  • PassThrough YAML: simple from→to copy (e.g. Promise.then from $0 to return)
  • Dataflow Python plugin: complex (lambda/callback/async, returns TaintResult(propagate_to, confidence))
  • ~30 built-in approximations for common library methods
  • --track-external-methods emits dropped-methods.yaml + approximated-methods.yaml

Phase 6 — Debug-trace tool (P2, 3 weeks, depends on Phase 5)

  • codelens debug-rule <rule-id> command
  • SARIF codeFlows with kinds: ["taint_fact"]
  • Auto-classify kill cause

Phase 7 — LLM validator (optional, P2, 4-6 weeks, depends on separate LLM integration issue)

  • LLM dataflow explorer (RepoAudit CL-038) + path validator (CL-039)
  • Target 50%+ FP reduction
  • Behind --llm-validate opt-in flag (cost concern)

Acceptance criteria

  • Phase 1: semantic_engine.py deprecated, no behavior regression
  • Phase 2: taint path 5 hops detected in vulnerable_app/ benchmark
  • Phase 3: 2x speedup on 50-function file
  • Phase 4: stored injection detected in new fixture
  • Phase 5: Promise.then taint propagation works in JS/TS
  • Phase 6: codelens debug-rule output usable for rule authoring
  • Phase 7 (if shipped): 50%+ FP reduction on vulnerable_app/ benchmark

License note

OpenTaint is GPL-3.0 — design influenced but no code copy. RepoAudit is Purdue Non-Commercial — design influenced, reimplement from scratch.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions