
Analyzing a self-written vulnerable demo: no vulnerability results are reported #98

@7uup

Description

When testing with a self-written vulnerable demo, no results were detected. According to what is shown in the console, the Source and Sink configuration rules were loaded correctly. Looking at the call relationships, it seems that once the call jumped two levels it no longer discovered the call chain testcontroller->WatermarkService.runCmd->WatermarkServiceImpl.runCmd->cmd.

main file:/snapshot/YASA-Engine/dist/main.js
Specific checkerIds: [ 'taint_flow_java_input' ]
Rule config file:  /root/yasa-engine/example-rule-config/rule_config_java.json
source path: /root/demo/
Report directory: /root/yasa-engine/report/demo2
Analyze Language: java
Analyze Analyer: SpringAnalyzer

=======================  Register rules  =======================
resolveCheckerPath projectRoot : /snapshot/YASA-Engine
Resolved checker path :/snapshot/YASA-Engine/dist/checker/taint/java/java-default-taint-checker.js
rules-basic-handler [CONFIG] Loaded from: /snapshot/YASA-Engine/dist/config.js
load checkers: [ 'taint_flow_java_input' ]
================================================================

[YASA] Begin execution
[YASA] Executing preProcess
[YASA][preProcess] Executing parseCode
[YASA][preProcess] Executing preload
[YASA][preProcess] Completed preload, cost: 0ms
[YASA][preProcess] Completed parseCode, cost: 621ms
[YASA][preProcess] Executing processModule
[YASA][preProcess] Completed processModule, cost: 21ms
[YASA] Completed preProcess, cost: 680ms
[YASA] Executing startAnalyze
YASA will collect Entrypoint and Source
[YASA] Executing makeFullCallGraph(BySymbolInterpret)
rules-basic-handler [CONFIG] Loaded from: /snapshot/YASA-Engine/dist/config.js
makeAllCG-start
        makeAllCG-10%
        makeAllCG-30%
        makeAllCG-70%
        makeAllCG-100%
[YASA] Completed makeFullCallGraph(BySymbolInterpret), cost: 103ms
[YASA] Completed startAnalyze, cost: 163ms
[YASA] Executing symbolInterpret
EntryPoint [/src/main/java/com/example/demo/DemoApplication.main] is executing
EntryPoint [/src/main/java/com/example/demo/Api/testController.testContent] is executing
EntryPoint [/src/main/java/com/example/demo/Api/testController.testExec] is executing
EntryPoint [/src/main/java/com/example/demo/DemoApplication.main] is executing
EntryPoint [/src/main/java/com/example/demo/Api/testController.testExec] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.setName] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.setPolicyObj] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.equals] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.canEqual] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.hashCode] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.toString] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setId] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setName] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setClassifyType] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setContent] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setStyleType] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setFontName] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setFontSize] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setAngular] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setHorizontalDensity] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setLongitudinalDensity] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setTransparency] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setDisplayRange] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setColor] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setGroupIds] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setPriority] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setStatus] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.equals] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.canEqual] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.hashCode] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.toString] is executing
EntryPoint [/src/main/java/com/example/demo/Service/IQleService.executeJavaCode] is executing
EntryPoint [/src/main/java/com/example/demo/Service/IWatermarkService.testContent] is executing
EntryPoint [/src/main/java/com/example/demo/Service/IWatermarkService.runCmd] is executing
EntryPoint [/src/main/java/com/example/demo/Service/impl/QleServiceImpl.executeJavaCode] is executing
EntryPoint [/src/main/java/com/example/demo/Service/impl/WatermarkServiceImpl.testContent] is executing
EntryPoint [/src/main/java/com/example/demo/Service/impl/WatermarkServiceImpl.runCmd] is executing
[YASA] Completed symbolInterpret, cost: 111ms
[YASA] Execution completed, cost: 954ms

======================  Analysis Overview  =====================
Language                           : java
Files analyzed                     : 9
Lines of code                      : 585
Total time                         : 954ms
Total instruction                  : 1537
Executed instruction               : 1537
Execution count                    : 3109
Sources configured                 : 3
Sinks configured                   : 10
Valid entrypoints                  : 37
Avg execution time per instruction : 0.00ms
Avg instruction execution count    : 2.02
Execution time 70%/99%/100%        : 0.00ms/0.00ms/0.00ms
Execution times 70%/99%/100%       : 2.00/4.00/6.00
================================================================


===================  Performance Statistics  ===================
total cost: 954ms
preProcess cost: 680ms
  parseCode cost: 621ms
    parse cost: 619ms
    other cost: 2ms
  preload cost: 453ms
  processModule cost: 21ms
startAnalyze cost: 163ms
makeFullCallGraph(BySymbolInterpret) cost: 103ms
symbolInterpret cost: 111ms
================================================================

Found 3 potential output strategy files
Registered strategy: callgraph from callgraph-output-strategy.js
Registered strategy: interactive from interactive-output-strategy.js
Registered strategy: taintflow from taint-output-strategy.js
Successfully registered 3 output strategies

=======================  outputFindings  =======================
================================================================

analyze done
[Image: screenshot of the analysis output]

The code is as follows:

[Image: screenshots of the demo source code]

callgraph.json is as follows:
[Attachment: callgraph.json]
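Since the demo code survives only as screenshots, here is an assumed minimal Java reconstruction of the call chain the reporter describes, added as an example and not the reporter's own code: class and method names are taken from the EntryPoint lines in the log, while the package layout, annotations, parameter names and the exact sink call are assumptions.

```java
// Assumed reconstruction of the reporter's demo (added example, not the original code).
// The original splits these types across Api/, Service/ and Service/impl/; they are
// collapsed into one file here so the chain can be read top to bottom.
package com.example.demo;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
class testController {
    // Field is typed as the interface, not the implementation: the analyzer has to
    // resolve IWatermarkService.runCmd to WatermarkServiceImpl.runCmd to follow it.
    @Autowired
    private IWatermarkService watermarkService;

    @GetMapping("/testExec")
    public String testExec(@RequestParam("cmd") String cmd) {
        // Source: HTTP request parameter (taint_flow_java_input rule).
        // Level 1 of the chain: call through the interface.
        return watermarkService.runCmd(cmd);
    }
}

interface IWatermarkService {
    // Level 2: abstract declaration, no body; taint must be propagated to the
    // implementing bean rather than stopping here.
    String runCmd(String cmd);
}

@Service
class WatermarkServiceImpl implements IWatermarkService {
    @Override
    public String runCmd(String cmd) {
        // Level 3: the sink the checker is expected to report.
        // Expected finding: testController.testExec (source) ->
        //   IWatermarkService.runCmd -> WatermarkServiceImpl.runCmd -> Runtime.exec (sink)
        try {
            Process p = Runtime.getRuntime().exec(cmd);
            return "exit=" + p.waitFor();
        } catch (Exception e) {
            return "error: " + e.getMessage();
        }
    }
}
```

If the generated callgraph.json contains an edge from testController.testExec to IWatermarkService.runCmd but none from there to WatermarkServiceImpl.runCmd, the interface-to-implementation resolution is where the flow is lost.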
