diff --git a/sast-go/cases/accuracy/field_sensitive/one_dimensional_collection/numeric_index_state_no_solver/array_index_no_solver_005_T/array_index_no_solver_005_T.go b/sast-go/cases/accuracy/field_sensitive/one_dimensional_collection/numeric_index_state_no_solver/array_index_no_solver_005_T/array_index_no_solver_005_T.go index d2acfe5e..48ee4532 100644 --- a/sast-go/cases/accuracy/field_sensitive/one_dimensional_collection/numeric_index_state_no_solver/array_index_no_solver_005_T/array_index_no_solver_005_T.go +++ b/sast-go/cases/accuracy/field_sensitive/one_dimensional_collection/numeric_index_state_no_solver/array_index_no_solver_005_T/array_index_no_solver_005_T.go @@ -1,4 +1,3 @@ - // evaluation information start // real case = true // evaluation item = 准确度->对象敏感与域敏感分析->区分一维字典/列表/数组的不同元素->索引值为数字的场景,能够区分不同索引上特定元素的状态(无需求解) @@ -7,8 +6,8 @@ // bind_url = accuracy/field_sensitive/one_dimensional_collection/numeric_index_state_no_solver/array_index_no_solver_005_T/array_index_no_solver_005_T // evaluation information end -// YASA中现在处理memberAccess时,以property的符号字面量作为key进行存取。导致精度损失。 package main + import "os/exec" func array_index_no_solver_005_T(__taint_src string) { @@ -23,8 +22,8 @@ func array_index_no_solver_005_T(__taint_src string) { func __taint_sink(o interface{}) { _ = exec.Command("sh", "-c", o.(string)).Run() - } +} func main() { - __taint_src := "taint_src_value" - array_index_no_solver_005_T(__taint_src) -} \ No newline at end of file + __taint_src := "taint_src_value" + array_index_no_solver_005_T(__taint_src) +} diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/config.json b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/config.json index 99274d08..e74b9ab4 100644 --- a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/config.json 
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/config.json 
@@ -25,6 +25,34 @@ { "compose": "(cross_directory_009_T/cross/cross_directory_009_T.go || cross_directory_009_T/cross/cross_init/cross_directory_init_009_T.go) && !(cross_directory_010_F/cross/cross_directory_010_F.go || cross_directory_010_F/cross/cross_init/cross_directory_init_010_F.go)", "scene": "跨package5" + }, + { + "compose": "(cross_directory_011_T/cross/cross_01/cross_directory_011_T_b.go || cross_directory_011_T/cross_directory_011_T_a/cross_directory_011_T_a.go) && !(cross_directory_012_F/cross/cross_01/cross_directory_012_F_b.go || cross_directory_012_F/cross_directory_012_F_a/cross_directory_012_F_a.go)", + "scene": "replace包层级调用链1" + }, + { + "compose": "(cross_directory_013_T/cross/other/cross_01/cross_directory_013_T_b.go || cross_directory_013_T/cross_directory_013_T_a/cross_directory_013_T_a.go) && !(cross_directory_014_F/cross/other/cross_01/cross_directory_014_F_b.go || cross_directory_014_F/cross_directory_014_F_a/cross_directory_014_F_a.go)", + "scene": "replace包层级调用链2" + }, + { + "compose": "(cross_directory_021_T/cross/cross_same_name_021_T.go || cross_directory_021_T/main_dir/cross_directory_021_T_a.go || cross_directory_021_T/main_dir/cross_directory_021_T_b.go || cross_directory_021_T/other/cross/cross_same_name_021_T.go) && !(cross_directory_022_F/cross/cross_same_name_022_F.go || cross_directory_022_F/main_dir/cross_directory_022_F_a.go || cross_directory_022_F/main_dir/cross_directory_022_F_b.go || cross_directory_022_F/other/cross/cross_same_name_022_F.go)", + "scene": "同名包导入区分" + }, + { + "compose": "(cross_directory_023_T/cross/cross_directory_023_T.go || cross_directory_023_T/cross/cross_01/cross_directory_023_T_a.go) && !(cross_directory_024_F/cross/cross_directory_024_F.go || cross_directory_024_F/cross/cross_01/cross_directory_024_F_a.go)", + "scene": "可见性校验" + }, + { + "compose": "(cross_directory_025_T/cross/cross_01/cross_directory_025_T_a.go || cross_directory_025_T/cross/cross_directory_025_T.go) && 
!(cross_directory_026_F/cross/cross_01/cross_directory_026_F_a.go || cross_directory_026_F/cross/cross_directory_026_F.go)", + "scene": "导入路径与包名解耦" + }, + { + "compose": "(cross_directory_027_T/cross_01/cross_same_name_027_T.go || cross_directory_027_T/cross_02/cross_same_name_027_T.go || cross_directory_027_T/cross_directory_027_T.go) && !(cross_directory_028_F/cross_01/cross_same_name_028_F.go || cross_directory_028_F/cross_02/cross_same_name_028_F.go || cross_directory_028_F/cross_directory_028_F.go)", + "scene": "同名包路径区分" + }, + { + "compose": "(cross_directory_029_T/cross/cross_01/cross_directory_029_T_a.go || cross_directory_029_T/cross/cross_directory_029_T.go) && !(cross_directory_030_F/cross/cross_01/cross_directory_030_F_a.go || cross_directory_030_F/cross/cross_directory_030_F.go)", + "scene": "识别导入根目录" } ] } diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross/cross_01/cross_directory_011_T_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross/cross_01/cross_directory_011_T_b.go new file mode 100644 index 00000000..cf7daea6 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross/cross_01/cross_directory_011_T_b.go @@ -0,0 +1,18 @@ +// evaluation information start +// real case = true +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = replace包层级调用链 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross/cross_01/cross_directory_011_T_b +// evaluation information end + +package cross_directory_011_T_b +import "os/exec" + +func SayHello(taint_src string) { + __taint_sink(taint_src) +} + +func __taint_sink(o interface{}) { + _ = exec.Command("sh", "-c", o.(string)).Run() + } \ No newline at end of file 
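Review bot: The added `compose` entries jump from the 013_T/014_F pair straight to 021_T/022_F, so the init-function cases introduced by this same commit (`cross_directory_015_T`/`016_F` and `017_T`/`018_F`) are not registered here. The existing `跨package5` entry already lists `cross_init` files, which suggests such cases are normally composed in this file. If the omission is not deliberate, add one entry per pair, with `"scene": "init函数自动执行"` and `"scene": "多init函数顺序执行"`, so that a scanner's result on their `sh -c` sink is actually scored. Whether 019/020 exist cannot be checked from this view.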
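Review bot: The new file cross_directory_011_T_b.go is not gofmt-clean: there is no blank line between `package cross_directory_011_T_b` and `import "os/exec"`, the closing brace of `__taint_sink` is indented, and the file has no trailing newline. The first hunk of this commit fixes the brace and trailing-newline problems in array_index_no_solver_005_T.go and adds a blank line before its import, so the new cases should be committed already formatted, for example by running `gofmt -w` over the added directories. The same applies to the 012_F_b, 013_T_b, 014_F_b, 015_T and 016_F files further down.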
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross/cross_01/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross/cross_01/go.mod
new file mode 100644
index 00000000..2c7edc9e
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross/cross_01/go.mod
@@ -0,0 +1,3 @@
+module cross/cross_01
+
+go 1.20
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross_directory_011_T_a/cross_directory_011_T_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross_directory_011_T_a/cross_directory_011_T_a.go
new file mode 100644
index 00000000..b39f0ded
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross_directory_011_T_a/cross_directory_011_T_a.go
@@ -0,0 +1,23 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = replace包层级调用链
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/cross_directory_011_T_a/cross_directory_011_T_a
+// evaluation information end
+
+// 这里有两个go.mod文件 cross_directory_011_T文件夹下的go.mod文件是负责"指路"(replace指令),当看到 import "cross/cross_01" 时
+// 不要去其他地方寻找 应该去本地的 ./cross/cross_01 目录找,cross_01文件夹下的go.mod文件是"亮明身份",告诉go模块 我确实是你要找的文件。
+// 执行跨模块文件时需先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T
+// 再执行go run cross_directory_011_T_a/cross_directory_011_T_a.go
+package main
+import "cross/cross_01"
+
+func cross_directory_011_T_a(__taint_src string) {
+ cross_directory_011_T_b.SayHello(__taint_src)
+}
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_011_T_a(__taint_src)
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/go.mod
new file mode 100644
index 00000000..bb2fdd71
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_011_T/go.mod
@@ -0,0 +1,7 @@
+module cross_directory_011_T
+
+go 1.20
+
+replace cross/cross_01 => ./cross/cross_01
+
+require cross/cross_01 v0.0.0-00010101000000-000000000000 // indirect
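Review bot: `import "cross/cross_01"` is used through the identifier `cross_directory_011_T_b`, so the package clause in cross_01 does not match the last element of its import path. This makes the case depend on two resolver features at once: following the `replace` directive, and decoupling the import path from the package name. The config adds a separate scene (`导入路径与包名解耦`) for the second one, so a missed finding here cannot be attributed to `replace` handling alone. Consider declaring `package cross_01` in the `_b` file and calling `cross_01.SayHello(__taint_src)`, or at least add a comment on the import line naming the package it binds. The 012_F, 013_T and 014_F pairs follow the same pattern.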
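Review bot: The `// indirect` marker on `require cross/cross_01 v0.0.0-00010101000000-000000000000` is inaccurate, because the main package of this module imports `cross/cross_01` directly. The go.mod of the 012_F twin has the same line without the marker. Drop `// indirect` (`go mod tidy` would do the same) so the T and F modules differ only in the taint flow. The go.mod files of 013_T and 014_F carry the same marker.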
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross/cross_01/cross_directory_012_F_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross/cross_01/cross_directory_012_F_b.go
new file mode 100644
index 00000000..4dfdba1c
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross/cross_01/cross_directory_012_F_b.go
@@ -0,0 +1,18 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = replace包层级调用链
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross/cross_01/cross_directory_012_F_b
+// evaluation information end
+
+package cross_directory_012_F_b
+import "os/exec"
+
+func SayHello(taint_src string) {
+ __taint_sink("_")
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross/cross_01/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross/cross_01/go.mod
new file mode 100644
index 00000000..2c7edc9e
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross/cross_01/go.mod
@@ -0,0 +1,3 @@
+module cross/cross_01
+
+go 1.20
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross_directory_012_F_a/cross_directory_012_F_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross_directory_012_F_a/cross_directory_012_F_a.go
new file mode 100644
index 00000000..c3e493ea
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross_directory_012_F_a/cross_directory_012_F_a.go
@@ -0,0 +1,23 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = replace包层级调用链
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/cross_directory_012_F_a/cross_directory_012_F_a
+// evaluation information end
+
+// 这里有两个go.mod文件 cross_directory_012_F文件夹下的go.mod文件是负责"指路"(replace指令),当看到 import "cross/cross_01" 时
+// 不要去其他地方寻找 应该去本地的 ./cross/cross_01 目录找,cross_01文件夹下的go.mod文件是"亮明身份",告诉go模块 我确实是你要找的文件。
+// 执行跨模块文件时需先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F
+// 再执行go run cross_directory_012_F_a/cross_directory_012_F_a.go
+package main
+import "cross/cross_01"
+
+func cross_directory_012_F_a(__taint_src string) {
+ cross_directory_012_F_b.SayHello(__taint_src)
+}
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_012_F_a(__taint_src)
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/go.mod
new file mode 100644
index 00000000..1158d2fa
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_012_F/go.mod
@@ -0,0 +1,7 @@
+module cross_directory_012_F
+
+go 1.20
+
+replace cross/cross_01 => ./cross/cross_01
+
+require cross/cross_01 v0.0.0-00010101000000-000000000000
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross/other/cross_01/cross_directory_013_T_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross/other/cross_01/cross_directory_013_T_b.go
new file mode 100644
index 00000000..8e708924
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross/other/cross_01/cross_directory_013_T_b.go
@@ -0,0 +1,18 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = replace包层级调用链
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross/other/cross_01/cross_directory_013_T_b
+// evaluation information end
+
+package cross_directory_013_T_b
+import "os/exec"
+
+func SayHello(taint_src string) {
+ __taint_sink(taint_src)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross/other/cross_01/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross/other/cross_01/go.mod
new file mode 100644
index 00000000..35cbddd5
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross/other/cross_01/go.mod
@@ -0,0 +1,3 @@
+module cross/other/cross_01
+
+go 1.20
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross_directory_013_T_a/cross_directory_013_T_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross_directory_013_T_a/cross_directory_013_T_a.go
new file mode 100644
index 00000000..56b2b1d8
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross_directory_013_T_a/cross_directory_013_T_a.go
@@ -0,0 +1,23 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = replace包层级调用链
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/cross_directory_013_T_a/cross_directory_013_T_a
+// evaluation information end
+
+// 这里有两个go.mod文件 cross_directory_013_T文件夹下的go.mod文件是负责"指路"(replace指令),当看到 import "cross/other/cross_01" 时
+// 不要去其他地方寻找 应该去本地的 .cross/other/cross_01 目录找,cross_01文件夹下的go.mod文件是"亮明身份",告诉go模块 我确实是你要找的文件。
+// 执行跨模块文件时需先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T
+// 再执行go run cross_directory_013_T_a/cross_directory_013_T_a.go
+package main
+import "cross/other/cross_01"
+
+func cross_directory_013_T_a(__taint_src string) {
+ cross_directory_013_T_b.SayHello(__taint_src)
+}
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_013_T_a(__taint_src)
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/go.mod
new file mode 100644
index 00000000..80d03798
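Review bot: The explanatory comment in cross_directory_013_T_a.go gives the local directory as `.cross/other/cross_01`, which is missing the slash after the dot. The `replace` target in this case's go.mod is `./cross/other/cross_01`, so the comment should use that path to match the directive it points the reader to. The 014_F_a file repeats the same typo.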
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_013_T/go.mod
@@ -0,0 +1,7 @@
+module cross_directory_013_T
+
+go 1.20
+
+replace cross/other/cross_01 => ./cross/other/cross_01
+
+require cross/other/cross_01 v0.0.0-00010101000000-000000000000 // indirect
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross/other/cross_01/cross_directory_014_F_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross/other/cross_01/cross_directory_014_F_b.go
new file mode 100644
index 00000000..f6820707
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross/other/cross_01/cross_directory_014_F_b.go
@@ -0,0 +1,18 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = replace包层级调用链
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross/other/cross_01/cross_directory_014_F_b
+// evaluation information end
+
+package cross_directory_014_F_b
+import "os/exec"
+
+func SayHello(taint_src string) {
+ __taint_sink("_")
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross/other/cross_01/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross/other/cross_01/go.mod
new file mode 100644
index 00000000..35cbddd5
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross/other/cross_01/go.mod
@@ -0,0 +1,3 @@
+module cross/other/cross_01
+
+go 1.20
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross_directory_014_F_a/cross_directory_014_F_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross_directory_014_F_a/cross_directory_014_F_a.go
new file mode 100644
index 00000000..bc2831d0
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross_directory_014_F_a/cross_directory_014_F_a.go
@@ -0,0 +1,23 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = replace包层级调用链
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/cross_directory_014_F_a/cross_directory_014_F_a
+// evaluation information end
+
+// 这里有两个go.mod文件 cross_directory_014_F文件夹下的go.mod文件是负责"指路"(replace指令),当看到 import "cross/other/cross_01" 时
+// 不要去其他地方寻找 应该去本地的 .cross/other/cross_01 目录找,cross_01文件夹下的go.mod文件是"亮明身份",告诉go模块 我确实是你要找的文件。
+// 执行跨模块文件时需先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F
+// 再执行go run cross_directory_014_F_a/cross_directory_014_F_a.go
+package main
+import "cross/other/cross_01"
+
+func cross_directory_014_F_a(__taint_src string) {
+ cross_directory_014_F_b.SayHello(__taint_src)
+}
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_014_F_a(__taint_src)
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/go.mod
new file mode 100644
index 00000000..6bb8be51
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_014_F/go.mod
@@ -0,0 +1,7 @@
+module cross_directory_014_F
+
+go 1.20
+
+replace cross/other/cross_01 => ./cross/other/cross_01
+
+require cross/other/cross_01 v0.0.0-00010101000000-000000000000 // indirect
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_directory_015_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_directory_015_T.go
new file mode 100644
index 00000000..23de2576
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_directory_015_T.go
@@ -0,0 +1,31 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = init函数自动执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_directory_015_T
+// evaluation information end
+
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross
+// 再执行go run cross_directory_015_T.go
+package main
+import (
+ "cross_directory_015_T/cross/cross_init"
+ "os/exec"
+ "fmt"
+)
+
+// Go语言支持包中定义init函数,在这个包被首次初始化(import)时,会自动触发这个包的init函数
+func cross_directory_015_T() {
+ // 看cross_init.Status是否被init处理过
+ __taint_sink(cross_init.Status)
+}
+
+func __taint_sink(o interface{}) {
+ fmt.Println("o 的值:", o)
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
+
+func main() {
+ cross_directory_015_T()
+}
\ No newline at end of file
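Review bot: `__taint_sink` in cross_directory_015_T.go prints its argument with `fmt.Println("o 的值:", o)` before the `exec.Command("sh", "-c", ...)` call, which looks like a debugging leftover. No other sink in this commit does this, including the paired 016_F case. Besides logging the value that is about to reach a shell, it makes the T and F variants differ in more than the taint flow. Remove the `fmt.Println` line and the `"fmt"` import so the sink is identical to the one in 016_F.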
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_init/cross_directory_export_015_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_init/cross_directory_export_015_T.go
new file mode 100644
index 00000000..3a1f8c66
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_init/cross_directory_export_015_T.go
@@ -0,0 +1,11 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = init函数自动执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_init/cross_directory_export_015_T
+// evaluation information end
+
+package cross_init
+
+var Taint_src = "taint_src_value"
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_init/cross_directory_init_015_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_init/cross_directory_init_015_T.go
new file mode 100644
index 00000000..c3034416
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_init/cross_directory_init_015_T.go
@@ -0,0 +1,14 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = init函数自动执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_init/cross_directory_init_015_T
+// evaluation information end
+
+package cross_init
+
+var Status string
+func init() {
+ Status = Taint_src
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/go.mod
new file mode 100644
index 00000000..af303122
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/go.mod
@@ -0,0 +1,3 @@
+module cross_directory_015_T
+
+go 1.20
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_directory_016_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_directory_016_F.go
new file mode 100644
index 00000000..320f9aa8
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_directory_016_F.go
@@ -0,0 +1,23 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = init函数自动执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_directory_016_F
+// evaluation information end
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross
+// 再执行go run cross_directory_016_F.go
+package main
+import (
+ "cross_directory_016_F/cross/cross_init"
+ "os/exec"
+)
+func cross_directory_016_F() {
+ __taint_sink(cross_init.Status)
+}
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
+func main() {
+ cross_directory_016_F()
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_init/cross_directory_export_016_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_init/cross_directory_export_016_F.go
new file mode 100644
index 00000000..efdc3922
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_init/cross_directory_export_016_F.go
@@ -0,0 +1,11 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = init函数自动执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_015_T/cross/cross_init/cross_directory_export_016_F
+// evaluation information end
+
+package cross_init
+
+var Taint_src = "taint_src_value"
\ No newline at end of file
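Review bot: The `bind_url` in the header of cross_directory_export_016_F.go points into `cross_directory_015_T/cross/cross_init/cross_directory_export_016_F`, but the file lives under `cross_directory_016_F`, so this looks like a copy-paste from the 015_T case. A harness that maps findings to cases by `bind_url` would presumably fail to bind this file, or attribute it to the wrong case. It should read `// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_init/cross_directory_export_016_F`.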
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_init/cross_directory_init_016_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_init/cross_directory_init_016_F.go
new file mode 100644
index 00000000..d3d82891
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_init/cross_directory_init_016_F.go
@@ -0,0 +1,14 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = init函数自动执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/cross/cross_init/cross_directory_init_016_F
+// evaluation information end
+package cross_init
+
+var Status string
+func init() {
+ Status = Taint_src
+ Status = "_"
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/go.mod
new file mode 100644
index 00000000..021168fc
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_016_F/go.mod
@@ -0,0 +1,3 @@
+module cross_directory_016_F
+
+go 1.20
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_directory_017_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_directory_017_T.go
new file mode 100644
index 00000000..23107ad2
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_directory_017_T.go
@@ -0,0 +1,32 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 多init函数顺序执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_directory_017_T
+// evaluation information end
+
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross
+// 再执行go run cross_directory_017_T.go
+
+package main
+import (
+ "cross_directory_017_T/cross/cross_init"
+ "os/exec"
+)
+
+// Go语言支持同一个包中有多个init函数,这些init可以在同一个文件也可以在不同文件中。
+// init函数之间的执行是有顺序的,不同文件中则按文件排序顺序、同一文件则按init声明从上之下的顺序
+// init函数是先执行的,所有init函数执行完后才会执行自定义函数
+func cross_directory_017_T() {
+ // 若正确处理,Status的值应该是"taint_src_value234"
+ __taint_sink(cross_init.Status)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
+
+func main() {
+ cross_directory_017_T()
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_export_017_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_export_017_T.go
new file mode 100644
index 00000000..905898d5
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_export_017_T.go
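Review bot: The comment above `cross_directory_017_T` states that init functions in different files run in file-sort order, and the expected value `taint_src_value234` depends on `cross_directory_init_017_T_a.go` being processed before `cross_directory_init_017_T_b.go`. The Go specification only ties this to the order in which files are presented to the compiler; sorting by file name is done by the go command. I would state that in the comment, e.g. `// Across files, init functions run in the order the files are presented to the compiler; the go command sorts them by file name.`, so it is clear what an analyzer has to model. The same comment also has a typo, `从上之下`, which should be `从上至下`.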
@@ -0,0 +1,11 @@ +// evaluation information start +// real case = true +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_export_017_T +// evaluation information end + +package cross_init + +var Taint_src = "taint_src_value" \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_init_017_T_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_init_017_T_a.go new file mode 100644 index 00000000..5ca360f3 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_init_017_T_a.go @@ -0,0 +1,17 @@ +// evaluation information start +// real case = true +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_init_017_T_a +// evaluation information end + +package cross_init + +func init() { + Status = Taint_src +} + +func init() { + Status += "2" +} diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_init_017_T_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_init_017_T_b.go new file mode 100644 index 00000000..77796bc2 --- /dev/null 
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_init_017_T_b.go @@ -0,0 +1,19 @@ +// evaluation information start +// real case = true +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/cross/cross_init/cross_directory_init_017_T_b +// evaluation information end + +package cross_init + +var Status string + +func init() { + Status += "3" +} + +func init() { + Status += "4" +} \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/go.mod new file mode 100644 index 00000000..5242c6b6 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_017_T/go.mod @@ -0,0 +1,3 @@ +module cross_directory_017_T + +go 1.20 \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_directory_018_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_directory_018_F.go new file mode 100644 index 00000000..fdd680cf --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_directory_018_F.go 
@@ -0,0 +1,32 @@ +// evaluation information start +// real case = false +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_directory_018_F +// evaluation information end + +// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross +// 再执行go run cross_directory_018_F.go + +package main +import ( + "cross_directory_018_F/cross/cross_init" + "os/exec" +) + +// Go语言支持同一个包中有多个init函数,这些init可以在同一个文件也可以在不同文件中。 +// init函数之间的执行是有顺序的,不同文件中则按文件排序顺序、同一文件则按init声明从上之下的顺序 +// init函数是先执行的,所有init函数执行完后才会执行自定义函数 +func cross_directory_018_F() { + // 若正确处理,Status的值应该是"_234" + __taint_sink(cross_init.Status) +} + +func __taint_sink(o interface{}) { + _ = exec.Command("sh", "-c", o.(string)).Run() + } + +func main() { + cross_directory_018_F() +} diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_export_018_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_export_018_F.go new file mode 100644 index 00000000..62300bcd --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_export_018_F.go @@ -0,0 +1,11 @@ +// evaluation information start +// real case = false +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_export_018_F +// evaluation information end + +package cross_init + +var Taint_src = "taint_src_value" \ No newline at end of file 
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_init_018_F_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_init_018_F_a.go new file mode 100644 index 00000000..b0222b25 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_init_018_F_a.go @@ -0,0 +1,18 @@ +// evaluation information start +// real case = false +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_init_018_F_a +// evaluation information end + +package cross_init + +func init() { + Status = Taint_src + Status = "_" +} + +func init() { + Status += "2" +} diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_init_018_F_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_init_018_F_b.go new file mode 100644 index 00000000..81456e89 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_init_018_F_b.go 
@@ -0,0 +1,19 @@ +// evaluation information start +// real case = false +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/cross/cross_init/cross_directory_init_018_F_b +// evaluation information end + +package cross_init + +var Status string + +func init() { + Status += "3" +} + +func init() { + Status += "4" +} \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/go.mod new file mode 100644 index 00000000..894d75bf --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_018_F/go.mod @@ -0,0 +1,3 @@ +module cross_directory_018_F + +go 1.20 \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_directory_019_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_directory_019_T.go new file mode 100644 index 00000000..12b89b68 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_directory_019_T.go 
@@ -0,0 +1,31 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 多init函数顺序执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_directory_019_T
+// evaluation information end
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross
+// 再执行go run cross_directory_019_T.go
+
+package main
+import (
+ "cross_directory_019_T/cross/cross_init"
+ "os/exec"
+ "fmt"
+)
+
+// Go语言支持同一个包中有多个init函数,这些init可以在同一个文件也可以在不同文件中。
+// 当这个包被import时,所有包中的init函数都会被执行
+func cross_directory_019_T() {
+ // 若正确处理,pkg.Status的值应该是20
+ __taint_sink(cross_init.Status)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", fmt.Sprintf("%v", o)).Run()
+ }
+
+func main() {
+ cross_directory_019_T()
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_export_019_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_export_019_T.go
new file mode 100644
index 00000000..842bae46
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_export_019_T.go
@@ -0,0 +1,11 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 多init函数顺序执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_export_019_T
+// evaluation information end
+
+package cross_init
+
+var Taint_src = 10
\ No newline at end of file
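Review bot: In `cross_directory_019_T` the value reaching `__taint_sink` is an `int` (`Status` starts at 1 and has `Taint_src = 10`, 2, 3 and 4 added, which gives the 20 the comment expects), and `fmt.Sprintf("%v", o)` of an int cannot carry shell metacharacters into `sh -c`. A type-aware analyzer that discards numeric flows into a command sink would be scored as missing this `real case = true` item, so the header should say that the case measures propagation through init functions regardless of type, or the variables should be strings as in 017_T. The inline comment also names `pkg.Status` although the package is `cross_init`; `// expected: cross_init.Status == 20` would match the code.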
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_init_019_T_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_init_019_T_a.go new file mode 100644 index 00000000..7d94ba88 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_init_019_T_a.go @@ -0,0 +1,17 @@ +// evaluation information start +// real case = true +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_init_019_T_a +// evaluation information end + +package cross_init + +func init() { + Status += Taint_src +} + +func init() { + Status += 2 +} \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_init_019_T_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_init_019_T_b.go new file mode 100644 index 00000000..a0cb564d --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_init_019_T_b.go 
@@ -0,0 +1,18 @@ +// evaluation information start +// real case = true +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/cross/cross_init/cross_directory_init_019_T_b +// evaluation information end + +package cross_init + +var Status int = 1 + +func init() { + Status += 3 +} +func init() { + Status += 4 +} \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/go.mod new file mode 100644 index 00000000..e6689719 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_019_T/go.mod @@ -0,0 +1,3 @@ +module cross_directory_019_T + +go 1.20 \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_directory_020_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_directory_020_F.go new file mode 100644 index 00000000..490498fc --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_directory_020_F.go 
@@ -0,0 +1,32 @@ +// evaluation information start +// real case = false +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_directory_020_F +// evaluation information end + +// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross +// 再执行go run cross_directory_020_F.go + +package main +import ( + "cross_directory_020_F/cross/cross_init" + "os/exec" + "fmt" +) + +// Go语言支持同一个包中有多个init函数,这些init可以在同一个文件也可以在不同文件中。 +// 当这个包被import时,所有包中的init函数都会被执行 +func cross_directory_020_F() { + // 若正确处理,pkg.Status的值应该是0 + __taint_sink(cross_init.Status) +} + +func __taint_sink(o interface{}) { + _ = exec.Command("sh", "-c", fmt.Sprintf("%v", o)).Run() + } + +func main() { + cross_directory_020_F() +} \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_export_020_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_export_020_F.go new file mode 100644 index 00000000..f9f1aa96 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_export_020_F.go @@ -0,0 +1,11 @@ +// evaluation information start +// real case = false +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_export_020_F +// evaluation information end + +package cross_init + +var Taint_src = 10 \ No newline at end of file 
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_init_020_F_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_init_020_F_a.go new file mode 100644 index 00000000..c3cc9146 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_init_020_F_a.go @@ -0,0 +1,17 @@ +// evaluation information start +// real case = false +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 多init函数顺序执行 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_init_020_F_a +// evaluation information end + +package cross_init + +func init() { + Status += Taint_src +} + +func init() { + Status += 2 +} \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_init_020_F_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_init_020_F_b.go new file mode 100644 index 00000000..cfcac003 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_init_020_F_b.go 
@@ -0,0 +1,18 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 多init函数顺序执行
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/cross/cross_init/cross_directory_init_020_F_b
+// evaluation information end
+
+package cross_init
+
+var Status int = 1
+
+func init() {
+ Status += 3
+}
+func init() {
+ Status = 0
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/go.mod
new file mode 100644
index 00000000..57f04550
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_020_F/go.mod
@@ -0,0 +1,3 @@
+module cross_directory_020_F
+
+go 1.20
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/cross/cross_same_name_021_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/cross/cross_same_name_021_T.go
new file mode 100644
index 00000000..e85ff593
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/cross/cross_same_name_021_T.go
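Review bot: The `real case = false` verdict of 020_F holds only if `Status = 0` in the second `init` of `cross_directory_init_020_F_b.go` runs after both `init` functions of `cross_directory_init_020_F_a.go`. If the two files were presented to the compiler in the other order, `Status += Taint_src` would run after the reset and the sink in `cross_directory_020_F.go` would receive a value derived from the source. That order comes from the go tool sorting file names, not from the language, so the last `init` should carry a comment such as `// must run last: relies on this file sorting after cross_directory_init_020_F_a.go`, and the case header should mention it. 018_F is not exposed in the same way, because its overwrite `Status = "_"` sits in the same `init` as the tainted assignment.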
@@ -0,0 +1,20 @@ +// evaluation information start +// real case = true +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 同名包导入区分 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/cross/cross_same_name_021_T +// evaluation information end + +package cross_same_name_021_T +import "os/exec" + +func SayHello(taint_src string) { + __taint_sink(taint_src) +} + +func __taint_sink(o interface{}) { + _ = exec.Command("sh", "-c", o.(string)).Run() + } + + \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/go.mod new file mode 100644 index 00000000..6e69eece --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/go.mod @@ -0,0 +1,3 @@ +module cross_directory_021_T + +go 1.20 \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/main_dir/cross_directory_021_T_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/main_dir/cross_directory_021_T_a.go new file mode 100644 index 00000000..00dbc022 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/main_dir/cross_directory_021_T_a.go 
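Review bot: The new `cross/cross_same_name_021_T.go` is not gofmt-clean: the closing brace of `__taint_sink` is indented, `import "os/exec"` follows the package clause without a blank line, and the file appears to end in whitespace-only lines with no final newline. This commit removes exactly that indented brace from `array_index_no_solver_005_T.go`, yet the `__taint_sink` copies added for 017_T, 018_F, 019_T, 020_F, 022_F and `other/cross` repeat it. Running `gofmt -w` over the added case directories would settle all of them; the sink should end with `_ = exec.Command("sh", "-c", o.(string)).Run()` followed by an unindented `}`.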
@@ -0,0 +1,24 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包导入区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/main_dir/cross_directory_021_T_a
+// evaluation information end
+
+
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T
+// 再执行go run main_dir/cross_directory_021_T_a.go
+
+package main
+import "cross_directory_021_T/cross"
+
+var __taint_src = "taint_src_value"
+
+func init() {
+ cross_same_name_021_T.SayHello(__taint_src)
+}
+
+func main() {
+ return
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/main_dir/cross_directory_021_T_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/main_dir/cross_directory_021_T_b.go
new file mode 100644
index 00000000..22301eb1
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/main_dir/cross_directory_021_T_b.go
@@ -0,0 +1,25 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包导入区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/main_dir/cross_directory_021_T_b
+// evaluation information end
+
+
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T
+// 再执行go run main_dir/cross_directory_021_T_b.go
+
+
+package main
+import "cross_directory_021_T/other/cross"
+
+var __taint_src = "taint_src_value"
+
+func init() {
+ cross_same_name_021_T.SayHello(__taint_src)
+}
+
+func main() {
+ return
+}
\ No newline at end of file
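Review bot: `cross_directory_021_T_a.go` and `cross_directory_021_T_b.go` are both `package main` in `main_dir` and each declares `__taint_src` and `main`, so the directory builds only one file at a time through the `go run main_dir/<file>.go` line in the header. `go build ./...`, or an analyzer that loads and type-checks the whole package, will stop on the redeclaration before it reaches the flow under test. Giving each entry point its own directory (for example `main_a/` and `main_b/`) keeps the same-name import scenario and makes the module loadable. Separately, the `SayHello` bodies in `cross` and `other/cross` are identical and both call the sink, so a tool that resolves the import to the wrong package still reports the finding; the case would discriminate only if one of them did not reach `__taint_sink`. The 022_F pair in `main_dir` has the same layout.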
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/other/cross/cross_same_name_021_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/other/cross/cross_same_name_021_T.go new file mode 100644 index 00000000..a861ccef --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/other/cross/cross_same_name_021_T.go @@ -0,0 +1,18 @@ +// evaluation information start +// real case = true +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 同名包导入区分 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_021_T/other/cross/cross_same_name_021_T +// evaluation information end + + +package cross_same_name_021_T +import "os/exec" +func SayHello(taint_src string) { + __taint_sink(taint_src) +} + +func __taint_sink(o interface{}) { + _ = exec.Command("sh", "-c", o.(string)).Run() + } \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/cross/cross_same_name_022_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/cross/cross_same_name_022_F.go new file mode 100644 index 00000000..18c85d90 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/cross/cross_same_name_022_F.go 
@@ -0,0 +1,20 @@ +// evaluation information start +// real case = false +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 同名包导入区分 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/cross/cross_same_name_022_F +// evaluation information end + +package cross_same_name_022_F +import "os/exec" + +func SayHello(taint_src string) { + __taint_sink(taint_src) +} + +func __taint_sink(o interface{}) { + _ = exec.Command("sh", "-c", o.(string)).Run() + } + + \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/go.mod new file mode 100644 index 00000000..fadb9201 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/go.mod @@ -0,0 +1,3 @@ +module cross_directory_022_F + +go 1.20 \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/main_dir/cross_directory_022_F_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/main_dir/cross_directory_022_F_a.go new file mode 100644 index 00000000..b948b04a --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/main_dir/cross_directory_022_F_a.go 
@@ -0,0 +1,24 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包导入区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/main_dir/cross_directory_022_F_a
+// evaluation information end
+
+
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F
+// 再执行go run main_dir/cross_directory_022_F_a.go
+
+package main
+import "cross_directory_022_F/cross"
+
+var __taint_src = "_"
+
+func init() {
+ cross_same_name_022_F.SayHello(__taint_src)
+}
+
+func main() {
+ return
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/main_dir/cross_directory_022_F_b.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/main_dir/cross_directory_022_F_b.go
new file mode 100644
index 00000000..bb0eecaf
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/main_dir/cross_directory_022_F_b.go
@@ -0,0 +1,25 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包导入区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/main_dir/cross_directory_022_F_b
+// evaluation information end
+
+
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F
+// 再执行go run main_dir/cross_directory_022_F_b.go
+
+
+package main
+import "cross_directory_022_F/other/cross"
+
+var __taint_src = "abc"
+
+func init() {
+ cross_same_name_022_F.SayHello(__taint_src)
+}
+
+func main() {
+ return
+}
\ No newline at end of file
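Review bot: The `real case = false` label of `cross_directory_022_F_a.go` and `cross_directory_022_F_b.go` rests only on the literals `"_"` and `"abc"`; the variable is still named `__taint_src`, and both `cross` and `other/cross` pass their argument straight to `exec.Command("sh", "-c", ...)`. If the harness marks sources by identifier, which 019_T (`Taint_src = 10`) suggests but which is not visible in this part of the diff, this case is indistinguishable from 021_T and a correct tool would be counted as a false positive. For the scenario named in the header (telling same-named packages apart), the negative case would be clearer if the `SayHello` of one package did not call `__taint_sink`, or if the variable were renamed, e.g. `var safeValue = "_"`.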
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/other/cross/cross_same_name_022_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/other/cross/cross_same_name_022_F.go new file mode 100644 index 00000000..79b1c443 --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/other/cross/cross_same_name_022_F.go @@ -0,0 +1,19 @@ +// evaluation information start +// real case = false +// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包 +// scene introduction = 同名包导入区分 +// level = 2 +// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_022_F/other/cross/cross_same_name_022_F +// evaluation information end + + +package cross_same_name_022_F +import "os/exec" + +func SayHello(taint_src string) { + __taint_sink(taint_src) +} + +func __taint_sink(o interface{}) { + _ = exec.Command("sh", "-c", o.(string)).Run() + } \ No newline at end of file diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/cross/cross_01/cross_directory_023_T_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/cross/cross_01/cross_directory_023_T_a.go new file mode 100644 index 00000000..b90bb7da --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/cross/cross_01/cross_directory_023_T_a.go 
@@ -0,0 +1,14 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 可见性校验
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/cross/cross_01/cross_directory_023_T_a
+// evaluation information end
+
+
+package cross_01
+
+var status string = "private"
+
+var Status string = "taint_src_value"
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/cross/cross_directory_023_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/cross/cross_directory_023_T.go
new file mode 100644
index 00000000..7bea4cfa
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/cross/cross_directory_023_T.go
@@ -0,0 +1,32 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 可见性校验
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/cross/cross_directory_023_T
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T
+// 再执行 go run cross/cross_directory_023_T.go
+package main
+
+import (
+ "cross_directory_023_T/cross/cross_01"
+ "fmt"
+ "os/exec"
+)
+
+// Go语言中,一个包内只有大写开头的Symbol能够被导出(对外部可见)
+// 考察特性:@@@@是否会错误地将小写的(非public的)Symbol错误的import过来
+
+func cross_directory_023_T() {
+ __taint_sink(cross_01.Status) //Status大写 应该被正确import过来
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", fmt.Sprintf("%v", o)).Run()
+}
+
+func main() {
+ cross_directory_023_T()
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/go.mod
new file mode 100644
index 00000000..d97f3000
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_023_T/go.mod
@@ -0,0 +1,3 @@
+module cross_directory_023_T
+
+go 1.20
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/cross/cross_01/cross_directory_024_F_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/cross/cross_01/cross_directory_024_F_a.go
new file mode 100644
index 00000000..e0de314f
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/cross/cross_01/cross_directory_024_F_a.go
@@ -0,0 +1,14 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 可见性校验
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/cross/cross_01/cross_directory_024_F_a
+// evaluation information end
+
+
+package cross_01
+
+var status string = "private"
+
+var Status string = "taint_src_value"
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/cross/cross_directory_024_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/cross/cross_directory_024_F.go
new file mode 100644
index 00000000..76c4b5d5
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/cross/cross_directory_024_F.go
@@ -0,0 +1,32 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 可见性校验
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/cross/cross_directory_024_F
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F
+// 再执行 go run cross/cross_directory_024_F.go
+
+package main
+
+import (
+ "fmt"
+ "os/exec"
+)
+
+// Go语言中,一个包内只有大写开头的Symbol能够被导出(对外部可见)
+// 考察特性:@@@@是否会错误地将小写的(非public的)Symbol错误的import过来
+
+func cross_directory_024_F() {
+ __taint_sink(cross_01.status) //status小写 若正确处理,无法获取到cross_01.status
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", fmt.Sprintf("%v", o)).Run()
+}
+
+func main() {
+ cross_directory_024_F()
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/go.mod
new file mode 100644
index 00000000..501fc33c
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_024_F/go.mod
@@ -0,0 +1,3 @@
+module cross_directory_024_F
+
+go 1.20
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/cross/cross_01/cross_directory_025_T_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/cross/cross_01/cross_directory_025_T_a.go
new file mode 100644
index 00000000..49240120
--- /dev/null
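Review bot: `cross_directory_024_F()` calls `__taint_sink(cross_01.status)`, but the import block lists only `"fmt"` and `"os/exec"`, so `cross_01` is unresolved for a reason that has nothing to do with export visibility; adding `"cross_directory_024_F/cross/cross_01"` to the imports, as the 023_T counterpart does, leaves the unexported name as the only obstacle. Separately, in `cross_directory_024_F_a.go` the unexported `status` holds `"private"` while the exported `Status` holds `"taint_src_value"`, so an analyzer that ignored visibility would presumably still see a benign value reach the sink and the case would pass either way. Giving the unexported variable the tainted value, e.g. `var status string = "taint_src_value"`, would make this negative case actually discriminate.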
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/cross/cross_01/cross_directory_025_T_a.go
@@ -0,0 +1,23 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 导入路径与包名解耦
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/cross/cross_01/cross_directory_025_T_a
+// evaluation information end
+
+
+package cross_directory_025_T_a
+
+var status string
+
+type Person struct {
+ Name string
+ Age int
+}
+
+func (p Person) Swimming(taint_src string) string {
+ status = taint_src
+ return status
+}
+
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/cross/cross_directory_025_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/cross/cross_directory_025_T.go
new file mode 100644
index 00000000..3d216b90
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/cross/cross_directory_025_T.go
@@ -0,0 +1,32 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 导入路径与包名解耦
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/cross/cross_directory_025_T
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T
+// 再执行 go run cross/cross_directory_025_T.go
+package main
+import (
+ "fmt"
+ "cross_directory_025_T/cross/cross_01"
+ "os/exec"
+)
+
+// Go语言中,import路径从第二项开始的每项一定是目录名,包括最后一项(并非包名)。
+// 然而,导入后,使用的符号值是包名。比如这边,import cross_01,使用的却是cross_directory_025_T_a
+
+func cross_directory_025_T(__taint_src string) {
+ __taint_sink(cross_directory_025_T_a.Person{}.Swimming(__taint_src))
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", fmt.Sprintf("%v", o)).Run()
+ }
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_025_T(__taint_src)
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/go.mod
new file mode 100644
index 00000000..23b5d919
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_025_T/go.mod
@@ -0,0 +1,3 @@
+module cross_directory_025_T
+
+go 1.20
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/cross/cross_01/cross_directory_026_F_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/cross/cross_01/cross_directory_026_F_a.go
new file mode 100644
index 00000000..6837a63a
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/cross/cross_01/cross_directory_026_F_a.go
@@ -0,0 +1,23 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 导入路径与包名解耦
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/cross/cross_01/cross_directory_026_F_a
+// evaluation information end
+
+
+package cross_directory_026_F_a
+
+var status string
+
+type Person struct {
+ Name string
+ Age int
+}
+
+func (p Person) Swimming(taint_src string) string {
+ status = taint_src
+ return status
+}
+
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/cross/cross_directory_026_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/cross/cross_directory_026_F.go
new file mode 100644
index 00000000..203557cd
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/cross/cross_directory_026_F.go
@@ -0,0 +1,32 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 导入路径与包名解耦
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/cross/cross_directory_026_F
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F
+// 再执行 go run cross/cross_directory_026_F.go
+package main
+import (
+ "fmt"
+ "cross_directory_026_F/cross/cross_01"
+ "os/exec"
+)
+
+// Go语言中,import路径从第二项开始的每项一定是目录名,包括最后一项(并非包名)。
+// 然而,导入后,使用的符号值是包名。比如这边,import cross_01,使用的却是pkg
+
+func cross_directory_026_F(__taint_src string) {
+ __taint_sink(cross_directory_026_F_a.Person{}.Swimming("_"))
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", fmt.Sprintf("%v", o)).Run()
+ }
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_026_F(__taint_src)
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/go.mod
new file mode 100644
index 00000000..e34eb465
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_026_F/go.mod
@@ -0,0 +1,3 @@
+module cross_directory_026_F
+
+go 1.20
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_01/cross_same_name_027_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_01/cross_same_name_027_T.go
new file mode 100644
index 00000000..c027d647
--- /dev/null
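Review bot: The explanatory comment above `cross_directory_026_F` ends by naming `pkg` as the identifier used after the import, but the qualifier in the call is `cross_directory_026_F_a`; the 025_T twin names its real package in the same sentence. Replace `pkg` with `cross_directory_026_F_a` in that comment so the text matches the code it explains. A one-line comment on the function such as `// negative case: __taint_src is intentionally unused, only the literal "_" reaches Swimming` would also make it clear that the dropped parameter is deliberate.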
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_01/cross_same_name_027_T.go
@@ -0,0 +1,23 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包路径区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_01/cross_same_name_027_T
+// evaluation information end
+
+
+package cross_same_name_027_T
+import "os/exec"
+
+var dir string
+
+func Fun(__taint_src string) {
+ dir = __taint_src
+ __taint_sink(dir)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
+
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_02/cross_same_name_027_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_02/cross_same_name_027_T.go
new file mode 100644
index 00000000..ec4aa3c7
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_02/cross_same_name_027_T.go
@@ -0,0 +1,22 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包路径区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_02/cross_same_name_027_T
+// evaluation information end
+
+
+package cross_same_name_027_T
+import "os/exec"
+
+var dir string
+
+func Fun(__taint_src string) {
+ dir = "abc"
+ __taint_sink(dir)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_directory_027_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_directory_027_T.go
new file mode 100644
index 00000000..10f8b3f9
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_directory_027_T.go
@@ -0,0 +1,25 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包路径区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/cross_directory_027_T
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T
+// 再执行 go run cross_directory_027_T.go
+
+package main
+
+// Go语言中,一个包以文件结构路径唯一标识。允许同名包。
+// 旧版@@@@以包名作为key来进行包管理,导致同名包丢失。
+
+// 考察特性:@@@@-Go的**包管理逻辑**(this.packageManager),是否能够区分并保存同名包
+func cross_directory_027_T(__taint_src string) {
+ cross_same_name_027_T.Fun(__taint_src)
+}
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_027_T(__taint_src)
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/go.mod
new file mode 100644
index 00000000..40b6f045
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_027_T/go.mod
@@ -0,0 +1,3 @@
+module cross_directory_027_T
+
+go 1.20
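Review bot: `cross_directory_027_T.go` calls `cross_same_name_027_T.Fun(__taint_src)` without any import declaration, while both `cross_01` and `cross_02` declare `package cross_same_name_027_T`; the 028_F twin does carry `import cross_same_name_028_F "cross_directory_028_F/cross_02"`. As written the file does not compile and nothing states which of the two same-named packages is meant, so the `real case = true` verdict depends on the analyzer guessing `cross_01`, the only one that forwards the parameter to the sink. Add `import cross_same_name_027_T "cross_directory_027_T/cross_01"` after the `package main` line so the expected flow is unambiguous.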
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_01/cross_same_name_028_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_01/cross_same_name_028_F.go
new file mode 100644
index 00000000..3b064e08
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_01/cross_same_name_028_F.go
@@ -0,0 +1,23 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包路径区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_01/cross_same_name_028_F
+// evaluation information end
+
+
+package cross_same_name_028_F
+import "os/exec"
+
+var dir string
+
+func Fun(__taint_src string) {
+ dir = __taint_src
+ __taint_sink(dir)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
+
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_02/cross_same_name_028_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_02/cross_same_name_028_F.go
new file mode 100644
index 00000000..cf574b2d
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_02/cross_same_name_028_F.go
@@ -0,0 +1,21 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包路径区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_02/cross_same_name_028_F
+// evaluation information end
+
+
+package cross_same_name_028_F
+import "os/exec"
+var dir string
+
+func Fun(__taint_src string) {
+ dir = "abc"
+ __taint_sink(dir)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_directory_028_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_directory_028_F.go
new file mode 100644
index 00000000..f3f38c67
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_directory_028_F.go
@@ -0,0 +1,27 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 同名包路径区分
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/cross_directory_028_F
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F
+// 再执行 go run cross_directory_028_F.go
+
+package main
+
+import cross_same_name_028_F "cross_directory_028_F/cross_02"
+
+// Go语言中,一个包以文件结构路径唯一标识。允许同名包。
+// 旧版@@以包名作为key来进行包管理,导致同名包丢失。
+
+// 考察特性:@@-Go的**包管理逻辑**(this.packageManager),是否能够区分并保存同名包
+func cross_directory_028_F(__taint_src string) {
+ cross_same_name_028_F.Fun(__taint_src)
+}
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_028_F(__taint_src)
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/go.mod
new file mode 100644
index 00000000..eafff194
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_028_F/go.mod
@@ -0,0 +1,3 @@
+module cross_directory_028_F
+
+go 1.20
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/cross_01/cross_directory_029_T_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/cross_01/cross_directory_029_T_a.go
new file mode 100644
index 00000000..13aa02e0
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/cross_01/cross_directory_029_T_a.go
@@ -0,0 +1,18 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 识别导入根目录
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/cross_01/cross_directory_029_T_a
+// evaluation information end
+
+package cross_directory_029_T_a
+
+type Person struct {
+ Name string
+ Age int
+}
+
+func (p Person) Skiing(__taint_src string) string{
+ return __taint_src
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/cross_directory_029_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/cross_directory_029_T.go
new file mode 100644
index 00000000..687bf49f
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/cross_directory_029_T.go
@@ -0,0 +1,36 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 识别导入根目录
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/cross_directory_029_T
+// evaluation information end
+
+
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross
+// 再执行go run cross_directory_029_T.go
+
+package main
+
+import (
+ "rainy/cross_01"
+ "os/exec"
+)
+// Go语言中的import: import 项目名(代表根目录)/目录名1/目录名2/目录名3
+// 所谓的根目录 指 go.mod所在的目录
+// 考察特性:是否支持识别go项目的根目录,从根目录开始解析并找到import语句
+
+
+func cross_directory_029_T(__taint_src string) {
+ value := cross_directory_029_T_a.Person{}.Skiing(__taint_src)// 看这些符号值能不能被解析出来
+ __taint_sink(value)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_029_T(__taint_src)
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/go.mod
new file mode 100644
index 00000000..c88bf90c
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_029_T/cross/go.mod
@@ -0,0 +1,3 @@
+module rainy
+
+go 1.20
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/cross_01/cross_directory_030_F_a.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/cross_01/cross_directory_030_F_a.go
new file mode 100644
index 00000000..13969309
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/cross_01/cross_directory_030_F_a.go
@@ -0,0 +1,18 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 识别导入根目录
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/cross_01/cross_directory_030_F_a
+// evaluation information end
+
+package cross_directory_030_F_a
+
+type Person struct {
+ Name string
+ Age int
+}
+
+func (p Person) Skiing(__taint_src string) string{
+ return __taint_src
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/cross_directory_030_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/cross_directory_030_F.go
new file mode 100644
index 00000000..9a82e327
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/cross_directory_030_F.go
@@ -0,0 +1,36 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨包
+// scene introduction = 识别导入根目录
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/cross_directory_030_F
+// evaluation information end
+
+
+// 先cd到sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross
+// 再执行go run cross_directory_030_F.go
+
+package main
+
+import (
+ "rainy/cross_01"
+ "os/exec"
+)
+// Go语言中的import: import 项目名(代表根目录)/目录名1/目录名2/目录名3
+// 所谓的根目录 指 go.mod所在的目录
+// 考察特性:是否支持识别go项目的根目录,从根目录开始解析并找到import语句
+
+
+func cross_directory_030_F(__taint_src string) {
+ value := cross_directory_030_F_a.Person{}.Skiing("_")// 看这些符号值能不能被解析出来
+ __taint_sink(value)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+ }
+
+func main() {
+ __taint_src := "taint_src_value"
+ cross_directory_030_F(__taint_src)
+}
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/go.mod
new file mode 100644
index 00000000..c88bf90c
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_directory/cross_directory_030_F/cross/go.mod
@@ -0,0 +1,3 @@
+module rainy
+
+go 1.20
\ No newline at end of file
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/config.json b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/config.json
index 95611ba3..65b4f607 100644
--- a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/config.json
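Review bot: The `import "rainy/cross_01"` in `cross_directory_030_F.go` resolves through a `go.mod` declaring `module rainy`, which is the same module path the 029_T case declares in its own `cross/go.mod`. If the case tree is scanned in one run, an analyzer that indexes packages by module path could bind either case's `rainy/cross_01` to the other case's directory and blur the true/false pair; whether the harness scans each case in isolation is not visible here. Giving the two cases distinct module paths (for example `module rainy_030_F` here, with the import adjusted to match) keeps the root-directory scenario and removes the collision. If the shared name is intentional, a comment in the case header saying so would help.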
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/config.json @@ -13,6 +13,10 @@ { "compose": "(cross_module_003_T/cross_module_003_T_a/cross_module_003_T_a.go || cross_module_003_T/cross_module_003_T_b/cross_module_003_T_b.go) && !(cross_module_004_F/cross_module_004_F_a/cross_module_004_F_a.go || cross_module_004_F/cross_module_004_F_b/cross_module_004_F_b.go)", "scene": "跨module-别名" + }, + { + "compose": "(cross_module_005_T/cross_module_005_T_a/cross_module_005_T.go || cross_module_005_T/cross_module_005_T_b/cross_module_005_T.go) && !(cross_module_006_F/cross_module_006_F_a/cross_module_006_F.go || cross_module_006_F/cross_module_006_F_b/cross_module_006_F.go)", + "scene": "多Main包模块化管理" } ] } diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/cross_module_005_T_a/cross_module_005_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/cross_module_005_T_a/cross_module_005_T.go new file mode 100644 index 00000000..a74b8beb --- /dev/null +++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/cross_module_005_T_a/cross_module_005_T.go 
@@ -0,0 +1,29 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨模块
+// scene introduction = 多Main包模块化管理
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/cross_module_005_T_a/cross_module_005_T
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T
+// 在执行 go run ./cross_module_005_T_a
+package main
+
+import "os/exec"
+
+// Go语言中,允许多个main包和main函数(只要不在同一个目录)
+// 考察特性:@@是否能否对多个main包和main函数的情况正确包管理和找到main函数
+
+func cross_module_005_T_a(__taint_src string) {
+ __taint_sink(__taint_src)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+}
+
+func main() {
+ __taint_src := "taint_src_value_main1"
+ cross_module_005_T_a(__taint_src)
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/cross_module_005_T_b/cross_module_005_T.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/cross_module_005_T_b/cross_module_005_T.go
new file mode 100644
index 00000000..0b996094
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/cross_module_005_T_b/cross_module_005_T.go
@@ -0,0 +1,29 @@
+// evaluation information start
+// real case = true
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨模块
+// scene introduction = 多Main包模块化管理
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/cross_module_005_T_b/cross_module_005_T
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T
+// 在执行 go run ./cross_module_005_T_b
+package main
+
+import "os/exec"
+
+// Go语言中,允许多个main包和main函数(只要不在同一个目录)
+// 考察特性:@@是否能否对多个main包和main函数的情况正确包管理和找到main函数
+
+func cross_module_005_T_b(__taint_src string) {
+ __taint_sink(__taint_src)
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+}
+
+func main() {
+ __taint_src := "taint_src_value_main2"
+ cross_module_005_T_b(__taint_src)
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/go.mod
new file mode 100644
index 00000000..7934c85a
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_005_T/go.mod
@@ -0,0 +1,3 @@
+module cross_module_005_T
+
+go 1.14
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/cross_module_006_F_a/cross_module_006_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/cross_module_006_F_a/cross_module_006_F.go
new file mode 100644
index 00000000..a1d349cf
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/cross_module_006_F_a/cross_module_006_F.go
@@ -0,0 +1,29 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨模块
+// scene introduction = 多Main包模块化管理
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/cross_module_006_F_a/cross_module_006_F
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F
+// 在执行 go run ./cross_module_006_F_a
+package main
+
+import "os/exec"
+
+// Go语言中,允许多个main包和main函数(只要不在同一个目录)
+// 考察特性:@@是否能否对多个main包和main函数的情况正确包管理和找到main函数
+
+func cross_module_006_F_a(__taint_src string) {
+ __taint_sink("this is main1")
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+}
+
+func main() {
+ __taint_src := "taint_src_value_main1"
+ cross_module_006_F_a(__taint_src)
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/cross_module_006_F_b/cross_module_006_F.go b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/cross_module_006_F_b/cross_module_006_F.go
new file mode 100644
index 00000000..b6f93e06
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/cross_module_006_F_b/cross_module_006_F.go
@@ -0,0 +1,29 @@
+// evaluation information start
+// real case = false
+// evaluation item = 完整度->单应用跟踪完整度->文件、包、命名空间->跨模块
+// scene introduction = 多Main包模块化管理
+// level = 2
+// bind_url = completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/cross_module_006_F_b/cross_module_006_F
+// evaluation information end
+
+// 先cd sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F
+// 在执行 go run ./cross_module_006_F_b
+package main
+
+import "os/exec"
+
+// Go语言中,允许多个main包和main函数(只要不在同一个目录)
+// 考察特性:@@是否能否对多个main包和main函数的情况正确包管理和找到main函数
+
+func cross_module_006_F_b(__taint_src string) {
+ __taint_sink("this is main2")
+}
+
+func __taint_sink(o interface{}) {
+ _ = exec.Command("sh", "-c", o.(string)).Run()
+}
+
+func main() {
+ __taint_src := "taint_src_value_main2"
+ cross_module_006_F_b(__taint_src)
+}
diff --git a/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/go.mod b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/go.mod
new file mode 100644
index 00000000..e21c91bd
--- /dev/null
+++ b/sast-go/cases/completeness/single_app_tracing/cross_file_package_namespace/cross_module/cross_module_006_F/go.mod
@@ -0,0 +1,3 @@
+module cross_module_006_F
+
+go 1.14
diff --git a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_nil_001_T/if_return_nil_001_T.go b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_nil_001_T/if_return_nil_001_T.go
index dd00b2a2..88d20fb6 100644
--- a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_nil_001_T/if_return_nil_001_T.go
+++ b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_nil_001_T/if_return_nil_001_T.go
@@ -18,7 +18,7 @@ type S struct { id int } -func Func1(__taint_src string) (*S, string) { +func Func1(__taint_src string) (*S) { s1 := &S{ name: __taint_src, id: 98, @@ -26,14 +26,14 @@ func Func1(__taint_src string) (*S, string) { err := "nil" if err != "nil" { - return nil, err + return nil } - return s1, "abc" + return s1 } func if_return_nil_001_T(__taint_src string) { - res, _ := Func1(__taint_src) + res := Func1(__taint_src) __taint_sink(res) } diff --git a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_nil_002_F/if_return_nil_002_F.go b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_nil_002_F/if_return_nil_002_F.go index b6729530..31919a39 100644 --- a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_nil_002_F/if_return_nil_002_F.go +++ b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_nil_002_F/if_return_nil_002_F.go @@ -12,28 +12,29 @@ import ( "os/exec" ) +// 旧版中,对nil没有进行处理限制,允许将nil值转换成返回值类型(S),且允许对nil进行memberAccess读取 type S struct { name string id int } -func Func1(__taint_src string) (*S, string) { +func Func1(__taint_src string) (*S) { s1 := &S{ name: __taint_src, id: 98, } - err := "abc" + err := "error" if err != "nil" { - return nil, err + return nil } - return s1, "abc" + return s1 } func if_return_nil_002_F(__taint_src string) { - res, _ := Func1(__taint_src) + res := Func1(__taint_src) __taint_sink(res) } diff --git a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_tuple_001_T/if_return_tuple_001_T.go b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_tuple_001_T/if_return_tuple_001_T.go index f7da7dd2..d1ef8431 100644 --- a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_tuple_001_T/if_return_tuple_001_T.go 
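Review bot: The new signature `func Func1(__taint_src string) (*S) {` in if_return_nil_001_T keeps parentheses around a single unnamed result, which gofmt removes; it should read `func Func1(__taint_src string) *S {`. The same signature is introduced in the if_return_nil_002_F hunk that follows. Other files in this commit look like they were run through gofmt, so these two were probably missed. Func1's body is split across the two hunks of this file, so only the changed lines are visible here.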
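Review bot: The comment added in if_return_nil_002_F sits directly above `type S struct`, so it reads as the doc comment of S. Its text describes how an older version (presumably of the analyzer) handled nil, not the type. It also leaves unstated why this case is negative. I would move it above Func1, separated from the type by a blank line, and add the reason, for example `// Func1 always returns nil here: err is the constant "error", so the early return is taken and s1 never reaches the caller.` The expected result therefore depends on the analyzer evaluating the constant comparison `err != "nil"`, which is worth saying in the evaluation header as well.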
+++ b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/if_return_tuple_001_T/if_return_tuple_001_T.go @@ -7,6 +7,7 @@ // evaluation information end package main + import "os/exec" func callee(taint string) (string, string) { @@ -17,16 +18,16 @@ func callee(taint string) (string, string) { } func if_return_tuple_001_T(__taint_src string) { - a,b := callee(__taint_src) + a, b := callee(__taint_src) _ = a __taint_sink(b) } func __taint_sink(o interface{}) { _ = exec.Command("sh", "-c", o.(string)).Run() - } +} func main() { - __taint_src := "taint_src_value" - if_return_tuple_001_T(__taint_src) -} \ No newline at end of file + __taint_src := "taint_src_value" + if_return_tuple_001_T(__taint_src) +} diff --git a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_001_F/multiple_return_struct_001_F.go b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_001_F/multiple_return_struct_001_F.go index 7e28d99d..1f5cbefa 100644 --- a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_001_F/multiple_return_struct_001_F.go +++ b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_001_F/multiple_return_struct_001_F.go @@ -1,13 +1,12 @@ - // evaluation information start // real case = false // evaluation item = 完整度->单应用跟踪完整度->函数和方法调用->返回值传递 -// scene introduction = 多返回值传递给结构体 +// scene introduction = 多返回值传递给结构体 // level = 2 // bind_url = completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_001_F/multiple_return_struct_001_F // evaluation information end - package main + import ( "fmt" "os/exec" 
@@ -33,9 +32,8 @@ func processData(s string, i interface{}) (string, interface{}) { func __taint_sink(o interface{}) { _ = exec.Command("sh", "-c", fmt.Sprintf("%+v", o)).Run() - } - +} func main() { - __taint_src := "taint_src_value" - multiple_return_struct_001_F(__taint_src) -} \ No newline at end of file + __taint_src := "taint_src_value" + multiple_return_struct_001_F(__taint_src) +} diff --git a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_002_T/multiple_return_struct_002_T.go b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_002_T/multiple_return_struct_002_T.go index f49e93a3..6e731c40 100644 --- a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_002_T/multiple_return_struct_002_T.go +++ b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_002_T/multiple_return_struct_002_T.go @@ -1,13 +1,12 @@ - // evaluation information start // real case = true // evaluation item = 完整度->单应用跟踪完整度->函数和方法调用->返回值传递 -// scene introduction = 多返回值传递给结构体 +// scene introduction = 多返回值传递给结构体 // level = 2 // bind_url = completeness/single_app_tracing/function_call/return_value_passing/multiple_return_struct_002_T/multiple_return_struct_002_T // evaluation information end - package main + import ( "fmt" "os/exec" @@ -33,9 +32,9 @@ func processData(s string, i interface{}) (string, interface{}) { func __taint_sink(o interface{}) { _ = exec.Command("sh", "-c", fmt.Sprintf("%+v", o)).Run() - } +} func main() { - __taint_src := "taint_src_value" - multiple_return_struct_002_T(__taint_src) -} \ No newline at end of file + __taint_src := "taint_src_value" + multiple_return_struct_002_T(__taint_src) +} 
diff --git a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/named_return_004_T/named_return_004_T.go b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/named_return_004_T/named_return_004_T.go index 7a7b8b93..56de69c5 100644 --- a/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/named_return_004_T/named_return_004_T.go +++ b/sast-go/cases/completeness/single_app_tracing/function_call/return_value_passing/named_return_004_T/named_return_004_T.go @@ -19,7 +19,7 @@ func named_return_004_T(__taint_src interface{}) { func processData(s interface{}, i interface{}) (ret interface{}) { ret = "_" - return s + return s // 主要区别位于这里,在具名返回值的情况下 裸返回return默认返回ret。但uast4Go在处理具名返回值时存在bug,导致此处的return s被覆盖成return ret } func __taint_sink(o interface{}) {
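Review bot: The trailing comment added to `return s` in processData explains the case through a bug in one tool (uast4Go, as the comment names it) instead of through what the code does, and at that length it is hard to read at the end of a statement. A short comment on its own line above the statement would state the property any analyzer has to get right, for example `// Explicit return: s is returned, not the named result ret ("_"); only a bare return would yield ret.` The tool-specific bug description fits better in the commit message or the tool's issue tracker. The caller named_return_004_T starts outside this hunk.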