Taint Sources for CodeSonar C# Warning Classes

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

Taint sources are locations where data from an untrusted origin may enter a program. Such data can be used to construct injection attacks.

This section lists the methods that the CodeSonar C# analysis automatically recognizes as sources, and explains how to specify additional methods that the analysis should treat as sanitizers.

Taint sources are locations where data from an untrusted origin may enter a progam. This tainted data can be used to construct injection attacks, unless it is subsequently sanitized.

If you have a method that is a taint source but not automatically recognized, you can instruct the CodeSonar analysis to treat it as a source by applying one of the following attributes.

Attribute	Notes
[com.juliasoft.julia.checkers.flows.UntrustedDatabase]	Results of database queries. Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_DATABASE=Yes.
[com.juliasoft.julia.checkers.flows.UntrustedDevice]	Data about the specific device where the program is running, such as its phone number, its geographical location and its IMEI code. Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_DEVICE=Yes.
[com.juliasoft.julia.checkers.flows.UntrustedEnvironment]	Files from the file system, system properties and arguments to main methods. Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_ENVIRONMENT=Yes.
[com.juliasoft.julia.checkers.flows.UntrustedExternalStream]	Input streams from sockets or URL are considered as source locations of untrusted data. Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_EXTERNAL_STREAMS=Yes.
[com.juliasoft.julia.checkers.flows.UntrustedUserInput]	Request objects to servlets and input read from console are considered as source locations of untrusted data. Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_USER_INPUT=Yes.

Attribute

Notes

[com.juliasoft.julia.checkers.flows.UntrustedDatabase]

Results of database queries.
Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_DATABASE=Yes.

[com.juliasoft.julia.checkers.flows.UntrustedDevice]

Data about the specific device where the program is running, such as its phone number, its geographical location and its IMEI code.
Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_DEVICE=Yes.

[com.juliasoft.julia.checkers.flows.UntrustedEnvironment]

Files from the file system, system properties and arguments to main methods.
Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_ENVIRONMENT=Yes.

[com.juliasoft.julia.checkers.flows.UntrustedExternalStream]

Input streams from sockets or URL are considered as source locations of untrusted data.
Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_EXTERNAL_STREAMS=Yes.

[com.juliasoft.julia.checkers.flows.UntrustedUserInput]

Request objects to servlets and input read from console are considered as source locations of untrusted data.
Taint of this kind is not tracked if CSHARP_ANALYSIS_TRUST_USER_INPUT=Yes.

The methods listed below are automatically recognized as taint sources by CodeSonar. The relevant annotation from the table above is shown for each method.

[return: UntrustedDevice] Location android.location.LocationManager.getLastKnownLocation(String arg0)

[return: UntrustedDevice] String android.location.LocationProvider.getName()

[return: UntrustedEnvironment] String android.os.SystemProperties.get(String arg0, String arg1)

[return: UntrustedEnvironment] String android.os.SystemProperties.get(String arg0)

[return: UntrustedDevice] CellLocation android.telephony.TelephonyManager.getCellLocation()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getDeviceId()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getDeviceSoftwareVersion()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getLine1Number()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getNetworkCountryIso()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getNetworkOperator()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getNetworkOperatorName()

[return: UntrustedDevice] int android.telephony.TelephonyManager.getPhoneType()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getSimCountryIso()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getSimOperator()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getSimOperatorName()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getSimSerialNumber()

[return: UntrustedDevice] String android.telephony.TelephonyManager.getVoiceMailNumber()

[return: UntrustedUserInput] Editable android.widget.EditText.getText()

void com.openxc.VehicleLocationProvider.receive([UntrustedDevice] Measurement arg0)

void com.openxc.VehicleManager.Listener.receive([UntrustedDevice] VehicleMessage arg0)

[return: UntrustedDevice] VehicleMessage com.openxc.VehicleManager.get(MessageKey arg0)

[return: UntrustedDevice] Measurement com.openxc.VehicleManager.get(Class arg0)

[return: UntrustedDevice] String com.openxc.VehicleManager.getVehicleInterfaceDeviceId()

[return: UntrustedDevice] String com.openxc.VehicleManager.getVehicleInterfacePlatform()

[return: UntrustedDevice] String com.openxc.VehicleManager.getVehicleInterfaceVersion()

[return: UntrustedDevice] VehicleMessage com.openxc.VehicleManager.request(KeyedMessage arg0)

void com.openxc.measurements.Measurement.Listener.receive([UntrustedDevice] Measurement arg0)

void com.openxc.messages.VehicleMessage.Listener.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sinks.AbstractQueuedCallbackSink.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sinks.ContextualVehicleDataSink.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sinks.FileRecorderSink.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sinks.MessageListenerSink.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sinks.RemoteCallbackSink.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sinks.TestSink.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sinks.UploaderSink.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sinks.UserSink.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sinks.VehicleDataSink.receive([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sources.ApplicationSource.handleMessage([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sources.BaseVehicleDataSource.handleMessage([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sources.BytestreamDataSource.handleMessage([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sources.ContextualVehicleDataSource.handleMessage([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sources.NativeLocationSource.handleMessage([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sources.RemoteListenerSource.handleMessage([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sources.SourceCallback.handleMessage([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sources.TestSource.handleMessage([UntrustedDevice] VehicleMessage arg0)

void com.openxc.sources.VehicleDataSource.handleMessage([UntrustedDevice] VehicleMessage arg0)

[return: UntrustedDevice] List android.telephony.TelephonyManager.getAllCellInfo()