
Analyzing a self-written vulnerability demo: no vulnerability result is reported #98

@7uup

Description


When testing with a self-written vulnerability demo, no result is detected. From what the console shows, the Source and Sink configuration rules are definitely loaded correctly. Looking at the call relationships, it seems that after jumping two levels the engine no longer discovers the call chain testController -> WatermarkService.runCmd -> WatermarkServiceImpl.runCmd -> cmd.

main file:/snapshot/YASA-Engine/dist/main.js
Specific checkerIds: [ 'taint_flow_java_input' ]
Rule config file:  /root/yasa-engine/example-rule-config/rule_config_java.json
source path: /root/demo/
Report directory: /root/yasa-engine/report/demo2
Analyze Language: java
Analyze Analyer: SpringAnalyzer

=======================  Register rules  =======================
resolveCheckerPath projectRoot : /snapshot/YASA-Engine
Resolved checker path :/snapshot/YASA-Engine/dist/checker/taint/java/java-default-taint-checker.js
rules-basic-handler [CONFIG] Loaded from: /snapshot/YASA-Engine/dist/config.js
load checkers: [ 'taint_flow_java_input' ]
================================================================

[YASA] Begin execution
[YASA] Executing preProcess
[YASA][preProcess] Executing parseCode
[YASA][preProcess] Executing preload
[YASA][preProcess] Completed preload, cost: 0ms
[YASA][preProcess] Completed parseCode, cost: 621ms
[YASA][preProcess] Executing processModule
[YASA][preProcess] Completed processModule, cost: 21ms
[YASA] Completed preProcess, cost: 680ms
[YASA] Executing startAnalyze
YASA will collect Entrypoint and Source
[YASA] Executing makeFullCallGraph(BySymbolInterpret)
rules-basic-handler [CONFIG] Loaded from: /snapshot/YASA-Engine/dist/config.js
makeAllCG-start
        makeAllCG-10%
        makeAllCG-30%
        makeAllCG-70%
        makeAllCG-100%
[YASA] Completed makeFullCallGraph(BySymbolInterpret), cost: 103ms
[YASA] Completed startAnalyze, cost: 163ms
[YASA] Executing symbolInterpret
EntryPoint [/src/main/java/com/example/demo/DemoApplication.main] is executing
EntryPoint [/src/main/java/com/example/demo/Api/testController.testContent] is executing
EntryPoint [/src/main/java/com/example/demo/Api/testController.testExec] is executing
EntryPoint [/src/main/java/com/example/demo/DemoApplication.main] is executing
EntryPoint [/src/main/java/com/example/demo/Api/testController.testExec] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.setName] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.setPolicyObj] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.equals] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.canEqual] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.hashCode] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/ExpressBO.toString] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setId] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setName] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setClassifyType] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setContent] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setStyleType] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setFontName] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setFontSize] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setAngular] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setHorizontalDensity] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setLongitudinalDensity] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setTransparency] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setDisplayRange] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setColor] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setGroupIds] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setPriority] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.setStatus] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.equals] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.canEqual] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.hashCode] is executing
EntryPoint [/src/main/java/com/example/demo/Dto/WatermarkDTO.toString] is executing
EntryPoint [/src/main/java/com/example/demo/Service/IQleService.executeJavaCode] is executing
EntryPoint [/src/main/java/com/example/demo/Service/IWatermarkService.testContent] is executing
EntryPoint [/src/main/java/com/example/demo/Service/IWatermarkService.runCmd] is executing
EntryPoint [/src/main/java/com/example/demo/Service/impl/QleServiceImpl.executeJavaCode] is executing
EntryPoint [/src/main/java/com/example/demo/Service/impl/WatermarkServiceImpl.testContent] is executing
EntryPoint [/src/main/java/com/example/demo/Service/impl/WatermarkServiceImpl.runCmd] is executing
[YASA] Completed symbolInterpret, cost: 111ms
[YASA] Execution completed, cost: 954ms

======================  Analysis Overview  =====================
Language                           : java
Files analyzed                     : 9
Lines of code                      : 585
Total time                         : 954ms
Total instruction                  : 1537
Executed instruction               : 1537
Execution count                    : 3109
Sources configured                 : 3
Sinks configured                   : 10
Valid entrypoints                  : 37
Avg execution time per instruction : 0.00ms
Avg instruction execution count    : 2.02
Execution time 70%/99%/100%        : 0.00ms/0.00ms/0.00ms
Execution times 70%/99%/100%       : 2.00/4.00/6.00
================================================================


===================  Performance Statistics  ===================
total cost: 954ms
preProcess cost: 680ms
  parseCode cost: 621ms
    parse cost: 619ms
    other cost: 2ms
  preload cost: 453ms
  processModule cost: 21ms
startAnalyze cost: 163ms
makeFullCallGraph(BySymbolInterpret) cost: 103ms
symbolInterpret cost: 111ms
================================================================

Found 3 potential output strategy files
Registered strategy: callgraph from callgraph-output-strategy.js
Registered strategy: interactive from interactive-output-strategy.js
Registered strategy: taintflow from taint-output-strategy.js
Successfully registered 3 output strategies

=======================  outputFindings  =======================
================================================================

analyze done
[screenshots of the console output]

The code is as follows:

[screenshots of the demo source code]

callgraph.json is as follows:
callgraph.json
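To make the reported symptom concrete, the following is an added example (not YASA-Engine code and not the reporter's demo): it models the call chain from the report as a tiny call graph and checks whether the source method can reach the sink with and without resolving the interface call to its implementation. The graph format, the interface-to-implementation map and the sink name `cmd` are constructed for illustration only; they are not the real callgraph.json schema.

```javascript
// Added example: source-to-sink reachability over a constructed call graph.
// Method names mirror the entrypoint list in the issue's console output;
// "cmd" stands for the command-execution call the demo makes (assumed).
const callGraph = {
  "testController.testExec": ["IWatermarkService.runCmd"],
  "IWatermarkService.runCmd": [],           // interface method: no body, no callees
  "WatermarkServiceImpl.runCmd": ["cmd"],   // implementation reaches the sink
  "testController.testContent": ["IWatermarkService.testContent"],
  "IWatermarkService.testContent": [],
  "WatermarkServiceImpl.testContent": [],
};

// Constructed interface -> implementation map, the kind of information a
// Spring-aware resolver would derive from `implements` and bean wiring.
const implementations = {
  "IWatermarkService.runCmd": ["WatermarkServiceImpl.runCmd"],
  "IWatermarkService.testContent": ["WatermarkServiceImpl.testContent"],
};

// Breadth-first search for a call path from `source` to `sink`; returns the path
// as an array of method names, or null when the sink is unreachable. When
// resolveInterfaces is true, a call to an interface method is also expanded to
// each known implementation.
function findTaintPath(graph, impls, source, sink, resolveInterfaces) {
  const queue = [[source]];
  const seen = new Set([source]);
  while (queue.length > 0) {
    const path = queue.shift();
    const node = path[path.length - 1];
    if (node === sink) return path;
    let callees = graph[node] || [];
    if (resolveInterfaces && impls[node]) callees = callees.concat(impls[node]);
    for (const callee of callees) {
      if (!seen.has(callee)) {
        seen.add(callee);
        queue.push([...path, callee]);
      }
    }
  }
  return null;
}

// Reproduce the symptom from the report: same graph, same source and sink,
// but the sink is only reachable once the interface call is resolved.
function diagnose() {
  const source = "testController.testExec";
  const sink = "cmd";
  return {
    withoutResolution: findTaintPath(callGraph, implementations, source, sink, false),
    withResolution: findTaintPath(callGraph, implementations, source, sink, true),
  };
}

console.log(JSON.stringify(diagnose(), null, 2));
```

The unresolved run returns null, which is exactly an empty findings list; the resolved run returns the four-step chain. When checking an exported call graph for a case like this one, the edge to look for is the one from the interface method to the implementation method: if it is absent, the taint engine has no path on which to propagate, however correct the Source and Sink rules are.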
