FlowDroid, in concert with Jasmine, can support taint analysis for Spring programs.
First, modify the fields in the config.properties and config.json files in the ./FlowDroid_Jasmine/dataleak/src/main/resources directory to match your environment.
{
    "source": "/Users/jasmine/FlowDroid_Jasmine/dataleak/src/main/resources/source.json",
    "main_class": "synthetic.method.dummyMainClass",
    "edge_config": "/Users/jasmine/FlowDroid_Jasmine/dataleak/src/main/resources/config.properties"
}
The main_class is the main class of the target project. If the target project does not have a main class, use the synthetic.method.dummyMainClass generated by Jasmine.
Then add sources and sinks to the ./FlowDroid_Jasmine/soot-infoflow-android/SourcesAndSinks.txt file, and modify lines 23 and 27 of the main method in class com.jasmine.analysis.Main to match your environment. Also modify the value on line 88 of com.jasmine.analysis.SetUpApplication and the values in the following code in the methods initializeSoot and getSootClassPath.
public class SetUpApplication implements ITaintWrapperDataFlowAnalysis{
    private void initializeSoot() {
        ...
        dir.add("/Users/jasmine/demo/mall-admin-1.0/BOOT-INF/classes");
        dir.add("/Users/jasmine/demo/mall-common-1.0/");
        dir.add("/Users/jasmine/demo/mall-mbg-1.0/");
        dir.add("/Users/jasmine/demo/mall-security-1.0/");
        ...
    }
    private static String getSootClassPath() {
        ...
        String dependencyDirectory = "/Users/jasmine/demo/mall-admin-1.0/BOOT-INF/lib";
        ...
    }
}
After that, run FlowDroid_Jasmine; the taint analysis result is in the ./FlowDroid_Jasmine/log/ directory.
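A pre-flight check for the configuration steps above, as an added example that is not part of FlowDroid_Jasmine: it verifies the config.json keys and file paths and flags SourcesAndSinks.txt lines that are not valid entries. It assumes the file uses upstream FlowDroid's `<class: returnType method(params)> -> _SOURCE_` / `_SINK_` / `_BOTH_` line syntax with `%` comment lines; the function names are hypothetical and the sample entries are constructed.

```python
import json
import os
import re

# Added example, not part of FlowDroid_Jasmine. The entry syntax is assumed to
# be upstream FlowDroid's: <pkg.Class: retType name(argTypes)> -> _SOURCE_
ENTRY = re.compile(
    r"^<(?P<cls>[\w.$]+):\s+(?P<ret>[\w.$\[\]]+)\s+(?P<name>[\w$<>]+)"
    r"\((?P<args>[\w.$\[\],\s]*)\)>\s*->\s*_(?P<kind>SOURCE|SINK|BOTH)_$"
)
REQUIRED_KEYS = ("source", "main_class", "edge_config")  # keys shown on the page


def check_config(config_path):
    """Return a list of problems found in config.json (empty list = OK)."""
    with open(config_path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in cfg]
    for key in ("source", "edge_config"):  # both must point at real files
        if key in cfg and not os.path.isfile(cfg[key]):
            problems.append(f"{key} does not exist: {cfg[key]}")
    return problems


def check_sources_and_sinks(text):
    """Split entries into (sources, sinks, malformed line numbers)."""
    sources, sinks, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("%"):  # '%' starts a comment line
            continue
        m = ENTRY.match(line)
        if m is None:
            malformed.append(lineno)
            continue
        sig = f"<{m['cls']}: {m['ret']} {m['name']}({m['args']})>"
        if m["kind"] in ("SOURCE", "BOTH"):
            sources.append(sig)
        if m["kind"] in ("SINK", "BOTH"):
            sinks.append(sig)
    return sources, sinks, malformed


# Constructed sample: line 4 is not in Soot method-signature form.
SAMPLE = """% constructed entries for a Spring MVC target
<javax.servlet.http.HttpServletRequest: java.lang.String getParameter(java.lang.String)> -> _SOURCE_
<java.sql.Statement: java.sql.ResultSet executeQuery(java.lang.String)> -> _SINK_
java.lang.Runtime.exec(String) -> _SINK_
"""
```

Running both checks before starting the analysis shows whether an empty result in the log directory comes from a path left at its example value or a mistyped signature rather than from the absence of a flow.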