Analysis Trace view

When you select an issue, the Analysis Trace view displays the relevant analysis trace. This is a set of program points that show how the analyzer found the issue. For dataflow and control flow issues, the set is presented in the order executed. For dataflow issues, this trace view presents the path that the tainted data follows from the source function to the sink function.

For example, when you select an issue that is related to potentially tainted dataflow, the Analysis Trace view shows the direction the dataflow moves in this section of the source code.

The Analysis Trace view uses the symbols described in the following table to show how the dataflow moves in this section of the source code or execution order.

Symbol Description
Data assigned to a field or variable icon

Data is assigned to a field or variable
Info read from external source icon

Information is read from a source external to the code such as an HTML form or a web address
Data assigned globally icon

Data is assigned to a globally scoped field or variable
Comparison icon

A comparison is made
Function call receives taint icon

The function call receives tainted data
Function call returns taint icon

The function call returns tainted data
passthrough icon

Passthrough, tainted data passes from one place to another

This is typically shown as functionA(x : y) to indicate that data is transferred from x to y. The x and y values are one of the following:

  • An argument index

  • return—The return value of a function

  • this—The instance of the current object

  • A specific object field or key
alias icon

An alias is created for a memory location
Read icon

Data is read from a variable
Read global icon

Data is read from a global variable
Return tainted data icon

Tainted data is returned from a function
Pointer icon

A pointer is created
Dereferenced Pointer icon

A pointer is dereferenced
End Scope icon

The scope of a variable ends
Execution jumps icon

The execution jumps
Branch Taken icon

A branch is taken in the code execution
Branch not taken icon

A branch is not taken in the code execution
Generic icon

Generic
Runtime Source icon

A runtime source, sink, or validation step
Taint Change icon

Taint change

The Analysis Trace view can include inductions. Inductions provide supporting evidence for their parent nodes. Inductions consist of:

  • A text node, displayed in italics as a child of the trace node. This text node is expanded by default.

  • An induction trace, displayed as a child of the text node (a box surrounds the induction trace).

The italics and the box distinguish the induction from a standard subtrace. To display the induction reference information for that induction, click it.