Static analysis tools, referred to herein as “static analyzers,” are well known automated tools that provide information about computer software while applying only static considerations (i.e., without executing a computer software application). In one type of static analysis, application variables whose inputs are provided to the application from sources that are external to the application are assumed to be “tainted,” as they potentially expose the application to malicious attacks. Such tainted variables are typically identified and reported by static analyzers as security vulnerabilities that may require further analysis by a software developer and possibly corrective action. However, many such tainted variables may encounter one or more points within an application, referred to herein as “downgraders” that validate and/or sanitize their data to ensure that they are not malicious, thus downgrading the threat they pose from “tainted” to “benign.” A tainted variable that is downgraded by an application need not be reported by static analyzers as security vulnerabilities.
One common type of downgrading is performed for computer network-based client-server applications that store data at the client, which data is later sent hack to the server for use by it. In order to prevent computer users from tampering with client-side data, a cryptographic signature is created of the data, and the signature is stored at the client along with the data. Data that is sent from the client back to the server is sent together with the signature. The server then downgrades the signature by recreating the signature from the data and comparing the recreated signature with the original signature to determine whether the data was tampered with. Such downgrades are referred to herein as “cryptographic down graders.”
Although static analyzers should not identify and report downgraded variables as security vulnerabilities, they typically do so anyway, resulting in “false positive” reports that software developers waste time evaluating. To avoid this, users of static analyzers typically resort to the tedious process of manually specifying downgrades prior to performing static analysis, often after modifying the software to segregate downgraders from the rest of the application. Manually specifying and segregating cryptographic downgrades is particularly tedious. Systems and methods for eliminating false reports of security vulnerabilities when testing computer software without requiring cryptographic downgraders to be manually specified or segregated would therefore be advantageous.