1. Field
The disclosure relates generally to analyzing source code and in particular, to managing policies for calls in the source code. Still more particularly, the present disclosure relates to a method, system, and computer program product for managing a policy for a call in a first source code to a function in a second source code based on information from a trace of the second source code.
2. Description of the Related Art
Data processing systems provide computing resources, such as a computer, that includes a central processing unit and computer memory. Executable programs are executed by the central processing unit in the computer using the computer memory. The executable programs store and use data in the form of data structures located in the computer memory. During execution of the executable programs, the information in these data structures may become corrupted by unforeseen errors in the executable programs and also by unforeseen malevolent uses of the executable programs. Responsive to the corruption of a data structure, a subsequent error is likely to occur at unexpected points of execution in the program. Further, in the case of an unforeseen malevolent use of an executable program, the unforeseen malevolent use may result in critical security issues.
Static analysis of source code vulnerabilities is a process for assessing risk for vulnerabilities of executable programs by analyzing the source code or compiled form of the executable program. One technique within the field of static analysis includes a process for identifying potentially malicious data entering a program, then determining where the data flows within the program for the purpose of identifying security vulnerabilities. This process for identifying security vulnerabilities using static analysis is called data flow analysis. Data flow analysis tools use parsers to generate a data flow graph of the program being analyzed. Data flow analysis tools also use pre-defined application programming interface (API) policies that identify the expected behavior of each application programming interface utilized by the program being analyzed as well as potential vulnerabilities. Data flow analysis tools traverse the generated graph of an application to identify instances where potentially malicious data may reach an application programming interface that has been identified as vulnerable to malicious data. However, gaps may exist in the number of application programming interfaces for which a policy exists identifying the expected behavior. For example, all of the application programming interfaces that are in use by external applications may not be known when a data flow analysis tool runs. Further, a data flow analysis tool may only be able to create a partial graph of the data flows of an application due to not having access to all of the source code used by application programming interfaces of the application.
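The following is an added illustration, not part of the disclosure, of the data flow analysis described above: a pre-defined policy per API classifies each call, taint is propagated from a source through assignments, reaching a policy-identified sink is reported, and a call to an API with no policy is reported as the gap the paragraph describes. The API names, the policy vocabulary and the sample program are constructed assumptions.

```python
# Added example (not from the disclosure): minimal data flow analysis over a
# straight-line program. API names and the policy format are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy per API: how it handles potentially malicious ("tainted") data.
POLICIES = {
    "read_request_param": "source",  # returns attacker-controlled data
    "escape_html": "sanitizer",      # output is safe for the sinks below
    "run_query": "sink",             # vulnerable if it receives tainted data
    "write_response": "sink",
}

@dataclass
class Stmt:
    target: Optional[str]  # variable assigned, or None for a bare call
    api: str               # API called
    args: Tuple[str, ...]  # variables passed in

def analyze(program, policies):
    # Returns (findings, gaps): (index, api) where taint reaches a sink,
    # and the APIs for which no policy exists.
    tainted, findings, gaps = set(), [], []
    for i, s in enumerate(program):
        policy = policies.get(s.api)
        if policy is None:  # the gap the background describes: unclassifiable call
            gaps.append(s.api)
        tainted_arg = any(a in tainted for a in s.args)
        if policy == "source":
            result_tainted = True
        elif policy == "sanitizer":
            result_tainted = False
        elif policy == "sink":
            if tainted_arg:
                findings.append((i, s.api))
            result_tainted = False
        else:  # no policy: conservatively pass taint through to the result
            result_tainted = tainted_arg
        if s.target is not None:
            tainted.discard(s.target)
            if result_tainted:
                tainted.add(s.target)
    return findings, gaps

# Constructed sample program (not real application code).
SAMPLE = [
    Stmt("name", "read_request_param", ("req",)),  # taint enters
    Stmt(None, "run_query", ("name",)),            # finding: tainted data reaches a sink
    Stmt("safe", "escape_html", ("name",)),        # sanitizer clears taint
    Stmt(None, "write_response", ("safe",)),       # no finding
    Stmt("ext", "third_party_format", ("name",)),  # no policy: reported as a gap
    Stmt(None, "write_response", ("ext",)),        # finding, because the gap was treated conservatively
]
```

Supplying a policy for `third_party_format` (for example, classifying it as a sanitizer) closes the gap and removes the second finding, which is the effect a managed per-call policy has on the analysis.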
Therefore, it would be advantageous to have a method, apparatus, and computer program product that takes into account at least some of the issues discussed above, as well as possibly other issues.