Description
Some constraints are implications: if the left side is true, the right side must also be true, and an error is reported if that isn't the case. However, the location of the reported error is the left side of the implication. This can make it unnecessarily complicated to find the actual error, especially if the values important for the left side and the right side are in different classes.
Example for the constraint `algorithm in {"RSA"} => keysize in {4096, 3072};` of the CrySL rule KeyPairGenerator, using two classes:
```java
package com.example.demo;

import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;

public class DemoClass {
    public PrivateKey getPrivate() throws NoSuchAlgorithmException {
        KeyPairGenerator kpGen = DifferentClass.getKPGen();
        kpGen.initialize(40); // key size 40 violates the right side of the implication
        return kpGen.generateKeyPair().getPrivate();
    }
}
```
and
```java
package com.example.demo;

import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;

public class DifferentClass {
    public static KeyPairGenerator getKPGen() throws NoSuchAlgorithmException {
        return KeyPairGenerator.getInstance("RSA"); // left side of the implication holds here
    }
}
```
An error is reported for line 9 in the second class (where it says `return KeyPairGenerator.getInstance("RSA");`) with the following message:
```
Constraint "algorithm in {RSA} => keysize in {4096, 3072}" on object $stack0 is violated due to the following reason:
|- Constraint "algorithm in {RSA} => keysize in {4096, 3072}" evaluates to :
	|- The left side "algorithm in {RSA}" evaluates to :
		|- First parameter "varReplacer1" (algorithm) with value "RSA" satisfies the constraint @ $stack0 = getInstance(varReplacer1) @ line 9
	|- The right side "keysize in {4096, 3072}" evaluates to :
		|- First parameter "varReplacer0" (keysize) with value 40 violates the constraint @ kpGen.initialize(varReplacer0) @ line 11
```
However, the actual problem is in line 11 of the first class, and while the line is mentioned in the message, the class isn't. It might be better to report the error on the right side most of the time and only report on the left side if the right side is a `callTo` predicate.
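The reporting rule proposed above, written out as a small model so the two cases can be checked side by side. This is an added example and not CryptoAnalysis code: the classes `ValueConstraint`, `CallToPredicate`, `Implication` and the functions `report_location` and `format_report` are hypothetical, and the locations (`com.example.demo.DifferentClass:9`, `com.example.demo.DemoClass:11`) are constructed to mirror the two classes in the report. A value constraint on the right side is reported at the statement that supplies the violating value, while a `callTo` right side has no statement to point at when the call is missing, so the report falls back to the left side. The message also carries the class name, not just the line.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, Union


@dataclass(frozen=True)
class Location:
    """Source position of a statement: fully qualified class plus line."""
    class_name: str
    line: int

    def __str__(self) -> str:
        return f"{self.class_name}:{self.line}"


@dataclass(frozen=True)
class ValueConstraint:
    """A `<param> in {...}` clause, evaluated against the value seen at `location`."""
    param: str
    allowed: Tuple[object, ...]
    observed: object
    location: Location

    def holds(self) -> bool:
        return self.observed in self.allowed

    def describe(self) -> str:
        return f"{self.param} in {{{', '.join(map(str, self.allowed))}}}"


@dataclass(frozen=True)
class CallToPredicate:
    """A `callTo(method)` clause: satisfied if the method was called at all.
    When it fails there is no statement to point at, because the call is missing."""
    method: str
    called: bool

    def holds(self) -> bool:
        return self.called

    def describe(self) -> str:
        return f"callTo({self.method})"


Clause = Union[ValueConstraint, CallToPredicate]


@dataclass(frozen=True)
class Implication:
    """`left => right`: violated only if left holds and right does not."""
    left: ValueConstraint
    right: Clause

    def violated(self) -> bool:
        return self.left.holds() and not self.right.holds()


def report_location(impl: Implication) -> Optional[Location]:
    """Pick where to anchor a violation of `impl`, or None if it is satisfied.

    The violating value comes from the right side, so the error belongs there.
    The exception is a `callTo` right side: a missing call has no statement of
    its own, so the premise on the left is the only place left to point at.
    """
    if not impl.violated():
        return None
    if isinstance(impl.right, CallToPredicate):
        return impl.left.location
    return impl.right.location


def format_report(impl: Implication) -> Optional[str]:
    """Render a message that names the class as well as the line on both sides."""
    loc = report_location(impl)
    if loc is None:
        return None
    rule = f"{impl.left.describe()} => {impl.right.describe()}"
    return (f'{loc}: constraint "{rule}" is violated: '
            f'"{impl.left.describe()}" holds at {impl.left.location}, '
            f'but "{impl.right.describe()}" does not')


# Constructed inputs mirroring the issue's two classes (hypothetical line numbers):
# the RSA premise sits in DifferentClass, the bad key size in DemoClass.
RSA_AT_GETINSTANCE = ValueConstraint(
    "algorithm", ("RSA",), "RSA", Location("com.example.demo.DifferentClass", 9))
KEYSIZE_40_AT_INITIALIZE = ValueConstraint(
    "keysize", (4096, 3072), 40, Location("com.example.demo.DemoClass", 11))
KEYSIZE_RULE = Implication(RSA_AT_GETINSTANCE, KEYSIZE_40_AT_INITIALIZE)

# Hypothetical rule whose right side is a callTo predicate, to show the fallback.
CALLTO_RULE = Implication(RSA_AT_GETINSTANCE, CallToPredicate("initialize", called=False))

if __name__ == "__main__":
    print(format_report(KEYSIZE_RULE))
    print(format_report(CALLTO_RULE))
```

Running the block prints the key-size violation anchored at `com.example.demo.DemoClass:11` with the premise location still visible in the message, and the `callTo` variant anchored at `com.example.demo.DifferentClass:9`.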