show source and sink in output message (#40)

htrgouvea · Mar 23, 2024 · 27d6c65 · 27d6c65
1 parent 303468d
commit 27d6c65
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 13 deletions.
diff --git a/lib/Zarn/AST.pm b/lib/Zarn/AST.pm
@@ -45,15 +45,18 @@ package Zarn::AST {
                                     $var_token -> parent -> isa("PPI::Token::Operator") ||
                                     $var_token -> parent -> isa("PPI::Statement::Expression")
                                 )) {
-                                    my ($line, $rowchar) = @{$token -> location};
+                                    my ($line_sink, $rowchar_sink) = @{$token -> location};
+                                    my ($line_source, $rowchar_source) = @{$var_token -> location};
 
                                     push @results, {
-                                        category => $category,
-                                        file     => $file,
-                                        title    => $title,
-                                        message  => $message,
-                                        line     => $line,
-                                        rowchar  => $rowchar
+                                        category       => $category,
+                                        file           => $file,
+                                        title          => $title,
+                                        message        => $message,
+                                        line_sink      => $line_sink,
+                                        rowchar_sink   => $rowchar_sink,
+                                        line_source    => $line_source,
+                                        rowchar_source => $rowchar_source
                                     };
                                 }
                             }

diff --git a/zarn.pl b/zarn.pl
@@ -55,13 +55,15 @@ sub main {
     }
 
     foreach my $result (@results) {
-        my $category = $result -> {category};
-        my $file     = $result -> {file};
-        my $title    = $result -> {title};
-        my $line     = $result -> {line};
-        my $rowchar  = $result -> {rowchar};
+        my $category       = $result -> {category};
+        my $file           = $result -> {file};
+        my $title          = $result -> {title};
+        my $line_sink      = $result -> {line_sink};
+        my $rowchar_sink   = $result -> {rowchar_sink};
+        my $line_source    = $result -> {line_source};
+        my $rowchar_source = $result -> {rowchar_source};
 
-        print "[$category] - FILE:$file \t Potential: $title. \t Line: $line:$rowchar\n";
+        print "[$category] - FILE:$file \t Potential: $title. \t Dangerous function on line: $line_sink:$rowchar_sink \t Data point possibility controlled: $line_source:$rowchar_source\n";
     }
 
     if ($sarif) {