Common actions performed by the handler
Create a web service entry point
Many frameworks provide their own entry points into an application. A common example is exposing web services that are identified either in a configuration file or in annotations in the code. After locating the designated entry points, either in the application's configuration files or directly in the bytecode, the handler calls F4FAction.addTaintedCallback to declare the corresponding method as an entry point for tainted data.
In the accompanying example: in EJB 2, web service entry points are declared by defining endpoints in the application's deployment descriptor (ejb-jar.xml). handleApp loops through the beans declared in ejb-jar.xml and, whenever a bean defines an endpoint class, obtains that class's list of method names. It then declares the implementations of those methods as web service entry points by calling addTaintedCallback.
Replace a method
Modern frameworks frequently use virtual functions and abstraction to couple business components more loosely. While this can improve the development process, it creates difficulties for static analysis when the connection between a virtual function and its implementation is established in a configuration file or through annotations in the code, where the analyzer cannot see it. F4FAction.replaceCalls allows a handler to declare these connections explicitly.
In the accompanying example: in EJB 2, each bean has a set of interfaces (local and remote) that declare how other beans may interact with it. Wherever a bean's interface method (InterfaceClass.method) is called, the framework dispatches the call at run time to the actual ImplementationClass.method. Starting at line 62, the example handler loops through each bean, takes its remote and local interfaces, and replaces calls to them with calls to their actual implementations.
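The following is an added, stand-alone illustration of both actions described above (declaring endpoint methods as tainted entry points and mapping interface calls to their implementations). It is not the handler from the AppScan Source documentation and it does not use the real F4FAction class: the F4FActions interface below is a hypothetical stand-in whose method names are taken from this page but whose signatures are assumed. The ejb-jar.xml fragment, the OrderEndpoint, OrderLocal and OrderBean types, and the recording of actions into a list are all constructed for the example so that it runs with nothing but the JDK.

```java
import java.io.ByteArrayInputStream;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class EjbJarHandlerExample {

    /** Hypothetical stand-in for the real F4FAction object; names from the page, signatures assumed. */
    interface F4FActions {
        void addTaintedCallback(String implClass, String methodName);
        void replaceCalls(String interfaceClass, String implClass);
    }

    /** Constructed sample bean: a service-endpoint interface, a local interface, and the implementation. */
    public interface OrderEndpoint { String lookupOrder(String orderId); }
    public interface OrderLocal { String lookupOrder(String orderId); void cancel(String orderId); }
    public static class OrderBean implements OrderEndpoint, OrderLocal {
        public String lookupOrder(String orderId) { return "order:" + orderId; }
        public void cancel(String orderId) { }
    }

    /** Constructed EJB 2.1 ejb-jar.xml fragment describing OrderBean. */
    static final String EJB_JAR_XML =
        "<ejb-jar><enterprise-beans><session>"
        + "<ejb-name>Order</ejb-name>"
        + "<local>EjbJarHandlerExample$OrderLocal</local>"
        + "<service-endpoint>EjbJarHandlerExample$OrderEndpoint</service-endpoint>"
        + "<ejb-class>EjbJarHandlerExample$OrderBean</ejb-class>"
        + "<session-type>Stateless</session-type>"
        + "</session></enterprise-beans></ejb-jar>";

    /** Walks every session/entity bean in the descriptor and issues the two F4F actions. */
    static void handleApp(F4FActions actions, String ejbJarXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The descriptor comes from the application under scan, so treat it as untrusted input:
        // refuse DOCTYPEs and entity expansion so a crafted ejb-jar.xml cannot trigger XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(ejbJarXml.getBytes(StandardCharsets.UTF_8)));

        for (String beanKind : new String[] {"session", "entity"}) {
            NodeList beans = doc.getElementsByTagName(beanKind);
            for (int i = 0; i < beans.getLength(); i++) {
                Element bean = (Element) beans.item(i);
                String implClass = childText(bean, "ejb-class");
                if (implClass == null) continue;

                // 1. Web service entry point: every method of the service-endpoint interface is
                //    reachable from the network, so its implementation receives tainted data.
                String endpoint = childText(bean, "service-endpoint");
                if (endpoint != null) {
                    for (Method m : Class.forName(endpoint).getMethods()) {
                        actions.addTaintedCallback(implClass, m.getName());
                    }
                }

                // 2. Interface -> implementation: calls through the local/remote interface are
                //    dispatched by the container to ejb-class, a link static analysis cannot see.
                for (String ifaceTag : new String[] {"local", "remote"}) {
                    String iface = childText(bean, ifaceTag);
                    if (iface != null) actions.replaceCalls(iface, implClass);
                }
            }
        }
    }

    /** Text of the first direct child element named tag, or null. Direct children only:
     *  an ejb-local-ref nested in the bean also carries a <local> element, which must not match. */
    static String childText(Element parent, String tag) {
        NodeList kids = parent.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            if (kids.item(i) instanceof Element && tag.equals(kids.item(i).getNodeName())) {
                return kids.item(i).getTextContent().trim();
            }
        }
        return null;
    }

    /** Records the actions instead of calling into F4F, so the example runs stand-alone. */
    static List<String> run(String ejbJarXml) throws Exception {
        List<String> taken = new ArrayList<>();
        handleApp(new F4FActions() {
            public void addTaintedCallback(String c, String m) { taken.add("taint " + c + "." + m); }
            public void replaceCalls(String i, String c) { taken.add("replace " + i + " -> " + c); }
        }, ejbJarXml);
        return taken;
    }

    public static void main(String[] args) throws Exception {
        run(EJB_JAR_XML).forEach(System.out::println);
    }
}
```

Run it with `java EjbJarHandlerExample.java`. Two design points carry over to a real handler: read bean children directly rather than by descendant search, because EJB descriptors reuse element names such as local inside ejb-local-ref, and harden the XML parser, because the descriptor is part of the code base being scanned and therefore attacker-influenced input to the scanner itself.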
Logging
A handler can use the com.ibm.wala.andromeda.util.logging.TaintLogger class to log informative messages during execution and to cause error messages to appear in the AppScan® Source user interface. The TaintLogger class is built on the log4j library.
To log a message, first obtain a Logger object by calling TaintLogger.i().getLogger(). Then invoke logging methods on the Logger (for example, Logger.warn) to log the messages that you want. Log messages appear in <data_dir>\logs\scanner_exceptions.log, where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations. If Logger.error or Logger.fatal is used to log a message, the message also appears in the Console view in the AppScan Source user interface.