Summary
Repeated scans of the same codebase produce different partialFingerprints.vulnerabilityWithTraceHash/v1 values for java.security.xss-in-spring-app findings. The total finding count also shifts by 1-3 between scans.
Reproduction
Run opentaint scan with the built-in ruleset on apache/hertzbeat or Stirling-Tools/Stirling-PDF multiple times. There are up to 16 hash shifts between scans for hertzbeat and up to 6 for Stirling-PDF.
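To quantify the "hash shifts" and the finding-count drift rather than eyeballing two reports, the following script compares the partialFingerprints of two SARIF outputs for one rule. It is an added example written for this report, not part of opentaint; the two SARIF documents embedded in it are constructed by hand to mimic the symptom (same rule, same file and line, different vulnerabilityWithTraceHash/v1, plus one finding present in only one run), and the fingerprint values in them are placeholders, not real hashes. The rule id and fingerprint key are the ones named above.

```python
"""Compare partialFingerprints between two SARIF runs of the same scanner.

Added example for this bug report; it is not opentaint code. SCAN_1 and
SCAN_2 are constructed samples, not captured scanner output.
"""
import json
import sys
from collections import defaultdict

RULE_ID = "java.security.xss-in-spring-app"         # rule named in the report
FINGERPRINT_KEY = "vulnerabilityWithTraceHash/v1"   # partialFingerprints key named in the report


def index_results(sarif: dict, rule_id: str) -> dict:
    """Map (uri, startLine) -> sorted list of fingerprint values for one rule.

    A result is keyed by its first physical location; results without the
    fingerprint key are skipped because there is nothing to compare.
    """
    index = defaultdict(list)
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            if result.get("ruleId") != rule_id:
                continue
            fingerprint = result.get("partialFingerprints", {}).get(FINGERPRINT_KEY)
            if fingerprint is None:
                continue
            for loc in result.get("locations", [])[:1]:
                physical = loc.get("physicalLocation", {})
                uri = physical.get("artifactLocation", {}).get("uri")
                line = physical.get("region", {}).get("startLine")
                index[(uri, line)].append(fingerprint)
    return {key: sorted(values) for key, values in index.items()}


def fingerprint_drift(sarif_a: dict, sarif_b: dict, rule_id: str = RULE_ID) -> dict:
    """Locations whose fingerprints changed between runs, plus findings seen in only one run."""
    a = index_results(sarif_a, rule_id)
    b = index_results(sarif_b, rule_id)
    return {
        "shifted": sorted(key for key in a.keys() & b.keys() if a[key] != b[key]),
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "count_a": sum(len(v) for v in a.values()),
        "count_b": sum(len(v) for v in b.values()),
    }


def _result(uri: str, line: int, fingerprint: str) -> dict:
    """Build a minimal SARIF result object (helper for the constructed samples)."""
    return {
        "ruleId": RULE_ID,
        "partialFingerprints": {FINGERPRINT_KEY: fingerprint},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line},
        }}],
    }


# Constructed sample runs. Fingerprint strings are placeholders, not real hashes;
# file names other than the controller from the report are invented.
SCAN_1 = {"version": "2.1.0", "runs": [{"results": [
    _result("StatusPagePublicController.java", 67, "fp-method-chain"),
    _result("Stable.java", 10, "fp-stable"),
    _result("OnlyInScan1.java", 12, "fp-only-1"),
]}]}
SCAN_2 = {"version": "2.1.0", "runs": [{"results": [
    _result("StatusPagePublicController.java", 67, "fp-orgId-chain"),
    _result("Stable.java", 10, "fp-stable"),
    _result("OnlyInScan2.java", 40, "fp-only-2"),
]}]}


if __name__ == "__main__":
    # Usage: python sarif_drift.py scan1.sarif scan2.sarif
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            report = fingerprint_drift(json.load(fa), json.load(fb))
    else:
        report = fingerprint_drift(SCAN_1, SCAN_2)
    print(json.dumps(report, indent=2))
```

Running the scanner twice into two SARIF files and feeding them to this script gives the number of shifted fingerprints per rule directly, which is the figure quoted above (up to 16 for hertzbeat, up to 6 for Stirling-PDF). Findings with the same fingerprint value but different locations are deliberately treated as distinct, since the fingerprint is meant to be stable per finding, not globally unique.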
Example
This is probably due to non-deterministic selection of property accessor chains when propagating taint through DTO-to-entity conversions.
For the finding at StatusPagePublicController.java:67 (hertzbeat), comparing two scans:
Scan 1 trace picks the method property chain:

```text
StatusPageComponentInfo#toEntity() -> component.setMethod(...)
-> StatusPageComponent#setMethod()
...
StatusPageComponentInfo#fromEntity() -> component.getMethod()
-> StatusPageComponent#getMethod()
-> info.setMethod(...)
```

Scan 2 trace picks the orgId property chain:

```text
StatusPageComponentInfo#toEntity() -> component.setOrgId(...)
-> StatusPageComponent#setOrgId()
...
StatusPageComponentInfo#fromEntity() -> component.getOrgId()
-> StatusPageComponent#getOrgId()
-> info.setOrgId(...)
```
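The following is an added model of the suspected cause, not opentaint's implementation: a trace hash is computed over the ordered steps of the selected accessor chain, so whichever of several equivalent chains the propagator happens to pick decides the fingerprint. The hashing scheme (SHA-256 over newline-joined step strings), the chain-selection functions and the candidate set are assumptions for illustration; the step strings are taken from the two traces above, with the elided middle of each trace omitted.

```python
"""Model of how accessor-chain selection feeds into a trace fingerprint.

Added illustration for this bug report; opentaint's real hashing and
propagation logic may differ. The field names come from the traces in the
report; everything else is assumed.
"""
import hashlib


def trace_hash(steps: list) -> str:
    """Assumed fingerprint scheme: SHA-256 over the newline-joined trace steps."""
    return hashlib.sha256("\n".join(steps).encode("utf-8")).hexdigest()


def chain_steps(prop: str) -> list:
    """Trace steps for the DTO -> entity -> DTO round trip through one property.

    Mirrors the shape of the two traces in the report (the elided middle
    section is left out of this model).
    """
    cap = prop[0].upper() + prop[1:]
    return [
        f"StatusPageComponentInfo#toEntity() -> component.set{cap}(...)",
        f"StatusPageComponent#set{cap}()",
        f"StatusPageComponentInfo#fromEntity() -> component.get{cap}()",
        f"StatusPageComponent#get{cap}()",
        f"info.set{cap}(...)",
    ]


# Properties through which taint can flow on the round trip. The report shows
# two of them being picked on different runs; the set itself is constructed.
CANDIDATE_PROPERTIES = {"method", "orgId"}


def unstable_selection(candidates: set) -> str:
    """Mimics the suspected bug: take whichever chain the collection yields first.

    Iteration order of a set of str keys varies between Python processes
    (hash randomization), so this choice can differ from run to run even
    though the candidates are identical.
    """
    return next(iter(candidates))


def canonical_selection(candidates: set) -> str:
    """Deterministic alternative: choose by a total order that does not depend
    on discovery order (here, the lexicographically smallest property name)."""
    return min(candidates)


def fingerprint(select, candidates: set) -> str:
    """Fingerprint of the chain chosen by the given selection strategy."""
    return trace_hash(chain_steps(select(candidates)))


if __name__ == "__main__":
    for prop in sorted(CANDIDATE_PROPERTIES):
        print(f"{prop:8s} {trace_hash(chain_steps(prop))}")
    print("unstable :", fingerprint(unstable_selection, CANDIDATE_PROPERTIES))
    print("canonical:", fingerprint(canonical_selection, CANDIDATE_PROPERTIES))
```

Running the block several times with different PYTHONHASHSEED values makes the "unstable" line flip between the two hashes while the "canonical" line stays fixed, which is the same signature as the shifting fingerprints above. The fix direction this suggests is either to sort candidate chains before choosing one, or to hash something that is invariant across equivalent chains (for example the source and sink only), rather than the chain the propagator happened to walk first.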