Releases: awslabs/ar-go-tools

v0.3.5-alpha

16 Dec 14:47

Fixes soundness problems with field sensitivity and predefined summaries in the taint analysis.

What's Changed

Full Changelog: v0.3.4-alpha...v0.3.5-alpha

v0.3.4-alpha

13 Dec 19:23

A few changes in the backtrace analysis:

  • eliminate false positives due to how arguments of variadic functions are stored in a slice, and
  • fix traces exceeding max depth being unreported when checking for statically defined arguments. Now, a trace exceeding `unsafe-max-depth` is reported.

What's Changed

Full Changelog: v0.3.3-alpha...v0.3.4-alpha

v0.3.3-alpha

06 Dec 15:44
9155183

Releasing minor enhancements and fixes:

  • adding the `-targets` option allows the user to run the analysis only on specific targets that are defined in a config file.
  • making calls to builtins explicit in the dataflow graph allows the user to specify, for example, that `len` is a sanitizer.
  • changing how annotations are loaded fixes a bug where some line annotations (`//argot:ignore tag`) were missed.
  • refactoring internal code brings some minor improvements in performance and a more modular interface.

What's Changed

Full Changelog: v0.3.2-alpha...v0.3.3-alpha

v0.3.2-alpha

22 Nov 17:23

Small additions to the interface:

  • Added a new `must-be-static` option for slicing problems that lets users leverage the backwards dataflow analysis to check that the arguments of some function are entirely statically defined.
  • Added a new `-tag` command line option for the taint and backtrace tools that lets users run the analyzers only for problems with a specific tag. This is especially useful if the config file has many specifications but you need to test only one small analysis.

And some fixes in how directories relative to the project root are handled.

What's Changed

Full Changelog: v0.3.1-alpha...v0.3.2-alpha

v0.3.1-alpha

18 Nov 19:25

Minor changes and a fix in the usage of tags and targets:

  • `syntactic` now uses targets.
  • fixed a problem with tags not working when sources are channels or struct field reads.

What's Changed

Full Changelog: v0.3.0-alpha...v0.3.1-alpha

New `syntactic` tool + user config experience overhaul

12 Nov 21:52

This release adds a new tool to Argot: syntactic performs syntactic or lightweight semantic analyses at the SSA level. The syntactic tool supports checking that the field of a struct of a certain type is always initialized either with a specific constant or a specific function.

The configuration file format has changed significantly to move options closer to the problem they apply to; for example, you'll find the source-taints-args options in a taint analysis problem, and the dataflow specific options in the dataflow-problems category.

The concept of "targets" is a significant addition to the config files: you can now define a `project-root` and `targets` in the config, and then specify, in each analysis problem (like taint-tracking or slicing problems), which target should be analyzed. Each target is a set of paths to the files of a main package, with every path taken relative to the project root. This simplifies running argot in projects with multiple executables and many analysis problems. For an example, see payload/selfcheck/config.yaml.

What's Changed

Full Changelog: v0.2.2-alpha...v0.3.0

v0.2.2-alpha

28 Oct 15:07
Pre-release

Several user interface improvements to the dataflow analyses:

  • struct assignments can now be used as sinks. This is useful if you want to check that some specific member of a struct is never assigned tainted data.
  • `//argot:ignore tag` annotations are now used by the analysis to suppress data flows for the problems annotated with `tag`, which can be the "any tag" `_`. When tainted data reaches a sink on a line that contains the `//argot:ignore _` annotation, the flow is not reported (although the fact that the flow is ignored is reported in the logs).

What's Changed

Full Changelog: v0.2.1-alpha...v0.2.2-alpha

v0.2.1-alpha

16 Oct 16:23
Pre-release

This release brings some minor fixes and improvements in user experience. Notably, the tool will now also warn you when functions that use reflection or unsafe are being used, on top of the warnings for go calls, recover and unbounded defers.

What's Changed

  • Minor fixes and improvements in dataflow analyses and cli by @victornicolet in #91
  • Updating documentation. by @victornicolet in #93
  • Add a rewriting step to inline function calls in some interface consuming functions by @victornicolet in #94
  • Adding warning for usage of unsound features when a function is being used by @victornicolet in #97

Full Changelog: v0.2.0-alpha...v0.2.1-alpha

v0.2.0-alpha

16 Sep 13:20
Pre-release

The second alpha release brings many fixes and quality-of-life improvements.
Breaking changes:

  • We now have a single binary for all tools in Argot (except race detection). Where you would have typed `taint -config ...`, you now type `argot taint -config ...` (or `argot backtrace ...`, `argot dependencies ...` and so on).
  • The minimum Go version supported is 1.22, although the tool should still work with go1.21 and previous versions.

What's Changed

New Contributors

Full Changelog: v0.1.0-alpha.1...v0.2.0-alpha

Argot v0.1.0-alpha.1

08 Apr 20:14
d9b00a5
Pre-release
  • First release!
  • Released the following tools:
    • taint analysis tool for taint analysis,
    • argot-cli is a terminal-like interface for various parts of the analysis (in cmd/cli),
    • compare prints a comparison of the functions that are reachable according to two different analyses, and the functions that appear in the binary,
    • dependencies prints the dependencies of a given program,
    • maypanic performs a may-panic analysis on a given program,
    • packagescan scans imports in packages,
    • reachability analyzes the program and prints the functions that are reachable within it,
    • render can be used to render a graph representation of the callgraph or to print the SSA form of a given program,
    • statistics prints statistics about the program.