Pinpoint 2.0 is officially released

Pinpoint 2.0 has many new features and multiple improvements to give you a brand new user experience.


New features:

1. Provide a complete user system with Users, User Groups, and User Roles, and the corresponding functionality to meet the isolation and sharing requirements for source code and analysis tasks.

2. Add smart build support that automatically identifies and builds projects managed by 10 different C/C++/Java build systems, including Maven, CMake, etc.

3. Support QNX compilers q++ and qcc.

4. Add MyBatis framework and StringUtils library modeling.

5. Add 6 new privacy leak checkers for Android apps.

6. Support Chinese encoding GBK, GB2312, and GB18030.

7. Fix 8 types of false positives, 7 types of false negatives, and 3 types of unclear report tips. Improve 7 different checkers, including null pointer dereference and resource leak.

Detailed Changelist:

1. Provide a role-based authentication system

Support role-based authentication control:

  1. Every role can be configured with different permissions, such as the permission to inspect reports of certain projects.
  2. Every user group can be assigned to multiple roles.
  3. Every user can join multiple user groups.

2. Add smart build support

  • The smart build mode can automatically recognize the build scripts of widely used build systems inside your project, including:
    • make
    • cmake
    • scons
    • autotool
    • bazel
    • maven
    • gradle
    • ant
    • ninja
    • build.sh (customized building script)


If we fail to build your project in either of the ways above, our fuzzing compiler kicks in to compile as much of your source code as possible.

  • Support compilation-based analysis for Java. You can upload the source code and fill in the compiling command, either manually or by smart build.

3. Support QNX compilers qcc and q++

  • Partially support projects using the C++17 standard.

4. Improve support for Chinese encoding

  • Support Chinese encoding GBK, GB2312, and GB18030 for locale setting.
  • Support Chinese file names in the zip folder uploaded to Pinpoint.

6. Improve bug checkers

  • Improve precision of resource leak checker:
    • Fix the false positive of resource leak checker caused by Java reflection
    • Fix the false positive of resource leak checker caused by C++ smart pointers such as shared_ptr
    • Fix the false positive of resource leak checker caused by unknown library type/class
    • Fix the false positive of resource leak checker caused by misjudging exception throwing for functions that never throw exceptions
    • Fix the false positive of resource leak checker caused by a resource that was not opened successfully
    [Image: rlc_en.png]
  • Improve precision of null pointer dereference checker
    • Fix the false positive of null pointer dereference checker when a variable is compared to null and reassigned to a non-null value afterwards, such as str.length() in the following code.
    [Image: cnd_en.png]
  • Improve precision of buffer overflow checker
    • Fix the false positive of buffer overflow checker caused by memcpy/memset on a buffer whose size is the same as the copy length.
  • Improve recall of the following bug types
    • Resource leak
      • Fix the logic for judging whether a variable is controlled by the system, which increases the recall of resource leak checker
      • Fix the false negative of resource leak checker caused by uncaught exception.
      [Image: rlc_ex.png]
    • Security injection checkers, including cross-site scripting and SQL injection:
      • Add 3 possible data sources of the injection for better recall:
        • javax.servlet.http.HttpServletRequest.getQueryString
        • javax.servlet.http.HttpServletRequest.getParameterValues
        • javax.servlet.http.HttpServletRequest.getHeader
    • XML entity injection
      • Add the checking of XML parsing on streams from user input or other untrusted sources
      [Image: xxe_en.png]
  • Improve the checking capability
    • Hard coded password
      • Improve the possible password variable testing strategy and the entropy calculation method.
      • Improve the case-insensitive word matching algorithm for dictionary lookup.
    • Double free
      • Model the function zfree(), fixing the false negative it caused
  • Improve report tips of the following bug types
    • Improve the report tip on exception throwing procedure, directly marking that an exception is thrown
    [Image: tipex_en.png]
    • Fix many grammar errors and ambiguous descriptions.
    • Show the triggering condition and bug type in the report tip
    [Image: tip_en.png]
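
For the XML entity injection item in the list above, this added example (not from the Pinpoint release notes, and not a reproduction of Pinpoint's rule) shows a hardened form of parsing an untrusted stream. The class name, method names and both sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class UntrustedXmlParsing {
    // Hardened factory: refuse any DOCTYPE, so no entity can be declared at all.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the root element name, or "rejected" when the parser refuses the
    // document (a DOCTYPE is present, or the XML is malformed).
    static String parseUntrusted(InputStream in) throws Exception {
        try {
            return hardenedBuilder().parse(in).getDocumentElement().getTagName();
        } catch (SAXException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs standing in for a request body or an uploaded file.
        String plain = "<order><id>7</id></order>";
        String withEntity = "<!DOCTYPE order [<!ENTITY note SYSTEM \"file:///placeholder\">]>"
                          + "<order><id>&note;</id></order>";
        for (String doc : new String[] {plain, withEntity}) {
            InputStream in = new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8));
            System.out.println(parseUntrusted(in));
        }
    }
}
```

A `DocumentBuilderFactory.newInstance()` used on the same stream with none of these features set is the unhardened counterpart of this code.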

7. Add MyBatis and StringUtils modeling

  • Support MyBatis-configured code. In the following example, a getUser function is configured to accept a parameter ${id} that is used to construct a SQL statement.

    [Image: mybatis2.png]

This getUser function is exposed to SQL injection risk. In the following code, id is passed in as user input from a parameter of the main function:

    [Image: mybatis_en.png]
  • Model all JDK functions to help our analyzer eliminate false positives, such as the one below. However, these models are not associated with the standard Pinpoint release.
    [Image: stringUtils.png]
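
The MyBatis case above comes down to `${id}` being substituted into the SQL text, whereas `#{id}` is sent as a bound parameter. This added example (not Pinpoint's code or its checker) scans a mapper for `${...}` substitutions; the mapper contents other than getUser and ${id}, and all Java names, are assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class MapperRawSubstitutionCheck {
    // Constructed mapper; namespace, table and the second statement are assumptions.
    static final String MAPPER =
        "<mapper namespace=\"demo.UserMapper\">"
      + "<select id=\"getUser\">SELECT * FROM users WHERE id = ${id}</select>"
      + "<select id=\"getUserBound\">SELECT * FROM users WHERE id = #{id}</select>"
      + "</mapper>";

    // ${name} is spliced into the SQL text; #{name} becomes a bound parameter.
    static final Pattern RAW = Pattern.compile("\\$\\{\\s*([^}]+?)\\s*\\}");

    static List<String> findRawSubstitutions(String mapperXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Real mappers carry a DOCTYPE; parse them without fetching the DTD or entities.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        Element root = f.newDocumentBuilder()
            .parse(new InputSource(new StringReader(mapperXml))).getDocumentElement();
        List<String> findings = new ArrayList<>();
        for (String tag : new String[] {"select", "insert", "update", "delete"}) {
            NodeList stmts = root.getElementsByTagName(tag);
            for (int i = 0; i < stmts.getLength(); i++) {
                Element stmt = (Element) stmts.item(i);
                Matcher m = RAW.matcher(stmt.getTextContent());
                while (m.find()) {
                    findings.add(stmt.getAttribute("id") + " uses ${" + m.group(1) + "}");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Each finding is a statement whose SQL text is built by string substitution.
        findRawSubstitutions(MAPPER).forEach(System.out::println);
    }
}
```

A finding is a review item rather than proof of a bug: `${}` is sometimes used for identifiers such as column names, which then need to be checked against an allow-list.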

8. Add 6 new privacy leak checkers for Android apps

  • Information leak: contacts list
  • Information leak: phone number
  • Information leak: email
  • Information leak: audio file
  • Information leak: image file
  • Information leak: video file