Checker Gdpr

belongs to group Advanced
Identify privacy issues for GDPR compliance, and produce a detailed report

Frameworks supported by this checker

  • java up to 11
  • android up to API level 28
  • dotnet

Warnings generated by this checker

  • LeakageOfPrivateDataThroughFieldUnknownSourceWarning: some private data from an unknown source is leaked through a field [ CWE359 ]
  • LeakageOfPrivateDataThroughFieldWarning: some private data is leaked through a field [ CWE359 ]
  • LeakageOfPrivateDataThroughParameterUnknownSourceWarning: some private data from an unknown source is leaked through a parameter of a method call [ CWE359 ]
  • LeakageOfPrivateDataThroughParameterWarning: some private data is leaked through a parameter of a method call [ CWE359 ]

Options accepted by this checker

  • compileLeakagePoints: automatically identify and tag the leakage points of the analyzed code. It is disabled during an Init phase in which the specificationFile option is active
    If set to true, it produces a specification file in which the most critical common leakage points are already compiled
  • dumpAnalysis: dump extensive (very large!) log information about the analysis
    Only useful for debugging the analyzer
  • dumpCompleteGraphs: dump the complete backward flow graph derived from a leakage point
    If set to true, it produces an archive with the complete backward flow graphs used for the extraction of source-sink subgraphs
  • flowComputingSpeed: efficiency of the flow reconstruction
    This specifies the efficiency of the flow reconstruction. Only relevant if the flow option is set to true (AVERAGE by default)
    • AVERAGE: reconstruct graphs until max of 2000 nodes
    • FAST: reconstruct graphs until max of 1000 nodes
    • FASTEST: reconstruct graphs until max of 500 nodes
    • SLOW: reconstruct graphs until max of 4000 nodes
    • SLOWEST: reconstruct graphs until max of integer limit nodes
  • phase: phase of the Gdpr analysis
    If set to Init, it produces the Excel file used to annotate sources of sensitive data and leakage points and to set a policy. If set to Report (default), it runs the analysis and produces the output files.
    • Init: option to execute Init phase
    • Report: option to execute Report phase
  • specificationFile: Gdpr specification file
    This is the Gdpr specification file and contains settings and information for the analysis

Annotations understood by this checker

  • @com.juliasoft.julia.checkers.gdpr.LeakagePoint
  • @com.juliasoft.julia.checkers.gdpr.SensitiveData


Description

The European GDPR (General Data Protection Regulation) raises companies' responsibilities to a new level, introducing stricter rules and sanctions for non-compliance. Protecting sensitive data is a top priority in information management. Julia therefore provides this checker to support GDPR compliance by tracking explicit information flow in the program, from manually selected sensitive data locations to manually selected leakage locations. In this way Julia produces an exhaustive report that identifies potential data leaks, with a soundness guarantee derived from abstract interpretation, and with the freedom to adapt the analysis to specific needs through code annotations.

The checker works in two phases:

  • Init phase: creates an Excel file (the Specification File) from the analyzed application code. It lists the candidate points that can become leakage locations and the candidate sensitive data source locations. In this file it is possible to tag the program points to analyze and, optionally, to set up a policy of allowed data flows.

    The Excel file is made up of 5 sheets:
    • LeakagePointCategories: here it is possible to insert customizable labels that name, at a high level, the types of leakage point, so that they are easily interpreted and recognized
      Figure (Categories): example of LeakagePointCategories sheet. The Type of Leakage Point column contains customizable labels for tagging leakage points.
    • SensitiveDataCategories: here it is possible to insert customizable labels that name, at a high level, the types of sensitive data source, so that they are easily interpreted and recognized
      Figure (Categories): example of SensitiveDataCategories sheet. The Type of Sensitive Data column contains customizable labels for tagging sensitive data source points.
    • SensitiveData: this sheet contains the candidate points that can provide sensitive data, with their technical information (class, type, visibility, etc.). The candidates are fields and methods that return a value, since that is where sensitive data can be stored or returned, respectively. They are tagged using the labels written in the Categories sheet.
      Figure (SensitiveData): example of SensitiveData sheet. In the Type of Sensitive Data column it is possible to tag the parts of code considered sensitive data, using the labels written in the Categories sheet.
    • LeakagePoint: here it is possible to find the candidate points that can be leakage points, with their technical information. The candidates are all method parameters and fields, since that is where sensitive data can be leaked. They are tagged using the labels written in the Categories sheet.
      Figure (LeakagePoint): example of LeakagePoint sheet. In the Type of Leakage Point column it is possible to tag the parts of code considered leakage points, using the labels written in the Categories sheet.
    • AllowedFlows: indicates whether a type of leakage point is allowed to receive a certain type of sensitive data, in order to reduce false positive warnings (for more details, see the Policy paragraph in the Examples)
      Figure (AllowedFlows): example of AllowedFlows sheet. Each allowed flow is expressed row by row as a pair sensitive data type → leakage point type, using the labels written in the Categories sheets.
    Useful options of the Init phase:
    • compileLeakagePoints=true precompiles the new specification file with default leakage points, because Julia can automatically recognize the most common methods and fields that potentially lead to data leaks (Julia's list of leakage points considered by default is available here). This simplifies the compilation of the specification file and can also highlight, at first sight, potentially unexpected application behaviors. For example, if you analyze an application that must not send emails and Julia finds and tags a method that sends an email, the application probably does not do what you expect!
    • specificationFile takes the specification file of a previous analysis as input; the new specification file generated by the Init phase is then automatically filled with the old information, to facilitate continuous integration. The Status column of the LeakagePoint and SensitiveData sheets in the new specification file records, row by row, the result of this auto-compilation.

      The rows of the new specification file can have the following status:
      • New: rows that do not exist in the old specification file.
        Figure (Init2): example of New status generation.
      • Unchanged: rows that already exist in the old specification file and are not tagged as Deleted.
        Figure (Init2): example of Unchanged status generation.
      • Deleted: rows with a Type of LeakagePoint or Type of SensitiveData that exist in the old specification file but not in the new one, or rows already Deleted in the old specification file that do not exist in the new one.
        Figure (Init2): example of Deleted status generation.
      • Added: rows tagged as Deleted in the Status column of the old specification file that exist in the new specification file.
        Figure (Init2): example of Added status generation.
      If a specification file is set in the Init phase, the compileLeakagePoints option is not applied.
  • Report phase: analyzes the program together with the Excel file created by the Init phase. This phase returns an exhaustive report with information on, and where possible the flow graphs of, any data leaks. The graphs contain more technical and specific information, useful for detecting and fixing the issues.

    The report is contained in the analysis results, which are reachable through the web console.

    Figure (ReportGDPR): the report groups the leaks on 3 levels:
    • The first level distinguishes by the policy applied.
      • Expected: leaks allowed by the policy. Their graphs are kept in case they need to be consulted.
      • Unexpected: leaks not allowed by the policy. Their graphs contain the flow from the sensitive data location to the leakage point location.
    • The middle level distinguishes the flows at a high level, using the custom labels contained in the sensitive data and leakage point sheets of the specification file. An entry sensitivedata → leakagepoint means that there exists at least one flow that starts from a sensitive data location tagged sensitivedata and leads to a leakage point location tagged leakagepoint.
      Figure (ReportGDPR2)
    • The last level shows the software components involved in the leak; clicking on them, when graphs are available, displays the graphs.
      Figure (ReportGDPR3)

    Example of flow graph extracted from the analysis (figure GraphGDPR):

    The graph starts from the sensitive data source (yellow triangle) and proceeds step by step up to the leakage point (red hexagon). This graph represents the maximum level of detail of the analysis: it shows packages, classes, methods, lines of code (rectangular sets) and instructions (gray circles). Note that the instructions are bytecode, so when working at bytecode level the instructions that are usually implicit in source code become explicit. An example is the append instruction of the second node from the top, which concatenates two strings and in source code is often written simply with the + operator.
    For efficiency reasons, Julia may fail to find any data source flowing into a leakage point, or to reconstruct the flow graphs involved in a data leak, but it always triggers a warning with the leakage code point, which can then be checked manually.
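As an added example (not part of Julia's documentation or code), the following Python script recomputes the Status column when the specification file of a previous analysis is given to the Init phase, applying the four rules above (New, Unchanged, Deleted, Added) and carrying the old tags over; the program-point identifiers and the sample rows are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SpecRow:
    """One row of the LeakagePoint or SensitiveData sheet (constructed model)."""
    point: str        # program point: a field, a method or a method parameter
    tag: str = ""     # label from a Categories sheet; "" means not tagged
    status: str = ""  # Status column: New, Unchanged, Deleted or Added


def merge_specification(old_rows, new_candidates):
    """Recompute the Status column of the new specification file from the old one.

    old_rows:       rows of the previous specification file (with their tags)
    new_candidates: program points the new Init phase found in the code
    """
    old = {row.point: row for row in old_rows}
    still_present = set(new_candidates)
    merged = []

    # Candidates found in the code being analyzed now.
    for point in new_candidates:
        prev = old.get(point)
        if prev is None:
            merged.append(SpecRow(point, "", "New"))              # not in the old file
        elif prev.status == "Deleted":
            merged.append(SpecRow(point, prev.tag, "Added"))      # was Deleted, reappeared
        else:
            merged.append(SpecRow(point, prev.tag, "Unchanged"))  # tag carried over

    # Old rows that no longer exist in the code: kept as Deleted only if they
    # carried a tag or were already Deleted, so the reviewer sees what vanished.
    for point, prev in old.items():
        if point in still_present:
            continue
        if prev.tag or prev.status == "Deleted":
            merged.append(SpecRow(point, prev.tag, "Deleted"))
    return merged


def status_by_point(rows):
    """Map program point -> Status, for a quick look at the merge result."""
    return {row.point: row.status for row in rows}


# Constructed sample: the specification file of an earlier analysis of the
# Gdpr example, using assumed identifiers (not Julia's real naming scheme).
OLD_SPEC = [
    SpecRow("Gdpr.User.name", "name", "Unchanged"),
    SpecRow("Gdpr.User.surname", "surname", "New"),
    SpecRow("Gdpr.User.creditcard", "ccn", "Deleted"),       # removed in a previous build
    SpecRow("Gdpr.sendToEmail(textToSend)", "email", "Unchanged"),
    SpecRow("Gdpr.User.company", "", "New"),                  # never tagged
    SpecRow("Gdpr.User.getDate()", "", "Deleted"),
]

# Constructed sample: candidates the new Init phase finds in the current code.
NEW_CANDIDATES = [
    "Gdpr.User.name",
    "Gdpr.User.surname",
    "Gdpr.User.creditcard",            # back in the code -> Added, tag ccn kept
    "Gdpr.sendToEmail(textToSend)",
    "Gdpr.sendToDatabase(toSave)",     # new method parameter -> New, untagged
]

if __name__ == "__main__":
    for row in merge_specification(OLD_SPEC, NEW_CANDIDATES):
        print(f"{row.status:<9} {row.tag:<8} {row.point}")
```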


Examples

Consider the following program:

import java.util.*;
import javax.mail.*;
import javax.mail.internet.*;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;
import java.util.Date;

import com.juliasoft.julia.checkers.gdpr.LeakagePoint;
import com.juliasoft.julia.checkers.gdpr.SensitiveData;

public class Gdpr {
	
	public static void main(String[] args) {

		User u = new User("Foo", "surnameFoo");
		u.setCreditcard("XXXX-XXXX-XXXX-XXXX");

		sendToEmail(u.getInfo()); // Triggered warning

		sendToDatabase(u.getInfo()); // OK for the policy, without policy trigger a warning

		sendToDatabase(u.toString()); // with the policy Triggered a warning only for ccn
									  // without policy Triggered a warning for name, surname and ccn

		sendToEmail(u.getDate().toString()); // Triggered a unknown source warning 

	}


	private static void sendToEmail(@LeakagePoint(type = "email") String textToSend) {

		String from = "sender@juliasoft.com";

		String to = "receiver@juliasoft.com";

		String host = "localhost";

		Properties properties = System.getProperties();
		properties.setProperty("mail.smtp.host", host);

		Session session = Session.getDefaultInstance(properties);

		try {

			MimeMessage message = new MimeMessage(session);

			message.setFrom(new InternetAddress(from));

			message.addRecipient(Message.RecipientType.TO, new InternetAddress(to));

			message.setSubject("my subject");

			message.setText(textToSend);

			Transport.send(message);

		} catch (MessagingException mex) {
			mex.printStackTrace();
		}

	}


	static void sendToDatabase(@LeakagePoint(type = "database") String toSave) {
		Connection conn = null;
		String url = "jdbc:mysql://192.168.2.128:3306/";
		String dbName = "anvayaV2";
		String driver = "com.mysql.jdbc.Driver";
		String userName = "root";
		String password = "";

		try {
			Class.forName(driver).newInstance();
			conn = DriverManager.getConnection(url + dbName, userName, password);

			Statement st = conn.createStatement();
			// the parameter tagged as leakage point flows into the SQL text here
			String query = "INSERT INTO Customers(CustomerInfo) " + "VALUES ('" + toSave + "')";
			System.out.println(query);
			st.executeUpdate(query); // INSERT is an update, not a result-set query

			conn.close();
		} catch (Exception e) {
			e.printStackTrace();
		}
	}


	public static class User {

		@SensitiveData(type = "name")
		private String name;

		@SensitiveData(type = "surname")
		private String surname;

		@SensitiveData(type = "ccn")
		private String creditcard;

		@LeakagePoint(type = "video")
		private String printAll = ""; // field whose contents are printed on screen (video output)

		private String company;
		private Date date;

		public User(String name, String surname) {
			this.name = name;
			this.surname = surname;
			printAll += "User data: " + this.name + " " + this.surname;

			System.out.println(printAll);
		}

		public Date getDate() {
			return date;
		}

		public void setCreditcard(String creditcard) {
			this.creditcard = creditcard;
		}

		public String getCreditcard() {
			return creditcard;
		}
		
		@SensitiveData(type = "mixeddata")
		public String getInfo() {
			return "Company: " + company + " BirthDate: " + date;
		}

		@Override
		public String toString() {
			return "Name: " + name + " Surname: " + surname + " Ccn: " + creditcard;
		}

	}
}

This checker issues the following warnings:

Gdpr.java:20: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type mixeddata to email through parameter actual parameter "textToSend" of method "sendToEmail"
Gdpr.java:22: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type mixeddata to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.java:24: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type ccn to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.java:24: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type name to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.java:24: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type surname to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.java:27: [Gdpr: LeakageOfPrivateDataThroughParameterUnknownSourceWarning] possible leakage of private data of unknown type to email through parameter actual parameter "textToSend" of method "sendToEmail"
Gdpr.java:110: [Gdpr: LeakageOfPrivateDataThroughFieldWarning] possible leakage of private data of type name to video thorugh field field "printAll"
Gdpr.java:110: [Gdpr: LeakageOfPrivateDataThroughFieldWarning] possible leakage of private data of type surname to video thorugh field field "printAll"
[CHECKERS] GDPR policy not provided. All leakages of sensitive data are considered as not allowed

Let us discuss the motivation of these warnings. The @SensitiveData and @LeakagePoint annotations mark, respectively, the sensitive data points and the leakage points tagged in the specification file of the Init phase. At lines 93, 96 and 99 two fields are tagged with @SensitiveData because they contain data that clearly identifies an individual, or data that should not be disclosed. At line 129 a method that returns sensitive data is tagged with @SensitiveData: it combines different pieces of data that, concatenated together, form sensitive data. For example, a single date is not always personal data, since many individuals share the same birth date, but a birth date combined with other information may be sufficient to identify one individual. At line 32 a method parameter used as the text of an email is tagged with @LeakagePoint: sendToEmail has a leakage point because sensitive data may be read in plain text inside an email. In this case the sensitive data mixeddata is passed directly to the parameter tagged as leakage point email, and a LeakageOfPrivateDataThroughParameterWarning is triggered because the leak is in a method parameter and the analysis has reconstructed a flow graph. At line 66 a parameter of sendToDatabase is tagged with @LeakagePoint. The method executes a query that saves information in a database; this is a possible leakage point because sensitive data could be passed as parameter and archived. In this case the sensitive data name, surname and ccn are passed implicitly to the parameter tagged as leakage point database through the toString method at line 135. The warnings triggered are LeakageOfPrivateDataThroughParameterWarning, one for each sensitive data. At line 102 a field that subsequently shows all its content on screen is tagged with @LeakagePoint. This potentially means that sensitive information can also be viewed by other people, so name and surname could be leaked.
In this case name and surname are contained in the field tagged as leakage point video, and a LeakageOfPrivateDataThroughFieldWarning is triggered because the leak is in a field and the analysis has reconstructed a flow graph. At line 99 an UnknownSourceWarning is triggered. The source is unknown because the analysis over-approximates and associates date with u.getInfo() (which contains date), but it cannot reconstruct a flow graph because u.getDate() does not lead to u.getInfo(). In this case Julia reports that there may be a potential issue. In other cases the source could be unknown because the reconstruction exceeded the node limit set by the flowComputingSpeed option, which drops the flow reconstruction. An UnknownSourceWarning should in any case be checked manually to ensure code correctness.

Policy

The policy is designed to allow certain flows, so it is not necessary to specify which flows to check but only which flows are allowed. It is common for some sensitive data to be saved in a database (name, surname, etc.). To improve the analysis results and reduce possible false positive warnings, it is suggested to set a policy. In the example case it is specified that name, surname and birth date are allowed in a database. The credit card data should not be specified in the policy, because the programmer should check every possible leakage of it.

Policy example:

name → database
surname → database

This checker issues the following warnings with a policy that allows the flow of name and surname into a database:

Gdpr.java:20: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type mixeddata to email through parameter actual parameter "textToSend" of method "sendToEmail"
Gdpr.java:22: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type mixeddata to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.java:24: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type ccn to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.java:27: [Gdpr: LeakageOfPrivateDataThroughParameterUnknownSourceWarning] possible leakage of private data of unknown type to email through parameter actual parameter "textToSend" of method "sendToEmail"
Gdpr.java:110: [Gdpr: LeakageOfPrivateDataThroughFieldWarning] possible leakage of private data of type name to video thorugh field field "printAll"
Gdpr.java:110: [Gdpr: LeakageOfPrivateDataThroughFieldWarning] possible leakage of private data of type surname to video thorugh field field "printAll"
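As an added example (not from the page or from Julia), the Python script below models the eight warnings of the Java example as flows and filters them through the AllowedFlows policy above, reproducing the three report levels (Expected/Unexpected, label pair, components) and the warning lines that remain; the Flow fields and the `Gdpr.java` line numbers are taken from the warnings listed above, and the warning text format is a reconstruction, not the checker's own code.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One reconstructed flow from a sensitive data source to a leakage point."""
    line: int                       # line of the leakage point in Gdpr.java
    sensitive_type: Optional[str]   # SensitiveDataCategories label; None = unknown source
    leakage_type: str               # LeakagePointCategories label
    kind: str                       # "parameter" or "field"
    location: str                   # parameter name or field name
    method: str = ""                # enclosing method, for parameter leaks only


# Constructed from the eight warnings the Java example produces without a policy.
FLOWS = [
    Flow(20, "mixeddata", "email", "parameter", "textToSend", "sendToEmail"),
    Flow(22, "mixeddata", "database", "parameter", "toSave", "sendToDatabase"),
    Flow(24, "ccn", "database", "parameter", "toSave", "sendToDatabase"),
    Flow(24, "name", "database", "parameter", "toSave", "sendToDatabase"),
    Flow(24, "surname", "database", "parameter", "toSave", "sendToDatabase"),
    Flow(27, None, "email", "parameter", "textToSend", "sendToEmail"),
    Flow(110, "name", "video", "field", "printAll"),
    Flow(110, "surname", "video", "field", "printAll"),
]

# AllowedFlows sheet of the Policy section: one (sensitive type, leakage type) pair per row.
POLICY = {("name", "database"), ("surname", "database")}


def is_expected(flow, policy):
    """A flow is Expected only if the policy lists its exact label pair.
    An unknown-source flow has no sensitive type to match, so it stays Unexpected."""
    if flow.sensitive_type is None:
        return False
    return (flow.sensitive_type, flow.leakage_type) in policy


def build_report(flows, policy):
    """Three levels: policy verdict -> (sensitive, leakage) label pair -> components."""
    report = {"Expected": {}, "Unexpected": {}}
    for flow in flows:
        level1 = "Expected" if is_expected(flow, policy) else "Unexpected"
        level2 = (flow.sensitive_type or "unknown", flow.leakage_type)
        component = flow.method or flow.location
        report[level1].setdefault(level2, []).append(f"{component}:{flow.line}")
    return report


def warning_text(flow):
    """Warning line in the shape of the checker's output (covers all four warning names)."""
    via = "Field" if flow.kind == "field" else "Parameter"
    unknown = "UnknownSource" if flow.sensitive_type is None else ""
    name = f"LeakageOfPrivateDataThrough{via}{unknown}Warning"
    data = f"of type {flow.sensitive_type}" if flow.sensitive_type else "of unknown type"
    if flow.kind == "field":
        where = f'through field "{flow.location}"'
    else:
        where = f'through parameter "{flow.location}" of method "{flow.method}"'
    return (f"Gdpr.java:{flow.line}: [Gdpr: {name}] possible leakage of private data "
            f"{data} to {flow.leakage_type} {where}")


def remaining_warnings(flows, policy):
    """Only Unexpected leaks are emitted as warnings; Expected ones stay in the report."""
    return [warning_text(f) for f in flows if not is_expected(f, policy)]


if __name__ == "__main__":
    print("without policy:", len(remaining_warnings(FLOWS, set())), "warnings")
    print("with policy:", len(remaining_warnings(FLOWS, POLICY)), "warnings")
    for line in remaining_warnings(FLOWS, POLICY):
        print(line)
```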

Consider the following program:

using System;
using System.Data.SqlClient;
using System.Net.Mail;
using com.juliasoft.julia.checkers.gdpr;

namespace Example
{
    public class Gdpr
    {
        public static void Main(string[] args)
        {
            
            User u = new User("Foo", "surnameFoo");
            u.creditcard = "XXXX-XXXX-XXXX-XXXX";

            SendToEmail(u.GetInfo()); // Triggered warning

            SendToDatabase(u.GetInfo()); // OK for the policy, without policy trigger a warning

            SendToDatabase(u.ToString()); // with the policy Triggered a warning only for ccn
                                          // without policy Triggered a warning for name, surname and ccn

            SendToEmail(u.date.ToString()); // Triggered a unknown source warning 

        }

        private static void SendToEmail([LeakagePoint("email")] string textToSend) {


            string from = "sender@juliasoft.com";
            string to = "receiver@juliasoft.com";

            MailMessage mail = new MailMessage(from,to);
            SmtpClient client = new SmtpClient();
            client.Port = 25;
            client.DeliveryMethod = SmtpDeliveryMethod.Network;
            client.UseDefaultCredentials = false;
            client.Host = "mail.smtp.host";
            mail.Subject = "my subject";

            mail.Body = textToSend;

            client.Send(mail);

        }


        static void SendToDatabase([LeakagePoint("database")] string toSave) {


            string url = "192.168.2.128:3306";
            string userName = "root";
            string password = "secret";

            using (SqlConnection connection = new SqlConnection("Server=" + url + ";" + "User Instance=true;" + "User Id=" + userName + ";" + "Password=" + password + ";"))
            {
                string query = "INSERT INTO Customers(CustomerInfo) " + "VALUES ('" + toSave + "')";

                using (SqlCommand command = new SqlCommand(query, connection))
                {
                    command.Parameters.AddWithValue("@id", "abc");
                    command.Parameters.AddWithValue("@username", userName);
                    command.Parameters.AddWithValue("@password", password);

                    connection.Open();
                    int result = command.ExecuteNonQuery();

                    // Check Error
                    if (result < 0)
                        Console.WriteLine("Error inserting data into Database!");
                }
            }
        }

    }

    public class User {


        [SensitiveData("name")] public string name;


        [SensitiveData("surname")] public string surname;



        [SensitiveData("ccn")] public string creditcard;


        [LeakagePoint("video")] public string printAll; // field whose contents are printed on screen (video output)

        public string company { get; set; }
        public DateTime date { get; set; }

        public User(string name, string surname)
        {
            this.name = name;
            this.surname = surname;
            printAll += "User data: " + this.name + " " + this.surname;

            Console.WriteLine(printAll);

        }

        [SensitiveData("mixeddata")]
        public string GetInfo()
        {
            return "Company: " + company + " BirthDate: " + date;
        }

        public override string ToString()
        {
            return "Name: " + name + " Surname: " + surname + " Ccn: " + creditcard;
        }

    }
}

This checker issues the following warnings:

Gdpr.cs:16: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type mixeddata to email through parameter actual parameter "textToSend" of method "sendToEmail"
Gdpr.cs:18: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type mixeddata to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.cs:20: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type ccn to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.cs:20: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type name to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.cs:20: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type surname to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.cs:23: [Gdpr: LeakageOfPrivateDataThroughParameterUnknownSourceWarning] possible leakage of private data of unknown type to email through parameter actual parameter "textToSend" of method "sendToEmail"
Gdpr.cs:99: [Gdpr: LeakageOfPrivateDataThroughFieldWarning] possible leakage of private data of type name to video through field field "printAll"
Gdpr.cs:99: [Gdpr: LeakageOfPrivateDataThroughFieldWarning] possible leakage of private data of type surname to video through field field "printAll"
[CHECKERS] GDPR policy not provided. All leakages of sensitive data are considered as not allowed

Let us discuss the motivation of such warnings. The @SensitiveData and @LeakagePoint annotations (attributes, in C#) mark respectively the sensitive data points and the leakage points tagged in the specification file of the Init phase.

At lines 80, 83 and 87 three fields are tagged with @SensitiveData: they hold data that clearly identifies one individual (name, surname) or data that must not be disclosed (the credit card number). At line 106 a method that returns sensitive data is tagged with @SensitiveData. The method concatenates different pieces of data that, taken together, become sensitive: a birth date alone is often not personal data, since many individuals share it, but a birth date combined with other information can be sufficient to identify one individual unambiguously.

At line 27 a method parameter used as the text of an email is tagged with @LeakagePoint. sendToEmail is a leakage point because sensitive data may be read in plain text inside an email. In this case the sensitive mixeddata value is passed directly to the parameter tagged as the leakage point email, and a LeakageOfPrivateDataThroughParameterWarning is issued because the leak is through a method parameter and the analysis was able to reconstruct a flow graph.

At line 48 a parameter of sendToDatabase is tagged with @LeakagePoint. The method executes a query that saves information in a database; this is a possible leakage point because sensitive data could be passed as a parameter and archived. In this case the sensitive data name, surname and ccn reach the parameter tagged as the leakage point database implicitly, through the ToString method at line 135. The warnings issued are LeakageOfPrivateDataThroughParameterWarning, one for each sensitive datum.

At line 90 a field whose whole content is subsequently shown on video is tagged with @LeakagePoint. This means that sensitive information could also be viewed by other people, so name and surname would be leaked. Here name and surname flow into the field tagged as the leakage point video, and a LeakageOfPrivateDataThroughFieldWarning is issued because the leak is through a field and the analysis was able to reconstruct a flow graph.

The warning at line 23 is a LeakageOfPrivateDataThroughParameterUnknownSourceWarning. The source is unknown because the analysis over-approximates: it associates date with u.GetInfo() (which contains date), but it cannot reconstruct a flow graph, since u.date does not lead to u.GetInfo(). In this case Julia reports that there may be a potential issue. In other cases the source is unknown because the flow reconstruction exceeded the node limit set by the flowComputingSpeed option and was dropped. UnknownSource warnings should in any case be checked manually to confirm that the code is correct.

Policy

The policy is designed to allow certain flows: it is not necessary to specify which flows to check, only which flows are allowed. It is common for some sensitive data (name, surname, etc.) to be saved in a database. To improve the analysis results and reduce false positive warnings it is suggested to set a policy. In the example, name and surname are allowed to flow into the database. The credit card data is deliberately left out of the policy, because the programmer should check every possible leakage of it.

Policy example:

name → database
surname → database

This checker issues the following warnings with a policy that allows name and surname to flow into the database:

Gdpr.cs:16: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type mixeddata to email through parameter actual parameter "textToSend" of method "sendToEmail"
Gdpr.cs:18: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type mixeddata to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.cs:20: [Gdpr: LeakageOfPrivateDataThroughParameterWarning] possible leakage of private data of type ccn to database through parameter actual parameter "toSave" of method "sendToDatabase"
Gdpr.cs:23: [Gdpr: LeakageOfPrivateDataThroughParameterUnknownSourceWarning] possible leakage of private data of unknown type to email through parameter actual parameter "textToSend" of method "sendToEmail"
Gdpr.cs:99: [Gdpr: LeakageOfPrivateDataThroughFieldWarning] possible leakage of private data of type name to video through field field "printAll"
Gdpr.cs:99: [Gdpr: LeakageOfPrivateDataThroughFieldWarning] possible leakage of private data of type surname to video through field field "printAll"
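To make the matching concrete, the following Python model reproduces what the warning discussion and the policy section above describe: a backward walk from each leakage point to the sensitive data it depends on, a policy used as an allow-list of (data type, sink) pairs, and the two ways a source ends up unknown (an unresolvable value, or a walk that exceeds the flowComputingSpeed node budget). This is an added illustration, not Julia's implementation or the Gdpr checker's own code; the dependency graph, the node ids such as "Gdpr.cs:16 sendToEmail(textToSend)", the OPAQUE marker and the chain_example helper are constructed here by hand from the page's example and are not produced by the tool.

```python
"""Toy model of how the Gdpr checker matches sources, sinks and a policy.
Added illustration, not Julia's implementation; the graph is hand-built from
the warnings on this page, nothing here parses Gdpr.cs."""
from collections import deque

OPAQUE = "?"  # a value whose origin the (toy) analysis cannot resolve

# Values tagged @SensitiveData in the User class -> data type.
SOURCES = {"u.name": "name", "u.surname": "surname",
           "u.creditcard": "ccn", "u.GetInfo()": "mixeddata"}

# Values tagged @LeakagePoint -> (sink tag, kind of leak in the warning name).
SINKS = {
    "Gdpr.cs:16 sendToEmail(textToSend)": ("email", "Parameter"),
    "Gdpr.cs:18 sendToDatabase(toSave)": ("database", "Parameter"),
    "Gdpr.cs:20 sendToDatabase(toSave)": ("database", "Parameter"),
    "Gdpr.cs:23 sendToEmail(textToSend)": ("email", "Parameter"),
    "Gdpr.cs:99 printAll": ("video", "Field"),
}

# Backward data dependencies: value -> values it is built from (constructed).
DEPS = {
    "u.GetInfo()": ["u.company", "u.date"],            # "Company:" + company + "BirthDate: " + date
    "u.ToString()": ["u.name", "u.surname", "u.creditcard"],
    "Gdpr.cs:16 sendToEmail(textToSend)": ["u.GetInfo()"],
    "Gdpr.cs:18 sendToDatabase(toSave)": ["u.GetInfo()"],
    "Gdpr.cs:20 sendToDatabase(toSave)": ["u.ToString()"],  # implicit string conversion of u
    "Gdpr.cs:23 sendToEmail(textToSend)": [OPAQUE],         # flow to the date text not reconstructible
    "Gdpr.cs:99 printAll": ["u.name", "u.surname"],         # constructor: printAll += ...
}

# Node limits of the flowComputingSpeed option.
BUDGETS = {"FASTEST": 500, "FAST": 1000, "AVERAGE": 2000, "SLOW": 4000, "SLOWEST": 2**31 - 1}


def reconstruct(sink, deps=DEPS, sources=SOURCES, budget=BUDGETS["AVERAGE"]):
    """Walk backwards from `sink`; return (data types reached, unknown flag)."""
    found, unknown = set(), False
    seen, work = {sink}, deque([sink])
    while work:
        node = work.popleft()
        if len(seen) > budget:       # reconstruction dropped: report as unknown
            return found, True
        if node == OPAQUE:
            unknown = True
            continue
        if node in sources:
            found.add(sources[node])  # keep walking: a tagged method may use other sources
        for dep in deps.get(node, []):
            if dep not in seen:
                seen.add(dep)
                work.append(dep)
    return found, unknown


def check(policy=frozenset(), deps=DEPS, sources=SOURCES, sinks=SINKS, speed="AVERAGE"):
    """Return (sink id, warning name, data type, sink tag) for each flow the policy does not allow."""
    warnings = []
    for sink_id, (tag, kind) in sinks.items():
        types, unknown = reconstruct(sink_id, deps, sources, BUDGETS[speed])
        for data_type in sorted(types):
            if (data_type, tag) not in policy:  # policy = allow-list of (type, sink) pairs
                warnings.append((sink_id, f"LeakageOfPrivateDataThrough{kind}Warning", data_type, tag))
        if unknown:                             # never suppressed by a policy
            warnings.append((sink_id, f"LeakageOfPrivateDataThrough{kind}UnknownSourceWarning", "unknown", tag))
    return warnings


def chain_example(length, speed):
    """A sink fed through a `length`-step concatenation chain ending at creditcard:
    a smaller flowComputingSpeed budget turns the precise ccn flow into an unknown source."""
    deps = {f"s{i}": [f"s{i + 1}"] for i in range(length)}
    deps[f"s{length}"] = ["u.creditcard"]
    deps["sink"] = ["s0"]
    return reconstruct("sink", deps, SOURCES, BUDGETS[speed])


def format_warning(w):
    sink_id, name, data_type, tag = w
    return f"{sink_id.split()[0]} [Gdpr: {name}] possible leakage of private data of type {data_type} to {tag}"


if __name__ == "__main__":
    print("-- no policy: every reconstructed flow is reported")
    for w in check():
        print(format_warning(w))
    print("-- policy: name and surname may flow to the database")
    for w in check({("name", "database"), ("surname", "database")}):
        print(format_warning(w))
    print("-- 600-node chain:", chain_example(600, "FASTEST"), "vs", chain_example(600, "AVERAGE"))
```

Run stand-alone, the script prints the eight warnings of the unrestricted run and the six that survive the name/surname policy, in the same order as the lists above; the last line shows the same ccn flow reported precisely under AVERAGE and as an unknown source under FASTEST, which is the overflow case the discussion mentions. Note that the policy removes only exact (type, sink) pairs: ccn to database and the unknown-source warning are still reported, and a database-only policy does nothing for the video sink.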