In fact, the reason why taint flow doesn't align with intuition is due to the insufficient analysis precision of the current configuration. For example, the taint object flows from the source to the library code and then to the sink. You can refer to this example by outputting the complete-taint-flow-graph.dot or taint-flow-path-*.dot to carefully examine the taint flow path and further troubleshoot.
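One way to triage a dumped path like the one the reply mentions, as an added example (not Tai-e code and not part of the original thread): it walks a DOT graph from source to sink and lists the hops that belong to JDK library classes. The DOT text is constructed for illustration; its node ids, label layout and the library hops shown are assumptions, not Tai-e's actual output for this issue.

```python
import re
from collections import deque

# Constructed DOT text (assumed layout, not real Tai-e output). Labels mimic the
# <class: type method(args)>/var style of the TaintFlow line in the report.
SAMPLE_DOT = r'''
digraph G {
  "n0" [label="<org.example.springbootdemo.controller.Hello: java.lang.String hello(java.lang.String)>/cmd"];
  "n1" [label="<java.util.ArrayList: boolean add(java.lang.Object)>/e"];
  "n2" [label="<java.util.HashMap: java.lang.Object get(java.lang.Object)>/ret"];
  "n3" [label="<org.example.springbootdemo.controller.hello2: java.lang.String hello2()>/r4"];
  "n0" -> "n1"; "n1" -> "n2"; "n2" -> "n3";
}
'''

NODE = re.compile(r'"(\w+)"\s*\[label="([^"]*)"\]')
EDGE = re.compile(r'"(\w+)"\s*->\s*"(\w+)"')
OWNER = re.compile(r"<([\w.$]+):")                  # declaring class of the method
LIB_PREFIXES = ("java.", "javax.", "jdk.", "sun.")  # treated as library code

def parse_dot(text):
    labels = dict(NODE.findall(text))               # node id -> label
    succ = {}                                       # node id -> successor ids
    for a, b in EDGE.findall(text):
        succ.setdefault(a, []).append(b)
    return labels, succ

def shortest_path(succ, src, dst):
    """Breadth-first search; returns the node ids from src to dst, or []."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in succ.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst if dst in prev else None
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

def library_hops(dot_text, src_substr, sink_substr):
    """Labels on the source-to-sink path whose method belongs to library code."""
    labels, succ = parse_dot(dot_text)
    src = next(n for n, l in labels.items() if src_substr in l)
    dst = next(n for n, l in labels.items() if sink_substr in l)
    hops = [labels[n] for n in shortest_path(succ, src, dst)]
    return [h for h in hops if (m := OWNER.match(h)) and m.group(1).startswith(LIB_PREFIXES)]
```

Any label it returns marks a point where the reported flow left application code, which is where analysis precision is worth checking first.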
📝 Overall Description
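When I use the taint analysis of Tai-e to detect taint flows, I got a wrong taint flow which I can't understand.

The detected Java files are:

```java
package org.example.springbootdemo.controller;

import java.util.ArrayList;
import java.util.List;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

public class Hello {
    // Parameter 0 (cmd) is configured as the taint source.
    @GetMapping("/hello")
    public String hello(@RequestParam String cmd) {
        List<String> a = new ArrayList<>();
        a.add(cmd);
        return cmd;
    }
}
```

```java
package org.example.springbootdemo.controller;

import java.util.HashMap;
import java.util.Map;
import org.springframework.web.bind.annotation.PostMapping;

public class hello2 {
    @PostMapping("/H")
    public String hello2() {
        Map<String, String[]> s = new HashMap<>();
        s.put("cmd", new String[]{"aa"});
        String cmdStr = s.get("cmd")[0];
        sink(cmdStr);
        return cmdStr;
    }

    // Configured as the taint sink.
    public static void sink(String s) {
        System.out.println(s);
    }
}
```

I set the param of Hello.hello(String cmd) to Source, and hello2.sink to Sink.

The options are:

```yaml
analyses:
  pta: cs:1-call;implicit-entries:false;taint-config:java-benchmarks/springbootdemo/taint-config.yml;
```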
🎯 Expected Behavior
No taint flow.
🐛 Current Behavior
It detects one taint flow:

```
TaintFlow{<org.example.springbootdemo.controller.Hello: java.lang.String hello(java.lang.String)>/0 -> <org.example.springbootdemo.controller.hello2: java.lang.String hello2()>[12@L16] invokestatic org.example.springbootdemo.controller.hello2.sink(r4)/0}
```

It's amazing, I don't know why it can detect this taint flow.
🔄 Reproducible Example
No response
ℹ️ Additional Information
No response