SinkFinder by TheKingOfDuck

Static code analysis tool for closed-source vulnerability detection

Created 1 year ago
473 stars

Top 64.6% on SourcePulse

Project Summary

SinkFinder is a semi-automated vulnerability discovery tool for closed-source Java applications. It performs static code analysis on JAR, WAR, and ZIP files to identify potential vulnerability paths from sources to sinks. The tool integrates with large language models (LLMs) to validate path reachability and assign a confidence score based on the code context, aiming to reduce false positives.

How It Works

SinkFinder analyzes compiled Java code to trace data flow from defined sources to known vulnerable sink methods. It uses a configurable rule set (JSON format) to specify sources, sinks, and exclusion/inclusion patterns for classes and JARs. The optional LLM integration (via Tongyi Qianwen API) provides an additional layer of analysis, assessing the contextual validity and risk of identified paths, thereby enhancing the accuracy of vulnerability detection.

Quick Start & Requirements

  • Install/Run: java -jar SinkFinder-1.0-SNAPSHOT-jar-with-dependencies.jar -p <path_to_analyze> [options]
  • Prerequisites: Java Runtime Environment (JRE). LLM functionality requires a Tongyi Qianwen API key, supplied via the -lk parameter or the DASHSCOPE_API_KEY environment variable.
  • Configuration: A rules.json file is generated after the first run, allowing customization of analysis parameters.
  • Documentation: Usage examples and configuration details are provided in the README.

Highlighted Details

  • Static analysis of JAR, WAR, ZIP archives.
  • LLM-powered path validation and confidence scoring.
  • Customizable source, sink, class, and JAR filtering.
  • Supports regular expressions for sink method matching (parentheses are not supported in the pattern).
  • Output includes filtered paths, LLM details, and risk assessments.

Maintenance & Community

The project is hosted on GitHub by TheKingOfDuck. There are no explicit mentions of community channels, roadmap, or notable contributors in the provided README.

Licensing & Compatibility

The README does not explicitly state a license. The project appears to be closed-source, with the executable JAR provided. Commercial use or linking with closed-source projects may be restricted.

Limitations & Caveats

The LLM integration relies on the Tongyi Qianwen API, which requires an API key and may incur costs. The README notes that parentheses () are not supported in regular expressions for sink method definitions due to conflicts with method parameter parsing. The project is presented as a JAR file, suggesting limited extensibility or modification without decompilation.

Health Check

  • Last Commit: 3 months ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 1 star in the last 30 days
