[Soot-list] looking at the fields

daniela antonova daniela.antonova at gmail.com
Mon Jan 10 08:06:21 EST 2011


Hi,

I am new to static analysis and I have been struggling to do this
task. I am doing a security analysis of programs and my aim is to
label fields as high or low security.
For example,

import java.util.ArrayList;
import java.util.List;

class Test {
      // static so that the static main() can reach it without an instance
      private static List<String> emailList = new ArrayList<>();

      public static void main(String[] args) {
             String email = args[0];   // placeholder for the elided private input
             emailList.add(email);

             publishToPublicSink();
      }

      static void publishToPublicSink() {
             // publish the email list to a public location; System.out stands in
             // for the original's unresolved "object.write" sink
             System.out.println(emailList);
      }
}

The analysis needs to label email and emailList as High security,
because they contain private information. This is done by analysing
the main method. Then it needs to find out that emailList is published
in the publishToPublicSink() method. I have the call graph of the
program, but I have not been able to use it to find that when
emailList is used in publishToPublicSink, emailList is already High
security.

Could you give me any ideas as to methods, classes I could use to make
this happen?

Thank you very much indeed for your help.

Dani
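An added illustration of the approach the question is circling (editor's model code, not Soot's API and not from the original post): fields live on the heap, so their labels belong in one global map rather than in per-method state. Methods reachable through the call graph are scanned in turn; a store joins the stored local's label into the field, a load pulls the field's label back into a local, and the whole sweep repeats until no field label changes, so it does not matter whether the call graph reaches the writer of a field before or after its reader. The statement model, the `PROGRAM` mirroring the `Test` class in the post, and the `CALLGRAPH` are all constructed for the example.

```python
"""Flow-insensitive field labelling driven by the call graph (editor's toy model, not Soot)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

HIGH, LOW = "High", "Low"


def join(a: str, b: str) -> str:
    """Least upper bound in the two-point lattice Low < High."""
    return HIGH if HIGH in (a, b) else LOW


@dataclass(frozen=True)
class Stmt:
    """One statement of a Jimple-like IR. kind: source | const | assign | store | load | call | sink."""
    kind: str
    dst: str = ""     # local written (source/const/assign/load) or field written (store)
    src: str = ""     # local read (assign/store/sink) or field read (load)
    callee: str = ""  # target method of a call


def reachable(callgraph: Dict[str, List[str]], entry: str) -> List[str]:
    """Methods reachable from entry, in depth-first call-graph order."""
    order, stack, seen = [], [entry], set()
    while stack:
        m = stack.pop()
        if m in seen:
            continue
        seen.add(m)
        order.append(m)
        stack.extend(reversed(callgraph.get(m, [])))
    return order


def analyze(methods: Dict[str, List[Stmt]], callgraph: Dict[str, List[str]], entry: str):
    """Return (field labels, leaks); a leak is (method, field or source whose High value hit a sink)."""
    fields: Dict[str, str] = {}           # one global map: fields are heap state, not per-method
    leaks: Set[Tuple[str, str]] = set()
    order = reachable(callgraph, entry)
    changed = True
    while changed:                        # repeat until no field label moves up the lattice
        changed = False
        leaks.clear()
        for name in order:
            labels: Dict[str, str] = {}            # local -> label, fresh for each method
            origin: Dict[str, Optional[str]] = {}  # local -> field or source it was read from
            for s in methods[name]:
                if s.kind == "source":
                    labels[s.dst], origin[s.dst] = HIGH, s.dst
                elif s.kind == "const":
                    labels[s.dst], origin[s.dst] = LOW, None
                elif s.kind == "assign":
                    labels[s.dst] = labels.get(s.src, LOW)
                    origin[s.dst] = origin.get(s.src)
                elif s.kind == "store":       # field <- local, e.g. emailList.add(email)
                    old = fields.get(s.dst, LOW)
                    new = join(old, labels.get(s.src, LOW))
                    if new != old:
                        fields[s.dst] = new
                        changed = True
                elif s.kind == "load":        # local <- field
                    labels[s.dst], origin[s.dst] = fields.get(s.src, LOW), s.src
                elif s.kind == "sink":
                    if labels.get(s.src, LOW) == HIGH:
                        leaks.add((name, origin.get(s.src) or s.src))
                # "call": nothing to do locally; the callee is visited through the call graph
    return fields, leaks


# Constructed program mirroring the Test class from the post, plus a Low-only method.
PROGRAM = {
    "Test.main": [
        Stmt("source", dst="email"),                        # String email = <private input>
        Stmt("store", dst="Test.emailList", src="email"),   # emailList.add(email)
        Stmt("call", callee="Test.publishToPublicSink"),
        Stmt("call", callee="Test.logVersion"),
    ],
    "Test.publishToPublicSink": [
        Stmt("load", dst="r0", src="Test.emailList"),
        Stmt("sink", src="r0"),                             # object.write(emailList)
    ],
    "Test.logVersion": [
        Stmt("const", dst="v"),
        Stmt("store", dst="Test.version", src="v"),
        Stmt("load", dst="r1", src="Test.version"),
        Stmt("sink", src="r1"),                             # Low data at a public sink: no leak
    ],
}
CALLGRAPH = {"Test.main": ["Test.publishToPublicSink", "Test.logVersion"]}


def run_example():
    return analyze(PROGRAM, CALLGRAPH, "Test.main")


if __name__ == "__main__":
    fields, leaks = run_example()
    print("field labels:", fields)
    print("leaks:", leaks)
```

In Soot terms, `fields` would be keyed by `SootField`, the per-method loop would walk each reachable `SootMethod`'s active body, and `reachable` would follow `CallGraph.edgesOutOf`; the point carried over is that the label of `emailList` is fixed once by any reachable store, so a sink in `publishToPublicSink` sees it as High regardless of where that method sits in the call graph.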

