Refactored AccessControlIncompletenessChecker to differentiate between possible and definite access control incompleteness vulnerabilities based on function protection status

merendamattia · merendamattia · commit 96672a6eb3cc · 2025-12-16T13:11:41.000+01:00
diff --git a/src/main/java/it/unipr/crosschain/checker/AccessControlIncompletenessChecker.java b/src/main/java/it/unipr/crosschain/checker/AccessControlIncompletenessChecker.java
@@ -252,24 +252,32 @@ private void reportVulnerability(CheckToolWithAnalysisResults<
 		if (functionSignatureByStatement.equals("no-function-found"))
 			return;
 
-		log.warn(
-				"[DEFINITE] Access Control Incompleteness vulnerability at pc {} (line {}) coming from pc {} (line {}).",
-				((ProgramCounterLocation) sink.getLocation()).getPc(),
-				((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine(),
-				((ProgramCounterLocation) source.getLocation()).getPc(),
-				((ProgramCounterLocation) source.getLocation()).getSourceCodeLine());
-
-		String warn = "[DEFINITE] Access Control Incompleteness vulnerability at "
-				+ ((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine();
-		tool.warn(warn);
-		MyCache.getInstance().addAccessControlIncompletenessWarning(cfg.hashCode(), warn);
-
-		warn = "[DEFINITE] Access Control Incompleteness vulnerability in " + contract.getName() + " at "
-				+ functionSignatureByStatement
-				+ " (pc: " + ((ProgramCounterLocation) sink.getLocation()).getPc() + ", "
-				+ "line: " + ((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine() + ")";
-		MyCache.getInstance().addVulnerabilityPerFunction(cfg.hashCode(), warn);
-
+		if (contract.getFunctionSignatureByString(functionSignatureByStatement).isProtected()) {
+			log.warn(
+					"[POSSIBLE] Access Control Incompleteness vulnerability at pc {} (line {}) coming from pc {} (line {}).",
+					((ProgramCounterLocation) sink.getLocation()).getPc(),
+					((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine(),
+					((ProgramCounterLocation) source.getLocation()).getPc(),
+					((ProgramCounterLocation) source.getLocation()).getSourceCodeLine());
+		} else {
+			log.warn(
+					"[DEFINITE] Access Control Incompleteness vulnerability at pc {} (line {}) coming from pc {} (line {}).",
+					((ProgramCounterLocation) sink.getLocation()).getPc(),
+					((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine(),
+					((ProgramCounterLocation) source.getLocation()).getPc(),
+					((ProgramCounterLocation) source.getLocation()).getSourceCodeLine());
+
+			String warn = "[DEFINITE] Access Control Incompleteness vulnerability at "
+					+ ((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine();
+			tool.warn(warn);
+			MyCache.getInstance().addAccessControlIncompletenessWarning(cfg.hashCode(), warn);
+
+			warn = "[DEFINITE] Access Control Incompleteness vulnerability in " + contract.getName() + " at "
+					+ functionSignatureByStatement
+					+ " (pc: " + ((ProgramCounterLocation) sink.getLocation()).getPc() + ", "
+					+ "line: " + ((ProgramCounterLocation) sink.getLocation()).getSourceCodeLine() + ")";
+			MyCache.getInstance().addVulnerabilityPerFunction(cfg.hashCode(), warn);
+		}
 	}
 
 }
