Adds verify taint config only option

client/command_arguments.py

@@ -275,6 +275,7 @@ class AnalyzeArguments:
     maximum_trace_length: Optional[int] = None
     no_verify: bool = False
     verify_dsl: bool = False
+    verify_taint_config_only: bool = False
     output: str = TEXT
     repository_root: Optional[str] = None
     rule: List[int] = field(default_factory=list)

client/commands/analyze.py

@@ -56,6 +56,7 @@ class Arguments:
     maximum_trace_length: Optional[int] = None
     no_verify: bool = False
     verify_dsl: bool = False
+    verify_taint_config_only: bool = False
     repository_root: Optional[str] = None
     rule_filter: Optional[Sequence[int]] = None
     source_filter: Optional[Sequence[str]] = None
@@ -172,6 +173,7 @@ def serialize(self) -> Dict[str, Any]:
             ),
             "no_verify": self.no_verify,
             "verify_dsl": self.verify_dsl,
+            "verify_taint_config_only": self.verify_taint_config_only,
             **({} if repository_root is None else {"repository_root": repository_root}),
             **({} if rule_filter is None else {"rule_filter": rule_filter}),
             **({} if source_filter is None else {"source_filter": source_filter}),
@@ -278,6 +280,7 @@ def create_analyze_arguments(
         maximum_trace_length=analyze_arguments.maximum_trace_length,
         no_verify=analyze_arguments.no_verify,
         verify_dsl=analyze_arguments.verify_dsl,
+        verify_taint_config_only=analyze_arguments.verify_taint_config_only,
         repository_root=repository_root,
         rule_filter=None if len(rule) == 0 else rule,
         source_filter=None if len(source) == 0 else source,

client/pyre.py

@@ -399,6 +399,12 @@ def pyre(
     default=False,
     help="Verify DSL model queries for the taint analysis.",
 )
+@click.option(
+    "--verify-taint-config-only",
+    is_flag=True,
+    default=False,
+    help="Verify taint.config files. Skips analysis.",
+)
 @click.option(
     "--version",
     is_flag=True,
@@ -541,6 +547,7 @@ def analyze(
     taint_models_path: Iterable[str],
     no_verify: bool,
     verify_dsl: bool,
+    verify_taint_config_only: bool,
     version: bool,
     save_results_to: Optional[str],
     output_format: Optional[str],
@@ -604,6 +611,7 @@ def analyze(
             maximum_trace_length=maximum_trace_length,
             no_verify=no_verify,
             verify_dsl=verify_dsl,
+            verify_taint_config_only=verify_taint_config_only,
             output=command_argument.output,
             repository_root=repository_root,
             rule=list(rule),

source/command/analyzeCommand.ml

@@ -43,6 +43,7 @@ module AnalyzeConfiguration = struct
     maximum_tito_depth: int option;
     no_verify: bool;
     verify_dsl: bool;
+    verify_taint_config_only: bool;
     repository_root: PyrePath.t option;
     rule_filter: int list option;
     source_filter: string list option;
@@ -105,6 +106,9 @@ module AnalyzeConfiguration = struct
           let maximum_tito_depth = optional_int_member "maximum_tito_depth" json in
           let no_verify = bool_member "no_verify" ~default:false json in
           let verify_dsl = bool_member "verify_dsl" ~default:false json in
+          let verify_taint_config_only =
+            bool_member "verify_taint_config_only" ~default:false json
+          in
           let repository_root = optional_path_member "repository_root" json in
           let rule_filter = optional_list_member ~f:to_int "rule_filter" json in
           let source_filter = optional_list_member ~f:to_string "source_filter" json in
@@ -140,6 +144,7 @@ module AnalyzeConfiguration = struct
               maximum_tito_depth;
               no_verify;
               verify_dsl;
+              verify_taint_config_only;
               repository_root;
               rule_filter;
               source_filter;
@@ -204,6 +209,7 @@ module AnalyzeConfiguration = struct
         maximum_tito_depth;
         no_verify;
         verify_dsl;
+        verify_taint_config_only;
         rule_filter;
         source_filter;
         sink_filter;
@@ -260,6 +266,7 @@ module AnalyzeConfiguration = struct
       dump_call_graph;
       verify_models = not no_verify;
       verify_dsl;
+      verify_taint_config_only;
       rule_filter;
       source_filter;
       sink_filter;
@@ -305,6 +312,13 @@ let with_performance_tracking ~debug ~f =
   result
 
 
+let verify_configuration ~static_analysis_configuration () =
+  let (_ : Taint.TaintConfiguration.Heap.t) =
+    TaintAnalysis.initialize_configuration ~static_analysis_configuration
+  in
+  ()
+
+
 let run_analyze analyze_configuration =
   let { AnalyzeConfiguration.base = { CommandStartup.BaseConfiguration.source_paths; debug; _ }; _ }
     =
@@ -324,11 +338,14 @@ let run_analyze analyze_configuration =
           | _ -> true)
         ~f:(fun scheduler ->
           with_performance_tracking ~debug ~f:(fun () ->
-              TaintAnalysis.run_taint_analysis
-                ~static_analysis_configuration
-                ~build_system
-                ~scheduler
-                ());
+              if static_analysis_configuration.verify_taint_config_only then
+                verify_configuration ~static_analysis_configuration ()
+              else
+                TaintAnalysis.run_taint_analysis
+                  ~static_analysis_configuration
+                  ~build_system
+                  ~scheduler
+                  ());
           Lwt.return (ExitStatus.CheckStatus CheckCommand.ExitStatus.Ok)))
 
 

source/command/analyzeCommand.mli

@@ -36,6 +36,7 @@ module AnalyzeConfiguration : sig
     maximum_tito_depth: int option;
     no_verify: bool;
     verify_dsl: bool;
+    verify_taint_config_only: bool;
     repository_root: PyrePath.t option;
     rule_filter: int list option;
     source_filter: string list option;

source/command/test/analyzeTest.ml

@@ -54,6 +54,7 @@ let test_json_parsing context =
       use_cache = false;
       no_verify = false;
       verify_dsl = false;
+      verify_taint_config_only = false;
       check_invariants = false;
       limit_entrypoints = false;
     }

source/configuration.ml

@@ -520,6 +520,7 @@ module StaticAnalysis = struct
     dump_call_graph: PyrePath.t option;
     verify_models: bool;
     verify_dsl: bool;
+    verify_taint_config_only: bool;
     (* Analysis configuration *)
     configuration: Analysis.t;
     rule_filter: int list option;
@@ -553,6 +554,7 @@ module StaticAnalysis = struct
       ?dump_call_graph
       ?(verify_models = true)
       ?(verify_dsl = true)
+      ?(verify_taint_config_only = false)
       ?rule_filter
       ?source_filter
       ?sink_filter
@@ -583,6 +585,7 @@ module StaticAnalysis = struct
       dump_call_graph;
       verify_models;
       verify_dsl;
+      verify_taint_config_only;
       configuration;
       rule_filter;
       source_filter;

source/configuration.mli

@@ -232,6 +232,7 @@ module StaticAnalysis : sig
     dump_call_graph: PyrePath.t option;
     verify_models: bool;
     verify_dsl: bool;
+    verify_taint_config_only: bool;
     (* Analysis configuration *)
     configuration: Analysis.t;
     rule_filter: int list option;
@@ -265,6 +266,7 @@ module StaticAnalysis : sig
     ?dump_call_graph:PyrePath.t ->
     ?verify_models:bool ->
     ?verify_dsl:bool ->
+    ?verify_taint_config_only:bool ->
     ?rule_filter:int list ->
     ?source_filter:string list ->
     ?sink_filter:string list ->

source/interprocedural_analyses/taint/taintAnalysis.ml

@@ -36,10 +36,10 @@ let initialize_configuration
         _;
       }
   =
-  Log.info "Verifying model syntax and configuration.";
+  Log.info "Verifying taint configuration.";
   let timer = Timer.start () in
+  let open Core.Result in
   let taint_configuration =
-    let open Core.Result in
     TaintConfiguration.from_taint_model_paths taint_model_paths
     >>= TaintConfiguration.with_command_line_options
           ~rule_filter
@@ -61,19 +61,33 @@ let initialize_configuration
           ~maximum_tito_depth
     |> TaintConfiguration.exception_on_error
   in
-  (* In order to save time, sanity check models before starting the analysis. *)
   let () =
-    ModelParser.get_model_sources ~paths:taint_model_paths
+    Statistics.performance
+      ~name:"Verified taint configuration"
+      ~phase_name:"Verifying taint configuration"
+      ~timer
+      ()
+  in
+  taint_configuration
+
+
+let verify_model_syntax ~static_analysis_configuration =
+  Log.info "Verifying model syntax.";
+  let timer = Timer.start () in
+  let () =
+    ModelParser.get_model_sources
+      ~paths:
+        static_analysis_configuration.Configuration.StaticAnalysis.configuration.taint_model_paths
     |> List.iter ~f:(fun (path, source) -> ModelParser.verify_model_syntax ~path ~source)
   in
   let () =
     Statistics.performance
-      ~name:"Verified model syntax and configuration"
-      ~phase_name:"Verifying model syntax and configuration"
+      ~name:"Verified model syntax"
+      ~phase_name:"Verifying model syntax"
       ~timer
       ()
   in
-  taint_configuration
+  ()
 
 
 let parse_decorator_preprocessing_configuration
@@ -343,6 +357,9 @@ let run_taint_analysis
   =
   let taint_configuration = initialize_configuration ~static_analysis_configuration in
 
+  (* In order to save time, sanity check models before starting the analysis. *)
+  let () = verify_model_syntax ~static_analysis_configuration in
+
   (* Parse taint models to find decorators to inline or discard. This must be done early because
      inlining is a preprocessing phase of type-checking. *)
   let decorator_configuration =

source/interprocedural_analyses/taint/taintAnalysis.mli

@@ -11,3 +11,7 @@ val run_taint_analysis
   scheduler:Scheduler.t ->
   unit ->
   unit
+
+val initialize_configuration
+  :  static_analysis_configuration:Configuration.StaticAnalysis.t ->
+  Taint.TaintConfiguration.Heap.t