I’m not a big user of annotations, historically, and I only recently discovered “Pluggable Type Systems” in Java, so possibly this is a dumb question, but are there any annotation libraries where you can declare a variable or field something like “sensitive” and method parameters “insecure” so that the compiler can enforce good security control? Like, I envision declaring a variable “@sensitive val password = getPasswordFromSomewhere()” or a method like
def getPasswordFromSomewhere(): @sensitive String = { … }
(not sure about the syntax there; I’d like to declare that the result is @sensitive, not that the method does something sensitive, but maybe that’s not right) and a method like:
class MyLogger {
def debug(@insecure message: String, @insecure variable: Any) { … }
}
(I don’t know if this is a thing that annotations can do, but it would be nice if the compiler could infer that “val password: String” is @sensitive if getPasswordFromSomewhere is @sensitive, like how the compiler can trace a variable’s provenance and know that it may not be initialized)
and the compiler enforcing that you can’t write passwords to log files. I’ve taken a quick look at The Checker Framework, but didn’t see anything, though I intend to look more.
Thank you for reading and thank you for your patience if there’s an obvious answer I’ve overlooked.