JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
General

Warnings: Instances and Groups

A warning describes a single (potential) weakness identified by CodeSonar.

Individual warnings are not securable resources. Access to warning information is controlled by the ANALYSIS_WARNING_EXISTS and ANALYSIS_WARNING_READ permissions; warning ownership is subject to the ANALYSIS_OWN_WARNINGS permission. If a role has one or more of these permissions for a particular analysis, all warnings issued by that analysis are covered.

In discussing warnings, we sometimes need to make a distinction between a single instance of a warning and closely related groups of instances. We use the following terminology.

warning instance A warning with a specific path and location, issued by a specific analysis.
warning group A set of warning instances that CodeSonar has determined to be closely related - because they have the same fingerprint - will have the same Group ID (but different Instance IDs). This will happen if:
  • The "same" warning is issued by two different analyses.
  • Very similar warnings are issued by a single analysis.

By default, the scope of a warning group is hub-wide: all warnings with the same fingerprint will be assigned to the same group, even if they are issued by analyses of different projects. To restrict warning group scope to individual projects, deselect Share annotations between projects in the Analysis tab of the Settings page. For more information, see Warning Group Scope.
representative instance For each analysis, one instance in every warning group is designated the representative instance by the hub.
  • If there is only one instance in the group, that is the representative instance.
overall representative instance The overall representative instance of a warning group is the representative instance for the most recent analysis that issued a warning belonging to the group.
  • Only the overall representative instance for each group has a Change Warning form on its Warning Report page. All other instances provide a link to the overall representative instance report instead.
warning cluster A set of warning groups that CodeSonar has determined to be related with respect to a single analysis. Warning clusters provide an opportunity to consider sets of warnings at a broader granularity than that provided by warning groups. A warning cluster that contains only one warning group is a singleton cluster .
cluster representative For each analysis, one instance in each cluster is designated the cluster representative instance by the hub. The cluster representative is always the representative instance of a group in the cluster.

Properties

This section describes each of the properties of a warning. The full list of properties is (in alphabetical order):

Some properties are associated with individual warning instances, some are shared between all the instances of a warning group. The Stored By column in the table below indicates whether each property is associated with an instance or a group.

  Name
( Search Language Field Name, if any)		 Stored By Description

Identification

  Warning ID
( id )		 instance The full unique identifier for a warning instance, formatted as g.i where g is a Group ID and i is an Instance ID.
Group ID instance Warnings that CodeSonar has determined to be closely related will have the same Group ID (but different Instance IDs).
Instance ID
( iid )		 instance The short unique identifier for a warning instance; this allows multiple warnings with the same Group ID to be distinguished. The Instance ID is sufficient to uniquely identify the warning instance, but does not convey any information about the group the instance belongs to.
Fingerprint instance A hash value based on certain properties of the warning instance.
  • The exact set of properties depends on the class of the warning.
    • The warning class name is always included.
    • Location information is included in a way that provides some flexibility for code changes between analyses.
      • For warning classes associated with execution paths, the portion of the call stack that lies within the core path is included in the fingerprint.
      • Line content (but not the precise location of that line) is included in the fingerprint. In particular, file names, directory names, and line numbers are not included.
  • If two warning instances (on the same hub) have the same Group ID, they will have the same fingerprint.
  • If warning group sharing is ON (and has always been so) then there is a 1:1 correspondence between Group ID and Fingerprint across the hub.
  • If warning group sharing is OFF, two warnings in different projects on the hub must always be in separate warning groups and so can never have the same Group ID. There will be a 1:1 correspondence between Fingerprint and Group ID within each project on the hub.
Scope group Specifies the extent to which the group (and its associated properties and annotations) is shared across the hub. There are two possibilities:
  • global scope: multiple projects can have instances of this warning group
  • project scope, with respect to a specific project P: instances of this warning group can only be issued by analyses of P.
For more information, see Warning Group Scope.
Representative?
( similar )		 instance "true" if the warning instance is a representative instance for its group, "false" otherwise.
Cluster
( cluster )		 instance A hash value based on certain properties of the warning. This is distinct from the Fingerprint value. Warnings instances in the same cluster will have the same Cluster value and the same Warning Analysis. The properties used to compute the hash value are:
Cluster Representative?
( clustered)		 instance "true" if the warning instance is the cluster representative for its cluster, "false" otherwise.

Classification

  Warning Class
 instance Every warning instance is associated with exactly one warning class.

The GUI and warning search language provide direct access to several Warning Class properties:

(class) class name
(categories) class categories
(significance) class significance
Score
 instance CodeSonar computes and reports Score in order to suggest a review order for warnings: warnings with a higher Score value before warnings with a lower Score value.

Score is a composite of several factors:

  • The likelihood that the warning represents a true positive.
  • The severity of the problem being warned about; in particular, whether it is security-related.
  • The complexity of the warning, with more-complex warnings generally receiving lower Score values than less-complex warnings - more-complex warnings take longer to review and diagnose, so it is typically preferable to address less-complex warnings first.

Score is calculated directly from Rank:

Score = 100 - Rank

Score Coloring

When the Score column is displayed in a table of warnings (in Analysis: Warnings Tab, Warning Cluster, or Warning Search Results), each Score cell has a colored background. The color reflects a Score partitioning whose default "pivots" are 21 and 56, meaning that coloring is applied as follows.

Score Color
[0..21] Green
(21..56] Yellow
(56..100] Red

To change the boundaries ("pivots") of these color bands:

  1. Shut down the hub.
  2. Edit $CSONAR/codesonar/py/hub/build_options.py to change one or both of the values in the score_color_pivots tuple.
  3. Save your changes.
  4. Restart the hub.

The score coloring in warning tables will now reflect your updated pivot values.
Rank
( rank )		 instance CodeSonar computes and reports Rank in order to suggest a review order for warnings: warnings with a lower Rank value (minimum 0) before warnings with a higher Rank value (maximum 100).

With factory settings, the CodeSonar Web GUI presents Score (computed as 100-Rank) rather than Rank, but you can view Rank values by adding the Rank column to any table of warning classes. Rank itself is unlikely to be interesting unless you are implementing a custom warning class and want to set up its Rank calculations: these will determine the Scores of the resulting warnings.

Rank is a composite of several factors:

  • The likelihood that the warning represents a true positive.
  • The severity of the problem being warned about; in particular, whether it is security-related.
  • The complexity of the warning, with more-complex warnings generally receiving larger Rank values than less-complex warnings.

Rank is determined as follows:

  1. CodeSonar determines the base rank for the warning.
    • For warning classes defined using configuration file BAD_FUNCTION_* rules, the base rank is specified by BAD_FUNCTION_BASE_RANK.
    • For warning classes defined using configuration file BAD_MACRO_* rules, the base rank is specified by BAD_MACRO_BASE_RANK.
    • For warning classes defined using configuration file METRIC_WARNING_* rules, the base rank is specified by METRIC_WARNING_BASE_RANK.
    • For warning classes defined using the CodeSonar Plug-in API, the base rank is specified as an argument to the warning class creation function.
    • For other built-in warning classes, the base rank is computed internally by CodeSonar.
  2. Starting with this base rank, CodeSonar applies all the adjustment rules in $CSONAR/codesonar/py/hub/codesonar/rank_rules.py whose @pattern matches the properties of the warning. When TAINT_RANK_BONUS=Yes, CodeSonar also applies an adjustment if values relevant to the warning are tainted.
  3. The resulting value is the Rank.
You can use the CodeSonar SQL query mechanism to investigate Rank values on the hub. For example, to see the Rank distributions for different warning classes in the analysis with Analysis ID 5: 
select cs_warningclass.label_xml, 
       min(cs_warninginstance.rank),
       avg(cs_warninginstance.rank), 
       stddev(cs_warninginstance.rank),
       count(cs_warninginstance.rank) 
  from cs_warninginstance,
       cs_warninginstdata, 
       cs_warningclass 
  where cs_warninginstance.data_id=cs_warninginstdata.id and
        cs_warningclass.id=cs_warninginstdata.warningclass_id and
        analysis_id=5
  group by cs_warningclass.label_xml 
  order by min(cs_warninginstance.rank)
Effective Parse Error? instance "true" if the warning instance is also effectively a parse error (which will likely appear in the parse log), "false" otherwise.
  • If the instance Warning Class is a C/C++ parser warning class, parse error status is determined by the parser: for a given warning class, there may be some warning instances that are parse errors but other warning instances that are not.
  • For warnings that do not belong to a C/C++ parser warning class, Effective Parse Error? is always "false".
Parse Diagnostic Severity instance The parse diagnostic severity associated with the warning instance.
  • If the instance Warning Class is a C/C++ parser warning class, the parse diagnostic severity is one of: {"remark", "warning", "cmdline_warning", "discretionary_error", "error", "catastrophe", "cmdline_error", "internal_error"}.
    The severity is determined by the parser. Different instances of the same warning class may have different severity values.
  • For warnings that do not belong to a C/C++ parser warning class, Parse Diagnostic Severity is always "undefined".

Analysis Details

  Warning Analysis instance The analysis that issued the warning instance. The GUI and warning search language provide direct access to several Warning Analysis properties:
Analysis ID (aid)
Analysis (analysis)
Analysis Description (adesc)
(For other properties of the analysis, refer to the corresponding Analysis page or issue an SQL query.)
Warning Project instance The project that was analyzed by Warning Analysis. The GUI and warning search language provide direct access to several Warning Project properties:
Project ID (pid)
Name (project)
Project Description (pdesc)
Project Path (ptree_path)
(For other properties of the project, refer to the corresponding Project page or issue an SQL query.)
Detected
( detected )		 instance The date and time at which the warning instance was issued.
First Detected
( firstdetected )		 group The date and time at which the first warning instance in the group was issued.

Note that this value never changes, even if the analysis that issued the first warning is subsequently deleted.
New?
( new_warning )		 instance true if Detected is no more than 10 seconds from First Detected, false otherwise.

Source Details

  Warning File instance The source file in which the warning was issued. The GUI and warning search language provide direct access to several Warning File properties:
(directory) Directory
(file) File
(path) File Path
(language) Language
(For other properties of the source file, refer to the corresponding Source Listing page or issue an SQL query.) Note that warnings of some classes are not associated with source files.
Procedure
( procedure )		 instance The name of the procedure in which the warning was issued. Note that warnings of some classes are not associated with procedures, and warnings of some other classes may occur in locations that are not inside any procedure.
Line Number
( line )		 instance The line number in Warning File at which the warning was issued.
Line Content
( line_content )		 instance The contents of the line in Warning File at which the warning was issued.
Line Content XML
( line_content_xml)		 instance An enhanced version of Line Content that includes some semantic detail.
Listing
( listing )		 instance A representation of the code context in which the warning was issued, including information about the execution path leading to the warning (if any).

For warnings associated with execution paths, we refer to the path fragment covered by the Listing as the core path. This is the sequence of calls and program statements whose execution will trigger the warning. Users can examine the possible call sequences leading into the core path with the Explore Callers and Search Callers functionality.
Listing XML
( listing_xml )		 instance An enhanced version of Listing that contains file names and the expanded forms of all call sites, among other information.
  Source File Name instance For a warning issued by a binary code analysis with source information available, the basename of the source file corresponding to the warning location.
This field is empty if the warning was issued by a source code analysis or a binary code analysis with no source information available.
Source File Path instance For a warning issued by a binary code analysis with source information available, the absolute path name of the source file corresponding to the warning location. Depending on the method used to obtain source correspondence information, this may be the same as Source File Name.
This field is empty if the warning was issued by a source code analysis or a binary code analysis with no source information available.
Source Line Number instance For a warning issued by a binary code analysis with source information available, the line in Source File Name corresponding to the warning location.
This field is empty if the warning was issued by a source code analysis or a binary code analysis with no source information available.

Conditions

  Preconditions instance The set of conditions that must hold in order for the vulnerability described by the warning to occur.
Postconditions instance The set of conditions that must hold directly after the vulnerability described by the warning has occurred.

User-Controlled

  Priority
( priority )		 group A ranking that reflects the relative importance placed on the warning group.

Use the Settings page to specify a default priority for new warnings.
State
( state )		 group The current state of the weakness(es) described by the warning group.

Use the Settings page to specify a default state for new warnings.
Finding
( finding )		 group Whether or not the warning group corresponds to a real weakness in the code.
Owner
( owner )		 group The user responsible for the warning group. This must be a user with ANALYSIS_OWN_WARNINGS permission for the analysis that issued the warning.
Notes
 group A list of comments associated with the warning group. There are two kinds of note:
User Notes (notes) Users can explicitly add comments using the Web GUI.
Automated Notes - CodeSonar automatically adds a comment every time a user changes the Priority, State, Finding or Owner for the group.
Both sets of comments are displayed together (ordered by timestamp) in the CodeSonar Web GUI, but only user notes are searchable.
Modified group The date and time at which the report was last modified (user-controlled indirectly only). This is the most recent of:
  • The most recent user edit to group information.
  • The date and time at which the most recent warning instance in the group was issued.

Accessing Warning Information

Warning information is available in the CodeSonar GUI as follows.

Warning Report Full information about a single warning instance.
Warning Search Results A table with one line for each warning instance that matches the search conditions.
Analysis The Warnings tab contains a table with one line for each warning instance issued by the analysis.
Warning Cluster Full information about a single warning cluster from a single analysis.
Source Listing When Show warnings is selected CodeSonar will display annotations at locations where warnings were issued (if any).
 

To report problems with this documentation, please visit https://support.codesecure.com/.