--- codesonar-3.5p2/codesonar/template.conf 2010-05-14 01:51:36.000000000 -0400
+++ codesonar-3.6p0/codesonar/template.conf 2011-01-05 19:48:29.000000000 -0500
@@ -162,8 +162,10 @@
 # COMPILER_MODELS += picc.exe -> picc
 # COMPILER_MODELS += shc.exe -> shc
 # COMPILER_MODELS += shcpp.exe -> shcpp
 # COMPILER_MODELS += ch38.exe -> ch38
+# COMPILER_MODELS += dcc.exe -> dcc
+# COMPILER_MODELS += dplus.exe -> dcc
 # COMPILER_MODELS += null-cc.exe -> xcc
 # \endcode
 #
 # Posix default models:
@@ -252,8 +254,9 @@
 #
 # Windows:
 # \code
 # DISABLED_COMPILERS += armcc.exe
+# DISABLED_COMPILERS += armcpp.exe
 # DISABLED_COMPILERS += ch38.exe
 # DISABLED_COMPILERS += cl.exe
 # DISABLED_COMPILERS += cl30.exe
 # DISABLED_COMPILERS += cl6x.exe
@@ -261,46 +264,63 @@ # DISABLED_COMPILERS += clmips.exe # DISABLED_COMPILERS += clsh.exe # DISABLED_COMPILERS += clthumb.exe # DISABLED_COMPILERS += cw-cc.exe +# DISABLED_COMPILERS += dcc.exe +# DISABLED_COMPILERS += dplus.exe +# DISABLED_COMPILERS += ecom68.exe # DISABLED_COMPILERS += ecom86.exe # DISABLED_COMPILERS += ecomarm.exe # DISABLED_COMPILERS += ecomppc.exe # DISABLED_COMPILERS += ecomx86.exe # DISABLED_COMPILERS += g++.exe +# DISABLED_COMPILERS += g++-3.exe +# DISABLED_COMPILERS += g++-4.exe # DISABLED_COMPILERS += gcc.exe +# DISABLED_COMPILERS += gcc-3.exe +# DISABLED_COMPILERS += gcc-4.exe # DISABLED_COMPILERS += gpp.exe # DISABLED_COMPILERS += gxx.exe +# DISABLED_COMPILERS += iccarm.exe +# DISABLED_COMPILERS += icc430.exe +# DISABLED_COMPILERS += iccm32c.exe # DISABLED_COMPILERS += mcpcom.exe # DISABLED_COMPILERS += null-cc.exe # DISABLED_COMPILERS += picc.exe # DISABLED_COMPILERS += shc.exe # DISABLED_COMPILERS += shcpp.exe # DISABLED_COMPILERS += tcc.exe +# DISABLED_COMPILERS += tcpp.exe # \endcode +# # Posix: # \code -# DISABLED_COMPILERS += gcc -# DISABLED_COMPILERS += gxx -# DISABLED_COMPILERS += g++ -# DISABLED_COMPILERS += gpp +# DISABLED_COMPILERS += armcc +# DISABLED_COMPILERS += armcpp # DISABLED_COMPILERS += c++ # DISABLED_COMPILERS += cc -# DISABLED_COMPILERS += null-cc -# DISABLED_COMPILERS += dcc -# DISABLED_COMPILERS += dplus # DISABLED_COMPILERS += ccppc +# DISABLED_COMPILERS += ch38 # DISABLED_COMPILERS += c++ppc +# DISABLED_COMPILERS += dcc +# DISABLED_COMPILERS += dplus +# DISABLED_COMPILERS += ecomarm +# DISABLED_COMPILERS += ecom68 +# DISABLED_COMPILERS += ecom86 # DISABLED_COMPILERS += ecomppc # DISABLED_COMPILERS += ecomx86 -# DISABLED_COMPILERS += ecom86 -# DISABLED_COMPILERS += ecomarm +# DISABLED_COMPILERS += g++ +# DISABLED_COMPILERS += gcc +# DISABLED_COMPILERS += gpp +# DISABLED_COMPILERS += gxx # DISABLED_COMPILERS += mcpcom +# DISABLED_COMPILERS += null-cc # DISABLED_COMPILERS += shc # DISABLED_COMPILERS += shcpp -# 
DISABLED_COMPILERS += ch38 # DISABLED_COMPILERS += armcc # DISABLED_COMPILERS += tcc +# DISABLED_COMPILERS += tcpp +# # \endcode # Parameter FORCE_ENVIRONMENT @@ -361,8 +381,12 @@ # # Setting this to "Yes" can be useful if running an interactive # Cygwin shell inside a hook command. # +# For example: +# \code +# UNIX_TEXT_MODE = No +# \endcode # UNIX_TEXT_MODE = No @@ -379,12 +403,50 @@ # This parameter is ignored on non-Windows systems. Its only known # use is to make sure the parser has access to output files produced # by the compiler when using Microsoft's \tt #import directive. # +# For example: +# \code +# INVOKE_COMPILER_FIRST = Yes +# \endcode # INVOKE_COMPILER_FIRST = Yes +# Parameter HOLD_STDIO +# +# Purpose +# Specifies whether or not to hold the stdout, stderr, and stdin +# streams open. +# +# Type +# {Yes, No} +# +# Behavior +# When this is set to "Yes", the stdout, stderr, and stdin streams +# will be kept open even after the real compiler closes them or +# exits. +# +# Notes +# Setting this to "Yes" can cause deadlock if closing one of these +# streams signals something to another process. +# +# Setting this to "Yes" can reduce the probability of exercising +# race conditions in the IAR Embedded Workbench IDE. If that IDE is +# producing the spurious and harmless error message "Error while +# running C/C++ Compiler" then setting this to "Yes" may prevent the +# message. It has also been observed that setting \param +# INVOKE_COMPILER_FIRST to "No" while running an expensive program +# in the background can prevent the error message. +# +# For example: +# \code +# HOLD_STDIO = Yes +# \endcode + +# HOLD_STDIO = No + + # Parameter CODEWARRIOR_INSTALLS # # Purpose # Specifies CodeWarrior install directories so that compiler IDE 
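Review bot: The new HOLD_STDIO documentation (hunk @@ -379,12 +403,50 @@) warns that "Yes" can deadlock when closing a stream signals another process, but the Behavior section never says when the held streams are eventually released, which is exactly what a user needs to judge that risk. A sentence such as `# The held streams are released when the CodeSonar wrapper itself exits.` (or whatever the actual point of release is) would make the Notes actionable. The cross-reference to INVOKE_COMPILER_FIRST in the same Notes also reads as an aside; stating plainly that the two parameters are independent workarounds for the same IAR symptom would avoid readers assuming one depends on the other.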
@@ -1086,11 +1148,11 @@ # Parameter BADFS_NOSLEEP # # Purpose -# Specifies whether or not to give users a chance to stop -# the build when we detect that the file system the project -# is being putting on could cause performance problems. +# Specifies whether or not to give users a chance to stop the build +# when we detect that the file system the project is being put on +# could cause reliability or performance problems. # # Type # {Yes, No} # @@ -1168,9 +1230,9 @@ # Do not use \tt DRY_RUN if the hub is running version 3.5p1 or earlier: # older hubs do not understand this parameter and will consume # licensed lines regardless of its setting. -# DRY_RUN = No +DRY_RUN = No # Parameter HUB_ADDRESS # @@ -1183,11 +1245,11 @@ # Behavior # CodeSonar will use the specified hub address. # - If an address is specified on the command line, then it takes # precedence. -# - The HUB_ADDRESS setting takes precedence over the -# CODESONAR_HUB environment variable. -# - Setting HUB_ADDRESS in template.conf affects the hub-start, +# - The \tt HUB_ADDRESS setting takes precedence over the +# \tt CODESONAR_HUB environment variable. +# - Setting \tt HUB_ADDRESS in template.conf affects the hub-start, # hub-stop, hub-info, hook, and hook-html commands. Setting it in # any other configuration file will affect only hook and hook-html # commands using that file. # @@ -1248,8 +1310,12 @@ # This parameter is ignored by the Windows project builder GUI. # # This parameter has no effect on non-Windows systems. # +# For example: +# \code +# USE_SERVICES = Yes +# \endcode # USE_SERVICES = Yes @@ -1276,8 +1342,12 @@ # hook-html command's stdout and stderr. By default, analysis # processes run in the background and can continue running after the # user has logged out. # +# For example: +# \code +# FOREGROUND = No +# \endcode # FOREGROUND = No 
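Review bot: In hunk @@ -1168,9 +1230,9 @@ the template now sets `DRY_RUN = No` as a live setting, while the Notes immediately above it still say not to use DRY_RUN when the hub is version 3.5p1 or earlier; every project built from this template will therefore send the parameter to such hubs, and the text does not say what an older hub does with an explicit "No". Either keep the line commented out as it was, or reword the note to state what an older hub does with an explicit `DRY_RUN = No` so the apparent contradiction is resolved for the reader. The rest of the DRY_RUN documentation lies outside this hunk.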
@@ -1363,8 +1433,9 @@ # WARNING_FILTER += discard class="Free Non-Heap Variable" # WARNING_FILTER += discard class="Free Null Pointer" # WARNING_FILTER += discard class="Function Call Has No Effect" # WARNING_FILTER += discard class="Ignored Return Value" +# WARNING_FILTER += discard class="Integer Overflow of Allocation Size" # WARNING_FILTER += discard class="Leak" # WARNING_FILTER += discard class="Misaligned Object" # WARNING_FILTER += discard class="Missing Return Statement" # WARNING_FILTER += discard class="Negative Character Value" @@ -1408,13 +1479,14 @@ # The following checks are disabled by default. To enable checks for # a particular class, use the corresponding "allow" rule. # \code # WARNING_FILTER += allow class="Conditional Compilation" +# WARNING_FILTER += allow class="Dynamic Allocation After Initialization" # WARNING_FILTER += allow class="Excessive Stack Depth" # WARNING_FILTER += allow class="Function Too Long" # WARNING_FILTER += allow class="Function Pointer" # WARNING_FILTER += allow class="Goto Statement" -# WARNING_FILTER += allow class="Integer Overflow of Allocation Size" +# WARNING_FILTER += allow class="High Risk Loop" # WARNING_FILTER += allow class="Macro Does Not End With ) or }" # WARNING_FILTER += allow class="Macro Does Not Start With ( or {" # WARNING_FILTER += allow class="Macro Uses -> Operator" # WARNING_FILTER += allow class="Macro Uses [] Operator" @@ -1448,8 +1520,10 @@ # Parameter BAD_FUNCTION_REGEX # Parameter BAD_FUNCTION_MESSAGE # Parameter BAD_FUNCTION_CATEGORIES # Parameter BAD_FUNCTION_RANK +# Parameter BAD_FUNCTION_INFO +# Parameter BAD_FUNCTION_LINK # # Purpose # Specifies functions that are prohibited. # 
@@ -1459,11 +1533,13 @@ # Boost regular expression\endlink # - \tt BAD_FUNCTION_MESSAGE: string # - \tt BAD_FUNCTION_CATEGORIES: string # - \tt BAD_FUNCTION_RANK: number +# - \tt BAD_FUNCTION_INFO: string +# - \tt BAD_FUNCTION_LINK: string representing a URL # # Behavior -# These four parameters are used together to specify bad functions to +# These parameters are used together to specify bad functions to # check for and warnings to issue when those functions occur. # - \tt BAD_FUNCTION_REGEX is a regular expression. If a reference # to a function that matches this is found, then a warning # is issued. @@ -1473,8 +1549,19 @@ # - \tt BAD_FUNCTION_CATEGORIES is the set of categories for the warning, # as a semicolon-separated list. This defaults to the empty string. # - \tt BAD_FUNCTION_RANK is the rank assigned to the warning, with # default 15.0. +# - \tt BAD_FUNCTION_INFO will be used in the warning endbox sentence +# 'Use of [\tt funcname()] is not recommended because ...'. The +# default value is "it is correlated with security or safety +# problems." +# - \tt BAD_FUNCTION_LINK is the URL that will be used in the warning +# endbox sentence 'See here for more information.' +# If not specified, CodeSonar will look for a category beginning with +# "BADFUNC" in the \tt BAD_FUNCTION_CATEGORIES list. If there is such +# a category, CodeSonar will link to the corresponding warning class +# page in the "See here..." sentence. Otherwise, the sentence will +# not be shown in the endbox. # # Notes # # If two or more sets of \tt BAD_FUNCTION_* rules have the same \tt 
@@ -1557,9 +1644,9 @@ BAD_FUNCTION_RANK = 1.0 BAD_FUNCTION_REGEX = ^_?tmpfile$ BAD_FUNCTION_MESSAGE = $Insecure Temporary File$Use of tmpfile -BAD_FUNCTION_CATEGORIES = BADFUNC.TEMP.TMPNAM;BSI:TMPNAM-TMPFILE;BSI:Truncate;CWE:377 +BAD_FUNCTION_CATEGORIES = BADFUNC.TEMP.TMPFILE;BSI:TMPNAM-TMPFILE;BSI:Truncate;CWE:377 BAD_FUNCTION_RANK = 42.0 BAD_FUNCTION_REGEX = ^tmpnam(_r)?$|^_(t|w)tmpnam$ BAD_FUNCTION_MESSAGE = $Insecure Temporary File$Use of tmpnam @@ -1577,19 +1664,20 @@ BAD_FUNCTION_RANK = 43.0 BAD_FUNCTION_REGEX = ^setjmp$ BAD_FUNCTION_MESSAGE = $Call to setjmp$Use of setjmp -BAD_FUNCTION_CATEGORIES = BADFUNC.SETJMP;POW10:1 +BAD_FUNCTION_CATEGORIES = BADFUNC.SETJMP;POW10:1;CWE:691;CWE:710 BAD_FUNCTION_RANK = 1.0 BAD_FUNCTION_REGEX = ^longjmp$ BAD_FUNCTION_MESSAGE = $Call to longjmp$Use of longjmp -BAD_FUNCTION_CATEGORIES = BADFUNC.LONGJMP;POW10:1 +BAD_FUNCTION_CATEGORIES = BADFUNC.LONGJMP;POW10:1;CWE:691;CWE:710 BAD_FUNCTION_RANK = 12.0 -BAD_FUNCTION_REGEX = ^mks?temp$|^_(t|w)?mktemp$ +BAD_FUNCTION_REGEX = ^mktemp$|^_(t|w)?mktemp$ BAD_FUNCTION_MESSAGE = $Insecure Temporary File$Use of mktemp -BAD_FUNCTION_CATEGORIES = BADFUNC.TEMP.MKTEMP;BSI:MKTEMP;BSI:Mkstemp;CWE:377 +BAD_FUNCTION_INFO = it creates filenames that are easily guessed, so the resulting files can be manipulated by other processes. Its use is therefore a security risk. +BAD_FUNCTION_CATEGORIES = BADFUNC.TEMP.MKTEMP;BSI:MKTEMP;CWE:377 BAD_FUNCTION_RANK = 47.0 # Parameter PLUGINS @@ -1703,9 +1791,9 @@ # if( i < 0 ) # A[i] = 42; # \endcode # -# It may be difficult to find vulnerabilitiess in functions that are +# It may be difficult to find vulnerabilities in functions that are # never called when this is set to "No", since the values of the # procedure inputs are never assigned. # # This is set to "No" by default because loops often have conditions 
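Review bot: In hunk @@ -1577,19 +1664,20 @@ the mktemp rule gains a BAD_FUNCTION_INFO sentence that explains the risk but never names the replacement, even though the same hunk quietly narrows the regex from `^mks?temp$` to `^mktemp$` and drops `BSI:Mkstemp`, which appears intended to stop flagging mkstemp as the safe alternative. Since the endbox sentence is the only guidance a user sees, appending `Use mkstemp() instead.` to the INFO text would make the warning actionable and document why mkstemp left the prohibited set. The tmpfile and tmpnam rules in hunk @@ -1557,9 +1644,9 @@ still fall back to the generic INFO text; a one-line INFO on each would keep the three temporary-file rules consistent.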
@@ -1757,9 +1845,9 @@ # Notes # A low value may cause the analysis to frequently recompute the # values of local and static constants. # -CONSTANT_CACHE_CAPACITY = 16 +CONSTANT_CACHE_CAPACITY = 64 # Parameter TOKEN_RENDERER_CAPACITY # @@ -1929,11 +2017,9 @@ # back and the analysis will treat call sites to the procedure as if # the procedure is not defined in the project. # # Notes -# On Windows, this specifies elapsed time. On unix and linux, this -# specifies a limit on user+system time. The default limit is -# unlikely to expire using the default value for \param SEARCH_BOUND. +# This specifies elapsed time. # # This parameter affects checks for most warning classes. The classes # NOT affected are: # - \wclink LANG.CAST.FN Dangerous Function Cast \endwclink @@ -1963,11 +2049,10 @@ # procedure are ignored until the analysis moves on to the next # procedure. # # Notes -# On Windows, this specifies elapsed time. On Solaris/Linux/OS X, it -# specifies a limit on user+system time. The default limit is likely -# to be exceeded in large procedures. +# This specifies elapsed time. The default limit is likely to be +# exceeded in large procedures. # # This parameter affects checks for most warning classes. The classes # NOT affected are: # - \wclink LANG.CAST.FN Dangerous Function Cast \endwclink @@ -2008,11 +2093,10 @@ # procedure are ignored until the analysis moves on to the next # procedure. # # Notes -# On Windows, this specifies elapsed time. On Solaris/Linux/OS X, it -# specifies a limit on user+system time. The default limit is very -# likely to be exceeded in large procedures. +# This specifies elapsed time. The default limit is likely to be +# exceeded in large procedures. # # The warning classes affected by this parameter are the same as those for # \param TIME_LIMIT_INTRA_CLASSIFY. # 
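Review bot: Hunk @@ -1929,11 +2017,9 @@ replaces the old platform-specific note with just "This specifies elapsed time." and drops the sentence saying whether the default is expected to expire under the default SEARCH_BOUND, while the sibling hunks @@ -1963 and @@ -2008 keep their expectation sentence; the reader of the first parameter is left without that guidance. If the semantics really changed from user+system time to wall-clock on Unix, that is worth stating as a consequence rather than leaving it implicit: `# Because this is wall-clock time, a heavily loaded machine can make the limit expire where it otherwise would not, so results may vary between runs.` (hedged: inferred from the old/new wording, confirm against the implementation). The same "This specifies elapsed time." rewrite appears in the hunks at @@ -2033, @@ -2061, @@ -2086, @@ -2104 and @@ -2136 on the following lines; one shared sentence in the first affected parameter and a pointer from the others would avoid repeating it.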
@@ -2033,12 +2117,11 @@ # refinement step takes place. This preference limits the amount of # time spent on the refinement step. # # Notes -# On Windows, this specifies elapsed time. On Solaris/Linux/OS X, it -# specifies a limit on user+system time. The default limit is -# extremely unlikely to be exceeded and exists to guard against -# pathological behavior. +# This specifies elapsed time. The default limit is extremely +# unlikely to be exceeded and exists to guard against pathological +# behavior. # # The warning classes affected by this parameter are the same as those for # \param TIME_LIMIT_INTRA_CLASSIFY. # @@ -2061,12 +2144,9 @@ # contained in the warning reports. If this limit expires, then # yet-to-be-refined likely vulnerabilities will be dropped. # # Notes -# On Windows, this specifies elapsed time. On Solaris/Linux/OS X, it -# specifies a limit on user+system time. The default limit is -# not likely to be exceeded: it exists to guard against pathological -# behavior. +# This specifies elapsed time. # # The warning classes affected by this parameter are the same as those for # \param TIME_LIMIT_INTRA_CLASSIFY. # @@ -2086,10 +2166,9 @@ # Potential leaks nearer to the beginning of procedures receive # preferential treatment. # # Notes -# On Windows, this specifies elapsed time. On Solaris/Linux/OS X, it -# specifies a limit on user+system time. The default limit is +# This specifies elapsed time. The default limit is # not likely to be exceeded when the default value for \param # SEARCH_BOUND is used. # TIME_LIMIT_LEAK_CLASSIFY = 20 
@@ -2104,19 +2183,16 @@ # Type # integer # # Behavior -# Once likely leaks have been identified in the classificition phase, +# Once likely leaks have been identified in the classification phase, # the analysis applies a refinement step both to eliminate false # positives and to enhance the information contained in the warning # reports. If this limit expires, then yet-to-be-refined leaks # will be dropped. # # Notes -# On Windows, this specifies elapsed time. On Solaris/Linux/OS X, it -# specifies a limit on user+system time. The default limit is -# not likely to be exceeded: it exists to guard against pathological -# behavior. +# This specifies elapsed time. # TIME_LIMIT_LEAK_REFINE = 60 @@ -2136,10 +2212,9 @@ # explored. Making this determination can sometimes be extremely # expensive (typically in generated code). # # Notes -# On Windows, this specifies elapsed time. On Solaris/Linux/OS X, it -# specifies a limit on user+system time. The default limit is not +# This specifies elapsed time. The default limit is not # likely to be exceeded: it exists to guard against pathological # behavior. # # The warning classes affected by this parameter are the same as those for @@ -2184,10 +2259,11 @@ # When the number is larger, more paths are searched, but more time # is used. # # Notes -# This preference represents the trade-off between time and -# thoroughness +# This preference represents a trade-off between time and +# thoroughness. If this preference is raised, then \param +# TIME_LIMIT_INTRA_EXPLORE should usually also be raised. # SEARCH_BOUND = 100 
@@ -2206,13 +2282,40 @@ # (positive) setting can cause false negatives, but might save some # time in pathological cases. # # Notes -# This bound is usually unnecessary, even on large projects. +# If this preference is raised, then \param TIME_LIMIT_RESOLVE should +# usually also be raised. # PATH_FINDING_EFFORT = 500 +# Parameter PATH_SHORTENING_EFFORT +# +# Purpose +# Once a set of paths believed to contain at least one vulnerability +# is obtained, and we have found a particular dangerous path within +# the set, this many total paths will be searched in an effort +# to find additional similar warnings within the set, or shorter +# versions of the same warning. Similar, in this context, is defined +# as a warning that violates the same (interprocedural) contract. +# +# Type +# integer +# +# Behavior +# A negative setting indicates that there is no limit. Too low a +# (positive) setting can cause false negatives, but might save some +# time. Setting this to 0 will prevent some warnings with similar +# causes to other warnings from being flagged. +# +# Notes +# If this preference is raised, then \param TIME_LIMIT_RESOLVE should +# usually also be raised. +# +PATH_SHORTENING_EFFORT = 30 + + # Parameter REPORT_SIMILAR_WARNINGS # # Type # {Yes, No} @@ -2271,11 +2374,11 @@ # Type # integer # # Notes -# MAX_SIMILAR_PATHS is similar to this except that it bounds the -# number of reported warnings. MAX_ATTEMPTED_SIMILAR_PATHS should -# always be at least as large as MAX_SIMILAR_PATHS. +# \param MAX_SIMILAR_PATHS is similar to this except that it bounds the +# number of reported warnings. \tt MAX_ATTEMPTED_SIMILAR_PATHS should +# always be at least as large as \tt MAX_SIMILAR_PATHS. # MAX_ATTEMPTED_SIMILAR_PATHS = 4 
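Review bot: The Purpose section of the new PATH_SHORTENING_EFFORT block says "this many total paths will be searched" but does not say whether the budget applies once per set of paths or per dangerous path found within the set, which is the ambiguity a user raising or lowering the value will hit first. A clause such as `# The budget is counted per ... (set or dangerous path)` filled in from the implementation would settle it, and the Purpose paragraph would read better if the mechanism description moved to Behavior, leaving Purpose as the one-line intent the other parameters use. Separately, the PATH_FINDING_EFFORT note loses "This bound is usually unnecessary, even on large projects." without any replacement statement of when the default is expected to bind; if that expectation still holds, keep the sentence alongside the new TIME_LIMIT_RESOLVE advice.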
@@ -3370,20 +3473,20 @@ # if( i != 5 ) # *p; # \endcode # -# The following test case will produce a \wclink Division By Zero -# \endwclink warning if this preference is set to +# The following test case will produce a \wclink LANG.ARITH.DIVZERO +# Division By Zero \endwclink warning if this preference is set to # "ADVERSARIAL". # \code # volatile int i; # i = 5; # 10 / i; # \endcode # -# The following test case will produce a \wclink Division By Zero -# \endwclink warning if this preference is set to -# "ADVERSARIAL" or "IGNORE". +# The following test case will produce a \wclink +# LANG.ARITH.DIVZERO Division By Zero \endwclink warning if this +# preference is set to "ADVERSARIAL" or "IGNORE". # \code # volatile int i; # i = 0; # 10 / i;