--- template6.2p0.conf 2022-04-19 15:51:46.841184400 -0400
+++ template7.0p0.conf 2022-04-19 15:52:06.149067400 -0400
@@ -1,7 +1,7 @@
 # For emacs: -*- Shell-script -*-
 # ######################################################################
-# CodeSonar 6.2p0 Configuration File
+# CodeSonar 7.0p0 Configuration File
 # ######################################################################
 #
 # CodeSonar will use preferences defined in this file when running
@@ -1851,8 +1851,8 @@
 # { Yes, No }
 #
 # Notes
-# If environment variable CS_PREPROCESS_IF_FAIL is set, its value
-# will override the setting of this parameter.
+# If (deprecated) environment variable CS_PREPROCESS_IF_FAIL is
+# set, its value will override the setting of this parameter.
 #
 PREPROCESS_IF_FAIL = No
@@ -1870,8 +1870,8 @@
 # { Yes, No }
 #
 # Notes
-# If environment variable CS_PREPROCESS_ALWAYS is set, its value
-# will override the setting of this parameter.
+# If (deprecated) environment variable CS_PREPROCESS_ALWAYS is set,
+# its value will override the setting of this parameter.
 #
 PREPROCESS_ALWAYS = No
@@ -1925,7 +1925,7 @@
 # Parameter FATSTATS_DUMP_FILE
 #
 # Purpose
-# Specifies an output file for certain diagnostic information.
+# Use to gather diagnostic information for CodeSonar support.
 #
 # Tags
 # - BUILD_OUTPUT: Additional Outputs from the Build/Analysis
@@ -1933,6 +1933,9 @@
 # Type
 # file path
 #
+# Behavior
+# If specified, diagnostic information will be saved to this file
+#
 # Notes
 # If environment variable FATSTATS_DUMP_FILE is set, its value will
 # override the setting of this parameter.
@@ -3544,7 +3547,9 @@
 # WARNING_FILTER += discard class="Hardcoded Authentication"
 # WARNING_FILTER += discard class="Hardcoded Crypto Key"
 # WARNING_FILTER += discard class="Hardcoded Crypto Salt"
+# WARNING_FILTER += discard class="Hardcoded Seed in PRNG"
 # WARNING_FILTER += discard class="Ignored Return Value"
+# WARNING_FILTER += discard class="Inappropriate Call Outside Loop"
 # WARNING_FILTER += discard class="Input After Output Without Positioning"
 # WARNING_FILTER += discard class="Integer Overflow of Allocation Size"
 # WARNING_FILTER += discard class="LDAP Injection"
@@ -3570,9 +3575,11 @@
 # WARNING_FILTER += discard class="Object Slicing"
 # WARNING_FILTER += discard class="Output After Input Without Positioning"
 # WARNING_FILTER += discard class="Overlapping Memory Regions"
+# WARNING_FILTER += discard class="Padding Passed Across a Trust Boundary"
 # WARNING_FILTER += discard class="Plaintext Storage of Password"
 # WARNING_FILTER += discard class="Plaintext Transmission of Password"
 # WARNING_FILTER += discard class="Pool Mismatch"
+# WARNING_FILTER += discard class="Predictable Seed in PRNG"
 # WARNING_FILTER += discard class="Raises FE_INVALID"
 # WARNING_FILTER += discard class="Redundant Condition"
 # WARNING_FILTER += discard class="Return Pointer to Freed"
@@ -3583,6 +3590,7 @@
 # WARNING_FILTER += discard class="Subtraction of Unrelated Pointers"
 # WARNING_FILTER += discard class="Tainted Buffer Access"
 # WARNING_FILTER += discard class="Tainted Environment Variable"
+# WARNING_FILTER += discard class="Thread is not Joinable"
 # WARNING_FILTER += discard class="Try-lock that will never succeed"
 # WARNING_FILTER += discard class="Type Mismatch"
 # WARNING_FILTER += discard class="Type Overrun"
@@ -3695,6 +3703,7 @@
 # WARNING_FILTER += discard class="JavaScript File Access from File URLs (Java)"
 # WARNING_FILTER += discard class="LDAP Authentication Disabled (Java)"
 # WARNING_FILTER += discard class="Lambda Parameter may be null (Java)"
+# WARNING_FILTER += discard class="Legacy Random Generator (Java)"
 # WARNING_FILTER += discard class="Method Enables Debug Features (Java)"
 # WARNING_FILTER += discard class="Method Names Differ Only in Case (Java)"
 # WARNING_FILTER += discard class="Method Should Not Return null (Java)"
@@ -3861,6 +3870,7 @@
 # WARNING_FILTER += discard class="Insecure XSLT Execution (C#)"
 # WARNING_FILTER += discard class="Instanceof Always False (C#)"
 # WARNING_FILTER += discard class="Instanceof Always True (C#)"
+# WARNING_FILTER += discard class="Legacy Random Generator (C#)"
 # WARNING_FILTER += discard class="Method Enables Debug Features (C#)"
 # WARNING_FILTER += discard class="Method Names Differ Only in Case (C#)"
 # WARNING_FILTER += discard class="Method Should Not Return null (C#)"
@@ -3994,6 +4004,7 @@
 # WARNING_FILTER += allow class="Conversion: Pointer to Incomplete"
 # WARNING_FILTER += allow class="Conversion: Pointer/Integer"
 # WARNING_FILTER += allow class="Conversion: Void Pointer to Object Pointer"
+# WARNING_FILTER += allow class="Copy Operation Parameter Is Not const"
 # WARNING_FILTER += allow class="Dangerous Include File Name"
 # WARNING_FILTER += allow class="Data Race"
 # WARNING_FILTER += allow class="Declaration of Flexible Array Member"
@@ -4136,6 +4147,7 @@
 # WARNING_FILTER += allow class="Recursion"
 # WARNING_FILTER += allow class="Recursive Macro"
 # WARNING_FILTER += allow class="Restrict Qualifier Used"
+# WARNING_FILTER += allow class="Return from Computational Exception Signal Handler"
 # WARNING_FILTER += allow class="Risky Integer Promotion"
 # WARNING_FILTER += allow class="Scope Could Be File Static"
 # WARNING_FILTER += allow class="Scope Could Be Local Static"
@@ -4208,6 +4220,8 @@
 # WARNING_FILTER += allow class="Use of AfxParseURL"
 # WARNING_FILTER += allow class="Use of CoLoadLibrary"
 # WARNING_FILTER += allow class="Use of Comma Operator"
+# WARNING_FILTER += allow class="Use of Condition Variable Signal"
+# WARNING_FILTER += allow class="Use of Condition Variable Wait"
 # WARNING_FILTER += allow class="Use of CreateFile"
 # WARNING_FILTER += allow class="Use of CreateProcess"
 # WARNING_FILTER += allow class="Use of CreateThread"
@@ -4232,7 +4246,6 @@
 # WARNING_FILTER += allow class="Use of bsearch"
 # WARNING_FILTER += allow class="Use of catopen"
 # WARNING_FILTER += allow class="Use of chroot"
-# WARNING_FILTER += allow class="Use of cnd_wait"
 # WARNING_FILTER += allow class="Use of cuserid"
 # WARNING_FILTER += allow class="Use of execlp"
 # WARNING_FILTER += allow class="Use of execvp"
@@ -4249,10 +4262,13 @@
 # WARNING_FILTER += allow class="Use of mkstemp"
 # WARNING_FILTER += allow class="Use of offsetof"
 # WARNING_FILTER += allow class="Use of popen"
+# WARNING_FILTER += allow class="Use of pthread_kill"
+# WARNING_FILTER += allow class="Use of putenv"
 # WARNING_FILTER += allow class="Use of qsort"
 # WARNING_FILTER += allow class="Use of rand"
 # WARNING_FILTER += allow class="Use of rand48 Function"
 # WARNING_FILTER += allow class="Use of random"
+# WARNING_FILTER += allow class="Use of realloc"
 # WARNING_FILTER += allow class="Use of realpath"
 # WARNING_FILTER += allow class="Use of recvmsg"
 # WARNING_FILTER += allow class="Use of setjmp"
@@ -5228,6 +5244,12 @@
 BAD_FUNCTION_BASE_RANK = 10
 BAD_FUNCTION_SIGNIFICANCE = STYLE
+BAD_FUNCTION_REGEX = ^(putenv)$
+BAD_FUNCTION_MESSAGE = Use of putenv
+BAD_FUNCTION_CATEGORIES = BADFUNC.PUTENV
+BAD_FUNCTION_BASE_RANK = 10
+BAD_FUNCTION_SIGNIFICANCE = STYLE
+
 BAD_FUNCTION_REGEX = ^(bsearch)$
 BAD_FUNCTION_MESSAGE = Use of bsearch
 BAD_FUNCTION_CATEGORIES = BADFUNC.BSEARCH;Misra2012:21.9;CWE:758;CWE:676
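Review bot: The new putenv entry in the last hunk carries only `BAD_FUNCTION_CATEGORIES = BADFUNC.PUTENV`, whereas the adjacent bsearch entry cross-references MISRA and CWE identifiers in the same `;`-separated field, so a putenv finding gives the person triaging it nothing external to cite. The well-known hazard with putenv is storing a pointer to automatic storage in the environment (CERT POS34-C); if that is the reason for the rule, appending that reference in whatever spelling the other entries use for CERT rules would make the intent clear. The exact token format is not visible in this diff, so copy it from an existing CERT-tagged entry rather than inventing one. With the hazard being a dangling pointer, STYLE at base rank 10 also looks low next to the RELIABILITY ranking given to the condition-variable entries later in this diff, though that may be a deliberate triage choice.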
@@ -5374,9 +5396,9 @@
 BAD_FUNCTION_BASE_RANK = 10.0
 BAD_FUNCTION_SIGNIFICANCE = SECURITY
-BAD_FUNCTION_REGEX = ^cnd_(timed)?wait$
-BAD_FUNCTION_MESSAGE = Use of cnd_wait
-BAD_FUNCTION_CATEGORIES = BADFUNC.CNDWAIT
+BAD_FUNCTION_REGEX = cnd_(timed)?wait|pthread_cond_(timed)?wait|SleepConditionVariableCS|std::condition_variable::wait
+BAD_FUNCTION_MESSAGE = Use of Condition Variable Wait
+BAD_FUNCTION_CATEGORIES = CONCURRENCY.BADFUNC.CNDWAIT
 BAD_FUNCTION_BASE_RANK = 10.0
 BAD_FUNCTION_SIGNIFICANCE = RELIABILITY
@@ -5386,6 +5408,24 @@
 BAD_FUNCTION_BASE_RANK = 10.0
 BAD_FUNCTION_SIGNIFICANCE = RELIABILITY
+BAD_FUNCTION_REGEX = ^pthread_kill$
+BAD_FUNCTION_MESSAGE = Use of pthread_kill
+BAD_FUNCTION_CATEGORIES = CONCURRENCY.BADFUNC.PTHREAD_KILL
+BAD_FUNCTION_BASE_RANK = 1.0
+BAD_FUNCTION_SIGNIFICANCE = RELIABILITY
+
+BAD_FUNCTION_REGEX = std::condition_variable::notify_one|cnd_signal|pthread_cond_signal|WakeConditionVariable
+BAD_FUNCTION_MESSAGE = Use of Condition Variable Signal
+BAD_FUNCTION_CATEGORIES = CONCURRENCY.BADFUNC.CNDSIGNAL
+BAD_FUNCTION_BASE_RANK = 1.0
+BAD_FUNCTION_SIGNIFICANCE = RELIABILITY
+
+BAD_FUNCTION_REGEX = ^realloc$
+BAD_FUNCTION_MESSAGE = Use of realloc
+BAD_FUNCTION_CATEGORIES = BADFUNC.REALLOC
+BAD_FUNCTION_BASE_RANK = 1.0
+BAD_FUNCTION_SIGNIFICANCE = SECURITY
+
 # Parameter PLUGINS
 #
 # Purpose
@@ -6422,6 +6462,7 @@
 # - Hardcoded Authentication
 # - Hardcoded Crypto Key
 # - Hardcoded Crypto Salt
+# - Hardcoded Seed in PRNG
 # - LDAP Injection
 # - Library Injection
 # - Multiplication Overflow of Allocation Size
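Review bot: The replacement wait regex drops the `^...$` anchors that the removed `^cnd_(timed)?wait$` had and that the neighbouring `^pthread_kill$` and `^realloc$` entries keep; if BAD_FUNCTION_REGEX is applied as a search rather than a full match, it will also fire on any wrapper whose name merely contains one of these substrings, and `std::condition_variable::wait` will silently cover `wait_for` and `wait_until` as well. The signal regex added in the next hunk has the same unanchored shape (`cnd_signal` alone would match a `my_cnd_signal` wrapper). Anchoring the alternation makes the coverage a decision rather than an accident: `BAD_FUNCTION_REGEX = ^(cnd_(timed)?wait|pthread_cond_(timed)?wait|SleepConditionVariableCS|std::condition_variable::wait(_for|_until)?)$`, keeping or dropping the `(_for|_until)?` group deliberately. If the `std::` names are matched against a full signature rather than a bare name, as the LOOP_ONLY_FUNCS entries later in this diff suggest, the trailing `$` would need to allow for the parameter list, which is worth checking against an existing C++ entry before changing.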
@@ -7777,46 +7818,160 @@
 TAINT_PLUS_DP_REFINEMENT_DISMISS_TIMEOUT = Yes
-# Parameter RETURN_CHECKER_SAMPLE_SIZE
+# Parameter RETURN_CHECKER_RATIO
 #
 # Purpose
-# At least this many heeded calls to a given function must be seen
-# before the sample is considered large enough to warn the user
-# about an Ignored Return Value for that function.
+# Specifies the threshold for reporting Ignored Return Value
+# warnings.
 #
 # Tags
 # - WARNING_THRESHOLD: Warning-Class-Specific Settings
 # - WC_LANG.FUNCS.IRV: Used by Ignored Return Value
 #
 # Type
-# integer
+# Real number between 0 and 1 (inclusive)
 #
 # Behavior
-# A smaller value will cause more warnings based on statistical
-# decisions. Negative values are prohibited.
+# If less than this fraction of calls to some function have their
+# return code ignored, then CodeSonar will issue Ignored Return
+# Value warnings for those calls.
+#
+# Parameter RETURN_CHECKER_CONFIDENCE specifies the confidence
+# interval for making this determination.
+#
+# Notes
+# Making this number larger will cause more warnings. A value of 0
+# will effectively disable statistical warnings.
-RETURN_CHECKER_SAMPLE_SIZE = 20
+RETURN_CHECKER_RATIO = 0.1
-# Parameter RETURN_CHECKER_RATIO
+# Parameter RETURN_CHECKER_CONFIDENCE
 #
 # Purpose
-# Sets a threshold T. If the number of ignored call sites to a
-# given function is at least T times the number of heeded call
-# sites, no Ignored Return Value warnings will be produced.
+# Specifies the confidence interval for statistically identifying
+# functions whose return value is usually checked.
 #
 # Tags
 # - WARNING_THRESHOLD: Warning-Class-Specific Settings
 # - WC_LANG.FUNCS.IRV: Used by Ignored Return Value
 #
 # Type
-# Real number between 0 and 1 (inclusive)
+# real number (indicating a number of sigmas)
 #
 # Behavior
-# Making this number larger will cause more warnings. A value of 0
-# will effectively disable statistical warnings.
+# Once all function calls in the program have been analyzed, there
+# is a set of remaining candidate Ignored Return Value warnings for
+# which all of the following are true:
+# - a function return value is ignored, AND
+# - the function is not specified as an exception to the
+# statistical analysis for Ignored Return Value, AND
+# - the candidate warning was not discarded (via
+# RETURN_CHECKER_DISCARD_CONFIDENCE and RETURN_CHECKER_RATIO)
+# while the function calls were being analyzed.
+#
+# For each of these candidate warnings, let f() be the function in
+# question and R be the fraction of all observed calls to f() that
+# have ignored return values. CodeSonar performs a one-sided Wilson
+# test to determine whether R <= RETURN_CHECKER_RATIO with at least
+# the confidence specified this parameter. If so, the Ignored
+# Return Value warning is issued.
+#
+# For example, with RETURN_CHECKER_RATIO=0.1 and
+# RETURN_CHECKER_CONFIDENCE=1.96, CodeSonar will flag ignored calls
+# to f() if, with 95% confidence, fewer than 10% of calls to f() in
+# the universe have their return code checked, on the assumption
+# that the code base under analysis is a random sample of all code
+# in the universe.
+#
+# Notes
+# Changing the value of this parameter can affect the number of
+# warnings issued.
+# - A larger value can decrease the number of warnings issued,
+# because it imposes stricter conditions for determining that a
+# function's return value is 'usually' checked.
+# - Conversely, a smaller value can increase the number of warnings
+# issued.
+# - A value of 0 will cause RETURN_CHECKER_RATIO to be respected
+# precisely, even for small call populations.
+# - Negative values are not useful or recommended.
+#
+# For example, suppose we have the following.
+# - Configuration settings for the relevant parameters are
+# RETURN_CHECKER_RATIO=0.1, RETURN_CHECKER_CONFIDENCE=1
+# - In analyzing calls for function myfunc(), CodeSonar has
+# determined that there are 30 calls to myfunc() and that the
+# return value is ignored for one of those calls (and checked for
+# the other 29)
+# - Once all function calls in the program have been analyzed,
+# there is a candidate Ignored Return Value warning representing
+# the myfunc() call whose return value is ignored.
+#
+# With these numbers, the one-sided Wilson test determines that the
+# proportion of ignored calls is below 0.1 (RETURN_CHECKER_RATIO)
+# with 1 sigma of confidence (RETURN_CHECKER_CONFIDENCE) and so the
+# warning is issued.
+#
+# However, if a second call to myfunc() also had its return value
+# ignored (2/30 calls with return value ignored), the Wilson test
+# would determine that the proportion of ignored calls is NOT below
+# 0.1 with 1 sigma of confidence, and Ignored Return Value warnings
+# would not be issued for myfunc().
+#
+# The following parameters specify exceptions to the statistical
+# analysis for Ignored Return Value.
+# - RETURN_CHECKER_BUILT_IN_CHECKED_FUNCS
+# - RETURN_CHECKER_CHECKED_FUNCS
+# - RETURN_CHECKER_BUILT_IN_CHECKED_PURE_FUNCS
+# - RETURN_CHECKER_CHECKED_PURE_FUNCS,
+# - RETURN_CHECKER_CHECKED_PURE_SOME_PATHS_FUNCS
+# - RETURN_CHECKER_IGNORED_FUNCS
-RETURN_CHECKER_RATIO = 0.04
+RETURN_CHECKER_CONFIDENCE = 1
+
+
+# Parameter RETURN_CHECKER_DISCARD_CONFIDENCE
+#
+# Purpose
+# Specifies the confidence interval for statistically determining
+# that a candidate Ignored Return Value warning can be discarded
+# immediately (that is, before all function calls have been
+# analyzed).
+#
+# Tags
+# - WARNING_THRESHOLD: Warning-Class-Specific Settings
+# - WC_LANG.FUNCS.IRV: Used by Ignored Return Value
+#
+# Type
+# real number (indicating a number of sigmas)
+#
+# Behavior
+#
+# To produce Ignored Return Value warnings, CodeSonar analyzes the
+# function calls in the program. Each time it encounters a call to
+# some function f() where the return value is ignored, it
+# accumulates a candidate warning. This candidate is discarded
+# immediately if a one-sided Wilson test determines that, for all
+# calls to f() encountered so far, the proportion with ignored
+# return values is greater than RETURN_CHECKER_RATIO with at least
+# this many sigmas of confidence.
+#
+# Notes
+# The discard test is performed based on the function calls seen up
+# to that point in the analysis (and therefore is based on partial
+# information), so it is possible for some or all Ignored Return
+# Value warnings for a given function f() to be discarded even if
+# the overall proportion of ignored calls to f() in the program
+# does not exceed RETURN_CHECKER_RATIO.
+#
+# A smaller value increases the likelihood of false negatives,
+# increases nondeterminism during parallel analysis, and decreases
+# disk space consumption.
+#
+# Candidate warnings are also discarded immediately if the function
+# name matches a RETURN_CHECKER_IGNORED_FUNCS rule.
+
+RETURN_CHECKER_DISCARD_CONFIDENCE = 4
 # Parameter RETURN_CHECKER_BUILT_IN_CHECKED_FUNCS
@@ -7846,7 +8001,7 @@
 # RETURN_CHECKER_BUILT_IN_CHECKED_FUNCS regular expression and the
 # return value from that function call is ignored on ANY path, an
 # Ignored Return Value warning will always be issued (regardless of
-# the settings of RETURN_CHECKER_SAMPLE_SIZE and
+# the settings of RETURN_CHECKER_CONFIDENCE and
 # RETURN_CHECKER_RATIO).
 #
 # If the Ignored Return Value warning class is disabled, such as
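Review bot: The worked example under RETURN_CHECKER_CONFIDENCE says CodeSonar flags ignored calls to f() when "fewer than 10% of calls to f() in the universe have their return code checked", but R as defined two paragraphs earlier is the fraction of calls whose return value is ignored and the test is R <= RETURN_CHECKER_RATIO, so the sentence inverts the condition; the parallel Format String text later in this diff states it correctly ("fewer than 10% ... have a non-format string"). Suggest `# the universe have their return code ignored, on the assumption`. The same paragraph, and its Format String twin, also reads "with at least the confidence specified this parameter", missing "by": `# the confidence specified by this parameter. If so, the Ignored`. Less certain: 1.96 sigmas is the 95% figure for a two-sided interval, while a one-sided Wilson bound at 95% is roughly 1.645 sigmas, so either the example value or the quoted percentage may want adjusting in both places.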
@@ -8617,7 +8772,7 @@
 # RETURN_CHECKER_CHECKED_FUNCS regular expression and the return
 # value from that function call is ignored on ANY path, an Ignored
 # Return Value warning will always be issued (regardless of the
-# settings of RETURN_CHECKER_SAMPLE_SIZE and RETURN_CHECKER_RATIO).
+# settings of RETURN_CHECKER_CONFIDENCE and RETURN_CHECKER_RATIO).
 #
 # If the Ignored Return Value warning class is disabled, such as
 # with a WARNING_FILTER rule, this parameter has no effect.
@@ -8662,7 +8817,7 @@
 # RETURN_CHECKER_BUILT_IN_CHECKED_PURE_FUNCS regular expression and
 # the return value from that function call is ignored, an Ignored
 # Return Value warning will always be issued (regardless of the
-# settings of RETURN_CHECKER_SAMPLE_SIZE and RETURN_CHECKER_RATIO).
+# settings of RETURN_CHECKER_CONFIDENCE and RETURN_CHECKER_RATIO).
 #
 # If the Ignored Return Value warning class is disabled, such as
 # with a WARNING_FILTER rule, this parameter has no effect.
@@ -9725,7 +9880,7 @@
 # RETURN_CHECKER_CHECKED_PURE_FUNCS regular expression and the
 # return value from that function call is ignored on ALL paths, an
 # Ignored Return Value warning will be issued (regardless of the
-# settings of RETURN_CHECKER_SAMPLE_SIZE and RETURN_CHECKER_RATIO).
+# settings of RETURN_CHECKER_CONFIDENCE and RETURN_CHECKER_RATIO).
 #
 # If the Ignored Return Value warning class is disabled, such as
 # with a WARNING_FILTER rule, this parameter has no effect.
@@ -9777,7 +9932,7 @@
 # RETURN_CHECKER_CHECKED_PURE_SOME_PATHS_FUNCS regular expression
 # and the return value from that function call is ignored on ANY
 # path, an Ignored Return Value warning will be issued (regardless
-# of the settings of RETURN_CHECKER_SAMPLE_SIZE and
+# of the settings of RETURN_CHECKER_CONFIDENCE and
 # RETURN_CHECKER_RATIO).
 #
 # For pure functions, this behavior is only likely to be preferred
@@ -9823,7 +9978,7 @@
 # RETURN_CHECKER_IGNORED_FUNCS regular expression and the return
 # value from that function call is ignored, an Ignored Return Value
 # warning will not be issued (regardless of the settings of
-# RETURN_CHECKER_SAMPLE_SIZE and RETURN_CHECKER_RATIO).
+# RETURN_CHECKER_CONFIDENCE and RETURN_CHECKER_RATIO).
 #
 # If the Ignored Return Value warning class is disabled, such as
 # with a WARNING_FILTER rule, this parameter has no effect.
@@ -9850,49 +10005,167 @@
 RETURN_CHECKER_IGNORED_FUNCS += ^getchar$
-# Parameter FORMAT_STRING_CHECKER_SAMPLE_SIZE
+# Parameter FORMAT_STRING_CHECKER_RATIO
 #
 # Purpose
-# At least this many calls to a given function with a format string
-# in some fixed argument position must be seen before the sample is
-# considered large enough to warn the user about Format String
-# problems.
+# Specifies the threshold for reporting Format String warnings.
 #
 # Tags
 # - WARNING_THRESHOLD: Warning-Class-Specific Settings
 # - WC_MISC.FMT: Used by Format String
 #
 # Type
-# integer
+# Real number between 0 and 1 (inclusive)
 #
 # Behavior
-# A smaller value will cause more warnings based on statistical
-# decisions. Negative values are prohibited.
+# For fixed k, if the proportion of call sites to a given function
+# without a format string in the k'th argument position is less
+# than this value, then CodeSonar will issue Format String warnings
+# for those calls.
 #
-FORMAT_STRING_CHECKER_SAMPLE_SIZE = 20
+# Parameter FORMAT_STRING_CHECKER_CONFIDENCE specifies the
+# confidence interval for making this determination.
+#
+# Notes
+# Making this number larger will cause more warnings. A value of 0
+# will effectively disable statistical warnings.
+FORMAT_STRING_CHECKER_RATIO = 0.3
-# Parameter FORMAT_STRING_CHECKER_RATIO
+
+# Parameter FORMAT_STRING_CHECKER_CONFIDENCE
 #
 # Purpose
-# Sets a threshold T such that for fixed k, if the number of call
-# sites to a given function without a format string in the k'th
-# argument position is at least T times the number of call sites
-# with a format string in the k'th argument position, no Format
-# String warnings will be produced for the function/position pair.
+# Specifies the confidence interval for statistically identifying
+# functions that are usually passed a format string in the k'th
+# parameter position for some k.
 #
 # Tags
 # - WARNING_THRESHOLD: Warning-Class-Specific Settings
 # - WC_MISC.FMT: Used by Format String
 #
 # Type
-# Real number between 0 and 1 (inclusive)
+# real number
 #
 # Behavior
-# Making this number larger will cause more warnings. A value of 0
-# will effectively disable statistical warnings.
+# Once all function calls in the program have been analyzed, there
+# is a set of remaining candidate Format String warnings for which
+# all of the following are true:
+# - a function is passed a non-format string argument in some
+# position, AND
+# - the function, position pair is not specified as an exception to
+# the statistical analysis for Format String with
+# FORMAT_STRING_CHECKER_CHECKED_FUNCS or
+# FORMAT_STRING_CHECKER_IGNORED_FUNCS, AND
+# - the candidate warning was not discarded (via
+# FORMAT_STRING_CHECKER_DISCARD_CONFIDENCE and
+# FORMAT_STRING_CHECKER_RATIO) while the function calls were
+# being analyzed.
+#
+# For each of these candidate warnings, let f() and k be the
+# function and parameter position in question, and R be the
+# fraction of all observed calls to f() that have a non-format
+# string as the k'th argument. CodeSonar performs a one-sided
+# Wilson test to determine whether R <= FORMAT_STRING_CHECKER_RATIO
+# with at least the confidence specified this parameter. If so, the
+# Format String warning is issued.
+#
+# For example, with FORMAT_STRING_CHECKER_RATIO=0.1 and
+# FORMAT_STRING_CHECKER_CONFIDENCE=1.96, CodeSonar will flag calls
+# to f() with a non-format string as the first argument if, with
+# 95% confidence, fewer than 10% of calls to f() in the universe
+# have a non-format string as the first argument (that is, more
+# than 90% of calls pass a format string in this position), on the
+# assumption that the code base under analysis is a random sample
+# of all code in the universe.
+#
+# Notes
+# Changing the value of this parameter can affect the number of
+# warnings issued.
+# - A larger value can decrease the number of warnings issued,
+# because it imposes stricter conditions for determining that a
+# function is 'usually' passed a format string in a particular
+# parameter position.
+# - Conversely, a smaller value can increase the number of warnings
+# issued.
+# - A value of 0 will cause FORMAT_STRING_CHECKER_RATIO to be
+# respected precisely, even for small call populations.
+# - Negative values are not useful or recommended.
+#
+# For example, suppose we have the following.
+# - Configuration settings for the relevant parameters are
+# FORMAT_STRING_CHECKER_RATIO=0.1,
+# FORMAT_STRING_CHECKER_CONFIDENCE=1
+# - In analyzing calls for function myfunc(), CodeSonar has
+# determined that there are 30 calls to myfunc() and that there
+# is a non-format string argument in parameter position 3 in one
+# of those calls (and a format string in that position for the
+# other 29).
+# - Once all function calls in the program have been analyzed,
+# there is a candidate Format String warning representing the
+# myfunc() call with non-format string in parameter position 3.
+#
+# With these numbers, the one-sided Wilson test determines that the
+# proportion of calls with non-format string is below 0.1
+# (FORMAT_STRING_CHECKER_RATIO) with 1 sigma of confidence
+# (FORMAT_STRING_CHECKER_CONFIDENCE) and so the warning is issued.
+#
+# However, if a second call to myfunc() also had a non-format
+# string in position 3 (2/30 calls in total), the Wilson test would
+# determine that the proportion of calls with non-format string is
+# NOT below 0.1 with 1 sigma of confidence, and Format String
+# warnings would not be issued for myfunc() position 3. Note that
+# there may still be Format String warnings issued for calls to
+# myfunc() with non-format strings in other argument positions,
+# since each function-position pair is considered independently.
+
+FORMAT_STRING_CHECKER_CONFIDENCE = 1
+
+
+# Parameter FORMAT_STRING_CHECKER_DISCARD_CONFIDENCE
+#
+# Purpose
+# Specifies the confidence interval for statistically determining
+# that a candidate Format String warning can be discarded
+# immediately (that is, before all function calls have been
+# analyzed).
 #
-FORMAT_STRING_CHECKER_RATIO = 0.4
+# Tags
+# - WARNING_THRESHOLD: Warning-Class-Specific Settings
+# - WC_MISC.FMT: Used by Format String
+#
+# Type
+# real number (indicating a number of sigmas)
+#
+# Behavior
+# To produce Format String warnings, CodeSonar analyzes the
+# function calls in the program. Each time it encounters a call to
+# some function f() where there is a non-format string in some
+# parameter position k, it accumulates a candidate warning. This
+# candidate is discarded immediately if a one-sided Wilson test
+# determines that, for all calls to f() encountered so far, the
+# proportion with a non-format string in position k is greater than
+# FORMAT_STRING_CHECKER_RATIO with at least this many sigmas of
+# confidence.
+#
+# Notes
+# The discard test is performed based on the function calls seen up
+# to that point in the analysis (and therefore is based on partial
+# information), so it is possible for some or all Format String
+# warnings for a given function-position pair f(), k to be
+# discarded even if the overall proportion of f() calls in the
+# program with non-format string in position k does not exceed
+# FORMAT_STRING_CHECKER_RATIO.
+#
+# A smaller value increases the likelihood of false negatives,
+# increases nondeterminism during parallel analysis, and decreases
+# disk space consumption.
+#
+# Candidate warnings are also discarded immediately if the
+# function-position pair matches a
+# FORMAT_STRING_CHECKER_IGNORED_FUNCS rule.
+
+FORMAT_STRING_CHECKER_DISCARD_CONFIDENCE = 4
 # Parameter FORMAT_STRING_CHECKER_CHECKED_FUNCS
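Review bot: The Type entry for FORMAT_STRING_CHECKER_CONFIDENCE is just `+# real number`, while RETURN_CHECKER_CONFIDENCE and the new FORMAT_STRING_CHECKER_DISCARD_CONFIDENCE in this same hunk say `real number (indicating a number of sigmas)`, so a reader of this parameter on its own has no unit for the value until the Notes paragraph; suggest `+# real number (indicating a number of sigmas)`. A second point concerns migration rather than wording: the old FORMAT_STRING_CHECKER_RATIO was the number of non-format call sites as a multiple of format-string call sites, whereas the new one is a fraction of all calls combined with a confidence test, and the default moves from 0.4 to 0.3; a value carried forward from a 6.2 configuration will therefore not mean what it used to. The same applies to RETURN_CHECKER_RATIO earlier in this diff (0.04 to 0.1). A one-sentence Notes addition such as `# The meaning of this parameter changed in CodeSonar 7.0; values tuned for earlier releases should be re-evaluated.` would save users from silently inheriting a mis-scaled threshold.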
@@ -9924,8 +10197,7 @@
 # Calling a function whose name matches without a format
 # string in the 'th parameter position will always trigger
 # a Format String warning, regardless of the settings of
-# FORMAT_STRING_CHECKER_SAMPLE_SIZE and
-# FORMAT_STRING_CHECKER_RATIO.
+# FORMAT_STRING_CHECKER_CONFIDENCE and FORMAT_STRING_CHECKER_RATIO.
 #
 # If is printf or wprintf, the format string contents are
 # checked against the function argument types. If something does
@@ -10142,7 +10414,7 @@
 # FORMAT_STRING_CHECKER_CHECKED_FUNCS. Calling a function whose
 # name matches without a format string in the 'th
 # parameter position will not trigger a Format String warning,
-# regardless of the settings of FORMAT_STRING_CHECKER_SAMPLE_SIZE,
+# regardless of the settings of FORMAT_STRING_CHECKER_CONFIDENCE,
 # FORMAT_STRING_CHECKER_RATIO, and
 # FORMAT_STRING_CHECKER_CHECKED_FUNCS.
 #
@@ -10171,6 +10443,87 @@
 FORMAT_STRING_CHECKER_IGNORED_FUNCS += 2, ::basic_string_view::
+# Parameter PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS
+#
+# Purpose
+# Specifies a function/argument combination for functions that pass
+# data over trust boundaries.
+#
+# Tags
+# - WARNING_SPECIAL_FUNCTIONS: Designates Specially-Treated
+# Functions
+# - WC_MISC.PADDING.POTB: Used by Padding Passed Across a Trust
+# Boundary
+#
+# Type
+# A string of the form
+# ,
+# where:
+# - is an argument position (counting from 1)
+# - is the name of the function
+#
+# Behavior
+# A Padding Passed Across a Trust Boundary warning warning will be
+# triggered when a function whose name (as given by
+# cs_pdg_procedure_name()
+# [doc/html/API/CAPI/cs__pdg_8h.html#func_cs_pdg_procedure_name])
+# matches is called with a reference containing padded
+# bits in the 'th parameter position.
+#
+# Notes
+# Examples of trust boundaries include kernel space -> user space,
+# memory -> socket, and memory -> file.
+
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS = 2, copy_to_user
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 1, copyout_nofault
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 1, copyout
+
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, write
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, pwrite
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 1, fwrite
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, writev
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, pwritev
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, pwritev2
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, send
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, sendto
+
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, WriteFile
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, WriteFileEx
+PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS += 2, WriteFileGather
+
+
+# Parameter LOOP_ONLY_FUNCS
+#
+# Purpose
+# Used by Inappropriate Call Outside Loop to specifie functions
+# whose calls should be enclosed in a loop.
+#
+# Tags
+# - WARNING_SPECIAL_FUNCTIONS: Designates Specially-Treated
+# Functions
+# - WC_LANG.STRUCT.ICOL: Used by Inappropriate Call Outside Loop
+#
+# Type
+# string (representing a function name)
+#
+# Behavior
+# A call to any function whose name (as given by
+# cs_pdg_procedure_name()
+# [doc/html/API/CAPI/cs__pdg_8h.html#func_cs_pdg_procedure_name])
+# matches one of these names will trigger a Inappropriate Call
+# Outside Loop warning if it is not enclosed in a loop.
+
+LOOP_ONLY_FUNCS = std::condition_variable::wait(std::unique_lock &)
+LOOP_ONLY_FUNCS += std::cv_status std::condition_variable::wait_for>(std::unique_lock &, const std::chrono::duration &)
+LOOP_ONLY_FUNCS += std::cv_status std::condition_variable::wait_until>>(std::unique_lock &, const std::chrono::time_point &)
+
+LOOP_ONLY_FUNCS += cnd_wait
+LOOP_ONLY_FUNCS += cnd_timedwait
+
+LOOP_ONLY_FUNCS += pthread_cond_wait
+LOOP_ONLY_FUNCS += pthread_cond_timedwait
+
+
 # Parameter MULTIPLE_THREADS_PER_ENTRY_PROCEDURE
 #
 # Purpose
@@ -12288,7 +12641,7 @@
 ALLOCATOR_FUNCTIONS += ^(_mmap)$
-# Parameter DYN_INIT_FUNCTION
+# Parameter DYN_INIT_FUNCTIONS
 #
 # Purpose
 # Specifies functions that may directly or transitively call
@@ -12934,6 +13287,11 @@
 HARDCODED_ARGS_CATEGORIES = HARDCODED.SALT;CWE:547
 HARDCODED_ARGS_SIGNIFICANCE = SECURITY
+HARDCODED_ARGS_REGEX = ^srand((om)|(48))?$
+HARDCODED_ARGS_LIST = 1
+HARDCODED_ARGS_CLASS_NAME = Hardcoded Seed in PRNG
+HARDCODED_ARGS_SIGNIFICANCE = SECURITY
+
 # Parameter TAINT_HIGHLIGHTING
 #
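Review bot: In the PASS_OVER_TRUST_BOUNDARY_CHECKED_FUNCS list, argument 2 of `writev`, `pwritev` and `pwritev2` is the `struct iovec` array rather than the buffer that crosses the boundary; the padded object is only reachable through `iov_base`, so unless the checker follows that indirection these three entries will inspect the iovec array itself and miss the data. By the same token `sendmsg`, whose buffers sit behind a `msghdr`, is absent while `send` and `sendto` are listed, so the rule set is either incomplete for indirect buffers or the iovec entries are ineffective; confirming which, and then either adding sendmsg or stating in Notes that only direct-buffer sinks are covered, would make the coverage honest. Two wording fixes in the LOOP_ONLY_FUNCS text: `# Used by Inappropriate Call Outside Loop to specify functions` and `# matches one of these names will trigger an Inappropriate Call`. Finally, the condition-variable wait regex earlier in this diff covers `SleepConditionVariableCS`, but LOOP_ONLY_FUNCS does not, although Windows condition variables are documented as subject to spurious wakeups and so belong under the same recheck-in-a-loop rule.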
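Review bot: The new rule `HARDCODED_ARGS_REGEX = ^srand((om)|(48))?$` covers srand, srandom and srand48, but `initstate` (whose first argument is likewise a scalar seed) and the glibc reentrant `srandom_r`/`srand48_r` variants are not matched, so a literal seed passed to those will not raise Hardcoded Seed in PRNG even though argument 1 is the seed for all of them. If the narrower set is intentional, a one-line comment above the rule saying so would stop the next maintainer from reading it as an oversight; otherwise `HARDCODED_ARGS_REGEX = ^(srand(om|48)?(_r)?|initstate)$` widens the net without changing HARDCODED_ARGS_LIST. `seed48` and `lcong48` take an array argument, so they may not fit the literal-argument model this parameter expresses and are probably best left out deliberately.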
@@ -15154,6 +15512,52 @@
 POINTED_TO_CAPACITY_DEFAULTS_TO_TYPE_BOUNDARY = Yes
+# Parameter TYPE_OVERRUN_ON_LAST_ARRAY_FIELD
+#
+# Purpose
+# Specifies whether or not Type Overrun warnings will be issued for
+# a variable length array at the end of a class, struct, or union.
+#
+# Tags
+# - WC_LANG.MEM.TO: Used by Type Overrun
+# - WC_LANG.MEM.BO: Used by Buffer Overrun
+# - WARNING_TUNING: Fine Tuning for Warnings
+#
+# Type
+# { Yes, No }
+#
+# Behavior
+# - Yes : CodeSonar will issue Type Overrun warnings for variable
+# length arrays at the end of a class, struct, or union.
+# - No : CodeSonar will not issue Type Overrun warnings for these
+# arrays.
+#
+# Because of the way CodeSonar handles variable length arrays,
+# setting this parameter to No will also suppress Type Overrun
+# warnings for fixed length arrays of length 0 or 1 when these
+# arrays occur at the end of a class, struct, or union.
+#
+# Notes
+# This parameter does not affect Buffer Overrun warnings.
+#
+# Example:
+# struct { int A[1]; } *p = malloc(sizeof(*p) + 100);
+# p->A[5] = 123; /* Type Overrun warning issued only if TYPE_OVERRUN_ON_LAST_ARRAY_FIELD=Yes
+# * no Buffer Overrun: write is inside allocated buffer
+# */
+#
+# p->A[555] = 123; /* Type Overrun warning issued only if TYPE_OVERRUN_ON_LAST_ARRAY_FIELD=Yes
+# * Buffer Overrun warning always issued: write is outside allocated buffer
+# */
+#
+# The idiom in this example is in common use, but is not permitted
+# by the C and C++ standards. Some compilers have compiler-defined
+# behavior for such code, but others will treat it as having
+# undefined behavior.
+
+TYPE_OVERRUN_ON_LAST_ARRAY_FIELD = No
+
+
 # Parameter RETAIN_UNNORMALIZED_C_AST
 #
 # Purpose
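Review bot: The description calls the trailing member a "variable length array", but in C that term means a C99 VLA with a runtime bound, while what the example and the "length 0 or 1" sentence describe is the trailing-array (struct hack) idiom, whose standard form `int A[];` is a flexible array member; reusing the VLA name invites confusion with the VLA-related warning classes. The closing paragraph compounds this by saying the idiom "is not permitted by the C and C++ standards": that holds for `A[0]` and `A[1]`, but C99 does permit `A[]`, and the text never says whether this parameter governs the standard form as well. Suggest the Purpose line `# a flexible array member or trailing zero/one-length array at the end of a class, struct, or union.`, and a one-line Notes sentence stating how a genuine `int A[];` member is treated. Since the default is No, it is also worth a sentence making explicit that an in-bounds-of-malloc write past such an array's declared length is then reported only when it also exceeds the allocation, which is what the two example writes illustrate.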