--- template7.1p0.conf 2022-11-14 09:55:37.628511100 -0500
+++ template7.2p0.conf 2022-11-14 09:55:52.053813500 -0500
@@ -1,7 +1,7 @@
 # For emacs: -*- Shell-script -*-
 #
 ######################################################################
-# CodeSonar 7.1p0 Configuration File
+# CodeSonar 7.2p0 Configuration File
 ######################################################################
 #
 # CodeSonar will use preferences defined in this file when running
@@ -2200,7 +2200,7 @@
 # Tags
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
 # - INCREMENTAL_NOCHANGE: Do Not Change Between Incremental
-# Analyses
+# Analyses or Stages of a Single Build/Analysis
 #
 # Type
 # { Yes, No }
@@ -3823,6 +3823,8 @@
 # WARNING_FILTER += discard class="Weak Cryptographic Value (Java)"
 # WARNING_FILTER += discard class="Weak Hash Algorithm (Java)"
 # WARNING_FILTER += discard class="Weak Hash Algorithm Field (Java)"
+# WARNING_FILTER += discard class="Weak Initialization Vector Field (Java)"
+# WARNING_FILTER += discard class="Weak Initialization Vector Value (Java)"
 # WARNING_FILTER += discard class="clone Non-cloneable (Java)"
 # WARNING_FILTER += discard class="clone not final (Java)"
 # WARNING_FILTER += discard class="compareTo in Non-Comparable Class (Java)"
@@ -4097,6 +4099,8 @@
 # WARNING_FILTER += discard class="Weak Cryptographic Value (C#)"
 # WARNING_FILTER += discard class="Weak Hash Algorithm (C#)"
 # WARNING_FILTER += discard class="Weak Hash Algorithm Field (C#)"
+# WARNING_FILTER += discard class="Weak Initialization Vector Field (C#)"
+# WARNING_FILTER += discard class="Weak Initialization Vector Value (C#)"
 # WARNING_FILTER += discard class="clone Non-cloneable (C#)"
 # WARNING_FILTER += discard class="clone not final (C#)"
 # WARNING_FILTER += discard class="compareTo in Non-Comparable Class (C#)"
@@ -4192,6 +4196,7 @@
 # WARNING_FILTER += allow class="Inappropriate Character Arithmetic"
 # WARNING_FILTER += allow class="Inappropriate Declaration in Global Namespace"
 # WARNING_FILTER += allow class="Inappropriate Operand Type"
+# WARNING_FILTER += allow class="Inappropriate Test of Error Code"
 # WARNING_FILTER += allow class="Incomplete Function Prototype"
 # WARNING_FILTER += allow class="Inconsistent Enumerator Initialization"
 # WARNING_FILTER += allow class="Inconsistent Function Declarations"
@@ -4244,6 +4249,7 @@
 # WARNING_FILTER += allow class="Missing Lock Acquisition"
 # WARNING_FILTER += allow class="Missing Lock Release"
 # WARNING_FILTER += allow class="Missing Parentheses"
+# WARNING_FILTER += allow class="Missing Test of Error Code"
 # WARNING_FILTER += allow class="Missing break"
 # WARNING_FILTER += allow class="Missing default"
 # WARNING_FILTER += allow class="Missing for-loop Step"
@@ -4278,6 +4284,7 @@
 # WARNING_FILTER += allow class="Non-unique Identifiers: Internal Name"
 # WARNING_FILTER += allow class="Non-unique Identifiers: Tag"
 # WARNING_FILTER += allow class="Non-unique Identifiers: Typedef"
+# WARNING_FILTER += allow class="Non-zero Error Code"
 # WARNING_FILTER += allow class="Not All Warnings Are Enabled"
 # WARNING_FILTER += allow class="Not Enough Assertions"
 # WARNING_FILTER += allow class="Object Defined in Header File"
@@ -6852,7 +6859,7 @@
 # procedure.
 #
-TIME_LIMIT_LIVEVAR = 8
+TIME_LIMIT_LIVEVAR = 60
 # Parameter CPU_SPEED_ADJUSTMENT
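Review bot: The new default `TIME_LIMIT_LIVEVAR = 60` in the last hunk replaces 8 with nothing in the hunk recording why, and the parameter's description block begins outside the hunk, so it cannot be seen whether the new value or its units are documented there. A time limit on an analysis phase presumably trades analysis precision against run time, so a 7.5x change to the shipped default will alter both results and wall-clock time for every project that takes the template as-is. A one-line note beside the assignment, such as `# Default raised from 8 to 60 in 7.2p0` with the rationale added once confirmed, would let users who pinned the old value decide whether to follow.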
@@ -7180,6 +7187,40 @@
 SEARCH_BOUND = 100
+# Parameter SEARCH_BOUND_NOISE_THRESHOLD
+#
+# Purpose
+# Control the "noisiness" of the path search.
+#
+# Tags
+# - ANALYSIS_PROPERTY: Analysis Properties
+#
+# Type
+# Real number between 0 and 1 (including 1)
+#
+# Behavior
+# When adding a path to the set of paths under consideration, noise
+# is introduced to ensure diversity of coverage. If the size of the
+# set is less than this threshold fraction of the maximum, then the
+# path is always added. From the threshold up to the maximum, the
+# probability that it is added drops linearly to zero.
+#
+# Notes
+# The maximum size is determined by the applicable search bound,
+# from SEARCH_BOUND, TAINT_SEARCH_BOUND, BINARY_SEARCH_BOUND
+# (CSO/Binaries only), or BINARY_TAINT_SEARCH_BOUND (CSO/Binaries
+# only), adjusted so that the average behavior is approximately the
+# same across the threshold values.
+#
+# When SEARCH_BOUND_NOISE_THRESHOLD is 1, noise is eliminated, and
+# paths are added as long as the size of the set is not the
+# maximum.
+#
+# The noise is deterministic, so that it doesn't affect the results
+# between multiple analyses with the samd theshold.
+SEARCH_BOUND_NOISE_THRESHOLD = 1.00
+
+
 # Parameter EXPLORE_MORE_LOOP_PATHS
 #
 # Purpose
@@ -7300,7 +7341,7 @@
 # x += buf[i]; // Tainted Buffer Access
 # }
-LOOP_TAINT_TRANSFER = No
+LOOP_TAINT_TRANSFER = Yes
 # Parameter LOOP_COUNTER_DISTRUST
@@ -12875,7 +12916,7 @@
 #
 # Tags
 # - INCREMENTAL_NOCHANGE: Do Not Change Between Incremental
-# Analyses
+# Analyses or Stages of a Single Build/Analysis
 # - HUB_BEHAVIOR: Hub and Web GUI
 #
 # Type
@@ -16277,6 +16318,8 @@
 #
 # Tags
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
+# - INCREMENTAL_NOCHANGE: Do Not Change Between Incremental
+# Analyses or Stages of a Single Build/Analysis
 #
 # Type
 # { Yes, No }
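Review bot: The last Notes sentence of the new SEARCH_BOUND_NOISE_THRESHOLD block has two typos, `samd theshold`; it should read `# between multiple analyses with the same threshold.`. The Type line, `Real number between 0 and 1 (including 1)`, leaves open whether 0 is accepted and what a threshold of 0 would mean under the Behavior paragraph (every addition below the maximum would then be probabilistic), so the lower bound should be stated explicitly. The determinism statement is the property that makes results reproducible across runs, which matters for comparing analyses and for audit, so it is worth moving up into the Behavior paragraph rather than leaving it as the final note.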
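Review bot: `LOOP_TAINT_TRANSFER = Yes` in the second hunk flips the shipped default with nothing in the hunk recording the change; the parameter's description block, which precedes the example `x += buf[i]; // Tainted Buffer Access`, begins outside the hunk, so it is unclear whether the new default is documented there. The name and example suggest this governs whether taint carries across loop iterations, in which case projects re-analysed with the 7.2p0 template can expect additional Tainted Buffer Access warnings that reflect a tooling change rather than a code change, which matters wherever warning counts are tracked as a metric. A note beside the assignment such as `# Default changed from No to Yes in 7.2p0` would make the baseline shift explicit.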
@@ -16541,13 +16584,13 @@
 # Type
 # { java1, java2, java3, java4, java5, java6, java7, java8, java9,
 # java10, java11, java12, java13, java14, java15, java16, java17,
-# androidAPI1, androidAPI2, androidAPI3, androidAPI4, androidAPI5,
-# androidAPI6, androidAPI7, androidAPI8, androidAPI9, androidAPI10,
-# androidAPI11, androidAPI12, androidAPI13, androidAPI14,
-# androidAPI15, androidAPI16, androidAPI17, androidAPI18,
-# androidAPI19, androidAPI20, androidAPI21, androidAPI22,
-# androidAPI23, androidAPI24, androidAPI25, androidAPI26,
-# androidAPI27, androidAPI28 }
+# java18, androidAPI1, androidAPI2, androidAPI3, androidAPI4,
+# androidAPI5, androidAPI6, androidAPI7, androidAPI8, androidAPI9,
+# androidAPI10, androidAPI11, androidAPI12, androidAPI13,
+# androidAPI14, androidAPI15, androidAPI16, androidAPI17,
+# androidAPI18, androidAPI19, androidAPI20, androidAPI21,
+# androidAPI22, androidAPI23, androidAPI24, androidAPI25,
+# androidAPI26, androidAPI27, androidAPI28 }
 #
 # Languages
 # Java
@@ -17794,13 +17837,22 @@
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
 # - WC_JAVA.NULL.RET.UNCHECKED: Used by Call Might Return Null
 # (Java)
+# - WC_JAVA.DEBUG.CEDF: Used by Class Enables Debug Features (Java)
+# - WC_JAVA.DEBUG.CALL: Used by Debug Call (Java)
+# - WC_JAVA.DEBUG.LOG: Used by Debug Warning (Java)
 # - WC_JAVA.INSEC.DTP: Used by Deprecated Transfer Protocol (Java)
+# - WC_JAVA.DEBUG.ID: Used by Exception Information Disclosure
+# (Java)
 # - WC_JAVA.DEEPNULL.EFIELD: Used by Field Element may be null
 # (deep) (Java)
+# - WC_JAVA.STRUCT.URFIELD: Used by Field Never Read (Java)
+# - WC_JAVA.STRUCT.UWFIELD: Used by Field Never Written (Java)
 # - WC_JAVA.DEEPNULL.FIELD: Used by Field may be null (deep) (Java)
 # - WC_JAVA.CRYPTO.SALT: Used by Inadequate Salt (Java)
 # - WC_JAVA.NULL.PARAM.LAMBDA: Used by Lambda Parameter may be null
 # (Java)
+# - WC_JAVA.DEBUG.MEDF: Used by Method Enables Debug Features
+# (Java)
 # - WC_JAVA.NULL.RET.NONNULL: Used by Method Should Not Return null
 # (Java)
 # - WC_JAVA.NULL.PARAM.ACTUAL: Used by Null Parameter Dereference
@@ -17817,6 +17869,7 @@
 # (deep) (Java)
 # - WC_JAVA.STRUCT.UPED: Used by Unchecked Parameter Element
 # Dereference (deep) (Java)
+# - WC_JAVA.STRUCT.UUFIELD: Used by Unused Field (Java)
 # - WC_JAVA.CLASS.CLONE.SCNC: Used by clone Subclass of Non-
 # clonable (Java)
 # - WC_JAVA.DEEPNULL.PARAM.ACTUAL: Used by null Passed to Method
@@ -17906,7 +17959,7 @@
 # { net10, net11, net20, net30, net35, net40, net45, net451,
 # net452, net46, net461, net462, net47, net471, net472, net48,
 # netcoreapp1.0, netcoreapp1.1, netcoreapp2.0, netcoreapp2.1,
-# netcoreapp2.2, netcoreapp3.0, netcoreapp3.1, net5.0 }
+# netcoreapp2.2, netcoreapp3.0, netcoreapp3.1, net5.0, net6.0 }
 #
 # Languages
 # C#
@@ -19091,11 +19144,20 @@
 # - BUILD_BEHAVIOR: Governs the Build/Analysis
 # - WC_CSHARP.NULL.RET.UNCHECKED: Used by Call Might Return Null
 # (C#)
+# - WC_CSHARP.DEBUG.CEDF: Used by Class Enables Debug Features (C#)
+# - WC_CSHARP.DEBUG.CALL: Used by Debug Call (C#)
+# - WC_CSHARP.DEBUG.LOG: Used by Debug Warning (C#)
 # - WC_CSHARP.INSEC.DTP: Used by Deprecated Transfer Protocol (C#)
+# - WC_CSHARP.DEBUG.ID: Used by Exception Information Disclosure
+# (C#)
 # - WC_CSHARP.DEEPNULL.EFIELD: Used by Field Element may be null
 # (deep) (C#)
+# - WC_CSHARP.STRUCT.URFIELD: Used by Field Never Read (C#)
+# - WC_CSHARP.STRUCT.UWFIELD: Used by Field Never Written (C#)
 # - WC_CSHARP.DEEPNULL.FIELD: Used by Field may be null (deep) (C#)
 # - WC_CSHARP.CRYPTO.SALT: Used by Inadequate Salt (C#)
+# - WC_CSHARP.DEBUG.MEDF: Used by Method Enables Debug Features
+# (C#)
 # - WC_CSHARP.NULL.RET.NONNULL: Used by Method Should Not Return
 # null (C#)
 # - WC_CSHARP.NULL.PARAM.ACTUAL: Used by Null Parameter Dereference
@@ -19110,6 +19172,7 @@
 # (deep) (C#)
 # - WC_CSHARP.STRUCT.UPED: Used by Unchecked Parameter Element
 # Dereference (deep) (C#)
+# - WC_CSHARP.STRUCT.UUFIELD: Used by Unused Field (C#)
 # - WC_CSHARP.CLASS.CLONE.SCNC: Used by clone Subclass of Non-
 # clonable (C#)
 # - WC_CSHARP.DEEPNULL.PARAM.ACTUAL: Used by null Passed to Method
@@ -19221,7 +19284,7 @@
 # [http://www.boost.org/doc/libs/1_63_0/libs/regex/doc/html/boost_regex/syntax/basic_extended.html]
 #
 # Languages
-# C#
+# C/C++
 #
 # Behavior
 # These parameters are used to specify naming rules that
@@ -19363,6 +19426,7 @@
 #
 # Tags
 # - WARNING_THRESHOLD: Warning-Class-Specific Settings
+# - WC_LANG.CAST.OBJSLICE: Used by Object Slicing
 #
 # Type
 # { Yes, No }
@@ -19406,3 +19470,57 @@
 # names.
 #
 ## ALWAYS_EXPAND_FUNCTIONS +=
+
+# Parameter ERRNO_SETTING_FUNCTIONS
+#
+# Purpose
+# Specifies the set of functions that are guaranteed to set errno
+# when they encounter an error condition.
+#
+# Tags
+# - WC_LANG.ERRCODE.ITEST: Used by Inappropriate Test of Error Code
+# - WC_LANG.ERRCODE.NOTEST: Used by Missing Test of Error Code
+#
+# Type
+# string
+#
+# Languages
+# C/C++
+#
+# Behavior
+# Functions that are in this set are expected to set errno when
+# they encounter an error.
+#
+# - A Missing Test of Error Code warning is issued (if enabled)
+# when a call to one of these functions is succeeded by a test of
+# errno against zero.
+# - An Inappropriate Test of Error Code warning is issued (if
+# enabled) when the value of errno is tested and the last
+# function call was NOT to one of these functions.
+
+ERRNO_SETTING_FUNCTIONS += ftell
+ERRNO_SETTING_FUNCTIONS += fgetpos
+ERRNO_SETTING_FUNCTIONS += fsetpos
+ERRNO_SETTING_FUNCTIONS += fgetwc
+ERRNO_SETTING_FUNCTIONS += fputwc
+ERRNO_SETTING_FUNCTIONS += strtoimax
+ERRNO_SETTING_FUNCTIONS += strtoumax
+ERRNO_SETTING_FUNCTIONS += strtol
+ERRNO_SETTING_FUNCTIONS += strtoul
+ERRNO_SETTING_FUNCTIONS += strtoll
+ERRNO_SETTING_FUNCTIONS += strtoull
+ERRNO_SETTING_FUNCTIONS += strtof
+ERRNO_SETTING_FUNCTIONS += strtod
+ERRNO_SETTING_FUNCTIONS += strtold
+ERRNO_SETTING_FUNCTIONS += wcstoimax
+ERRNO_SETTING_FUNCTIONS += wcstoumax
+ERRNO_SETTING_FUNCTIONS += wcstol
+ERRNO_SETTING_FUNCTIONS += wcstoul
+ERRNO_SETTING_FUNCTIONS += wcstoll
+ERRNO_SETTING_FUNCTIONS += wcstoull
+ERRNO_SETTING_FUNCTIONS += wcstof
+ERRNO_SETTING_FUNCTIONS += wcstod
+ERRNO_SETTING_FUNCTIONS += wcstold
+ERRNO_SETTING_FUNCTIONS += wcrtomb
+ERRNO_SETTING_FUNCTIONS += wcsrtombs
+ERRNO_SETTING_FUNCTIONS += mbrtowc
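Review bot: The Behavior paragraph of the new ERRNO_SETTING_FUNCTIONS block reads as if a Missing Test of Error Code warning fires when a call to a listed function *is* followed by a test of errno against zero, which contradicts the warning's name and the Inappropriate Test bullet beneath it; presumably the intended wording is `# when a call to one of these functions is NOT succeeded by a test of` — confirm against the checker and fix the text. The Purpose sentence says these functions are `guaranteed to set errno` while Behavior says they are `expected to set errno`; the two should agree, since that distinction is exactly what separates the two warning classes this list feeds. If the list is intended to cover every function the C standard requires to set errno on failure, `mbsrtowcs` and `signal` appear to be absent; confirm whether that omission is deliberate and, if so, say so in Notes.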