# This file was generated from template 'codesonar/presets/disa_4r3.conf.in'
#
# enables warning classes related to the DISA Application Security and
# Development STIG Version 4, Release 3 (April 28, 2017)
#
# This part of this file was generated from 'cso_wcmanifest.py'
#
# NOTE(review): generated output -- make changes in the template / manifest
# named above rather than here, or they will be lost on regeneration.
#
# Layout: every warning class is preceded by the STIG rule id(s)
# ("DISA-4r3:V-NNNNN") the generator maps it to, followed by one
#   WARNING_FILTER += allow class="<warning class>"
# line that adds an allow rule for that class to the warning filter.
# Where a class is already on by default for some languages the generator
# says so and warns that commenting out the allow line may not disable it;
# classes without such a note are presumably off until this preset enables
# them -- confirm against the CodeSonar warning-class documentation.
# Classes suffixed "(C#)" / "(Java)" are language-specific; enabling them for
# a language that is not analyzed presumably has no effect.
#
# At least one of the classes enabled by this preset requires unnormalized C ASTs
RETAIN_UNNORMALIZED_C_AST = Yes
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Addition Overflow of Allocation Size"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Addition Overflow of Size"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Buffer Overrun"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Buffer Underrun"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Cast Alters Value"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Coercion Alters Value"
# DISA-4r3:V-70261: The application must protect from command injection.
# DISA-4r3:V-70265: The application must validate all input.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Command Injection"
# DISA-4r3:V-70261: The application must protect from command injection.
# This check is enabled by default for the language(s) C#
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Command Injection (C#)"
# DISA-4r3:V-70261: The application must protect from command injection.
# This check is enabled by default for the language(s) Java, Kotlin
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Command Injection (Java)"
# DISA-4r3:V-70257: The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
# This check is enabled by default for the language(s) C#
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Cross Site Scripting (C#)"
# DISA-4r3:V-70257: The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
# This check is enabled by default for the language(s) Java
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Cross Site Scripting (Java)"
# DISA-4r3:V-70257: The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
# This check is enabled by default for the language(s) C#
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Cross Site Scripting In Error Message Web Page (C#)"
# DISA-4r3:V-70257: The application must protect from Cross-Site Scripting (XSS) vulnerabilities.
# This check is enabled by default for the language(s) Java
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Cross Site Scripting In Error Message Web Page (Java)"
# DISA-4r3:V-70185: The application must not be vulnerable to race conditions.
WARNING_FILTER += allow class="Data Race"
# DISA-4r3:V-69259: The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
WARNING_FILTER += allow class="Default Initialization of Random Number Generator"
# DISA-4r3:V-69259: The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
WARNING_FILTER += allow class="Default Seed in PRNG"
# DISA-4r3:V-69257: The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
# DISA-4r3:V-69259: The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
# DISA-4r3:V-70229: The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
# DISA-4r3:V-70245: The application must protect the confidentiality and integrity of transmitted information.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Encryption without Padding"
# DISA-4r3:V-70185: The application must not be vulnerable to race conditions.
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="File System Race Condition"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Format String"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Format String Injection"
# DISA-4r3:V-70363: The application must not contain embedded authentication data.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Hardcoded Authentication"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# NOTE(review): the generator maps this class to the overflow rule; the class
# name reads as a hardcoded-configuration concern rather than an overflow one.
# Confirm the mapping in cso_wcmanifest.py before relying on it for evidence.
WARNING_FILTER += allow class="Hardcoded DNS Name"
# DISA-4r3:V-70391: The application must not be subject to error handling vulnerabilities.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Ignored Return Value"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Inappropriate Character Arithmetic"
# DISA-4r3:V-70269: The application must not be vulnerable to XML-oriented attacks.
# This check is enabled by default for the language(s) C#
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Insecure XSLT Execution (C#)"
# DISA-4r3:V-70269: The application must not be vulnerable to XML-oriented attacks.
# This check is enabled by default for the language(s) Java
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Insecure XSLT Execution (Java)"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Integer Overflow of Allocation Size"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="LDAP Injection"
# DISA-4r3:V-70261: The application must protect from command injection.
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Library Injection"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Multiplication Overflow of Allocation Size"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Multiplication Overflow of Size"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="No Space For Null Terminator"
# DISA-4r3:V-69567: The application must only store cryptographic representations of passwords.
# DISA-4r3:V-69569: The application must transmit only cryptographically-protected passwords.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Plaintext Storage of Password"
# DISA-4r3:V-69567: The application must only store cryptographic representations of passwords.
# DISA-4r3:V-69569: The application must transmit only cryptographically-protected passwords.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Plaintext Transmission of Password"
# DISA-4r3:V-70269: The application must not be vulnerable to XML-oriented attacks.
# This check is enabled by default for the language(s) C#
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Possible XML External Entity Reference (C#)"
# DISA-4r3:V-70269: The application must not be vulnerable to XML-oriented attacks.
# This check is enabled by default for the language(s) Java, Kotlin
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Possible XML External Entity Reference (Java)"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Risky Integer Promotion"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70267: The application must not be vulnerable to SQL Injection.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="SQL Injection"
# DISA-4r3:V-70267: The application must not be vulnerable to SQL Injection.
# This check is enabled by default for the language(s) C#
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="SQL Injection (C#)"
# DISA-4r3:V-70267: The application must not be vulnerable to SQL Injection.
# This check is enabled by default for the language(s) Java, Kotlin
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="SQL Injection (Java)"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Subtraction Underflow of Allocation Size"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Subtraction Underflow of Size"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
WARNING_FILTER += allow class="Tainted Allocation Size"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Tainted Buffer Access"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
WARNING_FILTER += allow class="Tainted Configuration Setting"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Tainted Filename"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
WARNING_FILTER += allow class="Tainted Network Address"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
WARNING_FILTER += allow class="Tainted Write"
# DISA-4r3:V-70269: The application must not be vulnerable to XML-oriented attacks.
# This check is enabled by default for the language(s) C#
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Tainted XML (C#)"
# DISA-4r3:V-70269: The application must not be vulnerable to XML-oriented attacks.
# This check is enabled by default for the language(s) Java, Kotlin
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Tainted XML (Java)"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Unreasonable Size Argument"
# DISA-4r3:V-70261: The application must protect from command injection.
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
WARNING_FILTER += allow class="Untrusted Library Load"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
WARNING_FILTER += allow class="Untrusted Network Host"
# DISA-4r3:V-70265: The application must validate all input.
# DISA-4r3:V-70271: The application must not be subject to input handling vulnerabilities.
WARNING_FILTER += allow class="Untrusted Network Port"
# DISA-4r3:V-70261: The application must protect from command injection.
# DISA-4r3:V-70265: The application must validate all input.
WARNING_FILTER += allow class="Untrusted Process Creation"
# The remaining "Use of <function>" classes presumably report each call site of
# the named library function regardless of how it is used; expect a higher
# warning volume from them than from the flow-sensitive classes above, and
# plan triage accordingly.
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of OemToAnsi"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of OemToChar"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of StrCatChainW"
# DISA-4r3:V-69259: The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
# DISA-4r3:V-70191: The application must utilize FIPS-validated cryptographic modules when signing application components.
# DISA-4r3:V-70193: The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
# DISA-4r3:V-70195: The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
# DISA-4r3:V-70217: The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
# DISA-4r3:V-70229: The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Use of crypt"
# DISA-4r3:V-70261: The application must protect from command injection.
WARNING_FILTER += allow class="Use of execlp"
# DISA-4r3:V-70261: The application must protect from command injection.
WARNING_FILTER += allow class="Use of execvp"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of getopt"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of getpass"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
# This check is enabled by default for the language(s) C, C++, x86, x86_64
# It may remain in effect even if the following line is commented out.
WARNING_FILTER += allow class="Use of gets"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of getwd"
# DISA-4r3:V-70261: The application must protect from command injection.
WARNING_FILTER += allow class="Use of popen"
# DISA-4r3:V-69259: The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
# DISA-4r3:V-70191: The application must utilize FIPS-validated cryptographic modules when signing application components.
# DISA-4r3:V-70193: The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
# DISA-4r3:V-70195: The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
# DISA-4r3:V-70217: The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
WARNING_FILTER += allow class="Use of rand"
# DISA-4r3:V-69259: The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
# DISA-4r3:V-70191: The application must utilize FIPS-validated cryptographic modules when signing application components.
# DISA-4r3:V-70193: The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
# DISA-4r3:V-70195: The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
# DISA-4r3:V-70217: The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
WARNING_FILTER += allow class="Use of rand48 Function"
# DISA-4r3:V-69259: The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
# DISA-4r3:V-70191: The application must utilize FIPS-validated cryptographic modules when signing application components.
# DISA-4r3:V-70193: The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
# DISA-4r3:V-70195: The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
# DISA-4r3:V-70217: The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
WARNING_FILTER += allow class="Use of random"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of realpath"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of recvmsg"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strcat"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strchr"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strcmp"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strcoll"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strcpy"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strcspn"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strlen"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strpbrk"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strrchr"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strspn"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strstr"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strtok"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of strtrns"
# DISA-4r3:V-70277: The application must not be vulnerable to overflow attacks.
WARNING_FILTER += allow class="Use of syslog"
# DISA-4r3:V-70261: The application must protect from command injection.
WARNING_FILTER += allow class="Use of system"
# DISA-4r3:V-69259: The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
# DISA-4r3:V-70191: The application must utilize FIPS-validated cryptographic modules when signing application components.
# DISA-4r3:V-70193: The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes.
# DISA-4r3:V-70195: The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection.
# DISA-4r3:V-70217: The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
# DISA-4r3:V-70229: The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
WARNING_FILTER += allow class="Weak Cryptography"