From 4c6f4f6708cb7bd82def1212ce4532b29cf6d029 Mon Sep 17 00:00:00 2001 From: Roberto Martelloni Date: Tue, 23 Aug 2016 16:48:36 +0100 Subject: [PATCH] CWE mapping of functionConst, functionStatic, initializerList, badBitmaskCheck, knownConditionTrueFalse, invalidTestForOverflow, unhandledExceptionSpecification, coutCerrMisusage, invalidPrintfArgType_int --- lib/checkclass.cpp | 16 ++++++++-------- lib/checkcondition.cpp | 13 +++++++------ lib/checkexceptionsafety.h | 3 ++- lib/checkio.cpp | 4 ++-- 4 files changed, 19 insertions(+), 17 deletions(-) diff --git a/lib/checkclass.cpp b/lib/checkclass.cpp index b51394a9b..46219d230 100644 --- a/lib/checkclass.cpp +++ b/lib/checkclass.cpp @@ -35,11 +35,11 @@ namespace { CheckClass instance; } -static const CWE CWE398(398U); -static const CWE CWE404(404U); -static const CWE CWE665(665U); -static const CWE CWE758(758U); -static const CWE CWE762(762U); +static const CWE CWE398(398U); // Indicator of Poor Code Quality +static const CWE CWE404(404U); // Improper Resource Shutdown or Release +static const CWE CWE665(665U); // Improper Initialization +static const CWE CWE758(758U); // Reliance on Undefined, Unspecified, or Implementation-Defined Behavior +static const CWE CWE762(762U); // Mismatched Memory Management Routines static const char * getFunctionTypeName(Function::Type type) { @@ -2010,7 +2010,7 @@ void CheckClass::checkConstError2(const Token *tok1, const Token *tok2, const st "function. Making this function 'const' should not cause compiler errors. " "Even though the function can be made const function technically it may not make " "sense conceptually. Think about your design and the task of the function first - is " - "it a function that must not change object internal state?", CWE(0U), true); + "it a function that must not change object internal state?", CWE398, true); else reportError(toks, Severity::performance, "functionStatic", "Technically the member function '" + classname + "::" + funcname + "' can be static.\n" @@ -2018,7 +2018,7 @@ void CheckClass::checkConstError2(const Token *tok1, const Token *tok2, const st "function. Making a function static can bring a performance benefit since no 'this' instance is " "passed to the function. This change should not cause compiler errors but it does not " "necessarily make sense conceptually. Think about your design and the task of the function first - " - "is it a function that must not access members of class instances?", CWE(0U), true); + "is it a function that must not access members of class instances?", CWE398, true); } //--------------------------------------------------------------------------- @@ -2105,7 +2105,7 @@ void CheckClass::initializerListError(const Token *tok1, const Token *tok2, cons "Members are initialized in the order they are declared, not in the " "order they are in the initializer list. Keeping the initializer list " "in the same order that the members were declared prevents order dependent " - "initialization errors.", CWE(0U), true); + "initialization errors.", CWE398, true); } diff --git a/lib/checkcondition.cpp b/lib/checkcondition.cpp index 033ec51d4..0dc2382d1 100644 --- a/lib/checkcondition.cpp +++ b/lib/checkcondition.cpp @@ -29,9 +29,9 @@ #include // CWE ids used -static const struct CWE CWE398(398U); -static const struct CWE CWE570(570U); -static const struct CWE CWE571(571U); +static const struct CWE CWE398(398U); // Indicator of Poor Code Quality +static const struct CWE CWE570(570U); // Expression is Always False +static const struct CWE CWE571(571U); // Expression is Always True //--------------------------------------------------------------------------- @@ -272,7 +272,7 @@ void CheckCondition::checkBadBitmaskCheck() void CheckCondition::badBitmaskCheckError(const Token *tok) { - reportError(tok, Severity::warning, "badBitmaskCheck", "Result of operator '|' is always true if one operand is non-zero. Did you intend to use '&'?"); + reportError(tok, Severity::warning, "badBitmaskCheck", "Result of operator '|' is always true if one operand is non-zero. Did you intend to use '&'?", CWE571, false); } void CheckCondition::comparison() @@ -1023,7 +1023,8 @@ void CheckCondition::alwaysTrueFalseError(const Token *tok, bool knownResult) reportError(tok, Severity::style, "knownConditionTrueFalse", - "Condition '" + expr + "' is always " + (knownResult ? "true" : "false")); + "Condition '" + expr + "' is always " + (knownResult ? "true" : "false"), + (knownResult ? CWE571 : CWE570), false); } void CheckCondition::checkInvalidTestForOverflow() @@ -1087,5 +1088,5 @@ void CheckCondition::invalidTestForOverflow(const Token* tok, bool result) "'. Condition is always " + std::string(result ? "true" : "false") + " unless there is overflow, and overflow is UB."; - reportError(tok, Severity::warning, "invalidTestForOverflow", errmsg); + reportError(tok, Severity::warning, "invalidTestForOverflow", errmsg, (result ? CWE571 : CWE570), false); } diff --git a/lib/checkexceptionsafety.h b/lib/checkexceptionsafety.h index cda9e2ac9..05f0929da 100644 --- a/lib/checkexceptionsafety.h +++ b/lib/checkexceptionsafety.h @@ -27,6 +27,7 @@ // CWE ID used: static const struct CWE CWE398(398U); // Indicator of Poor Code Quality +static const struct CWE CWE703(703U); // Improper Check or Handling of Exceptional Conditions /// @addtogroup Checks @@ -124,7 +125,7 @@ private: reportError(locationList, Severity::style, "unhandledExceptionSpecification", "Unhandled exception specification when calling function " + str1 + "().\n" "Unhandled exception specification when calling function " + str1 + "(). " - "Either use a try/catch around the function call, or add a exception specification for " + funcname + "() also.", CWE(0U), true); + "Either use a try/catch around the function call, or add a exception specification for " + funcname + "() also.", CWE703, true); } /** Generate all possible errors (for --errorlist) */ diff --git a/lib/checkio.cpp b/lib/checkio.cpp index 368e2277f..f0321e4e1 100644 --- a/lib/checkio.cpp +++ b/lib/checkio.cpp @@ -69,7 +69,7 @@ void CheckIO::checkCoutCerrMisusage() void CheckIO::coutCerrMisusageError(const Token* tok, const std::string& streamName) { - reportError(tok, Severity::error, "coutCerrMisusage", "Invalid usage of output stream: '<< std::" + streamName + "'."); + reportError(tok, Severity::error, "coutCerrMisusage", "Invalid usage of output stream: '<< std::" + streamName + "'.", CWE398, false); } //--------------------------------------------------------------------------- @@ -1923,7 +1923,7 @@ void CheckIO::invalidPrintfArgTypeError_int(const Token* tok, unsigned int numFo errmsg << " but the argument type is "; argumentType(errmsg, argInfo); errmsg << "."; - reportError(tok, Severity::warning, "invalidPrintfArgType_int", errmsg.str()); + reportError(tok, Severity::warning, "invalidPrintfArgType_int", errmsg.str(), CWE686, false); } void CheckIO::invalidPrintfArgTypeError_uint(const Token* tok, unsigned int numFormat, const std::string& specifier, const ArgumentInfo* argInfo) {