Add test for saving/loading hitlist, add Python3 fixes for it

Test the saving and loading of hitlists. This detected a Python3 problem, which was easily corrected by saving and loading in binary "b" format instead of text format. Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
2017-08-26 16:15:17 -04:00 · 2017-08-26 16:15:17 -04:00 · 339763c644
parent b2556b7348
commit 339763c644
4 changed files with 25 additions and 4 deletions
--- a/correct-results-005.txt
+++ b/correct-results-005.txt
@ -0,0 +1 @@
+test-patched.c:13:2:  [4] (buffer) strcpy:Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120).  Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). 
--- a/correct-results-006.txt
+++ b/correct-results-006.txt
@ -0,0 +1,7 @@
+test.c:32:2:  [5] (buffer) gets:Does not check for buffer overflows (CWE-120, CWE-20).  Use fgets() instead. 
+test.c:56:3:  [5] (buffer) strncat:Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) [MS-banned] (CWE-120).  Consider strcat_s, strlcat, snprintf, or automatically resizing strings. Risk is high; the length parameter appears to be a constant, instead of computing the number of characters left.
+test.c:57:3:  [5] (buffer) _tcsncat:Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) [MS-banned] (CWE-120).  Consider strcat_s, strlcat, or automatically resizing strings. Risk is high; the length parameter appears to be a constant, instead of computing the number of characters left.
+test.c:60:3:  [5] (buffer) MultiByteToWideChar:Requires maximum length in CHARACTERS, not bytes (CWE-120).  Risk is high, it appears that the size is given as bytes, but the function requires size as characters.
+test.c:62:3:  [5] (buffer) MultiByteToWideChar:Requires maximum length in CHARACTERS, not bytes (CWE-120).  Risk is high, it appears that the size is given as bytes, but the function requires size as characters.
+test.c:73:3:  [5] (misc) SetSecurityDescriptorDacl:Never create NULL ACLs; an attacker can set it to Everyone (Deny All Access), which would even forbid administrator access (CWE-732).  
+test.c:73:3:  [5] (misc) SetSecurityDescriptorDacl:Never create NULL ACLs; an attacker can set it to Everyone (Deny All Access), which would even forbid administrator access (CWE-732).  
--- a/8
+++ b/8
@ -1973,10 +1973,12 @@ def process_options():


 def process_files():
+    """Process input (files or hitlist); return True if okay."""
    global hitlist
    if loadhitlist:
-        f = open(loadhitlist)
+        f = open(loadhitlist, "rb")
        hitlist = pickle.load(f)
+        return True
    else:
        patch_infos = None
        if patch_file != "":
@ -1986,7 +1988,7 @@ def process_files():
            print("*** No input files")
            return None
        process_file_args(files, patch_infos)
-        return 1
+        return True

 def hitlist_sort_key(hit):
    """Sort key for hitlist."""
@ -2140,7 +2142,7 @@ def save_if_desired():
    if savehitlist:
        if not quiet:
            print("Saving hitlist to", savehitlist)
-        f = open(savehitlist, "w")
+        f = open(savehitlist, "wb")
        pickle.dump(hitlist, f)
        f.close()

--- a/13
+++ b/13
@ -157,10 +157,20 @@ test_005: flawfinder test-diff-0005.patch test-patched.c
 	  test-patched.c > test-results-005.txt
 	@diff -u correct-results-005.txt test-results-005.txt

+test_006: flawfinder test.c
+	@echo 'test_006 (save/load hitlist)'
+	@$(PYTHON) ./flawfinder -m 5 -S -DC --quiet \
+	  --savehitlist test-saved-hitlist-006.txt \
+	  test.c > test-junk-006.txt
+	@$(PYTHON) ./flawfinder -SQDC \
+	  --loadhitlist test-saved-hitlist-006.txt > \
+	  test-results-006.txt
+	@diff -u correct-results-006.txt test-results-006.txt
+
 # Run all tests; output shows differences from expected results.
 # If everything works as expected, it just prints test numbers.
 # Set PYTHON as needed, including to ""
-test: test_001 test_002 test_003 test_004 test_005
+test: test_001 test_002 test_003 test_004 test_005 test_006
 	@echo 'All tests pass!'

 check: test
@ -172,6 +182,7 @@ test-is-correct: test-results.txt
 	mv test-results.csv correct-results.csv
 	mv test-results-004.txt correct-results-004.txt
 	mv test-results-005.txt correct-results-005.txt
+	mv test-results-006.txt correct-results-006.txt

 profile:
 	/usr/lib/python1.5/profile.py ./flawfinder > profile-results $(SAMPLE_DIR)/*/*.[ch] > profile-results
				`@ -0,0 +1 @@`
				`test-patched.c:13:2: [4] (buffer) strcpy:Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused).`