Ignore "system::" to reduce false positives

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
This commit is contained in:
David A. Wheeler 2021-01-03 14:13:27 -05:00
parent f32f11f092
commit 48ebb4023e
3 changed files with 26 additions and 3 deletions

View File

@ -579,7 +579,6 @@ def extract_c_parameters(text, pos=0):
text[pos:pos + 200]) text[pos:pos + 200])
return [] # Treat unterminated list as an empty list return [] # Treat unterminated list as an empty list
# These patterns match gettext() and _() for internationalization. # These patterns match gettext() and _() for internationalization.
# This is compiled here, to avoid constant recomputation. # This is compiled here, to avoid constant recomputation.
# FIXME: assumes simple function call if it ends with ")", # FIXME: assumes simple function call if it ends with ")",
@ -851,6 +850,13 @@ def cpp_unsafe_stl(hit):
def normal(hit): def normal(hit):
add_warning(hit) add_warning(hit)
# Ignore "system" if it's "system::" (that is, a C++ namespace such as
# boost::system::...), because that produces too many false positives.
# We ignore spaces before "::"
def found_system(hit):
follow_text = hit.lookahead[len(hit.name):].lstrip()
if not follow_text.startswith('::'):
normal(hit)
# "c_ruleset": the rules for identifying "hits" in C (potential warnings). # "c_ruleset": the rules for identifying "hits" in C (potential warnings).
# It's a dictionary, where the key is the function name causing the hit, # It's a dictionary, where the key is the function name causing the hit,
@ -1150,13 +1156,21 @@ c_ruleset = {
"tmpfile", "avoid-race", {}), "tmpfile", "avoid-race", {}),
# TODO: Need to detect varying levels of danger. # TODO: Need to detect varying levels of danger.
"execl|execlp|execle|execv|execvp|system|popen|WinExec|ShellExecute": "execl|execlp|execle|execv|execvp|popen|WinExec|ShellExecute":
(normal, 4, (normal, 4,
"This causes a new program to execute and is difficult to use safely (CWE-78)", "This causes a new program to execute and is difficult to use safely (CWE-78)",
"try using a library call that implements the same functionality " "try using a library call that implements the same functionality "
"if available", "if available",
"shell", "", {}), "shell", "", {}),
# TODO: Need to detect varying levels of danger.
"system":
(found_system, 4,
"This causes a new program to execute and is difficult to use safely (CWE-78)",
"try using a library call that implements the same functionality "
"if available",
"shell", "", {'extract_lookahead': 1}),
# TODO: Be more specific. The biggest problem involves "first" param NULL, # TODO: Be more specific. The biggest problem involves "first" param NULL,
# second param with embedded space. Windows. # second param with embedded space. Windows.
"CreateProcessAsUser|CreateProcessWithLogon": "CreateProcessAsUser|CreateProcessWithLogon":

View File

@ -75,12 +75,17 @@ test_009: $(FLAWFINDER) test-cpp-digit-separator.cpp
| grep 'File ended while in string.' \ | grep 'File ended while in string.' \
> /dev/null > /dev/null
test_010: $(FLAWFINDER) test-boost-system.hpp
@echo 'test_010 (system:: ignored)'
@$(PYTHON) $(FLAWFINDER) --error-level 2 test-boost-system.hpp \
> /dev/null
# Run all tests on *one* version of Python; # Run all tests on *one* version of Python;
# output shows differences from expected results. # output shows differences from expected results.
# If everything works as expected, it just prints test numbers. # If everything works as expected, it just prints test numbers.
# Set PYTHON as needed, including to "" # Set PYTHON as needed, including to ""
test: test_001 test_002 test_003 test_004 test_005 test_006 test_007 test_008 \ test: test_001 test_002 test_003 test_004 test_005 test_006 test_007 test_008 \
test_009 test_009 test_010
@echo 'All tests pass!' @echo 'All tests pass!'
# Usual check routine. Run all tests using *both* python2 and python3. # Usual check routine. Run all tests using *both* python2 and python3.

View File

@ -0,0 +1,4 @@
// Ensure reference to boost::system is ignored
void HandleWrite(const boost::system::error_code &error);