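	def readExistingFlawFile(self, root):
		"""Collect the issues of an already parsed flaw file, grouped per source file.

		Every ``<file>`` element under ``root`` becomes one ``IssueComparison``
		holding the ``<issue>`` elements below it; each issue is also registered
		with ``self.securityModel``. Parsing the XML is the caller's job, so any
		hardening of the parser (for flaw files that do not come from the project
		itself) belongs there, not here.

		Args:
			root: root of the parsed tree; needs ``iter(tag)`` yielding elements
				with ``get(attr)`` (e.g. an ``xml.etree`` element). Each ``<file>``
				must carry a ``path`` attribute; ``<issue>`` elements supply
				``type``, ``startLine`` and optionally ``endLine``.

		Returns:
			dict mapping the lower-cased base name of each file's ``path`` to its
			``IssueComparison``. Two ``<file>`` elements with the same lower-cased
			base name overwrite each other; the last one wins.

		Raises:
			TypeError: propagated from ``os.path.basename`` when a ``<file>``
				element has no ``path`` attribute.
		"""
		flawMap = {}
		for fileElem in root.iter("file"):
			# Keyed by lower-cased base name, so lookups ignore directory and case.
			fileName = os.path.basename(fileElem.get("path")).lower()
			issueList = []
			for issueElem in fileElem.iter("issue"):
				newIssue = Issue(fileName, issueElem.get("type"), issueElem.get("startLine"))
				if issueElem.get("endLine") is not None:
					# startLine is re-assigned together with endLine as in the
					# original; whether Issue() already stores it is not visible here.
					newIssue.endLine = issueElem.get("endLine")
					newIssue.startLine = issueElem.get("startLine")
				issueList.append(newIssue)
				self.securityModel.appendExistingIssue(newIssue)
			comparison = IssueComparison(fileName)
			comparison.addExistingIssues(issueList)
			flawMap[fileName] = comparison
		return flawMap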
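	def readExistingFlawFile(self, root):
		"""Collect the issues of an already parsed flaw file, grouped per source file.

		Every ``<file>`` element under ``root`` becomes one ``IssueComparison``
		holding the ``<issue>`` elements below it; each issue is also registered
		with ``self.securityModel``. Parsing the XML is the caller's job, so any
		hardening of the parser (for flaw files that do not come from the project
		itself) belongs there, not here.

		Args:
			root: root of the parsed tree; needs ``iter(tag)`` yielding elements
				with ``get(attr)`` (e.g. an ``xml.etree`` element). Each ``<file>``
				must carry a ``path`` attribute; ``<issue>`` elements supply
				``type``, ``startLine`` and optionally ``endLine``.

		Returns:
			dict mapping the lower-cased base name of each file's ``path`` to its
			``IssueComparison``. Two ``<file>`` elements with the same lower-cased
			base name overwrite each other; the last one wins.

		Raises:
			TypeError: propagated from ``os.path.basename`` when a ``<file>``
				element has no ``path`` attribute.
		"""
		flawMap = {}
		for fileElem in root.iter("file"):
			# Keyed by lower-cased base name, so lookups ignore directory and case.
			fileName = os.path.basename(fileElem.get("path")).lower()
			issueList = []
			for issueElem in fileElem.iter("issue"):
				newIssue = Issue(fileName, issueElem.get("type"), issueElem.get("startLine"))
				if issueElem.get("endLine") is not None:
					# startLine is re-assigned together with endLine as in the
					# original; whether Issue() already stores it is not visible here.
					newIssue.endLine = issueElem.get("endLine")
					newIssue.startLine = issueElem.get("startLine")
				issueList.append(newIssue)
				self.securityModel.appendExistingIssue(newIssue)
			comparison = IssueComparison(fileName)
			comparison.addExistingIssues(issueList)
			flawMap[fileName] = comparison
		return flawMap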
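    def collectFlaws(self, filePath, samateIssueMap, categoryList):
        """Scan one test-case source file for its flawed ("bad") functions.

        The file is read line by line. In a regular file a line that matches the
        bad-function signature pattern and contains no ``;`` (a definition, not a
        call or prototype) opens a candidate issue; braces are counted until the
        body closes, which sets the issue's ``endLine``. A file whose path contains
        ``_bad`` is treated as a single issue spanning the whole file. While inside
        a bad function (or anywhere in a ``_bad`` file) each line is also compared
        against the documented issues from ``samateIssueMap``; when any of those
        match they replace the signature-derived issues in the result.

        Args:
            filePath: path of the source file to read (opened with the default
                locale encoding). Its base name selects the ``samateIssueMap``
                entry, and the part before the first ``_`` becomes the CWE entry
                of every ``Issue`` created here.
            samateIssueMap: mapping from base file name to an iterable of objects
                exposing ``lineNumber`` (int-convertible) and ``errorLine`` (the
                stripped text expected on the flawed line).
            categoryList: strings searched for in every in-scope line; the hits
                are only used to decide whether ``filePath`` is printed
                (deprecated category bookkeeping, see the inline comment).

        Returns:
            list of ``Issue`` objects, or ``None`` when nothing was found or when
            a regular file has no primary ``bad(...)`` function.

        Raises:
            OSError: if ``filePath`` cannot be opened.
            ValueError: if a documented ``lineNumber`` is not int-convertible.
        """
        foundCategory = []
        lineNumber = 1
        badFunctionFound = False

        # Bad-function signatures as defined in the test-suite documentation,
        # slightly adapted. Raw strings so the regex escapes are not mistaken for
        # (invalid) string escapes.
        primaryBadFunction = r"(CWE.*_)?bad\(.*\).*$"
        if ".java" in filePath:
            badFunctionPattern = r"((.*bad\(.*\))|((bad_.*)\(.*\))|((helper_bad.*)\(.*\))|((_bad.*)\(.*\))).*$"
        else:
            badFunctionPattern = r"(((CWE.*_)?bad\(\).*)|((bad_.*)\(.*\))|((helper_bad.*)\(.*\))).*$"

        # A "_bad" file is one flawed unit as a whole: its issue spans the file.
        badClassFile = "_bad" in filePath
        startLine = 1 if badClassFile else -1

        fileName = os.path.basename(filePath)
        cweEntry = fileName.split("_")[0]

        issueList = []
        hasPrimaryBadFunction = False
        isInComment = False
        isBlank = False

        # The documented issues for this file carry the authoritative line
        # numbers; None when the file has no entry.
        samateIssue = samateIssueMap.get(fileName)

        samateIssueList = []
        alreadyProcessedErrorLines = []

        # NOTE(review): default (locale) encoding; pin encoding= if the corpus
        # contains non-ASCII text and the tool runs under a non-UTF-8 locale.
        with open(filePath) as sourceFile:
            for line in sourceFile:
                trimedLine = line.strip()

                # Track /* ... */ state by delimiter presence on the stripped line
                # (skipped for _bad files, where the state is never read).
                commentStart = trimedLine.find('/*')
                commentEnd = trimedLine.find('*/')
                if not badClassFile and commentStart >= 0:
                    isInComment = True
                if not badClassFile and commentEnd >= 0:
                    isInComment = False

                # A match counts only if it does not lie between the comment
                # delimiters found on this same line.
                match = re.search(badFunctionPattern, trimedLine)
                correctMatch = match is not None and (
                    (commentStart == -1 and commentEnd == -1)
                    or not (commentStart <= match.start() <= commentEnd)
                )

                if (not badClassFile and correctMatch and ";" not in trimedLine
                        and not isInComment):
                    badFunctionFound = True
                    openBracketCount = 0
                    if re.search(primaryBadFunction, trimedLine) is not None:
                        hasPrimaryBadFunction = True

                    # NOTE(review): isBlank is still True here when this signature
                    # directly follows a closed bad function with only blank or
                    # "/*" lines in between; the previous Issue is then reused and
                    # appended a second time with a new endLine. Kept as-is since
                    # it is unclear whether that is intended.
                    if not isBlank:
                        issue = Issue(filePath, cweEntry, -1)
                        issue.startLine = lineNumber

                # isBlank stays set only across blank / comment-opening lines
                # after a function has closed.
                isBlank = isBlank and (len(trimedLine) == 0 or trimedLine.startswith('/*'))

                if badFunctionFound:
                    isCommentLine = trimedLine.startswith(('/*', '*'))
                    if '{' in trimedLine and not isCommentLine:
                        openBracketCount += 1
                    if '}' in trimedLine and not isCommentLine:
                        openBracketCount -= 1
                        if openBracketCount == 0:
                            # Function body closed: the candidate issue is complete.
                            badFunctionFound = False
                            issue.endLine = lineNumber
                            issueList.append(issue)
                            isBlank = True

                # For now only the full bad function (or a whole _bad file) is
                # searched for documented flaws (AW20130412).
                shouldSearchForIssues = badFunctionFound or badClassFile

                if shouldSearchForIssues:
                    # Deprecated category bookkeeping, kept for testing only:
                    # record the text between "/*" and ":" of a line mentioning a
                    # category. (Without "/*" the slice starts at index 1, without
                    # ":" it ends one character early - unchanged quirk.)
                    if any(cat in line for cat in categoryList):
                        startIdx = line.find('/*')
                        endIdx = line.find(':')
                        foundCategory.append(line[startIdx + 2:endIdx].strip())

                    # Prefer the documented flaw line numbers (AW20130525). The
                    # files do not match 100%, so the documented error line text
                    # is compared with the current line and accepted only within
                    # CONST_ERROR_AREA lines of the documented number (AW20130529);
                    # each documented line is used at most once.
                    if samateIssue is not None and len(samateIssue) > 0:
                        for sIssue in samateIssue:
                            sIssueLineNumber = int(sIssue.lineNumber)
                            if (trimedLine == sIssue.errorLine
                                    and sIssue.errorLine not in alreadyProcessedErrorLines
                                    and sIssueLineNumber - self.CONST_ERROR_AREA
                                    <= lineNumber
                                    <= sIssueLineNumber + self.CONST_ERROR_AREA):
                                samateIssueList.append(Issue(filePath, cweEntry, lineNumber))
                                alreadyProcessedErrorLines.append(sIssue.errorLine)
                lineNumber += 1

        if badClassFile:
            # lineNumber is one past the last line here, so endLine is the line
            # count + 1 (unchanged from the original behaviour).
            issue = Issue(filePath, cweEntry, -1)
            issue.startLine = startLine
            issue.endLine = lineNumber
            issueList.append(issue)

        # Documented issues take precedence over signature-derived ones.
        if len(samateIssueList) > 0:
            issueList = samateIssueList

        # Only report files that actually contain a primary bad function
        # (AW20130412); _bad files always qualify.
        if len(issueList) == 0 or (not badClassFile and not hasPrimaryBadFunction):
            return None
        # Files without a recognised category comment are printed, presumably
        # for manual inspection.
        if len(foundCategory) <= 0:
            print(filePath)
        return issueList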
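	def collectFlaws(self, filePath, samateIssueMap, categoryList):
		"""Scan one test-case source file for its flawed ("bad") functions.

		The file is read line by line. In a regular file a line that matches the
		bad-function signature pattern and contains no ``;`` (a definition, not a
		call or prototype) opens a candidate issue; braces are counted until the
		body closes, which sets the issue's ``endLine``. A file whose path contains
		``_bad`` is treated as a single issue spanning the whole file. While inside
		a bad function (or anywhere in a ``_bad`` file) each line is also compared
		against the documented issues from ``samateIssueMap``; when any of those
		match they replace the signature-derived issues in the result.

		Args:
			filePath: path of the source file to read (opened with the default
				locale encoding). Its base name selects the ``samateIssueMap``
				entry, and the part before the first ``_`` becomes the CWE entry
				of every ``Issue`` created here.
			samateIssueMap: mapping from base file name to an iterable of objects
				exposing ``lineNumber`` (int-convertible) and ``errorLine`` (the
				stripped text expected on the flawed line).
			categoryList: strings searched for in every in-scope line; the hits
				are only used to decide whether ``filePath`` is printed
				(deprecated category bookkeeping, see the inline comment).

		Returns:
			list of ``Issue`` objects, or ``None`` when nothing was found or when
			a regular file has no primary ``bad(...)`` function.

		Raises:
			OSError: if ``filePath`` cannot be opened.
			ValueError: if a documented ``lineNumber`` is not int-convertible.
		"""
		foundCategory = []
		lineNumber = 1
		badFunctionFound = False

		# Bad-function signatures as defined in the test-suite documentation,
		# slightly adapted. Raw strings so the regex escapes are not mistaken for
		# (invalid) string escapes.
		primaryBadFunction = r"(CWE.*_)?bad\(.*\).*$"
		if ".java" in filePath:
			badFunctionPattern = r"((.*bad\(.*\))|((bad_.*)\(.*\))|((helper_bad.*)\(.*\))|((_bad.*)\(.*\))).*$"
		else:
			badFunctionPattern = r"(((CWE.*_)?bad\(\).*)|((bad_.*)\(.*\))|((helper_bad.*)\(.*\))).*$"

		# A "_bad" file is one flawed unit as a whole: its issue spans the file.
		badClassFile = "_bad" in filePath
		startLine = 1 if badClassFile else -1

		fileName = os.path.basename(filePath)
		cweEntry = fileName.split("_")[0]

		issueList = []
		hasPrimaryBadFunction = False
		isInComment = False
		isBlank = False

		# The documented issues for this file carry the authoritative line
		# numbers; None when the file has no entry.
		samateIssue = samateIssueMap.get(fileName)

		samateIssueList = []
		alreadyProcessedErrorLines = []

		# NOTE(review): default (locale) encoding; pin encoding= if the corpus
		# contains non-ASCII text and the tool runs under a non-UTF-8 locale.
		with open(filePath) as sourceFile:
			for line in sourceFile:
				trimedLine = line.strip()

				# Track /* ... */ state by delimiter presence on the stripped line
				# (skipped for _bad files, where the state is never read).
				commentStart = trimedLine.find('/*')
				commentEnd = trimedLine.find('*/')
				if not badClassFile and commentStart >= 0:
					isInComment = True
				if not badClassFile and commentEnd >= 0:
					isInComment = False

				# A match counts only if it does not lie between the comment
				# delimiters found on this same line.
				match = re.search(badFunctionPattern, trimedLine)
				correctMatch = match is not None and (
					(commentStart == -1 and commentEnd == -1)
					or not (commentStart <= match.start() <= commentEnd)
				)

				if (not badClassFile and correctMatch and ";" not in trimedLine
						and not isInComment):
					badFunctionFound = True
					openBracketCount = 0
					if re.search(primaryBadFunction, trimedLine) is not None:
						hasPrimaryBadFunction = True

					# NOTE(review): isBlank is still True here when this signature
					# directly follows a closed bad function with only blank or
					# "/*" lines in between; the previous Issue is then reused and
					# appended a second time with a new endLine. Kept as-is since
					# it is unclear whether that is intended.
					if not isBlank:
						issue = Issue(filePath, cweEntry, -1)
						issue.startLine = lineNumber

				# isBlank stays set only across blank / comment-opening lines
				# after a function has closed.
				isBlank = isBlank and (len(trimedLine) == 0 or trimedLine.startswith('/*'))

				if badFunctionFound:
					isCommentLine = trimedLine.startswith(('/*', '*'))
					if '{' in trimedLine and not isCommentLine:
						openBracketCount += 1
					if '}' in trimedLine and not isCommentLine:
						openBracketCount -= 1
						if openBracketCount == 0:
							# Function body closed: the candidate issue is complete.
							badFunctionFound = False
							issue.endLine = lineNumber
							issueList.append(issue)
							isBlank = True

				# For now only the full bad function (or a whole _bad file) is
				# searched for documented flaws (AW20130412).
				shouldSearchForIssues = badFunctionFound or badClassFile

				if shouldSearchForIssues:
					# Deprecated category bookkeeping, kept for testing only:
					# record the text between "/*" and ":" of a line mentioning a
					# category. (Without "/*" the slice starts at index 1, without
					# ":" it ends one character early - unchanged quirk.)
					if any(cat in line for cat in categoryList):
						startIdx = line.find('/*')
						endIdx = line.find(':')
						foundCategory.append(line[startIdx + 2:endIdx].strip())

					# Prefer the documented flaw line numbers (AW20130525). The
					# files do not match 100%, so the documented error line text
					# is compared with the current line and accepted only within
					# CONST_ERROR_AREA lines of the documented number (AW20130529);
					# each documented line is used at most once.
					if samateIssue is not None and len(samateIssue) > 0:
						for sIssue in samateIssue:
							sIssueLineNumber = int(sIssue.lineNumber)
							if (trimedLine == sIssue.errorLine
									and sIssue.errorLine not in alreadyProcessedErrorLines
									and sIssueLineNumber - self.CONST_ERROR_AREA
									<= lineNumber
									<= sIssueLineNumber + self.CONST_ERROR_AREA):
								samateIssueList.append(Issue(filePath, cweEntry, lineNumber))
								alreadyProcessedErrorLines.append(sIssue.errorLine)
				lineNumber += 1

		if badClassFile:
			# lineNumber is one past the last line here, so endLine is the line
			# count + 1 (unchanged from the original behaviour).
			issue = Issue(filePath, cweEntry, -1)
			issue.startLine = startLine
			issue.endLine = lineNumber
			issueList.append(issue)

		# Documented issues take precedence over signature-derived ones.
		if len(samateIssueList) > 0:
			issueList = samateIssueList

		# Only report files that actually contain a primary bad function
		# (AW20130412); _bad files always qualify.
		if len(issueList) == 0 or (not badClassFile and not hasPrimaryBadFunction):
			return None
		# Files without a recognised category comment are printed, presumably
		# for manual inspection.
		if len(foundCategory) <= 0:
			print(filePath)
		return issueList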