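def scan_file_CWE_483(application, pfile, fileType):
    """Scan one source file for CWE-483 (Incorrect Block Delimitation).

    Provenance (from the original header):
        Author : MGE
        last modification date: 24/3/2017
        Languages : C/C++/C#
        Property : CWEforFDA_CustomMetrics_C_CPP.CWE483violationCPP - CatID=2002000 PropID=2002013 SubID=2002263 QRID=2002598
                   CWEforFDA_CustomMetrics_CSharp.CWE483violationCSharp - CatID=2003000 PropID=2003013 SubID=2003263 QRID=2003576

    Every line of ``pfile`` that is not inside a ``//`` or ``/* ... */``
    comment is matched against a regular expression looking for an
    ``if (...)`` or ``else`` whose single statement is not wrapped in
    ``{ ... }``.  Each match is saved as a violation on the most specific
    object containing the line; objects that refuse the violation are
    counted separately as "not allowed".

    Args:
        application: analysis context; not referenced by this scanner (kept
            for the uniform ``scan_file_*`` signature).
        pfile: source file object exposing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, col)``; the returned objects
            expose ``save_violation(property, bookmark)``.
        fileType: ``"CCPP"`` or ``"CSHARP"``; selects the property saved.
            Any other value scans the file but saves nothing.

    Returns:
        None.  Counts go through ``update_counts`` and throughput through
        ``local_library.extraLogWrite``.  File-level errors are logged, never
        raised.
    """
    # Property saved per file type; other file types scan but never save.
    property_by_type = {
        "CCPP": "CWEforFDA_CustomMetrics_C_CPP.CWE483violationCPP",
        "CSHARP": "CWEforFDA_CustomMetrics_CSharp.CWE483violationCSharp",
    }
    property_name = property_by_type.get(fileType)

    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-483 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-483 : Starting scan_file_CWE_483 > " + str(pfile.name))

    # Raw strings: the original non-raw literals relied on invalid escapes
    # such as "\(" and "\/" (SyntaxWarning on CPython 3.12, rejected later).
    # The resulting regular expressions are unchanged.
    patIfNoBlk1 = r"(if[ \t\n\r]*\(([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+)(?!{)([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+);)"
    patIfNoBlk2 = r"(else[ \t\n\r]*([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+)(?!{)([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+);)"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    # Compiled once per file instead of once per line.
    if_no_block_re = re.compile(patIfNoBlk1 + "|" + patIfNoBlk2)
    comment_re = re.compile(patComment)

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: a leading "//" marks this line as a
                # comment; "/*" and "*/" open and close a multi-line one.
                for c in comment_re.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)

                for p in if_no_block_re.finditer(line):
                    if property_name is None:
                        continue
                    # Resolved only for lines that actually match, instead of
                    # for every line of the file as the original did.
                    obj = pfile.find_most_specific_object(current_line, 1)
                    try:
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        obj.save_violation(property_name, bk)
                    except Exception:
                        # Some object kinds cannot carry this violation yet.
                        local_library.cwefdaLoggerWarning("CWE-483: Violation not allowed on this kind of object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-483 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        # Any other failure aborts the scan of this file, not the analysis.
        logging.error("CWE-483 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero on very fast scans
    local_library.cwefdaLoggerInfo("CWE_483 : END CWE-483 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-483", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "CWE-483", nBytes // msecs, nBytes, msecs
    local_library.extraLogWrite(t)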
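def scan_file_OMG_RLB_9_Step1(application, pfile, fileType):
    """Collect float variable definitions for OMG RLB-9 (step 1 of 2).

    Provenance (from the original header):
        Author : MGE
        last modification date: 24/3/2017
        Description: OMG RLB-9: Float Type Storable and Member Data Element Comparison with Equality Operator
        Languages : C/C++/C#
        Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP - CatID=2002000 PropID=2002022 SubID=2002272 QRID=2002594
                   CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp - CatID=2003000 PropID=2003022 SubID=2003272 QRID=2003594

    Step 1 records every ``float`` / ``double`` / ``long double`` definition
    found in ``pfile`` into the module-level list ``aFloatVariableName``,
    qualified as ``[Global].<name>`` when the enclosing object's name equals
    the variable name, else ``[<path>].<scope>.<name>``.  Step 2
    (``scan_file_OMG_RLB_9_Step2``) later looks for ``==`` comparisons that
    involve these names.  The scope is file+function or global; lower scopes
    are not considered.  This step saves no violation.

    Args:
        application: not referenced by this scanner.
        pfile: source file object exposing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, col)`` (whose result exposes
            ``get_name()``).
        fileType: not referenced by this scanner.

    Returns:
        None.  Appends to the global ``aFloatVariableName``; errors are
        logged, never raised.
    """
    global aFloatVariableName

    nbDefinition = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step1 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step1 : Starting scan_file_OMG_RLB_9_Step1 > " + str(pfile.name))

    # Raw strings instead of the original non-raw literals with invalid
    # escapes ("\(", "\-", ...); the regular expressions are unchanged and
    # are compiled once per file rather than once per line.
    float_def_re = re.compile(r"((float)|(double)|(long double))([ \t\r\n]+)([A-Za-z0-9_\-\(\),=\. \t\r\n]+);")
    comment_re = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")
    # Function calls are blanked out first so that an argument list is not
    # taken for a variable name, then numeric initialisers are dropped so
    # that "float x = 1.5;" yields the bare name.
    call_re = re.compile(r'([A-Za-z][A-Za-z0-9_\-]*)([ \t\r\n]*)(\([A-Za-z0-9_\- \t\r\n.,\.\*]*\))')
    numeric_init_re = re.compile(r'([ \t\r\n]*)=([ \t\r\n]*)([0-9\.]+)')

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: a leading "//" marks this line as a
                # comment; "/*" and "*/" open and close a multi-line one.
                for c in comment_re.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)

                code = numeric_init_re.sub('', call_re.sub('|NullF|', line))
                for p in float_def_re.finditer(code):
                    # The original built a Bookmark here only to re-derive
                    # current_line from its repr (split on ","), which is
                    # fragile and a no-op; the counter is used directly.
                    tScp = pfile.find_most_specific_object(current_line, 1).get_name()
                    tVar = p.group(6)  # the text after the type keyword, as matched
                    if tScp == tVar:
                        nVar = "[Global]." + tVar
                    else:
                        nVar = "[" + pfile.get_path() + "]." + tScp + "." + tVar
                    # Duplicates are not filtered: the original dropped that
                    # check for performance and step 2 tolerates duplicates.
                    aFloatVariableName.append(nVar)
                    nbDefinition += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-9-Step1 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("OMG-RLB-9-Step1 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero on very fast scans
    # The original passed one argument for two "%s" placeholders.
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step1 : END OMG-RLB-9-Step1 %s - Found %s definitions ", str(pfile.name), str(nbDefinition))
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "OMG-RLB-9-STEP1", nBytes // msecs, nBytes, msecs
    local_library.extraLogWrite(t)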
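def scan_file_SPDBviolation14_1_5(application, pfile, fileType):
    """Scan one C source file for SPDBviolation14_1_5.

    Description from the original header: "Memory allocation with malloc
    should be checked with NULL".

    NOTE(review): despite that description, the code only locates
    ``free(...)`` calls.  For each one it reads the following line of the
    file through ``linecache`` (skipping a single blank line) and hands the
    match and that line to ``markFreed`` (defined elsewhere), which is
    presumably where the post-``free`` check and the violation saving
    happen -- confirm against ``markFreed``.  This function itself never
    saves a violation; the ``nbViolation`` it reports is always 0 (the
    original had an unreachable ``else: nbViolation += 1``).

    Args:
        application: not referenced by this scanner.
        pfile: source file object exposing ``name`` and ``get_path()``.
        fileType: not referenced by this scanner.

    Returns:
        None.  Counts go through ``update_counts``; errors are logged.
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    logging.info("14_1_5 : -------------------------------------------------------------------------")
    logging.info("14_1_5 : Starting scan_file_SPDBviolation14_1_5 > " + str(pfile.name))

    # "free(" preceded by whitespace, "*" or "|"; group(1) is the argument
    # text up to the closing ")".  Raw string instead of the original
    # non-raw literal with invalid escapes; the regex is unchanged.
    free_re = re.compile(r"[\t*|\s*]free\s*\((.*)(?=\))")
    comment_re = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")
    path = pfile.get_path()

    try:
        with open_source_file(path) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: a leading "//" marks this line as a
                # comment; "/*" and "*/" open and close a multi-line one.
                for c in comment_re.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)

                for p in free_re.finditer(line):
                    # Trace output; the original emitted these at ERROR level.
                    logging.debug("Currently processing %s", line)
                    logging.debug("Freed memory %s", p.group(1))
                    # Statement following the free(); linecache re-reads the
                    # file by path, so line numbers are 1-based file lines.
                    module_line = linecache.getline(path, current_line + 1)
                    logging.debug("%s", module_line)
                    if module_line == "\n":
                        module_line = linecache.getline(path, current_line + 2)
                    markFreed(pfile, current_line, p, module_line)
    except FileNotFoundError:
        logging.error("SPDBviolation14_1_5 : File not found > " + path)
    except Exception as e:
        logging.error("SPDBviolation14_1_5 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero on very fast scans
    logging.info("SPDBviolation14_1_5 : END scan_file_SPDBviolation14_1_5 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation14_1_5", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "SPDBviolation14_1_5", nBytes // msecs, nBytes, msecs
    local_library.extraLogWrite(t)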
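def scan_file_SPDBviolation9_4_2(application, pfile, fileType):
    """Scan one C source file for SPDBviolation9_4_2 (explicit casts).

    NOTE from the original header: the rule is widely general and largely
    semantic, so it is tailored only on specific patterns.

    Each line outside ``//`` / ``/* */`` comments is matched against a
    pattern recognising ``x = (int *) y;`` and ``x = (int) y;`` style casts
    of ``int``, ``float``, ``char`` or ``bool``.  Every match is saved as a
    violation on ``pfile`` with a whole-line bookmark.

    Args:
        application: not referenced by this scanner.
        pfile: source file object exposing ``name``, ``get_path()`` and
            ``save_violation(property, bookmark)``.
        fileType: not referenced by this scanner.

    Returns:
        None.  Counts go through ``update_counts``; per-line failures are
        logged with the line number and the scan continues.
    """
    nbViolation = 0
    nbNAViolation = 0
    isInSingleLineComment = False
    isInMultiLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info("scan_file_SPDBviolation9_4_2 : -------------------------------------------------------------------------")
    logging.info("scan_file_SPDBviolation9_4_2 : Starting scan_file_scan_file_SPDBviolation9_4_2 > " + str(pfile.name))

    # Raw strings instead of the original non-raw literals with invalid
    # escapes; the regular expressions are unchanged.
    casting_re = re.compile(r"(\w*\s*=\s*\(\s*(int|float|char|bool)\s*\*\s*\)\s*(\w*)\s*;)|(\w*\s*=\s*\(\s*(int|float|char|bool)\s*\)\s*(\w*)\s*;)")
    comment_re = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                try:
                    # Comment exclusion: a leading "//" marks this line as a
                    # comment; "/*" and "*/" open and close a multi-line one.
                    for c in comment_re.finditer(line):
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                    if isInMultiLineComment:
                        continue
                    if isInSingleLineComment:
                        isInSingleLineComment = False
                        continue
                    nBytes += len(line)

                    for p in casting_re.finditer(line):
                        logging.info("scan_file_scan_file_SPDBviolation9_4_2::Result is: [%s] [%s] [%s]", pfile, line, p.groups())
                        # Whole-line bookmark (columns 1 .. -1), as in the original.
                        bk = Bookmark(pfile, current_line, 1, current_line, -1)
                        pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation9_4_2', bk)
                        # The original never incremented the counter, so the
                        # END message always reported 0 violations.
                        nbViolation += 1
                except Exception as e:
                    # The original format string had one "%s" for two args.
                    logging.error("scan_file_SPDBviolation9_4_2 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("scan_file_SPDBviolation9_4_2 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("scan_file_SPDBviolation9_4_2 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero on very fast scans
    logging.info("scan_file_SPDBviolation9_4_2 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation9_4_2", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "SPDBviolation9_4_2", nBytes // msecs, nBytes, msecs
    local_library.extraLogWrite(t)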
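def scan_file_SPDBviolation10_3_3(application, pfile, fileType):
    """Scan one C source file for SPDBviolation10_3_3 (float declarations).

    NOTE from the original header: the rule is widely general and largely
    semantic, so it is tailored only on specific patterns.

    Each line outside ``//`` / ``/* */`` comments is matched against
    ``float <declarators>;``.  The declarator list is split on ``,`` and
    every variable (with any ``= value`` initialiser stripped) is handed to
    ``scan_Utilities.unConditionalCheck`` (defined elsewhere) together with
    the open file handle; that helper is presumably where violations are
    saved.  This function itself saves nothing and its ``nbViolation`` stays
    0 -- confirm against ``unConditionalCheck``.

    Args:
        application: not referenced by this scanner.
        pfile: source file object exposing ``name`` and ``get_path()``.
        fileType: not referenced by this scanner.

    Returns:
        None.  Counts go through ``update_counts``; per-line failures are
        logged with the line number and the scan continues.
    """
    nbViolation = 0
    nbNAViolation = 0
    dtType = "float"  # data type tag passed through to unConditionalCheck
    isInSingleLineComment = False
    isInMultiLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info("scan_file_SPDBviolation10_3_3 : -------------------------------------------------------------------------")
    logging.info("scan_file_SPDBviolation10_3_3 : Starting scan_file_scan_file_SPDBviolation10_3_3 > " + str(pfile.name))

    # Raw strings instead of the original non-raw literals with invalid
    # escapes; the regular expressions are unchanged.
    fun_call_re = re.compile(r"(float)[ \t\r\n]+([A-Za-z0-9_\-\(\),=\. \t\r\n]+);")
    comment_re = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            boolExist = 0
            for line in f:
                current_line += 1
                try:
                    # Comment exclusion: a leading "//" marks this line as a
                    # comment; "/*" and "*/" open and close a multi-line one.
                    for c in comment_re.finditer(line):
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                    if isInMultiLineComment:
                        continue
                    if isInSingleLineComment:
                        isInSingleLineComment = False
                        continue
                    nBytes += len(line)

                    for p in fun_call_re.finditer(line):
                        logging.info("scan_file_scan_file_SPDBviolation10_3_3::Result is: [%s] [%s] [%s]", pfile, line, p.group(2))
                        # "float a = 1.0, b;" declares several variables;
                        # each one is checked separately.
                        for getVar in p.group(2).split(","):
                            logging.debug("scan_file_SPDBviolation10_3_3 :: getVar value---" + str(getVar))
                            if '=' in getVar:
                                varName = getVar.split("=")[0]
                                logging.info("scan_file_SPDBviolation10_3_3 :: [PASSED] Value is initialized for " + varName)
                            else:
                                logging.debug("scan_file_SPDBviolation10_3_3 :: Violation saved for getVar value---" + str(getVar))
                                varName = getVar
                            boolExist = 1
                            scan_Utilities.unConditionalCheck(line, pfile, current_line, p, f, varName, dtType)
                except Exception as e:
                    # The original format string had one "%s" for two args.
                    logging.error("scan_file_SPDBviolation10_3_3 : Error: %s, at line %s", str(e), current_line)
            if boolExist:
                # NOTE(review): kept from the original.  After the loop above
                # the handle is normally exhausted, so this logs nothing
                # unless unConditionalCheck repositions ``f`` -- verify.
                for line1 in f:
                    logging.info(line1)
    except FileNotFoundError:
        logging.error("scan_file_SPDBviolation10_3_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("scan_file_SPDBviolation10_3_3 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero on very fast scans
    logging.info("scan_file_SPDBviolation10_3_3 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation10_3_3", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "SPDBviolation10_3_3", nBytes // msecs, nBytes, msecs
    local_library.extraLogWrite(t)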
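def scan_file_SPDBviolation12_2_5(application, pfile, fileType):
    """Scan one C source file for SPDBviolation12_2_5 (pointer-returning functions).

    Rule text from the original header: avoid returning a pointer, because
    the memory exists and is destroyed automatically at the end of the
    function body.  As noted there, the rule is largely semantic and is
    tailored only on specific patterns.

    Each line outside ``//`` / ``/* */`` comments is matched against
    ``<float|int|char|bool> * <name>(``; every match is saved as a
    violation on ``pfile`` with a whole-line bookmark.  Objects that refuse
    the violation are counted as "not allowed".

    Args:
        application: not referenced by this scanner.
        pfile: source file object exposing ``name``, ``get_path()`` and
            ``save_violation(property, bookmark)``.
        fileType: not referenced by this scanner.

    Returns:
        None.  Counts go through ``update_counts``; per-line failures are
        logged with the line number and the scan continues.
    """
    nbViolation = 0
    nbNAViolation = 0
    isInSingleLineComment = False
    isInMultiLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    logging.info("scan_file_SPDBviolation12_2_5 : -------------------------------------------------------------------------")
    logging.info("scan_file_SPDBviolation12_2_5 : Starting > " + str(pfile.name))

    # Raw strings instead of the original non-raw literals with invalid
    # escapes; the regular expressions are unchanged (the trailing empty
    # lookahead "(?=)" is a no-op kept as written).
    fun_call_re = re.compile(r"(float|int|char|bool)\s*\*\s*([\w]*)(\(.*)(?=)")
    comment_re = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                try:
                    # Comment exclusion: a leading "//" marks this line as a
                    # comment; "/*" and "*/" open and close a multi-line one.
                    for c in comment_re.finditer(line):
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                    if isInMultiLineComment:
                        continue
                    if isInSingleLineComment:
                        isInSingleLineComment = False
                        continue
                    nBytes += len(line)

                    for p in fun_call_re.finditer(line):
                        logging.info("scan_file_SPDBviolation12_2_5::Result is: %s %s", pfile, line)
                        try:
                            # Whole-line bookmark (columns 1 .. -1), as in the original.
                            bk = Bookmark(pfile, current_line, 1, current_line, -1)
                            pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation12_2_5', bk)
                        except Exception as e:
                            # The original called e.message(), which does not
                            # exist on Python 3 exceptions; the AttributeError
                            # escaped to the outer handler and skipped this count.
                            logging.error("scan_file_SPDBviolation12_2_5 : Error: %s, at line (not allowed on this object) %s", str(e), current_line)
                            nbNAViolation += 1
                        else:
                            # The original never incremented the counter, so
                            # the END message always reported 0 violations.
                            nbViolation += 1
                            logging.info("scan_file_SPDBviolation12_2_5 :: [VIOLATION] Avoid return Pointer, because memory exists and is destroyed automatically at the end of the function body <===> " + line)
                except Exception as e:
                    # The original format string had one "%s" for two args.
                    logging.error("scan_file_SPDBviolation12_2_5 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("scan_file_SPDBviolation12_2_5 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("scan_file_SPDBviolation12_2_5 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero on very fast scans
    logging.info("scan_file_SPDBviolation12_2_5 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation12_2_5", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "SPDBviolation12_2_5", nBytes // msecs, nBytes, msecs
    local_library.extraLogWrite(t)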
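def scan_file_OMG_MNT_3(application, pfile, fileType):
    """Scan one source file for OMG MNT-3 (initialisation with hard-coded literals).

    Provenance (from the original header):
        Author : PMB
        last modification date: 10/4/2017
        Description: OMG MNT-3: Storable and Member Data Element Initialization with Hard-Coded Literals
        Languages : C/C++/C#
        Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP - CatID=2002000 PropID=2002021 SubID=2002271 QRID=2002592
                   CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp - CatID=2003000 PropID=2003021 SubID=2003271 QRID=2003592
        NOTE(review): those Property lines name the RLB-9 properties while the
        code saves OMGMNT3violationCPP / OMGMNT3violationCSharp -- confirm the IDs.

    Each line outside ``//`` / ``/* */`` comments is matched against a
    ``<const|char|float|double|long double> <declarators>;`` definition.
    ``const`` definitions are exempt; for the others the line is searched for
    ``<name> = <digits>`` (``char`` also accepts ``.`` in the literal) and
    each such initialiser is saved as a violation on the most specific object
    containing the line.

    Args:
        application: not referenced by this scanner.
        pfile: source file object exposing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, col)``; the returned objects
            expose ``save_violation(property, bookmark)``.
        fileType: ``"CCPP"`` or ``"CSHARP"``; selects the property saved.
            Any other value scans the file but saves nothing.

    Returns:
        None.  Counts go through ``update_counts``; errors are logged.
    """
    # Property saved per file type; other file types scan but never save.
    property_by_type = {
        "CCPP": "CWEforFDA_CustomMetrics_C_CPP.OMGMNT3violationCPP",
        "CSHARP": "CWEforFDA_CustomMetrics_CSharp.OMGMNT3violationCSharp",
    }
    property_name = property_by_type.get(fileType)

    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("OMG-MNT-3 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-MNT-3 : Starting scan_file_OMG_MNT_3 > " + str(pfile.name))

    # Raw strings instead of the original non-raw literals with invalid
    # escapes; the regular expressions are unchanged and compiled once per
    # file instead of once per match.
    float_def_re = re.compile(r"((const)|(char)|(float)|(double)|(long double))([ \t\r\n]+)([A-Za-z0-9_\-\(\),=\. \t\r\n]+);")
    comment_re = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")
    # "char" literals may contain "."; the other types only digits.
    char_init_re = re.compile(r'([ \t\r\n]+)([A-Za-z0-9_\-\(\)\. \t\r\n]+)([\= ]+)([.\d]+)([ \;]+)')
    numeric_init_re = re.compile(r'([ \t\r\n]+)([A-Za-z0-9_\-\(\)\. \t\r\n]+)([\= ]+)([\d]+)([ \;]+)')

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: a leading "//" marks this line as a
                # comment; "/*" and "*/" open and close a multi-line one.
                for c in comment_re.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)

                obj = None  # resolved on first use, not for every line
                for p in float_def_re.finditer(line):
                    keyword = p.group(1)
                    if keyword == "const":
                        continue
                    init_re = char_init_re if keyword == "char" else numeric_init_re
                    for pp in init_re.finditer(line):
                        if property_name is None:
                            continue
                        if obj is None:
                            obj = pfile.find_most_specific_object(current_line, 1)
                        bk = Bookmark(pfile, current_line, pp.start() + 1, current_line, pp.end())
                        try:
                            obj.save_violation(property_name, bk)
                        except Exception:
                            # Narrowed from the original bare "except:".
                            local_library.cwefdaLoggerWarning("OMG-MNT-3 : Violation not allowed on this object, next version")
                            nbNAViolation += 1
                        else:
                            nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-MNT-3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("OMG-MNT-3 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero on very fast scans
    local_library.cwefdaLoggerInfo("OMG-MNT-3 : END scan_file_OMG_MNT_3 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-MNT-3", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "OMG-MNT-3", nBytes // msecs, nBytes, msecs
    local_library.extraLogWrite(t)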
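def scan_file_OMG_RLB_12(application, pfile, fileType):
    """Scan one source file for OMG RLB-12 (singleton creation without lock).

    Provenance (from the original header):
        Author : MGE
        last modification date: 29/3/2017
        Description: OMG RLB-12: Singleton Class Instance Creation without Proper Lock Element Management
        Languages : C++/C#
        Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB12violationCPP - CatID=2002000 PropID=2002023 SubID=2002273 QRID=2002596
                   CWEforFDA_CustomMetrics_CSharp.OMGRLB12ViolationCSharp - CatID=2003000 PropID=2003023 SubID=2003273 QRID=2003596
        NOTE
        1) find all classes implementing singleton (with "new className" inside)
        2) find all singleton classes without any lock primitive inside the method containing new

    Implementation as written: every ``class <Name>`` opens a record; on
    later lines ``new <Name>`` marks the most recent class as a singleton
    (bookmarking that occurrence), and any later line containing "lock" in
    any letter case clears its violation flag.  This is coarser than item 2
    above -- the lock is not required to be inside the method that does the
    ``new``.  After the file is read, each singleton whose flag is still set
    is saved as a violation on the object that contains the ``new``.

    Bug fixed here: the original tested ``re.finditer(...) is not None``,
    which is always true, so the violation flag was cleared on every line
    and the rule never reported anything.

    Args:
        application: not referenced by this scanner.
        pfile: source file object exposing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, col)``; the returned objects
            expose ``save_violation(property, bookmark)``.
        fileType: ``"CCPP"`` or ``"CSHARP"``; selects the property saved.
            Any other value scans the file but saves nothing.

    Returns:
        None.  Counts go through ``update_counts``; errors are logged.
    """
    # Property and "not allowed" warning per file type.
    by_type = {
        "CCPP": ("CWEforFDA_CustomMetrics_C_CPP.OMGRLB12violationCPP",
                 "OMG-RLB-12: Violation not allowed on this kind of object, next version"),
        "CSHARP": ("CWEforFDA_CustomMetrics_CSharp.OMGRLB12violationCSharp",
                   "OMG-RLB-12: Violation not allowed on class object, next version"),
    }
    property_name, not_allowed_msg = by_type.get(fileType, (None, None))

    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    classes = []    # one record per "class X" found, in file order
    current = None  # record of the most recently declared class
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-12 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-12 : Starting scan_file_OMG_RLB_12 > " + str(pfile.name))

    # Raw strings instead of the original non-raw literals with invalid
    # escapes; the regular expressions are unchanged.
    class_def_re = re.compile(r"(class[ \t]+)([A-Za-z0-9_\-]+)")
    lock_re = re.compile(r"([Ll][Oo][Cc][Kk])")
    comment_re = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: a leading "//" marks this line as a
                # comment; "/*" and "*/" open and close a multi-line one.
                for c in comment_re.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)

                for p1 in class_def_re.finditer(line):
                    name = p1.group(2)
                    current = {
                        "name": name,
                        "is_singleton": False,
                        "is_violation": True,
                        "obj": None,
                        "bookmark": None,
                        # "new <Name>" on a later line marks the class as a singleton
                        "new_re": re.compile(r"(new[ \t]+" + re.escape(name) + ")"),
                    }
                    classes.append(current)

                if current is not None:
                    for p2 in current["new_re"].finditer(line):
                        # Column p2.start()-3 is what the original passed; kept as-is.
                        current["obj"] = pfile.find_most_specific_object(current_line, p2.start() - 3)
                        current["bookmark"] = Bookmark(pfile, current_line, p2.start() + 1, current_line, p2.end())
                        current["is_singleton"] = True
                    # Any lock mention after the class declaration exempts it.
                    if lock_re.search(line):
                        current["is_violation"] = False

        if property_name is not None:
            for rec in classes:
                if not (rec["is_singleton"] and rec["is_violation"]):
                    continue
                try:
                    rec["obj"].save_violation(property_name, rec["bookmark"])
                except Exception:
                    local_library.cwefdaLoggerWarning(not_allowed_msg)
                    nbNAViolation += 1
                else:
                    nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-12 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("OMG-RLB-12 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero on very fast scans
    local_library.cwefdaLoggerInfo("OMG-RLB-12 : END scan_file_OMG_RLB_12 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-RLB-12", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "OMG-RLB-12", nBytes // msecs, nBytes, msecs
    local_library.extraLogWrite(t)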
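def scan_file_CWE_120_122(application, pfile, fileType) -> None:
    """Report memcpy/strcpy calls whose source operand is not the variable tested by the last ``if``.

    Line-oriented heuristic for CWE-120/CWE-122 (classic / heap buffer
    overflow).  Every ``if (<name> ...)`` seen so far in the file updates
    the name of the last tested variable; a ``memcpy(...)`` or
    ``strcpy(...)`` whose identifier after the first comma differs from that
    name is reported on the object enclosing the line.  No data-flow or
    size analysis is done, so the result is an approximation.

    Args:
        application: unused here; kept for the common scanner signature.
        pfile: file object providing ``name``, ``get_path()`` and
            ``find_most_specific_object()``.
        fileType: ``"CCPP"`` or ``"CSHARP"``.  memcpy hits are only reported
            for ``"CCPP"``; strcpy hits for both (kept from the original).

    Returns:
        None.  Counts are pushed through ``update_counts`` and
        ``local_library.extraLogWrite``; I/O errors are logged, not raised.
    """
    # Author : PMB
    # last modification date: 28/3/2017
    # Description: CWE_120_122: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    # Languages : C/C++
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE120violationCPP - CatID=2002000 PropID=2002001 SubID=2002251 QRID=2002552
    #            CWEforFDA_CustomMetrics_C_CPP.CWE122violationCPP - CatID=2002000 PropID=2002002 SubID=2002252 QRID=2002554
    #            CWEforFDA_CustomMetrics_CSharp.CWE120violationCSharp - CatID=2003000 PropID=2003001 SubID=2003251 QRID=2003552
    #            CWEforFDA_CustomMetrics_CSharp.CWE122violationCSharp - CatID=2003000 PropID=2003002 SubID=2003252 QRID=2003554
    # NOTE: The program copies an input buffer to an output buffer without verifying that the size of the input buffer
    #       is less than the size of the output buffer, leading to a buffer overflow.
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-120-122 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-120-122 : Starting scan_file_CWE_120_122 > " + str(pfile.name))

    # Raw strings: the classes contain regex escapes (\s, \(, \[) that are not
    # valid string escapes in a plain literal.  Group 3 of pathMem/pathStr is the
    # identifier following the first comma, i.e. the source buffer of the copy.
    pathMem = r"(^[ \t]+memcpy[ \([a-zA-Z0-9_\s\[\]\-\(\)]+)([ \,]+)([a-zA-Z0-9_]*)([ a-zA-Z0-9\[\]\)\;]+)"
    pathStr = r"(^[ \t]+strcpy[ \([a-zA-Z0-9_\s\[\]\-\(\)]+)([ \,]+)([a-zA-Z0-9_]*)([ a-zA-Z0-9\[\]\)\;]+)"
    # Group 3 is the first identifier inside the if-condition.
    pathIf = r"(if[ ]*)([\(]+)([a-zA-Z0-9_]+)([\s\=\>\<\!\s]+)"
    # Group 1: line starts with "//"; group 2: "/*"; group 3: "*/".
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"

    cppProps = ('CWEforFDA_CustomMetrics_C_CPP.CWE120violationCPP',
                'CWEforFDA_CustomMetrics_C_CPP.CWE122violationCPP')
    csharpProps = ('CWEforFDA_CustomMetrics_CSharp.CWE120violationCSharp',
                   'CWEforFDA_CustomMetrics_CSharp.CWE122violationCSharp')

    def _save(obj, bk, properties):
        """Attach every property in *properties* to *obj* at *bk*; one violation is counted per call."""
        nonlocal nbViolation, nbNAViolation
        try:
            for prop in properties:
                obj.save_violation(prop, bk)
        except Exception:
            # Some object kinds refuse violations: keep scanning, count it as not applicable.
            local_library.cwefdaLoggerWarning("CWE-120-122 : Violation not allowed on this object, next version")
            nbNAViolation = nbNAViolation + 1
        else:
            nbViolation += 1

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            VarIf = None  # identifier tested by the most recent "if (" seen so far
            for line in f:
                current_line += 1
                # Comment Exclusion - Start
                # Group 1 ("//" at line start) is per line; groups 2/3 ("/*", "*/")
                # toggle a flag that carries over to the following lines.
                startsLineComment = False
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        startsLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment or startsLineComment:
                    continue
                # Comment Exclusion - End
                nBytes = nBytes + len(line)
                # Get the most specific object containing the line
                obj = pfile.find_most_specific_object(current_line, 1)

                # Remember the variable tested by the last if-statement.
                for p in re.finditer(pathIf, line):
                    VarIf = p.group(3)

                # NOTE: memcpy hits are reported for C/C++ files only, strcpy hits
                # for C/C++ and C# (behaviour kept from the original implementation).
                for p in re.finditer(pathMem, line):
                    if p.group(3) != VarIf:
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        if fileType == "CCPP":
                            _save(obj, bk, cppProps)

                for p in re.finditer(pathStr, line):
                    if p.group(3) != VarIf:
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        if fileType == "CCPP":
                            _save(obj, bk, cppProps)
                        elif fileType == "CSHARP":
                            _save(obj, bk, csharpProps)
    except FileNotFoundError:
        logging.error("CWE-120-122 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-120-122 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a zero divisor in the throughput figure below
    local_library.cwefdaLoggerInfo("CWE-120-122 : END scan_file_CWE_120_122 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-120-122", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "CWE-120-122", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)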
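def scan_file_CWE_910(application, pfile, fileType) -> None:
    """Report later uses of a name that was passed to ``free()`` earlier in the file.

    Line-oriented heuristic for CWE-910 (use of an expired descriptor /
    released resource).  Each ``free(<name>)`` statement records ``<name>``;
    on every following line each recorded name that occurs as a whole
    identifier followed by a separator (``)``, ``,``, ``;``, ``-``, ``+``,
    ``*`` or whitespace) is reported on the object enclosing that line.
    The line of the ``free()`` itself is not checked, there is no scope or
    reassignment tracking, and the C/C++ property is used regardless of
    ``fileType``.

    Args:
        application: unused here; kept for the common scanner signature.
        pfile: file object providing ``name``, ``get_path()`` and
            ``find_most_specific_object()``.
        fileType: not consulted by this check.

    Returns:
        None.  Counts go through ``update_counts`` and
        ``local_library.extraLogWrite``; I/O errors are logged, not raised.
    """
    # Author : PMB
    # last modification date: 27/3/2017
    # Description: CWE_910: Use of Expired File Descriptor
    # Languages : C/C++
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE910violationCPP - CatID=2002000 PropID=2002020 SubID=2002270 QRID=2002590
    # NOTE: The software uses or accesses a file descriptor after it has been closed. After a file descriptor for a particular
    #       file or device has been released, it can be reused. The code might not write to the original file, since the reused
    #       file descriptor might reference a different file or device.
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    # name passed to free() -> compiled pattern for a later whole-identifier use of it
    freedNames = {}
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-910 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-910 : Starting scan_file_CWE_910 > " + str(pfile.name))
    # "free(<name>)" statement; group 4 is the freed identifier.
    pathSrc = r"(^[ \t]+)(free)([(\ \(]+)([a-zA-Z0-9_]+)([(\ \)\;]+)"
    # Group 1: line starts with "//"; group 2: "/*"; group 3: "*/".
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"

    def _use_pattern(name):
        """Compiled pattern for a whole-identifier occurrence of *name* followed by a separator."""
        # The look-behind keeps "p" from matching inside "tmp;".  The name is
        # escaped even though group 4 of pathSrc only yields identifier characters.
        return re.compile(r"([\t\s\*]*)(?<![A-Za-z0-9_])(" + re.escape(name) + r")([\s\t\)\,\;\-\+\*])")

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment Exclusion - Start
                # Group 1 ("//" at line start) is per line; groups 2/3 ("/*", "*/")
                # toggle a flag that carries over to the following lines.
                startsLineComment = False
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        startsLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment or startsLineComment:
                    continue
                # Comment Exclusion - End
                nBytes = nBytes + len(line)
                # Get the most specific object containing the line
                obj = pfile.find_most_specific_object(current_line, 1)

                # Uses of names freed on earlier lines (this line's own free() is
                # recorded only after this check).
                for usePattern in freedNames.values():
                    for p in usePattern.finditer(line):
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        try:
                            obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE910violationCPP', bk)
                        except Exception:
                            # Some object kinds refuse violations: keep scanning, count it as not applicable.
                            local_library.cwefdaLoggerWarning("CWE-910 : Violation not allowed on this object, next version")
                            nbNAViolation = nbNAViolation + 1
                        else:
                            nbViolation += 1

                # Search free stmt
                for p in re.finditer(pathSrc, line):
                    name = p.group(4)
                    if name not in freedNames:
                        freedNames[name] = _use_pattern(name)
    except FileNotFoundError:
        logging.error("CWE-910 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-910 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a zero divisor in the throughput figure below
    local_library.cwefdaLoggerInfo("CWE-910 : END scan_file_CWE_910 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-910", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "CWE-910", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)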
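def scan_file_CWE_783(application, pfile, fileType) -> None:
    """Report ``if (`` conditions that assign/compare against ``AuthenticateUser`` behind a single paren.

    Line-oriented heuristic for CWE-783 (operator precedence logic error),
    tailored to the CWE reference example: the pattern matches ``if (``
    followed by identifiers, whitespace and ``=`` and then the literal name
    ``AuthenticateUser``.  A match is reported only when the condition is
    opened by exactly one ``(``, i.e. the inner expression is not
    parenthesised on its own.  The violation goes on the object enclosing
    the line under the C/C++ property; ``fileType`` is not consulted.

    Args:
        application: unused here; kept for the common scanner signature.
        pfile: file object providing ``name``, ``get_path()`` and
            ``find_most_specific_object()``.
        fileType: not consulted by this check.

    Returns:
        None.  Counts go through ``update_counts`` and
        ``local_library.extraLogWrite``; I/O errors are logged, not raised.
    """
    # Author : PMB
    # last modification date: 23/3/2017
    # Description: CWE_783: Operator Precedence Logic Error
    # Languages : C/C++
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE783violationCPP - CatID=2002000 PropID=2002019 SubID=2002269 QRID=2002588
    # NOTE: The program uses an expression in which operator precedence causes incorrect logic to be used.
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-783 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-783 : Starting scan_file_CWE_783 > " + str(pfile.name))
    # search "AuthenticateUser": group 2 is the run of opening parens after "if",
    # group 3 the identifiers / whitespace / "=" before the function name.
    pathSrc = r"(if[ ]*)([\(]+)([a-zA-Z0-9_\s\=\s]+)(AuthenticateUser)"
    # Group 1: line starts with "//"; group 2: "/*"; group 3: "*/".
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment Exclusion - Start
                # Group 1 ("//" at line start) is per line; groups 2/3 ("/*", "*/")
                # toggle a flag that carries over to the following lines.
                startsLineComment = False
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        startsLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment or startsLineComment:
                    continue
                # Comment Exclusion - End
                nBytes = nBytes + len(line)
                # Get the most specific object containing the line
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in re.finditer(pathSrc, line):
                    # A doubled "((" means the inner expression is explicitly grouped: not reported.
                    if p.group(2) != "(":
                        continue
                    # Set a bookmark for violation and save violation
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    try:
                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE783violationCPP', bk)
                    except Exception:
                        # Some object kinds refuse violations: keep scanning, count it as not applicable.
                        local_library.cwefdaLoggerWarning("CWE-783 : Violation not allowed on this object, next version")
                        nbNAViolation = nbNAViolation + 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-783 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-783 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a zero divisor in the throughput figure below
    local_library.cwefdaLoggerInfo("CWE-783 : END scan_file_CWE_783 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-783", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "CWE-783", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)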
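def scan_file_CWE_482(application, pfile, fileType) -> None:
    """Report ``<lhs> == <rhs>`` expressions terminated by ``,``, ``;`` or ``.``.

    Line-oriented heuristic for CWE-482 (comparing instead of assigning):
    an ``==`` whose left side is an identifier (optionally dereferenced or
    indexed) and whose right side is followed by a separator is taken for a
    comparison written where an assignment statement was meant.  The
    pattern is unanchored, so ``return a == b;`` or an initialiser such as
    ``x = a == b;`` match as well.  Violations go on the object enclosing
    the line under the C/C++ property; ``fileType`` is not consulted.

    Args:
        application: unused here; kept for the common scanner signature.
        pfile: file object providing ``name``, ``get_path()`` and
            ``find_most_specific_object()``.
        fileType: not consulted by this check.

    Returns:
        None.  Counts go through ``update_counts`` and
        ``local_library.extraLogWrite``; I/O errors are logged, not raised.
    """
    # Author : PMB
    # last modification date: 27/3/2017
    # Description: CWE_482: Comparing instead of Assigning
    # Languages : C/C++
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE482violationCPP - CatID=2002000 PropID=2002012 SubID=2002262 QRID=2002574
    # NOTE: The code uses an operator for comparison when the intention was to perform an assignment.
    #       In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-482 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-482 : Starting scan_file_CWE_482 > " + str(pfile.name))
    # Group 1: "*name" or "name[index]"; group 3: right operand; group 4: terminator.
    #pathSrc="(^[ \ta-zA-Z0-9_\s\*]+)(==)([a-zA-Z0-9\s]+)"
    pathSrc = r"[^\s\t]*(\**[a-zA-Z0-9_]+(\s*\[\s*[a-zA-Z0-9_]*\s*\]\s*)?)\s*==\s*([a-zA-Z0-9\s]+)\s*(\,|\;|\.)"
    # Group 1: line starts with "//"; group 2: "/*"; group 3: "*/".
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment Exclusion - Start
                # Group 1 ("//" at line start) is per line; groups 2/3 ("/*", "*/")
                # toggle a flag that carries over to the following lines.
                startsLineComment = False
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        startsLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment or startsLineComment:
                    continue
                # Comment Exclusion - End
                nBytes = nBytes + len(line)
                # Get the most specific object containing the line
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in re.finditer(pathSrc, line):
                    # Set a bookmark for violation and save violation
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    try:
                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE482violationCPP', bk)
                    except Exception:
                        # Some object kinds refuse violations: keep scanning, count it as not applicable.
                        local_library.cwefdaLoggerWarning("CWE-482 : Violation not allowed on this object, next version")
                        nbNAViolation = nbNAViolation + 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-482 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-482 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a zero divisor in the throughput figure below
    local_library.cwefdaLoggerInfo("CWE-482 : END scan_file_CWE_482 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-482", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "CWE-482", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)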
def scan_file_CWE_480_481(application, pfile, fileType) -> None:
    """Line-oriented heuristic for CWE-480/CWE-481 (wrong operator inside an ``if`` condition).

    Two shapes are reported on the object enclosing the matching line:

    * CWE-480: ``if (<a> & <b>)`` / ``if (<a> | <b>)`` - a bitwise operator
      between the operands of the condition (``PathBitWise``).
    * CWE-481: ``if (<name> ...)`` where ``<name>`` was declared as ``int``
      earlier in this file (collected by ``PathIntB``/``PathIntF``) and the
      first ``=`` on the line is a lone ``=`` rather than ``==``, ``!=``,
      ``<=`` or ``>=``.

    Only ``"CCPP"`` and ``"CSHARP"`` file types save violations.  The
    function returns None; counts are reported through ``update_counts``
    and ``local_library.extraLogWrite``, and I/O errors are logged, not
    raised.
    """
    # Author : PMB
    # Last modification date: 10/4/2017
    # Description: CWE-481: Assigning instead of Comparing
    # Languages: C/C++ C#
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE480violationCPP - CatID=2002000 PropID=2002010 SubID=2002260 QRID=2002570
    #            CWEforFDA_CustomMetrics_C_CPP.CWE481violationCPP - CatID=2002000 PropID=2002011 SubID=2002261 QRID=2002571
    #            CWEforFDA_CustomMetrics_C_CPP.CWE480violationCSharp - CatID=2003000 PropID=2003010 SubID=2003260 QRID=2003570
    #            CWEforFDA_CustomMetrics_C_CPP.CWE480violationCSharp - CatID=2003000 PropID=2003011 SubID=2003261 QRID=2003571
    # NOTE: The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways.
    #
    # nbProgramCall is incremented with every saved violation but is not reported by this function.
    nbProgramCall = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    nbViolation=0
    nbNAViolation = 0
    # Names declared as "int" so far in this file (PathIntB / PathIntF hits).
    allIntVars = set()
    #SCS
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-480-481 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-480-481 : Starting scan_file_CWE_480_481 > " +str(pfile.name))
    # "(int name" (parameter list) and "<ws>int name" (declaration); group 2 is the name.
    PathIntB = "([\(]+)int ([a-zA-Z0-9_\.]+)"
    PathIntF = "([ \t]+)int ([a-zA-Z0-9_\.]+)"
    # "if (name"; group 2 is the first identifier of the condition.
    PathIf = "[ \t]+if([ \(]+)([a-zA-Z0-9_]+)"
    # "if (a & b" / "if (a | b": bitwise operator between two operands (CWE-480).
    PathBitWise = "[ \t]+if([ \(]+)([a-zA-Z0-9_\!\(\)]+)( & | \| )+([a-zA-Z0-9_\!\(\)]+)"
    # Group 1: line starts with "//"; group 2: "/*"; group 3: "*/".
    patComment = "(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as f:
            #current line number
            current_line = 0
            for line in f:
                # Line of code
                current_line += 1
                resultCom = re.finditer(patComment, line)
                # Comment Exclusion - Start
                if not resultCom is None:
                    for c in resultCom:
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                # NOTE(review): isInSingleLineComment is only reset below, so a "//" line met
                # while inside a block comment leaves the flag set for the next scanned line.
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                # Comment Exclusion - End
                #SCS
                nBytes = nBytes + len(line)
                # Most specific object containing the line; violations are attached to it.
                obj = pfile.find_most_specific_object(current_line, 1)
                #logging.debug("Statement to analize >> %s >> %s", current_line, line)
                resultIntB = re.finditer(PathIntB, line)
                if not resultIntB is None:
                    for c in resultIntB:
                        #logging.debug("CWE_480_481 : Group StmtIntB > %s ", c.group(2))
                        varIntB=c.group(2)
                        allIntVars.add(varIntB)
                resultIntF = re.finditer(PathIntF, line)
                if not resultIntF is None:
                    for c in resultIntF:
                        #logging.debug("CWE_480_481 : Group StmtIntF > %s ", c.group(2))
                        varIntF=c.group(2)
                        allIntVars.add(varIntF)
                resultBitWise = re.finditer(PathBitWise, line)
                if not resultBitWise is None:
                    for c in resultBitWise:
                        if fileType == "CCPP":
                            # Set a bookmark for violation and save violation
                            bk = Bookmark(pfile,current_line,c.start()+1,current_line,c.end())
                            #logging.debug("sono in test cpp >> %s", bk)
                            try:
                                obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE480violationCPP',bk)
                            except:
                                local_library.cwefdaLoggerWarning("CWE-480-481 : Violation not allowed on this object, next version")
                                nbNAViolation = nbNAViolation + 1
                            else:
                                nbViolation +=1
                                nbProgramCall += 1
                            continue
                        if fileType == "CSHARP":
                            # Set a bookmark for violation and save violation
                            bk = Bookmark(pfile,current_line,c.start()+1,current_line,c.end())
                            #logging.debug("sono in test csharp >> %s", bk)
                            try:
                                obj.save_violation('CWEforFDA_CustomMetrics_CSharp.CWE480violationCSharp',bk)
                            except:
                                local_library.cwefdaLoggerWarning("CWE-480-481 : Violation not allowed on this object, next version")
                                nbNAViolation = nbNAViolation + 1
                            else:
                                nbViolation +=1
                                nbProgramCall += 1
                            continue
                resultPathIf = re.finditer(PathIf, line)
                if not resultPathIf is None:
                    # The iterator is created a second time here; the first one is never consumed.
                    resultPathIf = re.finditer(PathIf, line)
                    for p in resultPathIf:
                        varIf=p.group(2)
                        for v in allIntVars:
                            if v==varIf:
                                # Crude operator detection on the whole line: slice from the first
                                # "!", "<" or ">" up to two characters past the first "=".
                                # str.find() returns -1 when absent, so the slice then starts at the
                                # last character; NOTE(review): when the first "=" sits near the end
                                # of the line this can be non-empty even without "!", "<" or ">" - confirm.
                                CheckNoEq=line[line.find("!"):line.find("=")+2]
                                CheckLtEq=line[line.find("<"):line.find("=")+2]
                                CheckGtEq=line[line.find(">"):line.find("=")+2]
                                if CheckNoEq or CheckLtEq or CheckGtEq:
                                    continue
                                # Two characters starting at the first "="; empty when the line has no "=".
                                CheckEqEq=line[line.find("="):line.find("=")+2]
                                if not CheckEqEq:
                                    continue
                                # A lone "=" inside the condition: assignment where a comparison was meant (CWE-481).
                                if CheckEqEq != "==":
                                    if fileType == "CCPP":
                                        bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        try:
                                            obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE481violationCPP',bk)
                                        except:
                                            local_library.cwefdaLoggerWarning("CWE-480-481 : Violation not allowed on this object, next version")
                                            nbNAViolation = nbNAViolation + 1
                                        else:
                                            nbViolation +=1
                                            nbProgramCall += 1
                                    if fileType == "CSHARP":
                                        bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        try:
                                            obj.save_violation('CWEforFDA_CustomMetrics_CSharp.CWE481violationCSharp',bk)
                                        except:
                                            local_library.cwefdaLoggerWarning("CWE-480-481 : Violation not allowed on this object, next version")
                                            nbNAViolation = nbNAViolation + 1
                                        else:
                                            nbViolation +=1
                                            nbProgramCall += 1
    except FileNotFoundError:
        logging.error("CWE-480-481 : File not found > " + str(pfile.get_path()) )
    except Exception as e:
        logging.error("CWE-480-481 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        # avoid a zero divisor in the throughput figure below
        msecs = 1
    local_library.cwefdaLoggerInfo("CWE-480-481 : END scan_file_CWE_480_481 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-480-481",nbViolation,nbNAViolation
    update_counts(tc)
    #Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "CWE-480-481",int(nBytes/msecs),nBytes,msecs
    local_library.extraLogWrite(t)
def scan_file_OMG_RLB_9_Step2(application, pfile, fileType) -> None:
    """Report ``==`` comparisons whose operand is a float variable collected by Step 1.

    Second pass of the OMG RLB-9 check (floating-point equality).  For each
    ``==`` on a scanned line the identifier on its right
    (``patFloatCompRight``) and on its left (``patFloatCompLeft``) is
    qualified with the name of the most specific object at that line -
    ``[Global].<var>`` when that object's name equals the identifier,
    otherwise ``[<file path>].<scope>.<var>`` - and compared with every
    entry of the module-level ``aFloatVariableName`` list filled by Step 1.
    Matches are saved on the object enclosing the line under the C/C++ or
    C# property selected by ``fileType``.

    Returns None; counts go through ``update_counts`` and
    ``local_library.extraLogWrite``, and I/O errors are logged, not raised.
    """
    # Author : MGE
    # last modification date: 24/3/2017
    # Description: OMG RLB-9: OMG RLB-9: Float Type Storable and Member Data Element Comparison with Equality Operator
    # Languages : C/C++/C#
    # Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP - CatID=2002000 PropID=2002022 SubID=2002272 QRID=2002594
    #            CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp - CatID=2003000 PropID=2003022 SubID=2003272 QRID=2003594
    # NOTE
    # scan_file_OMG_RLB_9_Step1: find all float objects definition and store it
    # scan_file_OMG_RLB_9_Step2: find all = comparison with float objects involved
    # The scope is internal to file+function or Global. Lower scopes are not considered
    #
    # Only aFloatVariableName is read here; the other globals are declared but not
    # referenced in this function.
    global aFunctionDefinitionName
    global aFunctionDefinitionNPar
    global aFunctionCallName
    global aFunctionCallNPar
    global aFunctionCallBookmark
    global aFloatVariableName
    global aFloatClassName
    myIdx = 0
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step2 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step2 : Starting scan_file_OMG_RLB_9_Step2 > " + str(pfile.name))
    # Identifier with "." and "-" allowed; the "*" quantifier means it may also match empty.
    patFloatName = "[A-Za-z0-9_\-\.]*"
    # Left form: group 1 = name, group 2 = operand text up to and including "==".
    patFloatCompLeft = "("+ patFloatName +")" + "([A-Za-z0-9_ \(\)\t\r\n\*\+\-\/]*[\=][\=])"
    # Right form: group 1 = "==" plus operand text, group 2 = name.
    patFloatCompRight = "(==[A-Za-z0-9_ \(\)\t\r\n\*\+\-\/]*)" + "("+ patFloatName +")"
    # Group 1: line starts with "//"; group 2: "/*"; group 3: "*/".
    patComment = "(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as f:
            #current line number
            current_line = 0
            for line in f:
                # Line of code
                current_line += 1
                resultCom = re.finditer(patComment, line)
                # Comment Exclusion - Start
                if not resultCom is None:
                    for c in resultCom:
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                # NOTE(review): isInSingleLineComment is only reset below, so a "//" line met
                # while inside a block comment leaves the flag set for the next scanned line.
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                # Comment Exclusion - End
                nBytes = nBytes + len(line)
                # Most specific object containing the line; violations are attached to it.
                obj = pfile.find_most_specific_object(current_line, 1)
                #logging.debug("Statement to analize >> %s", current_line)
                try:
                    resultpatFloatRigh = re.finditer(patFloatCompRight, line)
                except:
                    resultpatFloatRigh = None
                    #local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Cannot apply pattern %s to line %s", patFloatCompRight, current_line)
                # --- Scan for pattern on the right
                # ------------------------------------------------------------------------------------
                if not resultpatFloatRigh is None:
                    for p in resultpatFloatRigh:
                        # One bookmark per (match, known float) pair; only matching pairs are saved.
                        for myIdx in range(len(aFloatVariableName)):
                            bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                            # NOTE(review): reads the line number back from the bookmark's string form;
                            # presumably the same value as current_line - verify Bookmark.__str__ layout.
                            current_line = int(str(bk).split(",")[2])
                            tVar = p.group(2)
                            tScp = pfile.find_most_specific_object(current_line, 1).get_name()
                            # Qualified name in the form Step 1 is assumed to store - confirm against Step 1.
                            if (tScp == tVar):
                                nVar = "[Global]." + tVar
                            else:
                                nVar = "[" + pfile.get_path()+"]." + tScp + "." + tVar
                            if (nVar == aFloatVariableName[myIdx]):
                                if fileType == "CCPP":
                                    #logging.debug("RLB-9: C/C++! Found Test statement %s ==> %s", str(reference.value), str(reference.bookmark))
                                    try:
                                        #bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP',bk)
                                        #reference.object.save_violation('CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP', reference.bookmark)
                                    except Exception as e:
                                        local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Violation not allowed on this kind of object, next version")
                                        nbNAViolation = nbNAViolation + 1
                                    else:
                                        nbViolation += 1
                                if fileType == "CSHARP":
                                    #logging.debug("RLB-9 : CSHARP! Found Test statement %s ==> %s", str(reference.value), str(reference.bookmark))
                                    try:
                                        #bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        obj.save_violation('CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp',bk)
                                        #reference.object.save_violation('CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp', reference.bookmark)
                                    except Exception as e:
                                        local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Violation not allowed on this kind of object, next version")
                                        nbNAViolation = nbNAViolation + 1
                                    else:
                                        nbViolation += 1
                try:
                    resultpatFloatLeft = re.finditer(patFloatCompLeft, line)
                except:
                    resultpatFloatLeft = None
                    #local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Cannot apply pattern %s to line %s", patFloatCompLeft, current_line)
                # --- Scan for pattern on the left (same logic as above, name taken from group 1)
                # ------------------------------------------------------------------------------------
                if not resultpatFloatLeft is None:
                    for p in resultpatFloatLeft:
                        for myIdx in range(len(aFloatVariableName)):
                            bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                            current_line = int(str(bk).split(",")[2])
                            tVar = p.group(1)
                            tScp = pfile.find_most_specific_object(current_line, 1).get_name()
                            if (tScp == tVar):
                                nVar = "[Global]." + tVar
                            else:
                                nVar = "[" + pfile.get_path()+"]." + tScp + "." + tVar
                            if (nVar == aFloatVariableName[myIdx]):
                                if fileType == "CCPP":
                                    #logging.debug("RLB-9: C/C++! Found Test statement %s ==> %s", str(reference.value), str(reference.bookmark))
                                    try:
                                        #bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP',bk)
                                        #reference.object.save_violation('CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP', reference.bookmark)
                                    except Exception as e:
                                        local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Violation not allowed on this kind of object, next version")
                                        nbNAViolation = nbNAViolation + 1
                                    else:
                                        nbViolation += 1
                                if fileType == "CSHARP":
                                    #logging.debug("RLB-9 : CSHARP! Found Test statement %s ==> %s", str(reference.value), str(reference.bookmark))
                                    try:
                                        #bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        obj.save_violation('CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp',bk)
                                        #reference.object.save_violation('CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp', reference.bookmark)
                                    except Exception as e:
                                        local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Violation not allowed on this kind of object, next version")
                                        nbNAViolation = nbNAViolation + 1
                                    else:
                                        nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-9-Step2 : File not found > " + str(pfile.get_path()) )
    except Exception as e:
        logging.error("OMG-RLB-9-Step2 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        # avoid a zero divisor in the throughput figure below
        msecs = 1
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step2 : END RLB-9-Step2 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-RLB-9-STEP2",nbViolation,nbNAViolation
    update_counts(tc)
    #Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "OMG-RLB-9-STEP2",int(nBytes/msecs),nBytes,msecs
    local_library.extraLogWrite(t)
def scan_file_SPDBviolation9_1_3(application, pfile, fileType) -> None:
    """Report typed declarations whose declarators carry no initializer (first definition).

    NOTE: a second ``def scan_file_SPDBviolation9_1_3`` later in this module
    rebinds the name, so this definition is not the one callers obtain after
    import.  Despite the historical note below, the pattern does not look at
    function calls: it matches ``float|int|char|bool <declarators>;``,
    splits the declarators on ``,`` and saves one violation on ``pfile``
    itself for every declarator without ``=``.  ``nbViolation`` is never
    incremented here and ``update_counts`` is commented out, so the END log
    always reports 0.  ``fileType`` is not consulted.  Per-line errors are
    logged and scanning continues.
    """
    # Description: CWE-252 : Unchecked Return Value
    # Languages : C/C++/C#
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE252violationCPP - CatID=2002000 PropID=2002004 SubID=2002254 QRID=2002558
    #            CWEforFDA_CustomMetrics_CSharp.CWE252violationCPP - CatID=2003000 PropID=2003004 SubID=2003254 QRID=2003558
    # Scope & Property : Scope by fn 100010 (n. of function calls)
    # NOTE
    # As the rule is widely general and largely semantic, it is tailored only on specific patterns.
    # It simply finds all function calls which are not assigned to vars.
    #
    nbViolation = 0
    nbNAViolation = 0
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info( "SPDBviolation9_1_3 : -------------------------------------------------------------------------" )
    logging.info( "SPDBviolation9_1_3 : Starting scan_file_SPDBviolation9_1_3 > " + str(pfile.name))
    # Group 1: type keyword; group 2: everything up to ";" (possibly several declarators).
    patFunCall = "(float|int|char|bool)[ \t\r\n]+([A-Za-z0-9_\-\(\),=\. \t\r\n]+);"
    # Group 1: line starts with "//"; group 2: "/*"; group 3: "*/".
    patComment = "(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        isInSingleLineComment = False
        isInMultiLineComment = False
        with open_source_file(pfile.get_path()) as f:
            # current line number
            current_line = 0
            for line in f:
                # Line of code
                # logging.error("Current line %s", line)
                current_line += 1
                # Errors on one line are logged below and do not stop the scan.
                try:
                    resultCom = re.finditer(patComment, line)
                    # logging.debug("resultCom value---" + str(line))
                    # Comment Exclusion - Start
                    if not resultCom is None:
                        for c in resultCom:
                            if c.group(1):
                                isInSingleLineComment = True
                            if c.group(2):
                                isInMultiLineComment = True
                            if c.group(3):
                                isInMultiLineComment = False
                    if isInMultiLineComment:
                        continue
                    if isInSingleLineComment:
                        isInSingleLineComment = False
                        continue
                    # Comment Exclusion - End
                    nBytes = nBytes + len(line)
                    # Get function call patterns
                    result = re.finditer(patFunCall, line)
                    # logging.info("Result is: >%s<", result)
                    if (not result is None):
                        for p in result:
                            logging.debug( "scan_file_SPDBviolation9_1_3 :: result value---" + str(p))
                            # logging.info("scan_file_SPDBviolation9_1_3::Result is: [%s] [%s] [%s] [%s] ", pfile, line, p.group(2), p.group(7))
                            checkMultipleVars = p.group(2).split(",")
                            for getVar in checkMultipleVars:
                                logging.debug( "scan_file_SPDBviolation9_1_3 :: getVar value---" + str(getVar))
                                # logging.info("\n@@@@ "+getVar)
                                if getVar.__contains__('='):
                                    logging.info( "SPDBviolation9_1_3 :: [PASSED] Value is initialized for " + getVar)
                                else:
                                    logging.debug( "Violation saved for getVar value---" + str(getVar))
                                    # The bookmark spans the whole declaration, not only this declarator.
                                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                                    pfile.save_violation( 'SPDB_CustomMetrics_C.SPDBviolation9_1_3', bk)
                                    # Set a bookmark for violation
                                    # obj = pfile
                                    # obj = pfile.find_most_specific_object(current_line, 1)
                                    # bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                                    # try:
                                    #     logging.error("SPDBviolation9_1_3 :: [VIOLATION] Value is NOT initialized for " + getVar)
                                    #     obj.save_violation('SPDB_CustomMetrics_C.SPDBviolation9_1_3', bk)
                                    # except Exception as e:
                                    #     logging.error("SPDBviolation9_1_3: Violation not allowed on this object, next version %s", str(e.message()))
                                    #     nbNAViolation = nbNAViolation + 1
                                    # else:
                                    #     nbViolation += 1
                                    #
                except Exception as e:
                    # NOTE(review): one "%s" but two arguments - logging reports a formatting error here.
                    logging.error("SPDBviolation9_1_3 : Error: %s, at line ", str(e), current_line)
    except FileNotFoundError:
        logging.error("SPDBviolation9_1_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("SPDBviolation9_1_3 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        # avoid a zero divisor in the throughput figure below
        msecs = 1
    logging.info( "SPDBviolation9_1_3 : END scan_file_CWE_252 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation9_1_3", nbViolation, nbNAViolation
    # update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "SPDBviolation9_1_3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)
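def scan_file_OMG_RLB_18(application, pfile, fileType) -> None:
    """Report string literals assigned in code that embed network resource configuration.

    Line-oriented heuristic for OMG RLB-18 (hard-coded network resource
    configuration data).  A line is reported when an assignment
    (``=`` not preceded by another ``=``) is followed by a double-quoted
    string containing a dotted IPv4-looking quad, a URL scheme
    (``http://``, ``https://``, ``ftp://``, ``mailto://``, ``file://``,
    ``data://``, ``irc://``), a ``www.``/``ftp.`` host prefix, or a
    ``?key=value`` / ``&key=value`` query fragment.  At most one violation
    is saved per line, on the object enclosing the line.

    Args:
        application: unused here; kept for the common scanner signature.
        pfile: file object providing ``name``, ``get_path()`` and
            ``find_most_specific_object()``.
        fileType: ``"CCPP"`` or ``"CSHARP"`` selects the property; other
            values scan the file but report nothing.

    Returns:
        None.  Counts go through ``update_counts`` and
        ``local_library.extraLogWrite``; I/O errors are logged, not raised.
    """
    # Author : MGE
    # last modification date: 24/3/2017
    # Description: OMG-ASCCRM-RLB-18: Storable and Member Data Element Initialization with Hard-Coded Network Resource Configuration Data
    # Languages : C/C++/C#
    # Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB18violationCPP - CatID=2002000 PropID=2002024 SubID=2002274 QRID=2002598
    #            CWEforFDA_CustomMetrics_CSharp.OMGRLB18violationCSharp - CatID=2003000 PropID=2003024 SubID=2003274 QRID=2003598
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-18 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-18 : Starting scan_file_OMG_RLB_18 > " + str(pfile.name))
    # Loose IPv4 quad: each octet is 1-3 digits of the shape [12]?[0-5]?[0-9],
    # so dotted version numbers such as 1.2.3.4 match too.
    patNetResource1 = r"([12]?[0-5]?[0-9]\.[12]?[0-5]?[0-9]\.[12]?[0-5]?[0-9]\.[12]?[0-5]?[0-9])"
    # NOTE: "mailto://" keeps the original spelling; RFC 6068 mailto URIs have no "//" and are not matched.
    patNetResource2 = r"(http[s]?://)|(ftp://)|(mailto://)|(file://)|(data://)|(irc://)"
    patNetResource3 = r"(www\.)|(ftp\.)"
    # Query fragment; lower-case letters only, as in the original pattern.
    patNetResource4 = r"([\?\&][ \t]*[a-z0-9\-\_]+[ \t]*\=[ \t]*[a-z0-9\-\_]+)"
    # All patterns are searched inside a double-quoted string on the right of an assignment.
    patNetResource = (r'[^=]=[ \t]*".*(' + patNetResource1 + "|" + patNetResource2 + "|"
                      + patNetResource3 + "|" + patNetResource4 + r').*"')
    # Group 1: line starts with "//"; group 2: "/*"; group 3: "*/".
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    properties = {
        "CCPP": 'CWEforFDA_CustomMetrics_C_CPP.OMGRLB18violationCPP',
        "CSHARP": 'CWEforFDA_CustomMetrics_CSharp.OMGRLB18violationCSharp',
    }
    prop = properties.get(fileType)  # None: scan for the byte count but save nothing

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment Exclusion - Start
                # Group 1 ("//" at line start) is per line; groups 2/3 ("/*", "*/")
                # toggle a flag that carries over to the following lines.
                startsLineComment = False
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        startsLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment or startsLineComment:
                    continue
                # Comment Exclusion - End
                nBytes = nBytes + len(line)
                # Get the most specific object containing the line
                obj = pfile.find_most_specific_object(current_line, 1)
                # Only the first match on a line is reported.
                p = re.search(patNetResource, line)
                if p is None or prop is None:
                    continue
                # Set a bookmark for violation
                bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                try:
                    obj.save_violation(prop, bk)
                except Exception:
                    # Some object kinds refuse violations: keep scanning, count it as not applicable.
                    local_library.cwefdaLoggerWarning("OMG-RLB-18: Violation not allowed on this kind of object, next version")
                    nbNAViolation = nbNAViolation + 1
                else:
                    nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-18 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("OMG-RLB-18 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a zero divisor in the throughput figure below
    local_library.cwefdaLoggerInfo("OMG-RLB-18 : END scan_file_OMG_RLB_18 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-RLB-18", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: bytes per millisecond, bytes scanned, elapsed milliseconds
    t = "OMG-RLB-18", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)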
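def scan_file_SPDBviolation9_1_3(application, pfile, fileType):
    """Flag declarations of basic C types whose declarators carry no initialiser.

    SPDBviolation9_1_3 (C).  NOTE: a second definition of this function
    appears later in this file; Python keeps the last one, so this copy is
    shadowed unless the later one is removed.

    As the rule is widely general and largely semantic, it is tailored only
    on specific patterns: a line holding `float|int|char|bool` followed by a
    declarator list ending in `;`.  Each comma-separated declarator (commas
    nested in parentheses are not split, so `x = f(a, b)` stays one
    declarator) without an `=` is reported.  Whole-line `//` comments and
    `/* ... */` blocks are skipped.  Prototypes such as `int f(int a);` have
    the same shape and are reported too; the pattern cannot tell them apart.

    Args:
        application: unused; common scanner signature.
        pfile: analysed file object (name, get_path(), save_violation()).
        fileType: unused; the rule is C only.

    Returns:
        None.  Violations are saved directly on pfile under
        'SPDB_CustomMetrics_C.SPDBviolation9_1_3'.  update_counts() is left
        commented out as in the original; only the extra log is written.
    """
    nbViolation = 0
    nbNAViolation = 0
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info("SPDBviolation9_1_3 : -------------------------------------------------------------------------")
    logging.info("SPDBviolation9_1_3 : Starting scan_file_SPDBviolation9_1_3 > " + str(pfile.name))

    # The leading \b keeps identifiers that merely end in a type name
    # (e.g. "point p;" contains "int p;") from matching.
    pat_decl = re.compile(r"\b(float|int|char|bool)[ \t\r\n]+([A-Za-z0-9_\-\(\),=\. \t\r\n]+);")
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    def split_declarators(decl_list):
        """Split on commas that are not nested inside parentheses."""
        parts = []
        depth = 0
        start = 0
        for i, ch in enumerate(decl_list):
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth = max(depth - 1, 0)
            elif ch == "," and depth == 0:
                parts.append(decl_list[start:i])
                start = i + 1
        parts.append(decl_list[start:])
        return parts

    try:
        in_single_line_comment = False
        in_multi_line_comment = False
        with open_source_file(pfile.get_path()) as source:
            current_line = 0
            for line in source:
                current_line += 1
                try:
                    # Comment exclusion: whole-line "//" and "/* ... */" only.
                    for c in pat_comment.finditer(line):
                        if c.group(1):
                            in_single_line_comment = True
                        if c.group(2):
                            in_multi_line_comment = True
                        if c.group(3):
                            in_multi_line_comment = False
                    if in_multi_line_comment:
                        continue
                    if in_single_line_comment:
                        in_single_line_comment = False
                        continue
                    nBytes += len(line)
                    for p in pat_decl.finditer(line):
                        logging.debug("scan_file_SPDBviolation9_1_3 :: result value---" + str(p))
                        for declarator in split_declarators(p.group(2)):
                            logging.debug("scan_file_SPDBviolation9_1_3 :: getVar value---" + str(declarator))
                            if "=" in declarator:
                                logging.info("SPDBviolation9_1_3 :: [PASSED] Value is initialized for " + declarator)
                                continue
                            logging.debug("Violation saved for getVar value---" + str(declarator))
                            bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                            pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation9_1_3', bk)
                            nbViolation += 1  # was never counted; END log reported 0
                except Exception as e:
                    # One %s per argument: the original had two arguments for a
                    # single placeholder and the record failed to format.
                    logging.error("SPDBviolation9_1_3 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("SPDBviolation9_1_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("SPDBviolation9_1_3 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # keeps the bytes/ms figure below finite
    logging.info("SPDBviolation9_1_3 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation9_1_3", nbViolation, nbNAViolation
    # update_counts(tc)
    # Extra log: rule, throughput (bytes/ms), bytes scanned, elapsed ms
    t = "SPDBviolation9_1_3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)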
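def scan_file_CWE(application, pfile, fileType):
    """Template scanner for `if` / `else` statements written without a block (C).

    Skeleton of a CWE rule: the regexes detect `if (...) stmt;` and
    `else stmt;` written on a single line with no `{`, but the property name
    is still empty and the save_violation call is commented out, so matches
    are only counted, never recorded.  Counters are reported under an empty
    rule name ("").  Whole-line `//` comments and `/* ... */` blocks are
    skipped; only fileType == "CCPP" is processed.

    Args:
        application: unused; common scanner signature.
        pfile: analysed file object (name, get_path(),
            find_most_specific_object(line, col)).
        fileType: only "CCPP" lines are counted.

    Returns:
        None.  Counters go to update_counts() and local_library.extraLogWrite().
    """
    nbViolation = 0
    nbNAViolation = 0
    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    nBytes = 0

    # `if (...) stmt;` / `else stmt;` on one line; `{` is outside the
    # character class, so a braced body never matches.
    stmt_chars = r"[A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+"
    pat_if_no_block = r"(if[ \t\n\r]*\(" + stmt_chars + r"(?!{)" + stmt_chars + r";)"
    pat_else_no_block = r"(else[ \t\n\r]*" + stmt_chars + r"(?!{)" + stmt_chars + r";)"
    pat_no_block = re.compile(pat_if_no_block + "|" + pat_else_no_block)
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    try:
        with open_source_file(pfile.get_path()) as source:
            current_line = 0
            for line in source:
                current_line += 1
                # Comment exclusion: whole-line "//" and "/* ... */" only.
                for c in pat_comment.finditer(line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                nBytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                if fileType != "CCPP":
                    continue
                for p in pat_no_block.finditer(line):
                    try:
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        # TODO: property name still to be assigned before enabling:
                        # obj.save_violation('', bk)
                    except Exception:
                        logging.warning("Violation not allowed on this kind of object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error(" : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error(" : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # keeps the bytes/ms figure below finite
    logging.info(" : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: rule, throughput (bytes/ms), bytes scanned, elapsed ms
    t = "", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)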
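def scan_file_SPDBviolation10_5_3(application, pfile, fileType):
    """Flag `case` / `default` branches of a `switch` that are not followed by a comment.

    SPDBviolation10_5_3 (C).  As the rule is widely general and largely
    semantic, it is tailored only on specific patterns:

    * once a line containing `switch` has been seen, every later line with
      `case` or `default` arms a check on the following line;
    * that following line must contain a comment marker (`//`, `/*` or
      `*/`); if it is blank or holds a `{`, the line after it (read through
      linecache) is examined instead;
    * a missing comment saves a violation on the current line.

    The check runs before comment exclusion, so a `// ...` line right after
    `case X:` counts as the required comment.  (Previously the comment line
    was skipped before the check ran and the next code line was flagged.)
    The "inside a switch" flag is never reset, so everything after the first
    `switch` in the file is treated as switch content.

    Args:
        application: unused; common scanner signature.
        pfile: analysed file object (name, get_path(), save_violation()).
        fileType: unused; the rule is C only.

    Returns:
        None.  Violations are saved on pfile under
        'SPDB_CustomMetrics_C.SPDBviolation10_5_3'.  update_counts() is left
        commented out as in the original; only the extra log is written.
    """
    nbViolation = 0
    nbNAViolation = 0
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info("SPDBviolation10_5_3 : -------------------------------------------------------------------------")
    logging.info("SPDBviolation10_5_3 : Starting scan_file_SPDBviolation10_5_3 > " + str(pfile.name))

    # Word boundaries keep "lowercase" / "default_value" from arming the check.
    pat_case = re.compile(r"\b(switch|case|default)\b\s*(.*)")
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    try:
        in_single_line_comment = False
        in_multi_line_comment = False
        inside_switch = False
        case_pending = False
        with open_source_file(pfile.get_path()) as source:
            current_line = 0
            for line in source:
                current_line += 1
                try:
                    if inside_switch and case_pending:
                        examined = line
                        if examined == "\n" or "{" in examined:
                            logging.info("Empty line - Check in next line %s", examined)
                            examined = linecache.getline(pfile.get_path(), current_line + 1)
                        if pat_comment.findall(examined):
                            logging.info("Proper COMMENTES are found in CASE %s", examined)
                        else:
                            logging.info("SPDBviolation10_5_3 :: VIOLATION - Each case branch of the switch statement should have comments %s - Line %s", examined, current_line)
                            # Bookmark spans the current line (end column -1 as in the original).
                            bk = Bookmark(pfile, current_line, 1, current_line, -1)
                            pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation10_5_3', bk)
                            nbViolation += 1  # was never counted; END log reported 0
                        case_pending = False

                    # Comment exclusion: whole-line "//" and "/* ... */" only.
                    for c in pat_comment.finditer(line):
                        if c.group(1):
                            in_single_line_comment = True
                        if c.group(2):
                            in_multi_line_comment = True
                        if c.group(3):
                            in_multi_line_comment = False
                    if in_multi_line_comment:
                        continue
                    if in_single_line_comment:
                        in_single_line_comment = False
                        continue
                    nBytes += len(line)

                    for p in pat_case.finditer(line):
                        keyword = p.group(1)
                        if keyword == "switch":
                            logging.info("SWITCH found - Current line %s", line)
                            inside_switch = True
                        elif keyword == "default":
                            logging.info("CASE found - Current line %s", line)
                            logging.info("DEFAULT found - Current line %s", line)
                            case_pending = True
                        else:
                            logging.info("CASE found - Current line %s", line)
                            case_pending = True
                except Exception as e:
                    # One %s per argument (the original lost the record by
                    # passing two arguments to a single placeholder).
                    logging.error("SPDBviolation10_5_3 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("SPDBviolation10_5_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("SPDBviolation10_5_3 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # keeps the bytes/ms figure below finite
    logging.info("SPDBviolation10_5_3 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation10_5_3", nbViolation, nbNAViolation
    # update_counts(tc)
    # Extra log: rule, throughput (bytes/ms), bytes scanned, elapsed ms
    t = "SPDBviolation10_5_3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)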
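def scan_file_SPDBviolation14_1_3(application, pfile, fileType):
    """Work-in-progress scanner: locate basic-type array declarations and log their size.

    SPDBviolation14_1_3 (C).  As the rule is widely general and largely
    semantic, it is tailored only on specific patterns.  For every
    `float|int|char|bool` (optionally `*`) declaration shaped `name[size]` or
    `name[]`, the size is taken from the brackets or, for `[]` with an
    initialiser list / string literal and a comma on the same line, from the
    number of comma-separated elements of that initialiser.  The sizes are
    only logged: no violation is saved and nbViolation stays 0.  Whole-line
    `//` comments and `/* ... */` blocks are skipped.

    The initialiser branch previously crashed on every line (the `logging`
    module was called as a function and `split` was invoked on a Match
    object); both are fixed so the size is actually computed.

    Args:
        application: unused; common scanner signature.
        pfile: analysed file object (name, get_path()).
        fileType: unused; the rule is C only.

    Returns:
        None.  Counters (always 0) go to update_counts() and the extra log.
    """
    nbViolation = 0
    nbNAViolation = 0
    msecs = local_library.millis()
    nBytes = 0
    logging.info("scan_file_SPDBviolation14_1_3 : -------------------------------------------------------------------------")
    logging.info("scan_file_SPDBviolation14_1_3 : Starting scan_file_SPDBviolation14_1_3 > " + str(pfile.name))

    # group(1) type, group(2) name, group(3) "[size]" or "[]", group(4) size text.
    # The leading \b keeps "point p[3]" from matching as "int p[3]".
    pat_array_decl = re.compile(
        r"\b(float|int|char|bool|float\*|int\*|char\*|bool\*)[ \t\r\n]+([a-zA-Z0-9_]*)(\[([^\[\]]+)\]|\[\])"
    )
    # `{ ... }` initialiser list or a double-quoted string literal.
    pat_initializer = re.compile(r'{([^}]+)\}|"([^}]+)"')
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    try:
        in_single_line_comment = False
        in_multi_line_comment = False
        with open_source_file(pfile.get_path()) as source:
            current_line = 0
            for line in source:
                current_line += 1
                try:
                    # Comment exclusion: whole-line "//" and "/* ... */" only.
                    for c in pat_comment.finditer(line):
                        if c.group(1):
                            in_single_line_comment = True
                        if c.group(2):
                            in_multi_line_comment = True
                        if c.group(3):
                            in_multi_line_comment = False
                    if in_multi_line_comment:
                        continue
                    if in_single_line_comment:
                        in_single_line_comment = False
                        continue
                    nBytes += len(line)

                    for p in pat_array_decl.finditer(line):
                        logging.info("scan_file_SPDBviolation14_1_3::Result is: %s %s %s ", pfile, line, p.group(1))
                        array_size = 0
                        if p.group(3) != "[]":
                            array_size = p.group(4)
                            logging.info("Value of %s is = %s", p.group(0), array_size)
                        else:
                            logging.info("Value of %s is = %s", p.group(0), line)
                            if "," in line:
                                for init in pat_initializer.finditer(line):
                                    # Count elements on the matched text itself.
                                    array_size = len(init.group(0).split(","))
                                    logging.debug("scan_file_SPDBviolation14_1_3 :: initializer %s", init.group(0))
                                    logging.info("Value of %s is = %s", p.group(0), array_size)
                        # TODO: array_size is computed but nothing is recorded yet.
                except Exception as e:
                    # One %s per argument (the original lost the record).
                    logging.error("scan_file_SPDBviolation14_1_3 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("scan_file_SPDBviolation14_1_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("scan_file_SPDBviolation14_1_3 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # keeps the bytes/ms figure below finite
    logging.info("scan_file_SPDBviolation14_1_3 : END scan_file %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "scan_file_SPDBviolation14_1_3", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: rule, throughput (bytes/ms), bytes scanned, elapsed ms
    t = "scan_file_SPDBviolation14_1_3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)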
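def scan_file_CWE_685_Step1(application, pfile, fileType):
    """Pass 1 of CWE-685: record every function definition with its parameter count.

    CWE-685: Function Call With Incorrect Number of Arguments.  Language: C.
    Property : CWEforFDA_CustomMetrics_C_CPP.CWE685violationCPP
               - CatID=2002000 PropID=2002016 SubID=2002266 QRID=2003582
    Author : MGE - last modification date: 24/3/2017

    scan_file_CWE_685_Step1 finds every `type name(params) {` written on one
    line and stores name / count in the module-level parallel lists
    aFunctionDefinitionName and aFunctionDefinitionNPar;
    scan_file_CWE_685_Step2 compares calls against them.  The count is
    `len(params.split(','))`, so `()` and `(a)` both count as 1; Step2 counts
    the same way, so the comparison stays consistent.  Names that
    local_library.is_a_keyword() reports as keywords are ignored.  A name
    already in the table has its count updated in place (the original wrote
    the new pair into whatever index the previous insertion had left behind,
    corrupting an unrelated entry).  Whole-line `//` comments and
    `/* ... */` blocks are skipped.

    Args:
        application: unused; common scanner signature.
        pfile: analysed file object (name, get_path()).
        fileType: unused; the rule is C only.

    Returns:
        None.  Side effects: the two global lists are extended/updated and
        the extra log is written.
    """
    global aFunctionDefinitionName
    global aFunctionDefinitionNPar

    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    nBytes = 0
    definitions_seen = 0
    local_library.cwefdaLoggerInfo("CWE-685-Step1 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-685-Step1 : Starting scan_file_CWE_685_Step1 > " + str(pfile.name))

    # pattern: return_type function_name ( parameter_list ) {
    # group(2) is the name, group(4) the parenthesised parameter list.
    pat_definition = re.compile(
        r"([A-Za-z][A-Za-z0-9_\-]*[ \t]+)([A-Za-z][A-Za-z0-9_\-]*)([ \t\r\n]*)"
        r"(\([A-Za-z0-9_\- \t\r\n.,\.\*]*\))([ \t\r\n]*){"
    )
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    try:
        with open_source_file(pfile.get_path()) as source:
            current_line = 0
            for line in source:
                current_line += 1
                # Comment exclusion: whole-line "//" and "/* ... */" only.
                for c in pat_comment.finditer(line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                nBytes += len(line)

                for p in pat_definition.finditer(line):
                    if local_library.is_a_keyword(p.group(2)) == 1:
                        continue  # e.g. "else if (x) {" matches the shape
                    function_name = p.group(2)
                    param_count = len(p.group(4).split(','))
                    if function_name in aFunctionDefinitionName:
                        idx = aFunctionDefinitionName.index(function_name)
                        aFunctionDefinitionNPar[idx] = param_count
                    else:
                        aFunctionDefinitionName.append(function_name)
                        aFunctionDefinitionNPar.append(param_count)
                    definitions_seen += 1
    except FileNotFoundError:
        logging.error("CWE-685-Step1 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-685-Step1 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # keeps the bytes/ms figure below finite
    # Two placeholders need two arguments (the original passed one).
    local_library.cwefdaLoggerInfo("CWE-685-Step1 : END CWE-685 %s - Found %s definitions ", str(pfile.name), str(definitions_seen))
    # Extra log: rule, throughput (bytes/ms), bytes scanned, elapsed ms
    t = "CWE-685-STEP1", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)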
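def scan_file_SPDBviolation14_1_1(application, pfile, fileType):
    """Check that each malloc() result is tested against NULL.

    SPDBviolation14_1_1 (C): memory allocation with malloc should be checked
    with NULL.  For every line matching `lhs = [(cast)] malloc(`, the next
    line (or the one after it when the next is blank) is read through
    linecache and passed to isValidatedWithIF() together with the match.
    That helper, defined elsewhere in this file, performs the `if (...)`
    check and any violation saving; its return value is not used here, so
    nbViolation is always reported as 0.  Whole-line `//` comments and
    `/* ... */` blocks are skipped.

    NOTE(review): linecache opens the file on its own, independently of
    open_source_file(); the two may differ in encoding handling.

    Args:
        application: unused; common scanner signature.
        pfile: analysed file object (name, get_path()).
        fileType: unused; the rule is C only.

    Returns:
        None.  Counters go to update_counts() and local_library.extraLogWrite().
    """
    nbViolation = 0
    nbNAViolation = 0
    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    nBytes = 0
    logging.info("14_1_1 : -------------------------------------------------------------------------")
    logging.info("14_1_1 : Starting scan_file_SPDBviolation14_1_1 > " + str(pfile.name))

    # `target = (cast) malloc(` -- group(1) is the assigned name.
    pat_malloc = re.compile(r"([a-zA-Z0-9_\.]*)\s*=\s*(\(\s*[a-zA-Z0-9_\.]+\s*\**\s*\))?\s*malloc\s*\(")
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    try:
        with open_source_file(pfile.get_path()) as source:
            current_line = 0
            for line in source:
                current_line += 1
                # Comment exclusion: whole-line "//" and "/* ... */" only.
                for c in pat_comment.finditer(line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                nBytes += len(line)

                for p in pat_malloc.finditer(line):
                    # Progress messages are debug, not error, like the sibling rules.
                    logging.debug("MALLOC %s, %s", p.group(1), line)
                    following = linecache.getline(pfile.get_path(), current_line + 1)
                    logging.debug("Attempt to process %s", following)
                    if following == "\n":
                        # Skip one blank line between the malloc and its check.
                        following = linecache.getline(pfile.get_path(), current_line + 2)
                        logging.debug("Attempt to process %s", following)
                    isValidatedWithIF(following, pfile, current_line, p)
    except FileNotFoundError:
        logging.error("SPDBviolation14_1_1 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("SPDBviolation14_1_1 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # keeps the bytes/ms figure below finite
    logging.info("SPDBviolation14_1_1 : END scan_file_SPDBviolation14_1_1 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation14_1_1", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: rule, throughput (bytes/ms), bytes scanned, elapsed ms
    t = "SPDBviolation14_1_1", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)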
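def scan_file_CWE_685_Step2(application, pfile, fileType):
    """Pass 2 of CWE-685: flag calls whose argument count differs from the definition.

    CWE-685: Function Call With Incorrect Number of Arguments.  Language: C.
    Property : CWEforFDA_CustomMetrics_C_CPP.CWE685violationCPP
               - CatID=2002000 PropID=2002016 SubID=2002266 QRID=2003582
    Author : MGE - last modification date: 24/3/2017

    Every `name(args)` on a non-comment line is matched.  If `name` is in
    aFunctionDefinitionName (filled by scan_file_CWE_685_Step1) and
    `len(args.split(','))` differs from the stored count, a violation is
    saved on the most specific object of that line.  Definitions match the
    same shape as calls, but their count equals the stored one, so they are
    not reported.  The lookup is one list.index() instead of the original
    scan over every known name, which also re-reported the same call once
    per duplicate table entry.  Whole-line `//` comments and `/* ... */`
    blocks are skipped.

    Args:
        application: unused; common scanner signature.
        pfile: analysed file object (name, get_path(),
            find_most_specific_object(line, col)).
        fileType: unused; the rule is C only.

    Returns:
        None.  Counters go to update_counts() and local_library.extraLogWrite().
    """
    global aFunctionDefinitionName
    global aFunctionDefinitionNPar

    nbViolation = 0
    nbNAViolation = 0
    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-685-Step2 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-685-Step2 : Starting scan_file_CWE_685_Step2 > " + str(pfile.name))

    # group(1) callee name, group(3) parenthesised argument list.
    pat_func_name = r"[A-Za-z][A-Za-z0-9_\-]*"
    pat_call = re.compile(r"(" + pat_func_name + r")([ \t\r\n]*)(\([A-Za-z0-9_\- \t\r\n.,\.\*]*\))")
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    try:
        with open_source_file(pfile.get_path()) as source:
            current_line = 0
            for line in source:
                current_line += 1
                # Comment exclusion: whole-line "//" and "/* ... */" only.
                for c in pat_comment.finditer(line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                nBytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)

                for p in pat_call.finditer(line):
                    called = p.group(1)
                    # Same counting as Step1: "()" and "(a)" both give 1.
                    arg_count = len(p.group(3).split(','))
                    try:
                        idx = aFunctionDefinitionName.index(called)
                    except ValueError:
                        continue  # not a function recorded by Step1
                    if arg_count == aFunctionDefinitionNPar[idx]:
                        continue
                    try:
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE685violationCPP', bk)
                    except Exception:
                        local_library.cwefdaLoggerWarning("CWE-685-Step2: Violation not allowed on this kind of object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-685-Step2 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-685-Step2 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # keeps the bytes/ms figure below finite
    local_library.cwefdaLoggerInfo("CWE-685-Step2 : END CWE-685 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-685-STEP2", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: rule, throughput (bytes/ms), bytes scanned, elapsed ms
    t = "CWE-685-STEP2", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)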
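def scan_file_SPDBviolation9_1_3(application, pfile, fileType):
    """Flag declarations of basic C types whose declarators carry no initialiser.

    SPDBviolation9_1_3 (C).  This is the definition Python keeps; an earlier
    function of the same name in this file is shadowed by it.

    As the rule is widely general and largely semantic, it is tailored only
    on specific patterns: a line holding `float|int|char|bool` followed by a
    declarator list ending in `;`.  Each comma-separated declarator (commas
    nested in parentheses are not split, so `x = f(a, b)` stays one
    declarator) without an `=` is reported on the whole line.  Whole-line
    `//` comments and `/* ... */` blocks are skipped.  Prototypes such as
    `int f(int a);` have the same shape and are reported too; the pattern
    cannot tell them apart.

    Args:
        application: unused; common scanner signature.
        pfile: analysed file object (name, get_path(), save_violation()).
        fileType: unused; the rule is C only.

    Returns:
        None.  Violations are saved directly on pfile under
        'SPDB_CustomMetrics_C.SPDBviolation9_1_3'; counters go to
        update_counts() and local_library.extraLogWrite().
    """
    nbViolation = 0
    nbNAViolation = 0
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info("SPDBviolation9_1_3 : -------------------------------------------------------------------------")
    logging.info("SPDBviolation9_1_3 : Starting scan_file_SPDBviolation9_1_3 > " + str(pfile.name))

    # The leading \b keeps identifiers that merely end in a type name
    # (e.g. "point p;" contains "int p;") from matching.
    pat_decl = re.compile(r"\b(float|int|char|bool)[ \t\r\n]+([A-Za-z0-9_\-\(\),=\. \t\r\n]+);")
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    def split_declarators(decl_list):
        """Split on commas that are not nested inside parentheses."""
        parts = []
        depth = 0
        start = 0
        for i, ch in enumerate(decl_list):
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth = max(depth - 1, 0)
            elif ch == "," and depth == 0:
                parts.append(decl_list[start:i])
                start = i + 1
        parts.append(decl_list[start:])
        return parts

    try:
        in_single_line_comment = False
        in_multi_line_comment = False
        with open_source_file(pfile.get_path()) as source:
            current_line = 0
            for line in source:
                current_line += 1
                try:
                    # Comment exclusion: whole-line "//" and "/* ... */" only.
                    for c in pat_comment.finditer(line):
                        if c.group(1):
                            in_single_line_comment = True
                        if c.group(2):
                            in_multi_line_comment = True
                        if c.group(3):
                            in_multi_line_comment = False
                    if in_multi_line_comment:
                        continue
                    if in_single_line_comment:
                        in_single_line_comment = False
                        continue
                    nBytes += len(line)
                    for p in pat_decl.finditer(line):
                        logging.debug("result value---" + str(p))
                        for declarator in split_declarators(p.group(2)):
                            logging.debug("getVar value---" + str(declarator))
                            if "=" in declarator:
                                logging.info("SPDBviolation9_1_3 :: [PASSED] Value is initialized for " + declarator)
                                continue
                            logging.debug("Violation saved for getVar value---" + str(declarator))
                            # Whole-line bookmark (end column -1), as in the original.
                            bk = Bookmark(pfile, current_line, 1, current_line, -1)
                            pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation9_1_3', bk)
                            nbViolation += 1  # was never counted; END log reported 0
                except Exception as e:
                    # One %s per argument (the original lost the record by
                    # passing two arguments to a single placeholder).
                    logging.error("SPDBviolation9_1_3 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("SPDBviolation9_1_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("SPDBviolation9_1_3 : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # keeps the bytes/ms figure below finite
    logging.info("SPDBviolation9_1_3 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation9_1_3", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: rule, throughput (bytes/ms), bytes scanned, elapsed ms
    t = "SPDBviolation9_1_3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)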
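def scan_file(application, pfile, fileType):
    """Template scanner: report `x == y;`-style comparisons used as statements.

    The pattern matches an identifier (optionally dereferenced with `*` or
    indexed with `[...]`), `==`, an operand, then `,`, `;` or `.` -- the
    shape of an intended assignment typed as a comparison.  The property
    name and the rule key are still empty strings; NOTE(review): with an
    empty property the save presumably fails and every match lands in
    nbNAViolation, so fill both in before enabling the rule.  Whole-line
    `//` comments and `/* ... */` blocks are skipped.

    Args:
        application: unused; common scanner signature.
        pfile: analysed file object (name, get_path(),
            find_most_specific_object(line, col)).
        fileType: unused.

    Returns:
        None.  Counters go to update_counts() and local_library.extraLogWrite().
    """
    nbViolation = 0
    nbNAViolation = 0
    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    nBytes = 0
    logging.info(" : -------------------------------------------------------------------------")

    pat_comparison_stmt = re.compile(
        r"[^\s\t]*(\**[a-zA-Z0-9_]+(\s*\[\s*[a-zA-Z0-9_]*\s*\]\s*)?)\s*==\s*([a-zA-Z0-9\s]+)\s*(,|;|\.)"
    )
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    try:
        with open_source_file(pfile.get_path()) as source:
            current_line = 0
            for line in source:
                current_line += 1
                # Comment exclusion: whole-line "//" and "/* ... */" only.
                for c in pat_comment.finditer(line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                nBytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)

                for p in pat_comparison_stmt.finditer(line):
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    try:
                        # TODO: property name still to be assigned.
                        obj.save_violation('', bk)
                    except Exception:
                        # Narrowed from a bare except so KeyboardInterrupt is not swallowed.
                        logging.warning(" : Violation not allowed on this object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error(" : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error(" : Error: %s", str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # keeps the bytes/ms figure below finite
    logging.info(" : END scan_file %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: rule, throughput (bytes/ms), bytes scanned, elapsed ms
    t = "", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)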