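def readExistingFlawFile(self, root):
    """Build a per-file IssueComparison map from an already-parsed flaw XML tree.

    Args:
        root: ElementTree-like element. ``root.iter("file")`` must yield
            elements carrying a ``path`` attribute and nested ``issue``
            elements with ``type``, ``startLine`` and (optionally)
            ``endLine`` attributes. Attribute values are used as-is (no
            integer conversion is performed here).

    Returns:
        dict mapping the lower-cased basename of each ``file`` element's
        ``path`` to an IssueComparison pre-loaded with that file's issues.

    Raises:
        TypeError: if a ``file`` element has no ``path`` attribute
            (``os.path.basename(None)``).

    Side effects:
        Every Issue is also registered with ``self.securityModel`` through
        ``appendExistingIssue``.
    """
    flawMap = {}
    for fileElement in root.iter("file"):
        # Keys are the lower-cased basename so that differing directory
        # prefixes or letter case between tools still match the same file.
        fileName = os.path.basename(fileElement.get("path")).lower()
        issueList = []
        for issueElement in fileElement.iter("issue"):
            startLine = issueElement.get("startLine")
            newIssue = Issue(fileName, issueElement.get("type"), startLine)
            endLine = issueElement.get("endLine")
            if endLine is not None:
                newIssue.endLine = endLine
            # startLine is assigned explicitly; the Issue constructor's third
            # argument is not relied on to populate the attribute.
            newIssue.startLine = startLine
            issueList.append(newIssue)
            self.securityModel.appendExistingIssue(newIssue)
        issueComparison = IssueComparison(fileName)
        issueComparison.addExistingIssues(issueList)
        flawMap[fileName] = issueComparison
    return flawMap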
def readExistingFlawFile(self, root):
    """Collect the issues recorded in a parsed flaw XML tree, grouped by file.

    Args:
        root: element whose ``iter("file")`` yields ``file`` elements (with a
            ``path`` attribute) containing ``issue`` elements that carry
            ``type``, ``startLine`` and optionally ``endLine`` attributes.

    Returns:
        dict of lower-cased file basename -> IssueComparison holding that
        file's existing issues.

    Side effects:
        Each created Issue is also passed to
        ``self.securityModel.appendExistingIssue``.
    """

    def build_issue(owner_name, element):
        # Turn one <issue> element into an Issue and register it with the model.
        start_line = element.get("startLine")
        created = Issue(owner_name, element.get("type"), start_line)
        end_line = element.get("endLine")
        if end_line is not None:
            created.endLine = end_line
        created.startLine = start_line
        self.securityModel.appendExistingIssue(created)
        return created

    flawMap = {}
    for entry in root.iter("file"):
        key = os.path.basename(entry.get("path")).lower()
        collected = [build_issue(key, element) for element in entry.iter("issue")]
        comparison = IssueComparison(key)
        comparison.addExistingIssues(collected)
        flawMap[key] = comparison
    return flawMap
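def collectFlaws(self, filePath, samateIssueMap, categoryList):
    """Locate the "bad" function(s) in one test-case source file.

    The file is read line by line. A line that matches the bad-function
    pattern, contains no ``;`` and is not inside a ``/* ... */`` comment
    opens an Issue; the Issue is closed when the brace count returns to
    zero. A file whose path contains ``_bad`` is treated as one bad unit
    spanning the whole file. When ``samateIssueMap`` has an entry for the
    file's basename, documented flaw lines (matched by text within
    ``self.CONST_ERROR_AREA`` lines of the documented line number) replace
    the brace-derived issues.

    NOTE(review): the nesting of the brace/isBlank bookkeeping was recovered
    from an unindented paste; confirm it against the upstream file.

    Args:
        filePath: path of the source file, opened in text mode with the
            platform default encoding.
        samateIssueMap: mapping keyed by file basename; each value is an
            iterable of objects exposing ``lineNumber`` and ``errorLine``.
        categoryList: substrings whose presence in a line inside a bad
            function marks a FLAW comment (deprecated, kept for testing).

    Returns:
        list of Issue objects, or None when nothing was found or when a
        non-``_bad`` file contains no primary ``bad()`` function.

    Side effects:
        Prints ``filePath`` when issues were found but no category comment.
    """
    foundCategory = []
    lineNumber = 1
    badFunctionFound = False
    shouldSearchForIssues = False
    # Bad-function signatures as defined in the test-suite documentation,
    # slightly adapted. Raw strings keep the escaped parentheses literal
    # without relying on unknown-escape passthrough.
    primaryBadFunction = r"(CWE.*_)?bad\(.*\).*$"
    if ".java" in filePath:
        badFunctionPattern = r"((.*bad\(.*\))|((bad_.*)\(.*\))|((helper_bad.*)\(.*\))|((_bad.*)\(.*\))).*$"
    else:
        badFunctionPattern = r"(((CWE.*_)?bad\(\).*)|((bad_.*)\(.*\))|((helper_bad.*)\(.*\))).*$"
    startLine = -1
    endLine = -1
    # A "_bad" file is a single bad unit from line 1 to its end; no
    # per-function brace or comment tracking is done for it.
    badClassFile = "_bad" in filePath
    if badClassFile:
        startLine = 1
    # The CWE id is the first "_"-separated component of the file name.
    cweEntry = os.path.basename(filePath).split("_")[0]
    issueList = []
    hasPrimaryBadFunction = False
    isInComment = False
    isBlank = False
    fileName = os.path.basename(filePath)
    # Prefer the documented flaw lines when the file is known in the map.
    samateIssue = samateIssueMap.get(fileName)
    samateIssueList = []
    alreadyProcessedErrorLines = []
    with open(filePath) as sourceFile:
        for line in sourceFile:
            trimedLine = line.strip()
            # Comment delimiters on this line; comment state is only tracked
            # for non-"_bad" files.
            commentStart = trimedLine.find('/*')
            commentEnd = trimedLine.find('*/')
            if not badClassFile and commentStart >= 0:
                isInComment = True
            if not badClassFile and commentEnd >= 0:
                isInComment = False
            match = re.search(badFunctionPattern, trimedLine)
            # A match only counts when it is not inside the /* ... */ span
            # found on this same line.
            correctMatch = (
                match is not None
                and (
                    (commentStart == -1 and commentEnd == -1)
                    or not (commentStart <= match.start() <= commentEnd)
                )
            )
            if (not badClassFile and correctMatch
                    and ";" not in trimedLine and not isInComment):
                badFunctionFound = True
                openBracketCount = 0
                if re.search(primaryBadFunction, trimedLine) is not None:
                    hasPrimaryBadFunction = True
                startLine = lineNumber
                # A new Issue is only created when the previous function was
                # not just closed (isBlank is reset once a non-blank,
                # non-comment line is seen).
                if not isBlank:
                    issue = Issue(filePath, cweEntry, -1)
                    issue.startLine = lineNumber
            # isBlank stays set only across empty or comment lines that
            # directly follow a closed function.
            if isBlank and (len(trimedLine) == 0 or trimedLine.startswith('/*')):
                isBlank = True
            else:
                isBlank = False
            if badFunctionFound:
                isCommentLine = trimedLine.startswith('/*') or trimedLine.startswith('*')
                if '{' in trimedLine and not isCommentLine:
                    openBracketCount += 1
                if '}' in trimedLine and not isCommentLine:
                    openBracketCount -= 1
                    if openBracketCount == 0:
                        # Function body closed: finish the Issue.
                        badFunctionFound = False
                        endLine = lineNumber
                        issue.endLine = lineNumber
                        issueList.append(issue)
                        isBlank = True
            # Only lines inside a bad function (or anywhere in a "_bad" file)
            # are searched for FLAW comments and documented error lines.
            shouldSearchForIssues = badFunctionFound or badClassFile
            if shouldSearchForIssues:
                # Deprecated category logic, kept only for testing purposes.
                if any(cat in line for cat in categoryList):
                    startIdx = line.find('/*')
                    endIdx = line.find(':')
                    foundCategory.append(line[startIdx + 2:endIdx].strip())
                # The documented files do not match line-for-line, so the
                # documented error line text is compared and must lie within
                # CONST_ERROR_AREA lines of the documented line number.
                if samateIssue is not None and len(samateIssue) > 0:
                    for sIssue in samateIssue:
                        sIssueLineNumber = int(sIssue.lineNumber)
                        lowerBound = sIssueLineNumber - self.CONST_ERROR_AREA
                        upperBound = sIssueLineNumber + self.CONST_ERROR_AREA
                        if (trimedLine == sIssue.errorLine
                                and sIssue.errorLine not in alreadyProcessedErrorLines
                                and lowerBound <= lineNumber <= upperBound):
                            samateIssueList.append(Issue(filePath, cweEntry, lineNumber))
                            alreadyProcessedErrorLines.append(sIssue.errorLine)
            lineNumber += 1
    if badClassFile:
        # Whole-file Issue; lineNumber is now one past the last line read.
        endLine = lineNumber
        issue = Issue(filePath, cweEntry, -1)
        issue.startLine = startLine
        issue.endLine = endLine
        issueList.append(issue)
    if len(samateIssueList) > 0:
        issueList = samateIssueList
    # Only report files that contain a primary bad() function (or "_bad" files).
    if len(issueList) == 0 or (not badClassFile and not hasPrimaryBadFunction):
        return None
    if len(foundCategory) <= 0:
        print(filePath)
    return issueList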
def collectFlaws(self,filePath, samateIssueMap, categoryList):
    """Locate the "bad" function(s) in one test-case source file.

    Lines matching the bad-function pattern (no ``;``, not inside a
    ``/* ... */`` comment) open an Issue that is closed when the brace
    count returns to zero. Files whose path contains ``_bad`` become one
    Issue spanning the whole file. If ``samateIssueMap`` knows the file's
    basename, documented error lines (matched by text within
    ``self.CONST_ERROR_AREA`` lines of the documented line number) replace
    the brace-derived issues.

    NOTE(review): the block nesting below was recovered from an unindented
    paste; confirm it against the upstream file.

    Args:
        filePath: path of the source file; it is opened with ``open`` and
            never explicitly closed.
        samateIssueMap: mapping keyed by file basename to an iterable of
            objects with ``lineNumber`` and ``errorLine`` attributes.
        categoryList: substrings marking FLAW comments (deprecated).

    Returns:
        list of Issue objects, or None if none were found or a non-``_bad``
        file has no primary ``bad()`` function.

    Side effects:
        Prints ``filePath`` when issues exist but no category was found.
    """
    foundCategory = []
    lineNumber = 1
    badFunctionFound = False
    shouldSearchForIssues = False
    #defining the bad functions as defined in the docu, slightly adopted
    # NOTE(review): non-raw strings with "\(" rely on unknown-escape
    # passthrough; newer Pythons warn about this.
    primaryBadFunction = "(CWE.*_)?bad\(.*\).*$"
    if(".java" in filePath):
        badFunctionPattern = "((.*bad\(.*\))|((bad_.*)\(.*\))|((helper_bad.*)\(.*\))|((_bad.*)\(.*\))).*$"
    else:
        #(((CWE.*_)?bad\(\).*$)|((CWE.+_)bad_source(_[a-z])?.*$)|(
        #badFunctionPattern = "(((CWE.*_)?bad\(\).*)|(bad_([a-z])*))$"
        badFunctionPattern = "(((CWE.*_)?bad\(\).*)|((bad_.*)\(.*\))|((helper_bad.*)\(.*\))).*$"
    #inlineBadFunctionPattern = ".*/\*("+badFunctionPattern+")";
    startLine = -1;
    endLine = -1;
    # A "_bad" file is one bad unit starting at line 1; no brace tracking.
    if("_bad" in filePath):
        badClassFile = True
        startLine = 1;
    else:
        badClassFile = False
    # CWE id: first "_"-separated component of the file name.
    cweEntry = os.path.basename(filePath).split("_")[0]
    issueList = []
    hasPrimaryBadFunction = False;
    isInComment = False;
    isBlank = False;
    fileName = os.path.basename(filePath)
    #if we found an entry in the samateissuemap use this one because there we have definied line numbers
    if(fileName in samateIssueMap):
        samateIssue = samateIssueMap.get(fileName)
    else:
        samateIssue = None;
    samateIssueList = list()
    samateGeneratedIssue = None
    alreadyProcessedErrorLines = list()
    #print(filePath)
    # NOTE(review): the file handle is never closed (no with-statement).
    for line in open(filePath):
        trimedLine = line.strip()
        #print("isComment="+str(line.find('/*')))
        #try to find comment lines
        commentStart = trimedLine.find('/*')
        commentEnd = trimedLine.find('*/')
        if(not badClassFile and commentStart >=0):
            isInComment = True;
        if(not badClassFile and commentEnd>=0):
            isInComment = False
        #use search regex to find the line match
        match = re.search(badFunctionPattern, trimedLine)
        # The match only counts if it is outside the /* ... */ span on this line.
        if(match != None and ((commentStart==-1 and commentEnd==-1) or not (match.start() >=commentStart and match.start()<=commentEnd))):
            correctMatch = True
        else:
            correctMatch = False
        #print("trimedLine="+trimedLine+"; isComment="+str(isInComment)+"; isBlank="+str(isBlank)+"; badClassFile="+str(badClassFile))
        if (not badClassFile and correctMatch and not ";" in trimedLine and not isInComment):
            badFunctionFound = True
            #print("hello"+trimedLine)
            openBracketCount = 0
            if(re.search(primaryBadFunction, trimedLine) !=None):
                hasPrimaryBadFunction = True
            startLine = lineNumber;
            # Only create a new Issue if the previous function was not just closed.
            if(not isBlank):
                #print("create issue")
                issue = Issue(filePath, cweEntry, -1)
                issue.startLine = lineNumber
        # isBlank survives only across empty / comment lines after a closed function.
        if(isBlank and (len(trimedLine)==0 or trimedLine.startswith('/*')) ):
            isBlank = True
        else:
            isBlank = False
        if(badFunctionFound):
            if('{' in trimedLine and not trimedLine.startswith('/*') and not trimedLine.startswith('*')):
                openBracketCount = openBracketCount + 1
            if('}' in trimedLine and not trimedLine.startswith('/*') and not trimedLine.startswith('*')):
                openBracketCount = openBracketCount - 1
                # Brace count back to zero: the bad function body is complete.
                if(openBracketCount==0):
                    badFunctionFound = False
                    endLine = lineNumber;
                    issue.endLine = lineNumber
                    issueList.append(issue)
                    isBlank = True
        #AW20130412 for now only use the full function as possible errors
        if(badFunctionFound or badClassFile):
            shouldSearchForIssues = True
        else:
            shouldSearchForIssues = False
        if(shouldSearchForIssues):
            #search for FLAW-Comments in the current line and add them to the category list if found
            #this category logic is deprecated and only used for some testing purpose
            if any(cat in line for cat in categoryList):
                startIdx = line.find('/*')
                endIdx = line.find(':')
                foundCategory.append(line[startIdx+2:endIdx].strip())
            #AW20130525 use documented flaw line number if possible
            #sadly the files do not match 100% therefore we need to compare the error lines manually
            #and check in which linenumber we are
            if(samateIssue!=None and len(samateIssue)>0):
                #print(filePath+"; match=")
                #print("trimedLine="+trimedLine)
                for sIssue in samateIssue:
                    sIssueLineNumber = int(sIssue.lineNumber)
                    #AW20130529 the errorLine should be near the defined lineNumber in the SRD-Files (use CONST_ERROR_AREA as space)
                    if(trimedLine == sIssue.errorLine and sIssue.errorLine not in alreadyProcessedErrorLines and lineNumber>= sIssueLineNumber-self.CONST_ERROR_AREA and lineNumber <= sIssueLineNumber+self.CONST_ERROR_AREA):
                        #print("trimedLine="+trimedLine+"; "+sIssue.errorLine)
                        samateGeneratedIssue = Issue(filePath, cweEntry, lineNumber)
                        samateIssueList.append(samateGeneratedIssue)
                        alreadyProcessedErrorLines.append(sIssue.errorLine)
        lineNumber+=1
    if(badClassFile):
        # Whole-file Issue; lineNumber is one past the last line read here.
        endLine = lineNumber;
        issue = Issue(filePath, cweEntry, -1)
        issue.startLine=startLine
        issue.endLine = endLine
        issueList.append(issue)
    #if('issue' in locals() and not issue in issueList):
    #    issueList.append(issue)
    if(len(samateIssueList)>0):
        #print("use samate Issue List "+str(len(samateIssueList)))
        issueList = samateIssueList
    #AW20130412 only return issues which occur in files with primary bad function
    if(len(issueList)==0 or (not badClassFile and not hasPrimaryBadFunction)):
        return None
    else:
        if(len(foundCategory)<=0):
            print(filePath)
        return issueList