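def isValidatedWithIF(line, pfile, current_line, p):
    """Check that the allocation on *line* is guarded by a ``NULL`` test.

    The line is searched for an ``if (...)`` condition; when one is present
    and the line mentions ``NULL`` the allocation is considered validated.
    In every other case (no ``if``, or an ``if`` without ``NULL``) a
    ``SPDB_CustomMetrics_C.SPDBviolation14_1_1`` violation is saved on
    *pfile*, bookmarked on the whole of *current_line* (column 1 to -1).

    Args:
        line: Source line under analysis.
        pfile: Analysed file object; receives ``save_violation``.
        current_line: 1-based number of *line* in *pfile*.
        p: Match object of the allocation.  Not used by the check itself;
           kept for the caller's signature.

    Returns:
        None.
    """
    # Raw string: '\s' and '\(' are regex escapes, not Python ones
    pat_if_condition = r"if\s*\((.*)(?=\))"
    logging.error("%s", line)
    if_conditions = re.findall(pat_if_condition, line)
    logging.error("IF condition present")
    validated = False
    if if_conditions:
        logging.error("Search String %s", line)
        # The NULL test is looked up on the whole line, not only inside the
        # captured condition.
        validated = bool(re.findall(r"(NULL)", line))
    if validated:
        logging.error(
            "NO-VIOLATION MALLOC is validated with NULL - lines[1] %s", line)
        return
    # "no if" and "if without NULL" are reported identically; the two
    # duplicated branches of the original are merged here.
    bk = Bookmark(pfile, current_line, 1, current_line, -1)
    pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation14_1_1', bk)
    logging.error(
        "SPDBviolation14_1_1 :: VIOLATION: MALLOC is NOT validated with NULL - %s", line)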
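def markFreed(pfile, current_line, p, module_line):
    """Check that a freed pointer is set to ``NULL`` on *module_line*.

    *p* is the match of a ``free(<name>)`` call whose ``group(1)`` is the
    pointer name.  *module_line* is the line the caller wants inspected for
    ``<name> = NULL;``.  When that assignment is missing a
    ``SPDB_CustomMetrics_C.SPDBviolation14_1_5`` violation is saved on
    *pfile*, bookmarked at *current_line* on the columns of *p*.

    Args:
        pfile: Analysed file object; receives ``save_violation``.
        current_line: 1-based line number used for the bookmark.
        p: Match object; ``group(1)`` is the freed name, ``start()``/``end()``
           give the bookmark columns.
        module_line: Source line expected to carry the nulling assignment.

    Returns:
        None.
    """
    freed_name = p.group(1)
    # re.escape: the captured name is interpolated into a pattern, so a regex
    # metacharacter in it (e.g. '.' of a member access) must stay literal.
    pat_nullify = "(" + re.escape(freed_name) + ")" + r"\s*=\s*NULL\s*;"
    nullified = re.findall(pat_nullify, module_line)
    logging.error("Pattern %s, String %s", pat_nullify, module_line)
    if nullified:
        logging.error("MEMORY is freed - True %s", module_line)
        return
    logging.error("MEMORY is NOT freed - VIOLATION %s", module_line)
    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
    pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation14_1_5', bk)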
def end_application3(self, application):
    """Link C# methods to the SQL tables named in the SQL text they build.

    For every link whose callee is a C# method, the code around the link is
    fetched and classified by testifsql(); identifiers found in the text are
    matched against "SQLScriptTable" objects and a typed link
    (useInsertLink / useSelectLink / useUpdateLink) is created, bookmarked at
    the column where the table name occurs in the code.

    Args:
        application: Application whose objects and links are walked.

    Returns:
        None.
    """
    variables = application.objects().has_type(
        "CAST_DotNet_MethodCSharp")  # every C# method object
    for link in application.links().has_callee(variables).load_positions():
        try:
            code = link.get_code(3)  # multiline code around the link
            # testifsql: (statement kind, text following it) -- TODO confirm contract
            sql, b = testifsql(code)
            if (sql == "nothing"):
                continue
            try:
                c, a = b.split(
                    "=")  # if there is an equal, take everything before it
                b = c
            except:
                # not exactly one '=': keep b unchanged
                pass
            print("b = " + b)
            objet = re.split("[^\w]+", b)  # identifier candidates for table names
            for obj in objet:
                if (obj != ""):
                    for f in application.objects():
                        try:
                            if (f.get_name() == obj and f.get_type() == "SQLScriptTable"):
                                try:
                                    # NOTE(review): assumes str(get_positions()) looks like
                                    # "[...(File(<name>, <type>), <line>, ...)]" -- TODO confirm
                                    positions = str(
                                        link.get_caller().get_positions())
                                    pos = ""
                                    for i in range(len(positions) - 2):
                                        pos += positions[i + 1]  # drop first and last char
                                    arr = pos.split(",")
                                    file = arr[0].split("(")
                                    line = int(arr[2]) + 2
                                    for ds in application.objects():
                                        if (ds.get_name() == file[2]):
                                            asd = ds  # object whose name matches the file part
                                    hg = 0
                                    tes = 0
                                    if (sql == "select"):
                                        code = code.split("{")[1]
                                    # Character-by-character search of obj inside code;
                                    # hg = number of consecutive matched characters.
                                    # On a mismatch the current char is not re-tried
                                    # against obj[0], and a match ending on the last
                                    # char of code never sets column.
                                    for lo in range(len(code)):
                                        if (hg < len(obj)):
                                            if (code[lo] == obj[hg]):
                                                hg += 1
                                                continue
                                            else:
                                                hg = 0
                                        else:
                                            tes = 1
                                            column = lo - len(obj)
                                            break
                                except:
                                    print("Unexpected error:", sys.exc_info()[0])
                                # NOTE(review): asd, line and column are only bound when
                                # the search above succeeded; otherwise the NameError
                                # raised here is swallowed by the enclosing except.
                                print("creating a link from " + link.get_caller().get_name() + " to " + f.get_name())
                                bookmark = Bookmark(
                                    asd, line, column, line, column + len(obj))
                                print("type : ", end="")
                                print(sql)
                                if (sql == "insert"):
                                    create_link("useInsertLink", link.get_caller(), f, bookmark)
                                if (sql == "insert into"):
                                    create_link("useInsertLink", link.get_caller(), f, bookmark)
                                if (sql == "select"):
                                    create_link("useSelectLink", link.get_caller(), f, bookmark)
                                if (sql == "update"):
                                    create_link("useUpdateLink", link.get_caller(), f, bookmark)
                                if (sql == "select count"):
                                    create_link("useSelectLink", link.get_caller(), f, bookmark)
                                qwe = 1
                        except:
                            print("error get_name")
                            pass
        except:
            print("Unexpected error 2:", sys.exc_info()[0])
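def scan_file(self, application, _file):
    """Scan one PeopleCode source file for the configured security patterns.

    Every non-commented line is matched against the pattern lists held on
    ``self`` (``sql_patterns``, ``input_patterns``, ``output_patterns``,
    ``file_patterns``, ``oscmdpatterns``, ``logforgingpatterns``).  A hit
    saves the corresponding ``Psft_Security_CustomMetrics`` property on the
    most specific object enclosing the line, bookmarked on the whole line.
    The XSS check pairs an output line with every earlier input line that
    belongs to the same object.  At the end the per-rule
    ``nbObjectInViolation*`` counters on ``self`` are incremented once per
    rule that fired in this file.

    Args:
        application: Unused; kept for the caller's signature.
        _file: File object providing ``get_path()`` and
            ``find_most_specific_object(line, column)``.

    Returns:
        None.
    """
    sql_hit = xss_hit = file_hit = oscmd_hit = logforging_hit = False
    input_lines = []  # line numbers where an input pattern was seen

    def whole_line(line_nb):
        """Bookmark covering all of line *line_nb* (column 1 to end)."""
        return Bookmark(_file, line_nb, 1, line_nb, -1)

    def flag(line_nb, property_name):
        """Save *property_name* on the most specific object enclosing *line_nb*."""
        # Internal API used under the hood by the ReferenceFinder API
        obj = _file.find_most_specific_object(line_nb, 1)
        obj.save_violation(property_name, whole_line(line_nb))

    with my_open_source_file(_file.get_path()) as src_file:
        for line_nb, line in enumerate(src_file, start=1):
            # NOTE(review): reconstructed from a flattened source; the comment
            # gate is assumed to cover every pattern family below -- confirm.
            if not is_not_commented_out(line):
                continue
            # TODO: find input + find target + no sanitizer == violation
            # TEMP: direct violation on the SQL target
            for pattern in self.sql_patterns:
                # 'and' short-circuits; the original '&' always evaluated
                # quote_is_missing even when the line carried no '|'
                if pattern in line and '|' in line and quote_is_missing(line):
                    sql_hit = True
                    flag(line_nb, 'Psft_Security_CustomMetrics.Pcode_SQL_Injection')
            # Input patterns: remember the line for the XSS pairing below
            if any(pattern in line for pattern in self.input_patterns):
                input_lines.append(line_nb)
            # Output patterns: potential XSS when the same object also reads input
            for pattern in self.output_patterns:
                if pattern not in line:
                    continue
                output_object = _file.find_most_specific_object(line_nb, 1)
                output_bookmark = whole_line(line_nb)
                # TODO: add the property for LWI in all cases
                output_flagged = False
                for input_nb in input_lines:
                    input_object = _file.find_most_specific_object(input_nb, 1)
                    if input_object == output_object:
                        if not output_flagged:
                            # the output line is reported once per object
                            output_flagged = True
                            xss_hit = True
                            output_object.save_violation(
                                'Psft_Security_CustomMetrics.Pcode_XSS_Injection', output_bookmark)
                        # NOTE(review): every matching input line is reported
                        # (placement reconstructed from flattened source -- confirm)
                        input_object.save_violation(
                            'Psft_Security_CustomMetrics.Pcode_XSS_Injection', whole_line(input_nb))
            for pattern in self.file_patterns:
                if pattern in line:
                    file_hit = True
                    flag(line_nb, 'Psft_Security_CustomMetrics.Pcode_CWE73violation')
            for pattern in self.oscmdpatterns:
                if pattern in line:
                    oscmd_hit = True
                    flag(line_nb, 'Psft_Security_CustomMetrics.Pcode_CWE78violation')
            for pattern in self.logforgingpatterns:
                if pattern in line:
                    logforging_hit = True
                    flag(line_nb, 'Psft_Security_CustomMetrics.Pcode_CWE117violation')

    # Per-file statistics, counted once per rule, outside the line loop
    if sql_hit:
        self.nbObjectInViolationForSQLExec += 1
    if xss_hit:
        self.nbObjectInViolationForXSS += 1
    if file_hit:
        self.nbObjectInViolationAvoidFile += 1
    if oscmd_hit:
        self.nbObjectInViolationAvoidOSCommand += 1
    if logforging_hit:
        self.nbObjectInViolationLogForging += 1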
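def scan_file_SPDBviolation10_3_3(application, pfile, fileType):
    """Hand every ``float`` declarator of *pfile* to scan_Utilities.unConditionalCheck.

    Description: scan_file_SPDBviolation10_3_3
    NOTE (original author): as the rule is widely general and largely
    semantic, it is tailored only on specific patterns.

    What the code does: each non-commented ``float <declarators>;`` statement
    is split on ',' and every declarator (its name only, when it carries an
    ``=`` initializer) is passed to ``scan_Utilities.unConditionalCheck``
    together with the open file handle.  Lines inside ``//`` or ``/* */``
    comments are skipped.  Violation counting is left to that helper; the
    local counters reported at the end stay at zero.

    Args:
        application: Unused; kept for the caller's signature.
        pfile: File object providing ``name`` and ``get_path()``.
        fileType: Unused; kept for the caller's signature.

    Returns:
        None.
    """
    nb_violation = 0
    nb_na_violation = 0
    dt_type = "float"
    msecs = local_library.millis()
    n_bytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info(
        "scan_file_SPDBviolation10_3_3 : -------------------------------------------------------------------------"
    )
    logging.info(
        "scan_file_SPDBviolation10_3_3 : Starting scan_file_scan_file_SPDBviolation10_3_3 > "
        + str(pfile.name))
    # Raw strings: the escapes are regex escapes, not Python ones
    pat_float_decl = r"(float)[ \t\r\n]+([A-Za-z0-9_\-\(\),=\. \t\r\n]+);"
    pat_comment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        in_single_line_comment = False
        in_multi_line_comment = False
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                try:
                    # Comment exclusion: group 1 = '//', group 2 = '/*', group 3 = '*/'
                    for c in re.finditer(pat_comment, line):
                        if c.group(1):
                            in_single_line_comment = True
                        if c.group(2):
                            in_multi_line_comment = True
                        if c.group(3):
                            in_multi_line_comment = False
                    if in_multi_line_comment:
                        continue
                    if in_single_line_comment:
                        in_single_line_comment = False
                        continue
                    n_bytes += len(line)
                    for p in re.finditer(pat_float_decl, line):
                        logging.info(
                            "scan_file_scan_file_SPDBviolation10_3_3::Result is: [%s] [%s] [%s]",
                            pfile, line, p.group(2))
                        for declarator in p.group(2).split(","):
                            logging.debug(
                                "scan_file_SPDBviolation10_3_3 :: getVar value---" + str(declarator))
                            if '=' in declarator:
                                # initialised: only the name left of '=' is checked
                                var_name = declarator.split("=")[0]
                                logging.info(
                                    "scan_file_SPDBviolation10_3_3 :: [PASSED] Value is initialized for " + var_name)
                                # the helper receives the file handle and may read ahead
                                scan_Utilities.unConditionalCheck(
                                    line, pfile, current_line, p, f, var_name, dt_type)
                            else:
                                logging.debug(
                                    "scan_file_SPDBviolation10_3_3 :: Violation saved for getVar value---" + str(declarator))
                                scan_Utilities.unConditionalCheck(
                                    line, pfile, current_line, p, f, declarator, dt_type)
                except Exception as e:
                    # Bug fix: the format string carried one %s for two arguments
                    logging.error(
                        "scan_file_SPDBviolation10_3_3 : Error: %s, at line %s", str(e), current_line)
            # NOTE(review): the original ended with a loop dumping the rest of the
            # file handle to the log after the first match; its position in the
            # flattened source is ambiguous (inside the line loop it would have
            # stopped the scan after the first float declaration). It is dropped.
    except FileNotFoundError:
        logging.error("scan_file_SPDBviolation10_3_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("scan_file_SPDBviolation10_3_3 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    logging.info(
        "scan_file_SPDBviolation10_3_3 : END %s - Found %s violation ",
        str(pfile.name), str(nb_violation))
    tc = "SPDBviolation10_3_3", nb_violation, nb_na_violation
    update_counts(tc)
    # Extra log: bytes per millisecond for this file
    t = "SPDBviolation10_3_3", int(n_bytes / msecs), n_bytes, msecs
    local_library.extraLogWrite(t)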
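def scan_file_OMG_RLB_9_Step1(application, pfile, fileType):
    """OMG RLB-9 step 1: collect the float-typed variables defined in *pfile*.

    Author : MGE - last modification date: 24/3/2017
    Description: OMG RLB-9: Float Type Storable and Member Data Element
    Comparison with Equality Operator
    Languages : C/C++/C#
    Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP - CatID=2002000 PropID=2002022 SubID=2002272 QRID=2002594
               CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp - CatID=2003000 PropID=2003022 SubID=2003272 QRID=2003594

    Step 1 (this function) appends a qualified name for every ``float``,
    ``double`` or ``long double`` definition on a non-commented line to the
    module-level list ``aFloatVariableName``; step 2 looks for ``==``
    comparisons involving them.  The scope is the file+function or global;
    lower scopes are not considered.  The name is ``[Global].<var>`` when the
    most specific object enclosing the line has the same name as the
    variable, else ``[<path>].<scope>.<var>``.

    Args:
        application: Unused; kept for the caller's signature.
        pfile: File object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``.
        fileType: Unused; kept for the caller's signature.

    Returns:
        None.  Side effect: appends to the global ``aFloatVariableName``.
    """
    global aFloatVariableName
    last_index = 0  # index of the last entry appended, reported at the end
    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    n_bytes = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step1 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step1 : Starting scan_file_OMG_RLB_9_Step1 > " + str(pfile.name))
    # Raw strings: the escapes are regex escapes, not Python ones
    pat_float_definition = r"((float)|(double)|(long double))([ \t\r\n]+)([A-Za-z0-9_\-\(\),=\. \t\r\n]+);"
    pat_comment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    # Compiled once: blank out function calls and numeric initialisers so that
    # they do not pollute the declarator list captured by group 6
    pat_call = re.compile(r'([A-Za-z][A-Za-z0-9_\-]*)([ \t\r\n]*)(\([A-Za-z0-9_\- \t\r\n.,\.\*]*\))')
    pat_assign = re.compile(r'([ \t\r\n]*)=([ \t\r\n]*)([0-9\.]+)')
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: group 1 = '//', group 2 = '/*', group 3 = '*/'
                for c in re.finditer(pat_comment, line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                n_bytes += len(line)
                code_without_functions = pat_call.sub('|NullF|', line)
                code_without_assign = pat_assign.sub('', code_without_functions)
                for p in re.finditer(pat_float_definition, code_without_assign):
                    # The original rebuilt current_line by parsing str(Bookmark(...));
                    # the line number is already known, so that round trip is dropped.
                    scope_name = pfile.find_most_specific_object(current_line, 1).get_name()
                    var_name = p.group(6)
                    if scope_name == var_name:
                        qualified_name = "[Global]." + var_name
                    else:
                        qualified_name = "[" + pfile.get_path() + "]." + scope_name + "." + var_name
                    # Duplicates are kept on purpose (performance trade-off of the original)
                    aFloatVariableName.append(qualified_name)
                    last_index = len(aFloatVariableName) - 1
    except FileNotFoundError:
        logging.error("OMG-RLB-9-Step1 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("OMG-RLB-9-Step1 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    # Bug fix: the message has two placeholders but only the index was passed
    local_library.cwefdaLoggerInfo(
        "OMG-RLB-9-Step1 : END OMG-RLB-9-Step1 %s - Found %s definitions ",
        str(pfile.name), str(last_index))
    # Extra log: bytes per millisecond for this file
    t = "OMG-RLB-9-STEP1", int(n_bytes / msecs), n_bytes, msecs
    local_library.extraLogWrite(t)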
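def scan_file_OMG_RLB_18(application, pfile, fileType):
    """OMG-ASCCRM-RLB-18: hard-coded network resource configuration data.

    Author : MGE - last modification date: 24/3/2017
    Description: OMG-ASCCRM-RLB-18: Storable and Member Data Element
    Initialization with Hard-Coded Network Resource Configuration Data
    Languages : C/C++/C#
    Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB18violationCPP - CatID=2002000 PropID=2002024 SubID=2002274 QRID=2002598
               CWEforFDA_CustomMetrics_CSharp.OMGRLB18violationCSharp - CatID=2003000 PropID=2003024 SubID=2003274 QRID=2003598

    Every non-commented line is searched for an assignment whose right-hand
    double-quoted string holds a dotted-quad address, a URL scheme, a
    ``www.``/``ftp.`` host or a query-string parameter.  At most one
    violation per line is saved, on the most specific object enclosing the
    line, under the property selected by *fileType*; any other *fileType*
    saves nothing.

    Args:
        application: Unused; kept for the caller's signature.
        pfile: File object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``.
        fileType: "CCPP" or "CSHARP".

    Returns:
        None.
    """
    properties = {
        "CCPP": 'CWEforFDA_CustomMetrics_C_CPP.OMGRLB18violationCPP',
        "CSHARP": 'CWEforFDA_CustomMetrics_CSharp.OMGRLB18violationCSharp',
    }
    property_name = properties.get(fileType)
    nb_violation = 0
    nb_na_violation = 0
    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    n_bytes = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-18 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-18 : Starting scan_file_OMG_RLB_18 > " + str(pfile.name))
    # Raw strings: the escapes are regex escapes, not Python ones
    pat_net_resource1 = r"([12]?[0-5]?[0-9]\.[12]?[0-5]?[0-9]\.[12]?[0-5]?[0-9]\.[12]?[0-5]?[0-9])"
    pat_net_resource2 = r"(http[s]?://)|(ftp://)|(mailto://)|(file://)|(data://)|(irc://)"
    pat_net_resource3 = r"(www\.)|(ftp\.)"
    pat_net_resource4 = r"([\?\&][ \t]*[a-z0-9\-\_]+[ \t]*\=[ \t]*[a-z0-9\-\_]+)"
    # All patterns must sit inside a double-quoted string on the right of '='
    pat_net_resource = (r'[^=]=[ \t]*".*(' + pat_net_resource1 + "|" + pat_net_resource2 + "|"
                        + pat_net_resource3 + "|" + pat_net_resource4 + r').*"')
    pat_comment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: group 1 = '//', group 2 = '/*', group 3 = '*/'
                for c in re.finditer(pat_comment, line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                n_bytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                # Only the first match on a line is reported
                p = re.search(pat_net_resource, line)
                if p is None or property_name is None:
                    continue
                bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                try:
                    obj.save_violation(property_name, bk)
                except Exception:
                    # some object kinds refuse the property; counted separately
                    local_library.cwefdaLoggerWarning("OMG-RLB-18: Violation not allowed on this kind of object, next version")
                    nb_na_violation += 1
                else:
                    nb_violation += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-18 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("OMG-RLB-18 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    local_library.cwefdaLoggerInfo(
        "OMG-RLB-18 : END scan_file_OMG_RLB_18 %s - Found %s violation ",
        str(pfile.name), str(nb_violation))
    tc = "OMG-RLB-18", nb_violation, nb_na_violation
    update_counts(tc)
    # Extra log: bytes per millisecond for this file
    t = "OMG-RLB-18", int(n_bytes / msecs), n_bytes, msecs
    local_library.extraLogWrite(t)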
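def scan_file_CWE_910(application, pfile, fileType):
    """CWE-910: Use of Expired File Descriptor (use after ``free``).

    Author : PMB - last modification date: 27/3/2017
    Languages : C/C++
    Property : CWEforFDA_CustomMetrics_C_CPP.CWE910violationCPP - CatID=2002000 PropID=2002020 SubID=2002270 QRID=2002590
    NOTE: The software uses or accesses a file descriptor after it has been
    closed.  After a file descriptor for a particular file or device has been
    released, it can be reused.  The code might not write to the original
    file, since the reused file descriptor might reference a different file
    or device.

    Implementation: each non-commented ``free(<name>)`` statement records
    ``<name>``; any later line mentioning a recorded name (followed by a
    separator such as ``)``, ``,``, ``;`` or an operator) is reported on the
    most specific object enclosing that line.  *fileType* is not consulted:
    the C/C++ property is always used.

    Args:
        application: Unused; kept for the caller's signature.
        pfile: File object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``.
        fileType: Unused; kept for the caller's signature.

    Returns:
        None.
    """
    nb_violation = 0
    nb_na_violation = 0
    in_multi_line_comment = False
    in_single_line_comment = False
    freed_names = set()
    msecs = local_library.millis()
    n_bytes = 0
    local_library.cwefdaLoggerInfo("CWE-910 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-910 : Starting scan_file_CWE_910 > " + str(pfile.name))
    # Raw strings: the escapes are regex escapes, not Python ones.
    # free(<name>): group 4 is the freed identifier
    pat_free = r"(^[ \t]+)(free)([(\ \(]+)([a-zA-Z0-9_]+)([(\ \)\;]+)"
    pat_comment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        # The handle is named src_file so the inner loop over freed names no
        # longer shadows it (the original reused 'f' for both)
        with open_source_file(pfile.get_path()) as src_file:
            current_line = 0
            for line in src_file:
                current_line += 1
                # Comment exclusion: group 1 = '//', group 2 = '/*', group 3 = '*/'
                for c in re.finditer(pat_comment, line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                n_bytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                # Names freed on an earlier line; sorted for a deterministic
                # report order (set iteration order varies between runs)
                for freed_name in sorted(freed_names):
                    # re.escape keeps the interpolated name literal
                    pat_use = r"([\t\s\*]*)(" + re.escape(freed_name) + r")([\s\t\)\,\;\-\+\*])"
                    for p in re.finditer(pat_use, line):
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        try:
                            obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE910violationCPP', bk)
                        except Exception:
                            # some object kinds refuse the property; counted separately
                            local_library.cwefdaLoggerWarning("CWE-910 : Violation not allowed on this object, next version")
                            nb_na_violation += 1
                        else:
                            nb_violation += 1
                # Record the free() statements of this line for the lines after it
                for p in re.finditer(pat_free, line):
                    freed_names.add(p.group(4))
    except FileNotFoundError:
        logging.error("CWE-910 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-910 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    local_library.cwefdaLoggerInfo(
        "CWE-910 : END scan_file_CWE_910 %s - Found %s violation ",
        str(pfile.name), str(nb_violation))
    tc = "CWE-910", nb_violation, nb_na_violation
    update_counts(tc)
    # Extra log: bytes per millisecond for this file
    t = "CWE-910", int(n_bytes / msecs), n_bytes, msecs
    local_library.extraLogWrite(t)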
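def scan_file_OMG_MNT_3(application, pfile, fileType):
    """OMG MNT-3: data element initialization with hard-coded literals.

    Author : PMB - last modification date: 10/4/2017
    Description: OMG MNT-3: Storable and Member Data Element Initialization
    with Hard-Coded Literals
    Languages : C/C++/C#
    Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP - CatID=2002000 PropID=2002021 SubID=2002271 QRID=2002592
               CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp - CatID=2003000 PropID=2003021 SubID=2003271 QRID=2003592

    Every non-commented ``char``/``float``/``double``/``long double``
    declaration (``const`` ones are accepted) is searched for a numeric
    initializer; each initializer found is reported on the most specific
    object enclosing the line under the ``OMGMNT3violation`` property
    selected by *fileType*; any other *fileType* saves nothing.

    Args:
        application: Unused; kept for the caller's signature.
        pfile: File object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``.
        fileType: "CCPP" or "CSHARP".

    Returns:
        None.
    """
    properties = {
        "CCPP": 'CWEforFDA_CustomMetrics_C_CPP.OMGMNT3violationCPP',
        "CSHARP": 'CWEforFDA_CustomMetrics_CSharp.OMGMNT3violationCSharp',
    }
    property_name = properties.get(fileType)
    nb_violation = 0
    nb_na_violation = 0
    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    n_bytes = 0
    local_library.cwefdaLoggerInfo("OMG-MNT-3 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-MNT-3 : Starting scan_file_OMG_MNT_3 > " + str(pfile.name))
    # Raw strings: the escapes are regex escapes, not Python ones
    pat_declaration = r"((const)|(char)|(float)|(double)|(long double))([ \t\r\n]+)([A-Za-z0-9_\-\(\),=\. \t\r\n]+);"
    pat_comment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    # Initializer patterns, compiled once instead of per match: a char
    # literal may contain '.', the numeric ones are digits only
    pat_char_init = re.compile(r'([ \t\r\n]+)([A-Za-z0-9_\-\(\)\. \t\r\n]+)([\= ]+)([.\d]+)([ \;]+)')
    pat_number_init = re.compile(r'([ \t\r\n]+)([A-Za-z0-9_\-\(\)\. \t\r\n]+)([\= ]+)([\d]+)([ \;]+)')
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: group 1 = '//', group 2 = '/*', group 3 = '*/'
                for c in re.finditer(pat_comment, line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                n_bytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in re.finditer(pat_declaration, line):
                    if p.group(1) == "const":
                        continue  # const initialisation is the accepted form
                    init_pattern = pat_char_init if p.group(1) == "char" else pat_number_init
                    for pp in init_pattern.finditer(line):
                        if property_name is None:
                            continue
                        bk = Bookmark(pfile, current_line, pp.start() + 1, current_line, pp.end())
                        try:
                            obj.save_violation(property_name, bk)
                        except Exception:
                            # some object kinds refuse the property; counted separately
                            local_library.cwefdaLoggerWarning("OMG-MNT-3 : Violation not allowed on this object, next version")
                            nb_na_violation += 1
                        else:
                            nb_violation += 1
    except FileNotFoundError:
        logging.error("OMG-MNT-3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("OMG-MNT-3 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    local_library.cwefdaLoggerInfo(
        "OMG-MNT-3 : END scan_file_OMG_MNT_3 %s - Found %s violation ",
        str(pfile.name), str(nb_violation))
    tc = "OMG-MNT-3", nb_violation, nb_na_violation
    update_counts(tc)
    # Extra log: bytes per millisecond for this file
    t = "OMG-MNT-3", int(n_bytes / msecs), n_bytes, msecs
    local_library.extraLogWrite(t)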
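def scan_file_CWE_783(application, pfile, fileType):
    """CWE-783: Operator Precedence Logic Error.

    Author : PMB - last modification date: 23/3/2017
    Languages : C/C++
    Property : CWEforFDA_CustomMetrics_C_CPP.CWE783violationCPP - CatID=2002000 PropID=2002019 SubID=2002269 QRID=2002588
    NOTE: The program uses an expression in which operator precedence causes
    incorrect logic to be used.

    Implementation: every non-commented ``if (`` whose condition assigns a
    variable before calling ``AuthenticateUser`` (``if (x = AuthenticateUser``)
    is reported on the most specific object enclosing the line.  *fileType*
    is not consulted: the C/C++ property is always used.

    Args:
        application: Unused; kept for the caller's signature.
        pfile: File object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``.
        fileType: Unused; kept for the caller's signature.

    Returns:
        None.
    """
    nb_violation = 0
    nb_na_violation = 0
    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    n_bytes = 0
    local_library.cwefdaLoggerInfo("CWE-783 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-783 : Starting scan_file_CWE_783 > " + str(pfile.name))
    # Raw strings: the escapes are regex escapes, not Python ones.
    # group 2 is the run of '(' after 'if'; only a single '(' is reported
    pat_auth_if = r"(if[ ]*)([\(]+)([a-zA-Z0-9_\s\=\s]+)(AuthenticateUser)"
    pat_comment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: group 1 = '//', group 2 = '/*', group 3 = '*/'
                for c in re.finditer(pat_comment, line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                n_bytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in re.finditer(pat_auth_if, line):
                    if p.group(2) != "(":
                        continue
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    try:
                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE783violationCPP', bk)
                    except Exception:
                        # some object kinds refuse the property; counted separately
                        local_library.cwefdaLoggerWarning("CWE-783 : Violation not allowed on this object, next version")
                        nb_na_violation += 1
                    else:
                        nb_violation += 1
    except FileNotFoundError:
        logging.error("CWE-783 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-783 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    local_library.cwefdaLoggerInfo(
        "CWE-783 : END scan_file_CWE_783 %s - Found %s violation ",
        str(pfile.name), str(nb_violation))
    tc = "CWE-783", nb_violation, nb_na_violation
    update_counts(tc)
    # Extra log: bytes per millisecond for this file
    t = "CWE-783", int(n_bytes / msecs), n_bytes, msecs
    local_library.extraLogWrite(t)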
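def scan_file_CWE_120_122(application, pfile, fileType):
    """CWE-120/122: Buffer Copy without Checking Size of Input.

    Author : PMB - last modification date: 28/3/2017
    Description: CWE_120_122: Buffer Copy without Checking Size of Input
    ('Classic Buffer Overflow')
    Languages : C/C++
    Property : CWEforFDA_CustomMetrics_C_CPP.CWE120violationCPP - CatID=2002000 PropID=2002001 SubID=2002251 QRID=2002552
               CWEforFDA_CustomMetrics_C_CPP.CWE122violationCPP - CatID=2002000 PropID=2002002 SubID=2002252 QRID=2002554
               CWEforFDA_CustomMetrics_CSharp.CWE120violationCSharp - CatID=2003000 PropID=2003001 SubID=2003251 QRID=2003552
               CWEforFDA_CustomMetrics_CSharp.CWE122violationCSharp - CatID=2003000 PropID=2003002 SubID=2003252 QRID=2003554
    NOTE: The program copies an input buffer to an output buffer without
    verifying that the size of the input buffer is less than the size of the
    output buffer, leading to a buffer overflow.

    Implementation: the variable tested by the last ``if (<var> ...`` seen so
    far is remembered; a ``memcpy``/``strcpy`` whose second argument is a
    different variable is reported (both the CWE-120 and CWE-122 properties)
    on the most specific object enclosing the line.  ``memcpy`` is reported
    only for "CCPP", ``strcpy`` for "CCPP" and "CSHARP" (asymmetry inherited
    from the original rule).

    Args:
        application: Unused; kept for the caller's signature.
        pfile: File object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``.
        fileType: "CCPP" or "CSHARP".

    Returns:
        None.
    """
    nb_violation = 0
    nb_na_violation = 0
    in_multi_line_comment = False
    in_single_line_comment = False
    msecs = local_library.millis()
    n_bytes = 0
    local_library.cwefdaLoggerInfo("CWE-120-122 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-120-122 : Starting scan_file_CWE_120_122 > " + str(pfile.name))
    # Raw strings: the escapes are regex escapes, not Python ones.
    # group 3 of the copy patterns is the source argument, group 3 of the if
    # pattern the tested variable
    pat_memcpy = r"(^[ \t]+memcpy[ \([a-zA-Z0-9_\s\[\]\-\(\)]+)([ \,]+)([a-zA-Z0-9_]*)([ a-zA-Z0-9\[\]\)\;]+)"
    pat_strcpy = r"(^[ \t]+strcpy[ \([a-zA-Z0-9_\s\[\]\-\(\)]+)([ \,]+)([a-zA-Z0-9_]*)([ a-zA-Z0-9\[\]\)\;]+)"
    pat_if = r"(if[ ]*)([\(]+)([a-zA-Z0-9_]+)([\s\=\>\<\!\s]+)"
    pat_comment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    cpp_properties = ('CWEforFDA_CustomMetrics_C_CPP.CWE120violationCPP',
                      'CWEforFDA_CustomMetrics_C_CPP.CWE122violationCPP')
    csharp_properties = ('CWEforFDA_CustomMetrics_CSharp.CWE120violationCSharp',
                         'CWEforFDA_CustomMetrics_CSharp.CWE122violationCSharp')
    memcpy_properties = {"CCPP": cpp_properties}.get(fileType)
    strcpy_properties = {"CCPP": cpp_properties, "CSHARP": csharp_properties}.get(fileType)

    def save_all(obj, bk, property_names):
        """Save every property on *obj*; one violation (or one refusal) counted per call."""
        nonlocal nb_violation, nb_na_violation
        try:
            for property_name in property_names:
                obj.save_violation(property_name, bk)
        except Exception:
            # some object kinds refuse the property; counted separately
            local_library.cwefdaLoggerWarning("CWE-120-122 : Violation not allowed on this object, next version")
            nb_na_violation += 1
        else:
            nb_violation += 1

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            checked_var = None  # variable tested by the most recent if()
            for line in f:
                current_line += 1
                # Comment exclusion: group 1 = '//', group 2 = '/*', group 3 = '*/'
                for c in re.finditer(pat_comment, line):
                    if c.group(1):
                        in_single_line_comment = True
                    if c.group(2):
                        in_multi_line_comment = True
                    if c.group(3):
                        in_multi_line_comment = False
                if in_multi_line_comment:
                    continue
                if in_single_line_comment:
                    in_single_line_comment = False
                    continue
                n_bytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in re.finditer(pat_if, line):
                    checked_var = p.group(3)
                for pattern, property_names in ((pat_memcpy, memcpy_properties),
                                                (pat_strcpy, strcpy_properties)):
                    for p in re.finditer(pattern, line):
                        if p.group(3) == checked_var:
                            continue  # the copied variable was tested in an if()
                        if property_names is None:
                            continue  # nothing to save for this fileType
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        save_all(obj, bk, property_names)
    except FileNotFoundError:
        logging.error("CWE-120-122 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-120-122 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    local_library.cwefdaLoggerInfo(
        "CWE-120-122 : END scan_file_CWE_120_122 %s - Found %s violation ",
        str(pfile.name), str(nb_violation))
    tc = "CWE-120-122", nb_violation, nb_na_violation
    update_counts(tc)
    # Extra log: bytes per millisecond for this file
    t = "CWE-120-122", int(n_bytes / msecs), n_bytes, msecs
    local_library.extraLogWrite(t)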
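def scan_file_CWE_482(application, pfile, fileType):
    """Scan one source file for CWE-482 (comparing instead of assigning).

    Flags statements of the form ``lhs == rhs`` terminated by ``,``, ``;``
    or ``.`` — an ``==`` used where an assignment was most likely intended.
    Lines inside ``/* ... */`` and lines starting with ``//`` are skipped.

    Args:
        application: analysis context (unused here, kept for the common
            scanner signature).
        pfile: file object providing ``get_path()``, ``name`` and
            ``find_most_specific_object()``; violations are saved on the
            most specific object containing the matching line.
        fileType: unused here; the rule saves the C/C++ property only and
            the caller is expected to dispatch by language.

    Returns:
        None. Per-rule counts go to ``update_counts`` and a throughput
        record to ``local_library.extraLogWrite``.
    """
    # Author : PMB
    # last modification date: 27/3/2017
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE482violationCPP - CatID=2002000 PropID=2002012 SubID=2002262 QRID=2002574
    # NOTE: The code uses an operator for comparison when the intention was to perform an assignment.
    # In many languages, the compare statement is very close in appearance to the assignment statement; they are often confused.
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-482 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-482 : Starting scan_file_CWE_482 > " + str(pfile.name))

    # Raw strings: the patterns contain regex escapes (\s, \*, \/) that are
    # invalid escapes in a plain str literal. Compiled once per file.
    # pathSrc: "<optional *>name[optional index] == value" followed by , ; or .
    pathSrc = re.compile(r"[^\s\t]*(\**[a-zA-Z0-9_]+(\s*\[\s*[a-zA-Z0-9_]*\s*\]\s*)?)\s*==\s*([a-zA-Z0-9\s]+)\s*(\,|\;|\.)")
    # group(1): "//" at line start, group(2): "/*", group(3): "*/"
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: track /* ... */ state across lines and
                # skip the current line when it starts a // comment.
                for c in patComment.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)
                # Most specific object containing the line; violations go on it.
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in pathSrc.finditer(line):
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    try:
                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE482violationCPP', bk)
                    except Exception:
                        # Some object kinds do not accept this property: count it
                        # separately and keep scanning.
                        local_library.cwefdaLoggerWarning("CWE-482 : Violation not allowed on this object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-482 : File not found > %s", str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-482 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    local_library.cwefdaLoggerInfo("CWE-482 : END scan_file_CWE_482 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-482", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log record: (rule, bytes per ms, bytes scanned, elapsed ms)
    t = "CWE-482", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)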
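def scan_file_CWE_480_481(application, pfile, fileType):
    """Scan one source file for CWE-480/481 (wrong operator in an ``if``).

    Two line-based heuristics:

    * CWE-480: a bitwise ``&`` / ``|`` between two operands of an ``if``
      condition (a logical ``&&`` / ``||`` was most likely intended).
    * CWE-481: a variable declared as ``int`` earlier in the same file is
      the first operand of an ``if`` whose ``=`` is a single one (an
      assignment where a comparison was intended). Lines containing
      ``!=``, ``<=`` or ``>=`` are treated as genuine comparisons.

    Lines inside ``/* ... */`` and lines starting with ``//`` are skipped.

    Args:
        application: analysis context (unused here, kept for the common
            scanner signature).
        pfile: file object providing ``get_path()``, ``name`` and
            ``find_most_specific_object()``; violations are saved on the
            most specific object containing the matching line.
        fileType: ``"CCPP"`` or ``"CSHARP"``; selects the property the
            violation is saved under. Other values scan but save nothing.

    Returns:
        None. Per-rule counts go to ``update_counts`` and a throughput
        record to ``local_library.extraLogWrite``.
    """
    # Author : PMB
    # Last modification date: 10/4/2017
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE480violationCPP - CatID=2002000 PropID=2002010 SubID=2002260 QRID=2002570
    #            CWEforFDA_CustomMetrics_C_CPP.CWE481violationCPP - CatID=2002000 PropID=2002011 SubID=2002261 QRID=2002571
    #            CWEforFDA_CustomMetrics_C_CPP.CWE480violationCSharp - CatID=2003000 PropID=2003010 SubID=2003260 QRID=2003570
    #            CWEforFDA_CustomMetrics_C_CPP.CWE480violationCSharp - CatID=2003000 PropID=2003011 SubID=2003261 QRID=2003571
    # NOTE: The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways.
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    allIntVars = set()  # names declared as "int" so far in this file
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-480-481 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-480-481 : Starting scan_file_CWE_480_481 > " + str(pfile.name))

    # (CWE-480 property, CWE-481 property) per language tag.
    properties = {
        "CCPP": ('CWEforFDA_CustomMetrics_C_CPP.CWE480violationCPP',
                 'CWEforFDA_CustomMetrics_C_CPP.CWE481violationCPP'),
        "CSHARP": ('CWEforFDA_CustomMetrics_CSharp.CWE480violationCSharp',
                   'CWEforFDA_CustomMetrics_CSharp.CWE481violationCSharp'),
    }
    prop480, prop481 = properties.get(fileType, (None, None))

    # Raw strings: the patterns contain regex escapes that are invalid in a
    # plain str literal. Compiled once per file.
    PathIntB = re.compile(r"([\(]+)int ([a-zA-Z0-9_\.]+)")    # "(int name" (parameter position)
    PathIntF = re.compile(r"([ \t]+)int ([a-zA-Z0-9_\.]+)")   # " int name" (declaration)
    PathIf = re.compile(r"[ \t]+if([ \(]+)([a-zA-Z0-9_]+)")   # group(2): first operand of the if
    PathBitWise = re.compile(r"[ \t]+if([ \(]+)([a-zA-Z0-9_\!\(\)]+)( & | \| )+([a-zA-Z0-9_\!\(\)]+)")
    # group(1): "//" at line start, group(2): "/*", group(3): "*/"
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")

    def _save(prop, obj, bk):
        """Save `prop` on `obj` at `bk`, updating the two outer counters."""
        nonlocal nbViolation, nbNAViolation
        try:
            obj.save_violation(prop, bk)
        except Exception:
            # Some object kinds do not accept this property: count it
            # separately and keep scanning.
            local_library.cwefdaLoggerWarning("CWE-480-481 : Violation not allowed on this object, next version")
            nbNAViolation += 1
        else:
            nbViolation += 1

    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: track /* ... */ state across lines and
                # skip the current line when it starts a // comment.
                for c in patComment.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)

                # Remember every "int" declaration seen so far (both forms).
                for c in PathIntB.finditer(line):
                    allIntVars.add(c.group(2))
                for c in PathIntF.finditer(line):
                    allIntVars.add(c.group(2))

                # CWE-480: bitwise operator between if-condition operands.
                for c in PathBitWise.finditer(line):
                    if prop480 is not None:
                        bk = Bookmark(pfile, current_line, c.start() + 1, current_line, c.end())
                        _save(prop480, obj, bk)

                # CWE-481: "if (intVar = ...)" — a lone "=" on a tracked int.
                for p in PathIf.finditer(line):
                    varIf = p.group(2)
                    if varIf not in allIntVars:
                        continue
                    # str.find() returns -1 when the operator is absent, so the
                    # slice then starts at the last character; kept verbatim so
                    # the detection behaviour is unchanged.
                    CheckNoEq = line[line.find("!"):line.find("=") + 2]
                    CheckLtEq = line[line.find("<"):line.find("=") + 2]
                    CheckGtEq = line[line.find(">"):line.find("=") + 2]
                    if CheckNoEq or CheckLtEq or CheckGtEq:
                        continue  # !=, <=, >= : a genuine comparison
                    CheckEqEq = line[line.find("="):line.find("=") + 2]
                    if not CheckEqEq or CheckEqEq == "==":
                        continue  # no "=" at all, or a proper "=="
                    if prop481 is not None:
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        _save(prop481, obj, bk)
    except FileNotFoundError:
        logging.error("CWE-480-481 : File not found > %s", str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-480-481 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    local_library.cwefdaLoggerInfo("CWE-480-481 : END scan_file_CWE_480_481 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-480-481", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log record: (rule, bytes per ms, bytes scanned, elapsed ms)
    t = "CWE-480-481", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)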
def end_application(self, application):
    """Link C# methods to the SQL tables named in their embedded SQL.

    For every link whose callee is a ``CAST_DotNet_MethodCSharp`` object,
    the caller's code (``link.get_code(3)``) is classified by ``testifsql``
    into a statement kind (``"insert"``, ``"insert into"``, ``"select"``,
    ``"select count"``, ``"update"`` or ``"nothing"``) plus a text
    remainder (presumably the SQL string — confirm against testifsql).
    That text is split at backslash-quote sequences, a fixed set of SQL
    noise words is dropped, and every remaining token that equals the name
    of a ``SQLScriptTable`` object gets a ``useInsertLink`` /
    ``useSelectLink`` / ``useUpdateLink`` from the caller to the table. The
    bookmark line/column are derived by hand from the caller's positions
    and from the token's offset in the code (see comments below).

    NOTE(review): the source of this method is whitespace-collapsed; the
    nesting of the ``qwe`` flag and its ``break`` has been reconstructed
    and should be confirmed against the repository copy. Errors are
    printed, not raised.
    """
    #print('Yo')
    qwe = 0  # "table matched" flag: stops the object search for the current token
    variables = application.objects().has_type(
        "CAST_DotNet_MethodCSharp")  #get all the variables
    #
    #
    #
    t = 0
    for link in application.links().has_callee(variables).load_positions():
        # print(link.get_caller().get_name())
        try:
            code = link.get_code(3)
            #
            #print("test11")
            # print(link.get_caller().get_name())
            # print(code)
            # print()
            sql, b = testifsql(code)
            # print(sql)
            if (sql == "nothing"):
                continue
            # Keep only what precedes the first "=" (a plain assignment); a
            # text without exactly one "=" raises on unpacking and is kept whole.
            try:
                c, a = b.split("=")
                b = c
            except:
                pass
            # print("test1 = ",b)
            objettemp = b.split("\\\"")  #split at /"
            #
            #print(link.get_caller().get_name()+ " : type SELECT")
            # objet is pre-sized to the number of raw tokens; unused trailing
            # slots stay "" and are also iterated below.
            objet = [""] * len(objettemp)
            t = 0
            # SQL keywords / separators that are never table names.
            motsinterdits = {
                " FROM ", ".", ", ", "\");", "\");\n", " ", " WHERE ", " ORDER BY ", "(", ") FROM ", ""
            }
            for x in range(len(objettemp)):
                #
                #print("objettemp[x] =" + objettemp[x] , end = " ")
                h = 0
                for y in motsinterdits:
                    if (objettemp[x] == y):
                        h = 1
                if (h == 0):
                    #
                    objet[t] = objettemp[x]
                    t += 1
            # print(objet)
            for obj in objet:
                for f in application.objects():
                    #
                    #print("name =" + f.get_name() + "<=>" + objet[t] + "!")
                    if (f.get_name() == obj and f.get_type() == "SQLScriptTable"):
                        # print(f.get_name()+ " " +f.get_type())
                        try:
                            #
                            #print("getting positions")
                            # String form of the caller's positions, parsed by hand:
                            # drop the first and last character, then split on ",".
                            positions = str(
                                link.get_caller().get_positions())
                            #print(positions)
                            pos = ""
                            for i in range(len(positions) - 2):
                                pos += positions[i + 1]
                            #print("testa")
                            arr = pos.split(",")
                            file = arr[0].split("(")
                            #print("testb")
                            # Third field taken as the line, offset by 2 — the
                            # rationale for the offset is not visible here.
                            line = int(arr[2]) + 2
                            # Object whose name equals the third "("-separated piece
                            # of the first field; presumably the source file object,
                            # used as the Bookmark's file (confirm). Stays unbound
                            # when nothing matches.
                            for ds in application.objects():
                                if (ds.get_name() == file[2]):
                                    #print("file found")
                                    asd = ds
                            hg = 0
                            tes = 0
                            if (sql == "select"):
                                code = code.split("{")[1]
                            # print("done")
                            # Naive character-by-character search of obj in code:
                            # hg counts consecutive matched characters, column is the
                            # start offset of the match. A mismatch restarts from 0
                            # without re-testing the current character, and a match
                            # ending on the last character of code is never seen, so
                            # column can remain unbound (the Bookmark call below then
                            # raises into the outer except).
                            for lo in range(len(code)):
                                # try:
                                # print(str(hg)+" "+obj[hg]+" "+str(lo)+" "+code[lo])
                                # except:
                                # print("fail:", sys.exc_info()[0])
                                if (hg < len(obj)):
                                    if (code[lo] == obj[hg]):
                                        hg += 1
                                        continue
                                    else:
                                        hg = 0
                                else:
                                    tes = 1
                                    column = lo - len(obj)
                                    break
                        except:
                            print("Unexpected error:", sys.exc_info()[0])
                        #print("test1")
                        print("creating a link from" +
                              link.get_caller().get_name() + " to " + f.get_name())
                        bookmark = Bookmark(asd, line, column, line, column + len(obj))
                        #print("test1")
                        print("type : ", end="")
                        if (sql == "insert"):
                            create_link("useInsertLink", link.get_caller(), f, bookmark)
                            print("insert")
                        if (sql == "insert into"):
                            create_link("useInsertLink", link.get_caller(), f, bookmark)
                            print("insert into")
                        #print("test2")
                        if (sql == "select"):
                            create_link("useSelectLink", link.get_caller(), f, bookmark)
                            print("select")
                        if (sql == "update"):
                            create_link("useUpdateLink", link.get_caller(), f, bookmark)
                            print("update")
                        #print("test3")
                        if (sql == "select count"):
                            create_link("useSelectLink", link.get_caller(), f, bookmark)
                            print("select")
                        qwe = 1
                    # One table per token: stop searching objects once linked.
                    if (qwe == 1):
                        qwe = 0
                        break
        except:
            print("Unexpected error 2:", sys.exc_info()[0])
        t += 1
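def scan_file_CWE_685_Step2(application, pfile, fileType):
    """Scan one source file for CWE-685 (call with wrong number of arguments).

    Second pass of a two-step rule: ``scan_file_CWE_685_Step1`` fills the
    module globals ``aFunctionDefinitionName`` / ``aFunctionDefinitionNPar``
    with each function definition and its parameter count. This pass finds
    every ``name(...)`` call on a non-comment line and flags it when the
    number of comma-separated pieces inside the parentheses differs from
    the stored count. An empty argument list counts as 1 piece, so Step1 is
    expected to count the same way — confirm against Step1.

    Lines inside ``/* ... */`` and lines starting with ``//`` are skipped.

    Args:
        application: analysis context (unused here, kept for the common
            scanner signature).
        pfile: file object providing ``get_path()``, ``name`` and
            ``find_most_specific_object()``; violations are saved on the
            most specific object containing the matching line.
        fileType: unused here; the rule saves the C/C++ property only.

    Returns:
        None. Per-rule counts go to ``update_counts`` and a throughput
        record to ``local_library.extraLogWrite``.
    """
    # Author : MGE
    # last modification date: 24/3/2017
    # Languages : C
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE685violationCPP - CatID=2002000 PropID=2002016 SubID=2002266 QRID=2003582
    global aFunctionDefinitionName
    global aFunctionDefinitionNPar
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-685-Step2 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-685-Step2 : Starting scan_file_CWE_685_Step2 > " + str(pfile.name))

    # Raw strings: the patterns contain regex escapes that are invalid in a
    # plain str literal. group(1): callee name, group(3): "(args)".
    patFuncName = r"[A-Za-z][A-Za-z0-9_\-]*"
    patFunctionCall = re.compile("(" + patFuncName + ")" + r"([ \t\r\n]*)(\([A-Za-z0-9_\- \t\r\n.,\.\*]*\))")
    # group(1): "//" at line start, group(2): "/*", group(3): "*/"
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")
    try:
        # Expected parameter count per function name. When a name is defined
        # more than once the first definition wins — the same entry the
        # former list.index() lookup selected — and a mismatching call is now
        # reported once rather than once per duplicate definition.
        expectedNPar = {}
        for idx, name in enumerate(aFunctionDefinitionName):
            expectedNPar.setdefault(name, aFunctionDefinitionNPar[idx])

        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: track /* ... */ state across lines and
                # skip the current line when it starts a // comment.
                for c in patComment.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in patFunctionCall.finditer(line):
                    nFun = p.group(1)
                    expected = expectedNPar.get(nFun)
                    if expected is None:
                        continue  # not a function recorded by Step1
                    # Pieces between the parentheses; "()" splits to 1 piece.
                    nPar = len(p.group(3).split(','))
                    if nPar == expected:
                        continue
                    try:
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE685violationCPP', bk)
                    except Exception:
                        # Some object kinds do not accept this property: count it
                        # separately and keep scanning.
                        local_library.cwefdaLoggerWarning("CWE-685-Step2: Violation not allowed on this kind of object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-685-Step2 : File not found > %s", str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-685-Step2 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    local_library.cwefdaLoggerInfo("CWE-685-Step2 : END CWE-685 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-685-STEP2", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log record: (rule, bytes per ms, bytes scanned, elapsed ms)
    t = "CWE-685-STEP2", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)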
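def scan_file_SPDBviolation9_1_3(application, pfile, fileType):
    """Flag ``float``/``int``/``char``/``bool`` declarators without an initializer.

    Despite the CWE-252 ("Unchecked Return Value") header below, the pattern
    matches a type keyword followed by a declarator list ending in ``;``
    (``int a, b = 0, c;``), splits that list on ``,`` and saves
    ``SPDB_CustomMetrics_C.SPDBviolation9_1_3`` on ``pfile`` for every piece
    that contains no ``=``. Lines inside ``/* ... */`` and lines starting
    with ``//`` are skipped.

    Args:
        application: analysis context (unused here, kept for the common
            scanner signature).
        pfile: file object providing ``get_path()``, ``name`` and
            ``save_violation()``.
        fileType: unused here.

    Returns:
        None. Counts are only logged: ``update_counts`` is intentionally not
        called for this rule; a throughput record goes to
        ``local_library.extraLogWrite``.
    """
    # Description: CWE-252 : Unchecked Return Value
    # Languages : C/C++/C#
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE252violationCPP - CatID=2002000 PropID=2002004 SubID=2002254 QRID=2002558
    #            CWEforFDA_CustomMetrics_CSharp.CWE252violationCPP - CatID=2003000 PropID=2003004 SubID=2003254 QRID=2003558
    # Scope & Property : Scope by fn 100010 (n. of function calls)
    # NOTE
    # As the rule is widely general and largely semantic, it is tailored only on specific patterns.
    nbViolation = 0
    nbNAViolation = 0
    isInSingleLineComment = False
    isInMultiLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----%s", str(pfile.name))
    logging.info("SPDBviolation9_1_3 : -------------------------------------------------------------------------")
    logging.info("SPDBviolation9_1_3 : Starting scan_file_SPDBviolation9_1_3 > %s", str(pfile.name))
    # Raw strings: the patterns contain regex escapes that are invalid in a
    # plain str literal. group(1): type keyword, group(2): declarator list.
    patFunCall = re.compile(r"(float|int|char|bool)[ \t\r\n]+([A-Za-z0-9_\-\(\),=\. \t\r\n]+);")
    # group(1): "//" at line start, group(2): "/*", group(3): "*/"
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                try:
                    # Comment exclusion: track /* ... */ state across lines and
                    # skip the current line when it starts a // comment.
                    for c in patComment.finditer(line):
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                    if isInMultiLineComment:
                        continue
                    if isInSingleLineComment:
                        isInSingleLineComment = False
                        continue
                    nBytes += len(line)
                    for p in patFunCall.finditer(line):
                        logging.debug("scan_file_SPDBviolation9_1_3 :: result value---%s", str(p))
                        for getVar in p.group(2).split(","):
                            logging.debug("scan_file_SPDBviolation9_1_3 :: getVar value---%s", str(getVar))
                            if '=' in getVar:
                                logging.info("SPDBviolation9_1_3 :: [PASSED] Value is initialized for %s", getVar)
                                continue
                            logging.debug("Violation saved for getVar value---%s", str(getVar))
                            bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                            try:
                                pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation9_1_3', bk)
                            except Exception as e:
                                # Object does not accept this property: count it
                                # separately and keep scanning.
                                logging.error("SPDBviolation9_1_3: Violation not allowed on this object, next version %s", str(e))
                                nbNAViolation += 1
                            else:
                                nbViolation += 1
                except Exception as e:
                    # Per-line guard: one bad line must not stop the file scan.
                    logging.error("SPDBviolation9_1_3 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("SPDBviolation9_1_3 : File not found > %s", str(pfile.get_path()))
    except Exception as e:
        logging.error("SPDBviolation9_1_3 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    logging.info("SPDBviolation9_1_3 : END scan_file_CWE_252 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    # NOTE: per-rule counts (nbViolation, nbNAViolation) are not forwarded to
    # update_counts for this rule; they are only reported in the log above.
    # Extra log record: (rule, bytes per ms, bytes scanned, elapsed ms)
    t = "SPDBviolation9_1_3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)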
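def scan_file_CWE_483(application, pfile, fileType):
    """Scan one source file for CWE-483 (incorrect block delimitation).

    Heuristic, applied line by line: an ``if (...)`` or ``else`` directly
    followed on the same line by a statement that ends in ``;`` and whose
    matched text contains no ``{`` — a conditional whose body is not
    enclosed in a block. Lines inside ``/* ... */`` and lines starting with
    ``//`` are skipped.

    Args:
        application: analysis context (unused here, kept for the common
            scanner signature).
        pfile: file object providing ``get_path()``, ``name`` and
            ``find_most_specific_object()``; violations are saved on the
            most specific object containing the matching line.
        fileType: ``"CCPP"`` or ``"CSHARP"``; selects the property the
            violation is saved under. Other values scan but save nothing.

    Returns:
        None. Per-rule counts go to ``update_counts`` and a throughput
        record to ``local_library.extraLogWrite``.
    """
    # Author : MGE
    # last modification date: 24/3/2017
    # Languages : C/C++/C#
    # Property : CWEforFDA_CustomMetrics_C_CPP.CWE483violationCPP - CatID=2002000 PropID=2002013 SubID=2002263 QRID=2002598
    #            CWEforFDA_CustomMetrics_CSharp.CWE483violationCSharp - CatID=2003000 PropID=2003013 SubID=2003263 QRID=2003576
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-483 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-483 : Starting scan_file_CWE_483 > " + str(pfile.name))

    # Property per language tag; None means "scan but do not save".
    properties = {
        "CCPP": 'CWEforFDA_CustomMetrics_C_CPP.CWE483violationCPP',
        "CSHARP": 'CWEforFDA_CustomMetrics_CSharp.CWE483violationCSharp',
    }
    prop = properties.get(fileType)

    # Raw strings: the patterns contain regex escapes that are invalid in a
    # plain str literal. Compiled once per file.
    patIfNoBlk1 = r"(if[ \t\n\r]*\(([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+)(?!{)([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+);)"
    patIfNoBlk2 = r"(else[ \t\n\r]*([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+)(?!{)([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+);)"
    patIfNoBlk = re.compile(patIfNoBlk1 + "|" + patIfNoBlk2)
    # group(1): "//" at line start, group(2): "/*", group(3): "*/"
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment exclusion: track /* ... */ state across lines and
                # skip the current line when it starts a // comment.
                for c in patComment.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in patIfNoBlk.finditer(line):
                    if prop is None:
                        continue
                    try:
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        obj.save_violation(prop, bk)
                    except Exception:
                        # Some object kinds do not accept this property: count it
                        # separately and keep scanning.
                        local_library.cwefdaLoggerWarning("CWE-483: Violation not allowed on this kind of object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-483 : File not found > %s", str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-483 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a division by zero in the throughput figure
    local_library.cwefdaLoggerInfo("CWE_483 : END CWE-483 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-483", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log record: (rule, bytes per ms, bytes scanned, elapsed ms)
    t = "CWE-483", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)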
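def unConditionalCheck(line, pfile, identified_line, p, file_path, vari, dtType):
    """Flag ``vari`` when a later ``if`` in the file tests it in a disallowed way.

    Reads the file behind ``pfile`` and, for every line after
    ``identified_line`` that contains an ``if (...)`` mentioning ``vari``,
    applies the check selected by ``dtType`` and saves a whole-line
    violation (columns 1 to -1) on ``pfile``:

    * ``"bool"``    -> SPDBviolation10_3_1 when the line contains
      ``true``/``false``/``TRUE``/``FALSE`` or a digit ``0``/``1`` anywhere
      (boolean compared directly to a literal).
    * ``"int"``     -> SPDBviolation10_3_2 when the condition is a bare
      ``( name )`` (integer tested without ``==``/``!=`` against 0).
    * ``"float"``   -> SPDBviolation10_3_3 when the condition is
      ``( a == b )`` or ``( a != b )`` (floating-point equality).
    * ``"pointer"`` -> SPDBviolation10_3_4 when the condition has two
      operands separated by a single character other than ``=``, ``!`` or
      ``|`` (pointer not compared with NULL using ``==``/``!=``).

    Any other ``dtType`` performs no check. At most one violation is saved
    per matching line; scanning continues to the end of the file.

    Args:
        line: unused (kept for the caller's signature; the function reads
            the file itself).
        pfile: file object providing ``get_path()`` and ``save_violation()``.
        identified_line: 1-based line where ``vari`` was found; only later
            lines are examined.
        p: unused (kept for the caller's signature).
        file_path: unused (kept for the caller's signature).
        vari: variable name to look for inside the ``if`` condition.
        dtType: ``"bool"``, ``"int"``, ``"float"`` or ``"pointer"``.

    Returns:
        None. A missing file and any other error are logged, not raised.
    """
    # Per-type (pattern, property, log message). Raw strings: the patterns
    # contain regex escapes that are invalid in a plain str literal; the
    # patterns themselves are unchanged.
    checks = {
        "bool": (
            re.compile(r"(true|false|TRUE|FALSE|0|1)"),
            'SPDB_CustomMetrics_C.SPDBviolation10_3_1',
            "unConditionalCheck :: VIOLATION : SPDBviolation10_3_1 : Boolean variable is directly compared to 'true', 'false', or 1, 0 => %s %s",
        ),
        "int": (
            re.compile(r"\(\s*([\w]*)\s*(?=[\)])"),
            'SPDB_CustomMetrics_C.SPDBviolation10_3_2',
            "unConditionalCheck :: VIOLATION : SPDBviolation10_3_2 : The integer variable should use '==' or '!=' directly compared to 0 %s %s",
        ),
        "float": (
            re.compile(r"\(\s*([\w*|0-9.0-9]*)\s*(!=|==)\s*([\w*|0-9.0-9]*)\s*(?=[\)])"),
            'SPDB_CustomMetrics_C.SPDBviolation10_3_3',
            "unConditionalCheck :: VIOLATION : SPDBviolation10_3_3 : Can not compare a floating point variable to any number with an '=='or '!=' => %s %s",
        ),
        "pointer": (
            re.compile(r"\((\s*\w*\s*[^==|!=]\s*\w*\s*)(?=\))"),
            'SPDB_CustomMetrics_C.SPDBviolation10_3_4',
            "unConditionalCheck :: VIOLATION : SPDBviolation10_3_4 : Pointer variables should use '==' or '! =' compared with NULL => %s %s",
        ),
    }
    check = checks.get(dtType)
    # "if (" followed by anything up to a ")".
    patIfCondition = re.compile(r"if\s*\((.*)(?=\))")
    # `vari` comes from the scanned source; without re.escape a name holding
    # regex metacharacters (e.g. "*p") raises re.error and aborts the scan.
    # The surrounding parentheses are a capture group, as before, not literals.
    patVarInside = re.compile("(" + re.escape(vari) + ")")
    try:
        # open_source_file is inside the try so FileNotFoundError is caught.
        with open_source_file(pfile.get_path()) as f:
            logging.info("Identified Variable and Line: %s %s", vari, identified_line)
            current_line = 1  # 1-based; advanced after each line is handled
            for src_line in f:
                if current_line > identified_line and check is not None:
                    pattern, prop, message = check
                    if (patIfCondition.search(src_line)
                            and patVarInside.search(src_line)
                            and pattern.search(src_line)):
                        logging.error(message, vari, src_line)
                        # Whole-line bookmark: column -1 denotes end of line.
                        bk = Bookmark(pfile, current_line, 1, current_line, -1)
                        pfile.save_violation(prop, bk)
                current_line += 1
    except FileNotFoundError:
        logging.error("unConditionalCheck : File not found > %s", str(pfile.get_path()))
    except Exception as e:
        logging.error("unConditionalCheck : Error: %s", str(e))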
def scan_file_OMG_RLB_9_Step2(application, pfile, fileType):
    """Second pass of OMG RLB-9: ``==`` comparisons involving a float variable.

    ``scan_file_OMG_RLB_9_Step1`` fills the module global
    ``aFloatVariableName`` with scope-qualified float variable names. This
    pass scans every non-comment line for ``== <operand>`` (right side) and
    ``<operand> ... ==`` (left side), qualifies the matched operand with its
    enclosing scope in the same ``[Global].var`` / ``[path].scope.var`` form
    (presumably the form Step1 stores — confirm), and saves the C/C++ or C#
    RLB-9 property on the most specific object containing the line when the
    qualified name is one of the recorded float variables.

    Args:
        application: analysis context (unused here, kept for the common
            scanner signature).
        pfile: file object providing ``get_path()``, ``name`` and
            ``find_most_specific_object()``.
        fileType: ``"CCPP"`` or ``"CSHARP"``; selects the property saved.
            Other values scan but save nothing.

    Returns:
        None. Per-rule counts go to ``update_counts`` and a throughput
        record to ``local_library.extraLogWrite``.
    """
    # Author : MGE
    # last modification date: 24/3/2017
    # Description: OMG RLB-9: OMG RLB-9: Float Type Storable and Member Data Element Comparison with Equality Operator
    # Languages : C/C++/C#
    # Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP - CatID=2002000 PropID=2002022 SubID=2002272 QRID=2002594
    #            CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp - CatID=2003000 PropID=2003022 SubID=2003272 QRID=2003594
    # NOTE
    # scan_file_OMG_RLB_9_Step1: find all float objects definition and store it
    # scan_file_OMG_RLB_9_Step2: find all = comparison with float objects involved
    # The scope is internal to file+function or Global. Lower scopes are not considerered
    #
    # Only aFloatVariableName is read here; the other globals are declared
    # for symmetry with the sibling two-step scanners.
    global aFunctionDefinitionName
    global aFunctionDefinitionNPar
    global aFunctionCallName
    global aFunctionCallNPar
    global aFunctionCallBookmark
    global aFloatVariableName
    global aFloatClassName
    myIdx = 0
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step2 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step2 : Starting scan_file_OMG_RLB_9_Step2 > " + str(pfile.name))
    # patFloatCompLeft: group(1) is the operand before "=="; patFloatCompRight:
    # group(2) is the operand after "==". Note: these are plain (non-raw)
    # string literals holding regex escapes; they work, but newer Python
    # versions warn about the invalid escapes.
    patFloatName = "[A-Za-z0-9_\-\.]*"
    patFloatCompLeft = "("+ patFloatName +")" + "([A-Za-z0-9_ \(\)\t\r\n\*\+\-\/]*[\=][\=])"
    patFloatCompRight = "(==[A-Za-z0-9_ \(\)\t\r\n\*\+\-\/]*)" + "("+ patFloatName +")"
    # group(1): "//" at line start, group(2): "/*", group(3): "*/"
    patComment = "(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as f:
            #current line number
            current_line = 0
            for line in f:
                # Line of code
                current_line += 1
                resultCom = re.finditer(patComment, line)
                # Comment Exclusion - Start: track /* ... */ state across lines
                # and skip the current line when it starts a // comment.
                if not resultCom is None:
                    for c in resultCom:
                        if c.group(1): isInSingleLineComment = True
                        if c.group(2): isInMultiLineComment = True
                        if c.group(3): isInMultiLineComment = False
                if isInMultiLineComment: continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                # Comment Exclusion - End
                nBytes = nBytes + len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                #logging.debug("Statement to analize >> %s", current_line)
                try:
                    resultpatFloatRigh = re.finditer(patFloatCompRight, line)
                except:
                    resultpatFloatRigh = None
                    #local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Cannot apply pattern %s to line %s", patFloatCompRight, current_line)
                # --- Scan for pattern on the right
                # ------------------------------------------------------------------------------------
                if not resultpatFloatRigh is None:
                    for p in resultpatFloatRigh:
                        # One iteration per recorded float variable; the Bookmark
                        # and scope lookup below are recomputed on every iteration.
                        for myIdx in range(len(aFloatVariableName)):
                            bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                            # NOTE(review): re-derives the loop's line counter from
                            # the Bookmark's string form (third comma-separated
                            # field). This depends on Bookmark.__str__ — confirm.
                            current_line = int(str(bk).split(",")[2])
                            tVar = p.group(2)
                            tScp = pfile.find_most_specific_object(current_line, 1).get_name()
                            # Scope qualification: treated as global when the enclosing
                            # object carries the variable's own name.
                            if (tScp == tVar):
                                nVar = "[Global]." + tVar
                            else:
                                nVar = "[" + pfile.get_path()+"]." + tScp + "." + tVar
                            if (nVar == aFloatVariableName[myIdx]):
                                if fileType == "CCPP":
                                    #logging.debug("RLB-9: C/C++! Found Test statement %s ==> %s", str(reference.value), str(reference.bookmark))
                                    try:
                                        #bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP',bk)
                                        #reference.object.save_violation('CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP', reference.bookmark)
                                    except Exception as e:
                                        # Object does not accept this property: count it
                                        # separately and keep scanning.
                                        local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Violation not allowed on this kind of object, next version")
                                        nbNAViolation = nbNAViolation + 1
                                    else:
                                        nbViolation += 1
                                if fileType == "CSHARP":
                                    #logging.debug("RLB-9 : CSHARP! Found Test statement %s ==> %s", str(reference.value), str(reference.bookmark))
                                    try:
                                        #bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        obj.save_violation('CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp',bk)
                                        #reference.object.save_violation('CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp', reference.bookmark)
                                    except Exception as e:
                                        local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Violation not allowed on this kind of object, next version")
                                        nbNAViolation = nbNAViolation + 1
                                    else:
                                        nbViolation += 1
                try:
                    resultpatFloatLeft = re.finditer(patFloatCompLeft, line)
                except:
                    resultpatFloatLeft = None
                    #local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Cannot apply pattern %s to line %s", patFloatCompLeft, current_line)
                # --- Scan for pattern on the left (same logic as the right-side
                # scan above, with the operand taken from group(1))
                # ------------------------------------------------------------------------------------
                if not resultpatFloatLeft is None:
                    for p in resultpatFloatLeft:
                        for myIdx in range(len(aFloatVariableName)):
                            bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                            # NOTE(review): same Bookmark-string re-derivation of
                            # current_line as in the right-side scan — confirm.
                            current_line = int(str(bk).split(",")[2])
                            tVar = p.group(1)
                            tScp = pfile.find_most_specific_object(current_line, 1).get_name()
                            if (tScp == tVar):
                                nVar = "[Global]." + tVar
                            else:
                                nVar = "[" + pfile.get_path()+"]." + tScp + "." + tVar
                            if (nVar == aFloatVariableName[myIdx]):
                                if fileType == "CCPP":
                                    #logging.debug("RLB-9: C/C++! Found Test statement %s ==> %s", str(reference.value), str(reference.bookmark))
                                    try:
                                        #bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP',bk)
                                        #reference.object.save_violation('CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP', reference.bookmark)
                                    except Exception as e:
                                        local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Violation not allowed on this kind of object, next version")
                                        nbNAViolation = nbNAViolation + 1
                                    else:
                                        nbViolation += 1
                                if fileType == "CSHARP":
                                    #logging.debug("RLB-9 : CSHARP! Found Test statement %s ==> %s", str(reference.value), str(reference.bookmark))
                                    try:
                                        #bk = Bookmark(pfile,current_line,p.start()+1,current_line,p.end())
                                        obj.save_violation('CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp',bk)
                                        #reference.object.save_violation('CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp', reference.bookmark)
                                    except Exception as e:
                                        local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Violation not allowed on this kind of object, next version")
                                        nbNAViolation = nbNAViolation + 1
                                    else:
                                        nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-9-Step2 : File not found > " + str(pfile.get_path()) )
    except Exception as e:
        logging.error("OMG-RLB-9-Step2 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    # Avoid a division by zero in the throughput figure.
    if msecs == 0: msecs = 1
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step2 : END RLB-9-Step2 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-RLB-9-STEP2",nbViolation,nbNAViolation
    update_counts(tc)
    #Extra log record: (rule, bytes per ms, bytes scanned, elapsed ms)
    t = "OMG-RLB-9-STEP2",int(nBytes/msecs),nBytes,msecs
    local_library.extraLogWrite(t)
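def end_application(self, application):
    """Keep only the Cobol violations that fall inside TELON user-code markers.

    Every bookmarked quality-rule property returned by ``get_properties`` is
    declared as owned by this plugin, then rewritten per program so that only
    bookmarks contained in a user-code region (delimited by the marker lines
    recognised by ``is_begin`` / ``is_end``) survive. A file without any marker
    keeps all its violations, since it is presumably not in a TELON
    environment. LOC totals are logged per file and summarised at the end.

    Args:
        application: CAST application object; its Cobol programs are iterated
            with their violations loaded for ``properties``.
    """
    logging.info("Filtering violations")
    # All Cobol properties corresponding to bookmarked quality rules
    properties = get_properties(application)
    # 1. register each property as handled by this plugin : we will rewrite them
    for prop in properties:
        application.declare_property_ownership(prop, 'CAST_COBOL_SavedProgram')

    number_of_programs = 0
    number_of_telon_programs = 0
    number_of_violations = 0
    number_of_kept_violations = 0
    telon_LOC = 0
    total_LOC = 0

    programs = application.objects().has_type('CAST_COBOL_SavedProgram').load_violations(properties)
    for program in programs:
        number_of_programs += 1
        is_telon = False
        # 1. get the violations for that program.
        # A Cobol violation can be in a copybook: group violations per file.
        violations_per_file = {}
        for prop in properties:
            for violation in program.get_violations(prop):
                violations_per_file.setdefault(violation[1].file, []).append(violation)

        # 2. filter the violations that are in user code
        user_code_violations = []
        for _file, violations in violations_per_file.items():
            # open the file, get the 'user code bookmarks': those are the
            # bookmarks that represent the user code (one per begin/end pair)
            bookmarks = []
            begin_line = 0
            current_line = 0
            number_of_telon_LOC_in_current_program = 0
            with open_source_file(_file.get_path()) as f:
                for line in f:
                    current_line += 1
                    if is_begin(line):
                        # store current portion begin
                        begin_line = current_line
                    elif is_end(line):
                        end_line = current_line
                        bookmarks.append(Bookmark(_file, begin_line, 1, end_line, -1))
                        is_telon = True
                        number_of_telon_LOC_in_current_program += end_line - begin_line + 1

            # keep the violations that reside in at least one 'user code bookmark'
            for violation in violations:
                number_of_violations += 1
                if not bookmarks:
                    # no marker at all: keep everything, we are probably not in a TELON environment
                    user_code_violations.append(violation)
                elif any(bookmark.contains(violation[1]) for bookmark in bookmarks):
                    user_code_violations.append(violation)

            # LOC accounting is per file. The original keyed it on the per-program
            # is_telon flag, which skipped the LOC of non-TELON files of a TELON
            # program and counted a program once per marked file.
            total_LOC += current_line
            if bookmarks:
                logging.info('Number of TELON LOC in current program [%s]: %s on a total of %s LOC'
                             % (_file.get_path(), number_of_telon_LOC_in_current_program, current_line))
                telon_LOC += number_of_telon_LOC_in_current_program
            else:
                logging.info('File [%s] does not contain any Telon code' % (_file.get_path()))

        if is_telon:
            number_of_telon_programs += 1

        # 3. save back user_code_violations
        for violation in user_code_violations:
            number_of_kept_violations += 1
            # violation 'format' is almost directly usable as parameter
            program.save_violation(violation[0], violation[1], violation[2])

    logging.info('Found %s TELON programs out of %s programs' % (number_of_telon_programs, number_of_programs))
    logging.info('Kept %s violation bookmarks out of %s' % (number_of_kept_violations, number_of_violations))
    # Guard the percentage: with no file read, total_LOC is 0 and the original
    # division raised ZeroDivisionError at the very end of the filtering.
    if total_LOC > 0:
        logging.info('Number of TELON LOC : %s on a total of %s LOC, which means %s percent of generated LOC'
                     % (telon_LOC, total_LOC, round(telon_LOC * 100 / total_LOC, 2)))
    else:
        logging.info('*** No Cobol files analyzed, so no TELON code to filter')
    logging.info("Done filtering violations")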
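def scan_file_OMG_RLB_12(application, pfile, fileType):
    # Author : MGE
    # last modification date: 29/3/2017
    # Description: OMG RLB-12: Singleton Class Instance Creation without Proper Lock Element Management
    # Languages : C++/C#
    # Property : CWEforFDA_CustomMetrics_C_CPP.OMGRLB12violationCPP - CatID=2002000 PropID=2002023 SubID=2002273 QRID=2002596
    #            CWEforFDA_CustomMetrics_CSharp.OMGRLB12ViolationCSharp - CatID=2003000 PropID=2003023 SubID=2003273 QRID=2003596
    """Scan one C++/C# file for singleton classes instantiated without a lock.

    Single line-oriented pass:
      1) every ``class <Name>`` line opens a new class record; a later line
         containing ``new <Name>`` marks that record as a singleton candidate
         and bookmarks the ``new`` expression,
      2) any line containing ``lock`` (case-insensitive) while a record is
         open clears that record's violation flag.
    Records that are singleton candidates and still flagged are saved as
    violations on the CAST object enclosing the ``new`` expression.

    Args:
        application: CAST application (unused; kept for the common scan signature).
        pfile: CAST file object; ``get_path()``/``name`` are read and
            ``find_most_specific_object`` attaches the violation.
        fileType: ``"CCPP"`` or ``"CSHARP"``; selects the property name. Any
            other value scans but saves nothing.

    Returns:
        None. Counts go to ``update_counts`` and ``local_library.extraLogWrite``.
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    # One record per ``class`` line seen, in file order; myIdx points at the
    # record currently being filled (-1 before the first class).
    records = []
    myIdx = -1
    patSingletonDefinition = None
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-12 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-12 : Starting scan_file_OMG_RLB_12 > " + str(pfile.name))
    # NOTE(review): no word boundary, so "subclass Foo" or a forward
    # declaration "class Foo;" also open a record — confirm this is intended.
    patClassDefinition = r"(class[ \t]+)([A-Za-z0-9_\-]+)"
    patLockUsage = "([Ll][Oo][Cc][Kk])"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    if fileType == "CCPP":
        propName = 'CWEforFDA_CustomMetrics_C_CPP.OMGRLB12violationCPP'
        naMessage = "OMG-RLB-12: Violation not allowed on this kind of object, next version"
    elif fileType == "CSHARP":
        propName = 'CWEforFDA_CustomMetrics_CSharp.OMGRLB12violationCSharp'
        naMessage = "OMG-RLB-12: Violation not allowed on class object, next version"
    else:
        propName = None
        naMessage = None
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment Exclusion - Start ("//" skips the line, "/*" .. "*/" skips a range)
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                # Comment Exclusion - End
                nBytes += len(line)
                for p1 in re.finditer(patClassDefinition, line):
                    className = p1.group(2)
                    records.append({"class": className, "singleton": False,
                                    "violation": True, "bookmark": None, "obj": None})
                    myIdx = len(records) - 1
                    patSingletonDefinition = "(new[ \t]+" + re.escape(className) + ")"
                if myIdx == -1:
                    continue
                rec = records[myIdx]
                for p2 in re.finditer(patSingletonDefinition, line):
                    # NOTE(review): the object lookup is anchored 3 columns before
                    # "new"; for a match at column < 3 the column is negative — confirm.
                    rec["obj"] = pfile.find_most_specific_object(current_line, p2.start() - 3)
                    rec["bookmark"] = Bookmark(pfile, current_line, p2.start() + 1, current_line, p2.end())
                    rec["singleton"] = True
                # re.finditer() never returns None, so the original test
                # ``if not r3 is None`` cleared the flag on every line after a class
                # definition and the rule could never fire; test for a real match.
                if re.search(patLockUsage, line):
                    rec["violation"] = False
        for rec in records:
            if not (rec["singleton"] and rec["violation"]) or propName is None:
                continue
            try:
                rec["obj"].save_violation(propName, rec["bookmark"])
            except Exception:
                local_library.cwefdaLoggerWarning(naMessage)
                nbNAViolation += 1
            else:
                nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-12 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("OMG-RLB-12 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    local_library.cwefdaLoggerInfo("OMG-RLB-12 : END scan_file_OMG_RLB_12 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-RLB-12", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log
    t = "OMG-RLB-12", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)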
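def scan_file_SPDBviolation9_1_3(application, pfile, fileType):
    """Flag float/int/char/bool declarators that carry no initializer.

    NOTE: the rule is widely general and largely semantic, so it is tailored
    to one specific pattern: a declaration such as ``int a, b = 1, c;`` is
    split on commas and every declarator without an ``=`` is saved as
    ``SPDB_CustomMetrics_C.SPDBviolation9_1_3`` bookmarked on the regex match.

    A second definition with the same name appears later in this module and
    replaces this one at import time; both are kept in step.

    Args:
        application: CAST application (unused; kept for the common scan signature).
        pfile: CAST file object; read through ``open_source_file`` and used to
            save the violations.
        fileType: unused by this scan.

    Returns:
        None. Throughput goes to ``local_library.extraLogWrite``.
    """
    nbViolation = 0
    nbNAViolation = 0
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info("SPDBviolation9_1_3 : -------------------------------------------------------------------------")
    logging.info("SPDBviolation9_1_3 : Starting scan_file_SPDBviolation9_1_3 > " + str(pfile.name))
    patFunCall = r"(float|int|char|bool)[ \t\r\n]+([A-Za-z0-9_\-\(\),=\. \t\r\n]+);"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        isInSingleLineComment = False
        isInMultiLineComment = False
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                try:
                    # Comment Exclusion - Start
                    for c in re.finditer(patComment, line):
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                    if isInMultiLineComment:
                        continue
                    if isInSingleLineComment:
                        isInSingleLineComment = False
                        continue
                    # Comment Exclusion - End
                    nBytes += len(line)
                    for p in re.finditer(patFunCall, line):
                        logging.debug("scan_file_SPDBviolation9_1_3 :: result value---" + str(p))
                        for getVar in p.group(2).split(","):
                            logging.debug("scan_file_SPDBviolation9_1_3 :: getVar value---" + str(getVar))
                            if '=' in getVar:
                                logging.info("SPDBviolation9_1_3 :: [PASSED] Value is initialized for " + getVar)
                                continue
                            logging.debug("Violation saved for getVar value---" + str(getVar))
                            bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                            pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation9_1_3', bk)
                            # counted so the END log no longer always reports 0
                            nbViolation += 1
                except Exception as e:
                    # the original format string had one %s for two arguments
                    logging.error("SPDBviolation9_1_3 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("SPDBviolation9_1_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("SPDBviolation9_1_3 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    logging.info("SPDBviolation9_1_3 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation9_1_3", nbViolation, nbNAViolation
    # update_counts(tc) is deliberately left disabled here, as in the original
    # Extra log
    t = "SPDBviolation9_1_3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)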
def scan_file_CWE(application, pfile, fileType):
    """Template scanner: count ``if``/``else`` statements written without a ``{`` block.

    Languages : C

    The property name, the counter key handed to ``update_counts`` and the log
    prefix are still empty strings and the ``save_violation`` call is commented
    out, so this scan only counts regex matches (``nbViolation``) for C/C++
    files without saving any violation.

    Args:
        application: CAST application (unused).
        pfile: CAST file object, read through ``open_source_file``.
        fileType: only ``"CCPP"`` matches are counted.

    Returns:
        None.
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    patIfNoBlk1 = "(if[ \t\n\r]*\(([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+)(?!{)([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+);)"
    patIfNoBlk2 = "(else[ \t\n\r]*([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+)(?!{)([A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+);)"
    patComment = "(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    patIfNoBlk = patIfNoBlk1 + "|" + patIfNoBlk2
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                # Comment Exclusion - Start
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                # Comment Exclusion - End
                nBytes += len(line)
                # lookup kept for when the save_violation call below is re-enabled
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in re.finditer(patIfNoBlk, line):
                    if fileType != "CCPP":
                        continue
                    try:
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        # obj.save_violation('',bk)
                    except Exception:
                        logging.warning("Violation not allowed on this kind of object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error(" : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error(" : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    logging.info(" : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log
    t = "", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)
def end_application(self, application):
    """Rewrite bookmarked Cobol violations so only HR Access customer code keeps them.

    Customer-code regions are delimited by marker lines recognised by
    ``is_begin`` / ``is_end``; a violation survives when one of those regions
    contains its bookmark. A file without any marker keeps every violation
    (probably not an HR Access environment). LOC totals are logged per file
    and summarised at the end; the summary is skipped when nothing was read.

    Args:
        application: CAST application whose Cobol programs are iterated with
            their violations loaded for the bookmarked properties.
    """
    logging.info("Filtering violations")
    # All Cobol properties corresponding to bookmarked quality rules
    properties = get_properties(application)
    # 1. register each property as handled by this plugin : we will rewrite them
    for prop in properties:
        application.declare_property_ownership(prop, 'CAST_COBOL_SavedProgram')

    number_of_programs = 0
    number_of_cobol_programs = 0
    number_of_cobol_copybooks = 0
    number_of_hra_programs = 0
    number_of_violations = 0
    number_of_kept_violations = 0
    hra_LOC = 0
    total_LOC = 0

    programs = application.objects().has_type('CAST_COBOL_SavedProgram').load_violations(properties)
    for program in programs:
        number_of_programs += 1
        is_hra = False
        # 1. a Cobol violation can be in a copybook: group violations per file
        violations_per_file = {}
        for prop in properties:
            for violation in program.get_violations(prop):
                violations_per_file.setdefault(violation[1].file, []).append(violation)

        # 2. filter the violations that are in user code
        user_code_violations = []
        for _file, violations in violations_per_file.items():
            if program != _file:
                # we are in a Copybook
                number_of_cobol_copybooks += 1
            else:
                # the program itself, not a Copybook
                number_of_cobol_programs += 1
            # 'user code bookmarks': one per begin/end marker pair in the file
            bookmarks = []
            begin_line = 0
            current_line = 0
            number_of_hra_LOC_in_current_file = 0
            with open_source_file(_file.get_path()) as f:
                for line in f:
                    current_line += 1
                    if is_begin(line):
                        # store current portion begin
                        begin_line = current_line
                    elif is_end(line):
                        end_line = current_line
                        bookmarks.append(Bookmark(_file, begin_line, 1, end_line, -1))
                        is_hra = True
                        number_of_hra_LOC_in_current_file += end_line - begin_line + 1

            # keep the violations that reside in at least one 'user code bookmark';
            # without any marker keep them all (maybe not an HR Access environment)
            for violation in violations:
                number_of_violations += 1
                if not bookmarks:
                    user_code_violations.append(violation)
                elif any(bookmark.contains(violation[1]) for bookmark in bookmarks):
                    user_code_violations.append(violation)

            total_LOC += current_line
            if number_of_hra_LOC_in_current_file != 0:
                logging.info('Number of customer code LOC in current file [%s]: %s on a total of %s LOC'
                             % (_file.get_path(), number_of_hra_LOC_in_current_file, current_line))
                hra_LOC += number_of_hra_LOC_in_current_file
            else:
                logging.info('File [%s] does not contain any customer code, file LOC = %s'
                             % (_file.get_path(), current_line))

        if is_hra:
            number_of_hra_programs += 1

        # 3. save back user_code_violations
        for violation in user_code_violations:
            number_of_kept_violations += 1
            # violation 'format' is almost directly usable as parameter
            program.save_violation(violation[0], violation[1], violation[2])

    if total_LOC > 0:
        logging.info('Found %s HR Access programs out of %s programs and %s copybooks'
                     % (number_of_hra_programs, number_of_programs, number_of_cobol_copybooks))
        logging.info('Kept %s violation bookmarks out of %s' % (number_of_kept_violations, number_of_violations))
        logging.info('Number of HR Access LOC : %s on a total of %s LOC, which means %s percent of generated LOC'
                     % (hra_LOC, total_LOC, round(hra_LOC * 100 / total_LOC, 2)))
        logging.info("Done filtering violations")
    else:
        logging.info('*** No Cobol files analyzed, so no HR Access code to filter')
def takecode(self, fi, a, b, c, d):
    """Return the source text covered by the bookmark (fi, a:b .. c:d).

    Args:
        fi: CAST file object the bookmark belongs to.
        a, b: start line and column.
        c, d: end line and column.
    """
    return Bookmark(fi, a, b, c, d).get_code()
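def end_application(self, application):
    """Create Informix 4GL links recorded in the ``Informix4GL_linksFile.txt`` intermediate file.

    Each line of the file is a ``|``-separated record: fileName, programName,
    linkType, callerShortName, callerFullName, calledShortName, lineNbr,
    colStart, colEnd. The file object and caller program are re-resolved only
    when ``fileName`` changes; the called object is looked up by name in the
    KB (``callLink``, with a fallback to the caller program's globals) or among
    ``INFORMIX4GLScreen`` objects (``screenLink``). Every link is marked as
    "not sure" because the producing regex is permissive.

    Args:
        application: CAST application used for all object lookups.
    """
    logging.info('Creating links for Informix 4GL...')
    previousFileName = ""
    fileObj = None
    callerProgramObj = None
    with self.get_intermediate_file("Informix4GL_linksFile.txt") as f:
        for line in f:
            # strip the line terminator first: without it colEnd keeps the "\n"
            (fileName, programName, linkType, callerShortName, callerFullName,
             calledShortName, lineNbr, colStart, colEnd) = line.rstrip("\r\n").split('|')
            # Get Caller Program (re-resolved when the file changes).
            # NOTE(review): this assumes one program per file — confirm against
            # the writer of the links file.
            if previousFileName != fileName:
                fileObj = None
                for fo in application.get_files():
                    # TODO Need to filter better here but languages did not work
                    if fo.get_fullname() == fileName:
                        fileObj = fo
                callerProgramObj = None
                for o in application.get_objects_by_name(name=programName):
                    if o.get_fullname().startswith(fileName):
                        callerProgramObj = o
                # the original called load_children() unconditionally and raised
                # AttributeError when the program was not found
                if callerProgramObj is not None:
                    callerProgramObj.load_children()
                previousFileName = fileName
            # Get Caller Object
            callerObj = None
            for o in application.get_objects_by_name(name=callerShortName):
                if o.get_fullname() == callerFullName:
                    callerObj = o
            # Get Called Object
            calledObj = None
            if linkType == "callLink":
                calledObjList = application.get_objects_by_name(name=calledShortName)
                for o in calledObjList:
                    if o.get_fullname().startswith(fileName):
                        calledObj = o
                if calledObj is None and callerProgramObj is not None:
                    # Fallback: a global of the caller program. The original wrote
                    # ``o.get_fullname().contains(o.get_name())`` with ``o`` shadowed
                    # by two nested loops; str has no .contains, so it always raised.
                    # Read here as "global whose full name holds the called short
                    # name" — TODO confirm.
                    for child in callerProgramObj.get_children():
                        if child.get_type() == "INFORMIX4GLGlobals" and calledShortName in child.get_fullname():
                            calledObj = child
            if linkType == "screenLink":
                for o in application.search_objects(name=calledShortName, category="INFORMIX4GLScreen"):
                    calledObj = o
            if callerObj is None:
                logging.warning("%s could not be found in the KB!" % callerFullName)
            elif calledObj is None:
                # The regex catches lots of things that are not functions to begin with...
                # no need for it to be a warning
                logging.debug("%s could not be found in the KB!" % calledShortName)
            elif fileObj is None:
                # the original referenced an unbound fileObj here (NameError)
                logging.warning("file %s could not be found in the KB!" % fileName)
            else:
                logging.debug("create link from %s to %s" % (callerObj.get_fullname(), calledObj.get_fullname()))
                # NOTE(review): the original creates a 'callLink' even for a
                # screenLink record — kept as is, confirm. Coordinates are the
                # text fields of the record, converted like every other Bookmark.
                link = create_link('callLink', callerObj, calledObj,
                                   Bookmark(fileObj, int(lineNbr), int(colStart), int(lineNbr), int(colEnd)))
                link.mark_as_not_sure()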
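def scan_file_SPDBviolation12_2_5(application, pfile, fileType):
    """Flag functions that return a pointer to a primitive type.

    Rule text: avoid returning a pointer, because the memory exists and is
    destroyed automatically at the end of the function body.

    NOTE: the rule is widely general and largely semantic, so it is tailored
    to one pattern: ``<float|int|char|bool> *name(`` on a single line. Each
    match saves a whole-line bookmark as
    ``SPDB_CustomMetrics_C.SPDBviolation12_2_5``.

    Args:
        application: CAST application (unused; kept for the common scan signature).
        pfile: CAST file object; read through ``open_source_file`` and used to
            save the violations.
        fileType: unused by this scan.

    Returns:
        None. Counts go to ``update_counts`` and ``local_library.extraLogWrite``.
    """
    nbViolation = 0
    nbNAViolation = 0
    msecs = local_library.millis()
    nBytes = 0
    logging.info("scan_file_SPDBviolation12_2_5 : -------------------------------------------------------------------------")
    logging.info("scan_file_SPDBviolation12_2_5 : Starting > " + str(pfile.name))
    # the trailing (?=) is an empty lookahead and matches nothing extra
    patFunCall = r"(float|int|char|bool)\s*\*\s*([\w]*)(\(.*)(?=)"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        isInSingleLineComment = False
        isInMultiLineComment = False
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                try:
                    # Comment Exclusion - Start
                    for c in re.finditer(patComment, line):
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                    if isInMultiLineComment:
                        continue
                    if isInSingleLineComment:
                        isInSingleLineComment = False
                        continue
                    # Comment Exclusion - End
                    nBytes += len(line)
                    for p in re.finditer(patFunCall, line):
                        logging.info("scan_file_SPDBviolation12_2_5::Result is: %s %s", pfile, line)
                        try:
                            bk = Bookmark(pfile, current_line, 1, current_line, -1)
                            pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation12_2_5', bk)
                            logging.info("scan_file_SPDBviolation12_2_5 :: [VIOLATION] Avoid return Pointer, because memory exists and is destroyed automatically at the end of the function body <===> " + line)
                        except Exception as e:
                            # the original called e.message(), which does not exist
                            # in Python 3 and raised inside the handler
                            logging.error("scan_file_SPDBviolation12_2_5 : Error: %s, at line (not allowed on this object) %s", str(e), current_line)
                            nbNAViolation += 1
                        else:
                            # counted so the END log no longer always reports 0
                            nbViolation += 1
                except Exception as e:
                    # the original format string had one %s for two arguments
                    logging.error("scan_file_SPDBviolation12_2_5 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("scan_file_SPDBviolation12_2_5 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("scan_file_SPDBviolation12_2_5 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    logging.info("scan_file_SPDBviolation12_2_5 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation12_2_5", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log
    t = "SPDBviolation12_2_5", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)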
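def scan_file_SPDBviolation10_5_3(application, pfile, fileType):
    """Flag ``case``/``default`` branches of a ``switch`` that carry no comment.

    Once a ``switch`` keyword has been seen, every ``case``/``default`` line
    arms a check on the line that follows it. A blank line or a line holding
    ``{`` is skipped and the one after it is fetched through ``linecache``.
    When the checked line has no ``//`` or ``/* */`` marker, a whole-line
    bookmark on it is saved as ``SPDB_CustomMetrics_C.SPDBviolation10_5_3``.

    NOTE(review): ``patcase`` has no word boundary, so identifiers such as
    ``lowercase`` or ``showcase`` also arm the check — confirm.

    Args:
        application: CAST application (unused; kept for the common scan signature).
        pfile: CAST file object; read through ``open_source_file`` and used to
            save the violations.
        fileType: unused by this scan.

    Returns:
        None. Throughput goes to ``local_library.extraLogWrite``.
    """
    nbViolation = 0
    nbNAViolation = 0
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info("SPDBviolation10_5_3 : -------------------------------------------------------------------------")
    logging.info("SPDBviolation10_5_3 : Starting scan_file_SPDBviolation10_5_3 > " + str(pfile.name))
    patcase = r"(switch|case|default)\s*(.*)(?=)"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        isInSingleLineComment = False
        isInMultiLineComment = False
        matchedcasedefault = 0
        matchedswitch = 0
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                try:
                    # A pending case/default check runs BEFORE comment exclusion.
                    # The original ran it after, so a "//" comment line directly
                    # under a case was skipped by the exclusion `continue` and the
                    # following code line was judged instead (false violation).
                    if matchedswitch == 1 and matchedcasedefault == 1:
                        nextline = line
                        if nextline == "\n" or "{" in nextline:
                            logging.info("Empty line - Check in next line %s", nextline)
                            nextline = linecache.getline(pfile.get_path(), current_line + 1)
                        if re.findall(patComment, nextline):
                            logging.info("Proper COMMENTES are found in CASE %s", nextline)
                        else:
                            logging.info("SPDBviolation10_5_3 :: VIOLATION - Each case branch of the switch statement should have comments %s - Line %s", nextline, line)
                            bk = Bookmark(pfile, current_line, 1, current_line, -1)
                            pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation10_5_3', bk)
                            # counted so the END log no longer always reports 0
                            nbViolation += 1
                        matchedcasedefault = 0
                    # Comment Exclusion - Start
                    for c in re.finditer(patComment, line):
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                    if isInMultiLineComment:
                        continue
                    if isInSingleLineComment:
                        isInSingleLineComment = False
                        continue
                    # Comment Exclusion - End
                    nBytes += len(line)
                    for p in re.finditer(patcase, line):
                        keyword = p.group(1)
                        if keyword == "switch":
                            logging.info("SWITCH found - Current line %s", line)
                            matchedswitch = 1
                        elif keyword in ("case", "default"):
                            logging.info("CASE found - Current line %s", line)
                            matchedcasedefault = 1
                            if keyword == "default":
                                logging.info("DEFAULT found - Current line %s", line)
                except Exception as e:
                    # the original format string had one %s for two arguments
                    logging.error("SPDBviolation10_5_3 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("SPDBviolation10_5_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("SPDBviolation10_5_3 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    logging.info("SPDBviolation10_5_3 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation10_5_3", nbViolation, nbNAViolation
    # update_counts(tc) is deliberately left disabled here, as in the original
    # Extra log
    t = "SPDBviolation10_5_3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)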
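def scan_file_SPDBviolation9_1_3(application, pfile, fileType):
    """Flag float/int/char/bool declarators that carry no initializer.

    NOTE: the rule is widely general and largely semantic, so it is tailored
    to one specific pattern: a declaration such as ``int a, b = 1, c;`` is
    split on commas and every declarator without an ``=`` saves a whole-line
    bookmark as ``SPDB_CustomMetrics_C.SPDBviolation9_1_3``.

    This is the second definition of this name in the module; it replaces the
    earlier one at import time.

    Args:
        application: CAST application (unused; kept for the common scan signature).
        pfile: CAST file object; read through ``open_source_file`` and used to
            save the violations.
        fileType: unused by this scan.

    Returns:
        None. Counts go to ``update_counts`` and ``local_library.extraLogWrite``.
    """
    nbViolation = 0
    nbNAViolation = 0
    msecs = local_library.millis()
    nBytes = 0
    logging.debug("pfile.name----" + str(pfile.name))
    logging.info("SPDBviolation9_1_3 : -------------------------------------------------------------------------")
    logging.info("SPDBviolation9_1_3 : Starting scan_file_SPDBviolation9_1_3 > " + str(pfile.name))
    patFunCall = r"(float|int|char|bool)[ \t\r\n]+([A-Za-z0-9_\-\(\),=\. \t\r\n]+);"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        isInSingleLineComment = False
        isInMultiLineComment = False
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                try:
                    # Comment Exclusion - Start
                    for c in re.finditer(patComment, line):
                        if c.group(1):
                            isInSingleLineComment = True
                        if c.group(2):
                            isInMultiLineComment = True
                        if c.group(3):
                            isInMultiLineComment = False
                    if isInMultiLineComment:
                        continue
                    if isInSingleLineComment:
                        isInSingleLineComment = False
                        continue
                    # Comment Exclusion - End
                    nBytes += len(line)
                    for p in re.finditer(patFunCall, line):
                        logging.debug("result value---" + str(p))
                        for getVar in p.group(2).split(","):
                            logging.debug("getVar value---" + str(getVar))
                            if '=' in getVar:
                                logging.info("SPDBviolation9_1_3 :: [PASSED] Value is initialized for " + getVar)
                                continue
                            logging.debug("Violation saved for getVar value---" + str(getVar))
                            bk = Bookmark(pfile, current_line, 1, current_line, -1)
                            pfile.save_violation('SPDB_CustomMetrics_C.SPDBviolation9_1_3', bk)
                            # counted so the END log no longer always reports 0
                            nbViolation += 1
                except Exception as e:
                    # the original format string had one %s for two arguments
                    logging.error("SPDBviolation9_1_3 : Error: %s, at line %s", str(e), current_line)
    except FileNotFoundError:
        logging.error("SPDBviolation9_1_3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("SPDBviolation9_1_3 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    logging.info("SPDBviolation9_1_3 : END %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "SPDBviolation9_1_3", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log
    t = "SPDBviolation9_1_3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)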
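def scan_file_SPDBviolation9_4_2(application, pfile, fileType):
    """Flag assignments whose right-hand side is a cast to a basic type.

    The rule itself is broad and semantic, so this scanner is deliberately
    tailored to two syntactic shapes on a single line:
    ``x = (int *) y;`` (pointer cast) and ``x = (int) y;`` (value cast),
    with the type being one of int, float, char or bool and both sides being
    plain identifiers (``\\w*``, possibly empty).  Every match is reported as a
    violation bookmarked on its whole line (columns 1 .. -1).

    Not modelled: casts to any other type (struct pointers, ``void *``,
    ``unsigned ...``), casts of expressions such as ``(int) (a + b)`` and
    casts that do not end the statement with ``;`` on the same line.

    Args:
        application: unused here; part of the common scanner signature.
        pfile: analysed file object. ``get_path()`` is opened through
            ``open_source_file``, ``name`` is logged and
            ``save_violation(metric_id, bookmark)`` is called per finding.
        fileType: unused here; part of the common scanner signature.

    Side effects: saves violations on ``pfile``, forwards the counters to
    ``update_counts`` and a throughput record to ``local_library.extraLogWrite``.
    An error on a single line is logged and the scan continues with the next
    line; a missing file or any other error aborts the scan, but the counters
    are still reported.
    """
    rule_id = "SPDBviolation9_4_2"
    log_prefix = "scan_file_SPDBviolation9_4_2"
    metric_id = "SPDB_CustomMetrics_C.SPDBviolation9_4_2"
    nbViolation = 0
    # Never raised by this scanner; kept so update_counts gets the usual tuple shape.
    nbNAViolation = 0
    nBytes = 0
    msecs = local_library.millis()

    logging.debug("pfile.name----%s", pfile.name)
    logging.info(
        "%s : -------------------------------------------------------------------------",
        log_prefix)
    logging.info(
        "%s : Starting scan_file_scan_file_SPDBviolation9_4_2 > %s", log_prefix, pfile.name)

    # Alternative 1: pointer cast "<lhs> = (<type> *) <rhs>;"
    # Alternative 2: value cast   "<lhs> = (<type>) <rhs>;"
    pat_cast = re.compile(
        r"(\w*\s*=\s*\(\s*(int|float|char|bool)\s*\*\s*\)\s*(\w*)\s*;)"
        r"|(\w*\s*=\s*\(\s*(int|float|char|bool)\s*\)\s*(\w*)\s*;)")
    # group(1): "//" at line start, group(2): "/*", group(3): "*/"
    pat_comment = re.compile(r"(^[ \t]*//)|(/\*)|(\*/)")

    in_line_comment = False
    in_block_comment = False
    try:
        with open_source_file(pfile.get_path()) as f:
            current_line = 0
            for line in f:
                current_line += 1
                try:
                    # Comment exclusion: track // and /* ... */ state across lines.
                    # A trailing "//" after code is not modelled, and code that
                    # follows "*/" on the same line is scanned together with the
                    # comment text.
                    for c in pat_comment.finditer(line):
                        if c.group(1):
                            in_line_comment = True
                        if c.group(2):
                            in_block_comment = True
                        if c.group(3):
                            in_block_comment = False
                    if in_block_comment:
                        continue
                    if in_line_comment:
                        in_line_comment = False
                        continue

                    nBytes += len(line)
                    for p in pat_cast.finditer(line):
                        logging.info(
                            "scan_file_scan_file_SPDBviolation9_4_2::Result is: [%s] [%s] [%s]",
                            pfile, line, p.groups())
                        # Columns 1 / -1 bookmark the whole line.
                        bk = Bookmark(pfile, current_line, 1, current_line, -1)
                        pfile.save_violation(metric_id, bk)
                        # Counted only once the violation is actually saved;
                        # the original never incremented this and always
                        # reported 0.
                        nbViolation += 1
                except Exception as e:
                    # One %s per argument: the original format string had a
                    # single placeholder for two arguments and the message was
                    # lost to a logging formatting error.
                    logging.error("%s : Error: %s, at line %s", log_prefix, str(e), current_line)
    except FileNotFoundError:
        logging.error("%s : File not found > %s", log_prefix, pfile.get_path())
    except Exception as e:
        logging.error("%s : Error: %s", log_prefix, str(e))

    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1  # avoid a zero divisor in the throughput figure below
    logging.info("%s : END %s - Found %s violation ", log_prefix, pfile.name, nbViolation)
    update_counts((rule_id, nbViolation, nbNAViolation))
    # Extra log: (rule, bytes per millisecond, bytes scanned, elapsed ms)
    local_library.extraLogWrite((rule_id, int(nBytes / msecs), nBytes, msecs))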
