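def scan_file_OMG_RLB_18(application, pfile, fileType):
    """Scan one source file for string initialisations that embed a hard-coded network resource.

    Rule OMG-ASCCRM-RLB-18: Storable and Member Data Element Initialization with
    Hard-Coded Network Resource Configuration Data (C/C++/C#).
    Author: MGE - last modification: 24/3/2017.
    Properties:
      CWEforFDA_CustomMetrics_C_CPP.OMGRLB18violationCPP     - CatID=2002000 PropID=2002024 SubID=2002274 QRID=2002598
      CWEforFDA_CustomMetrics_CSharp.OMGRLB18violationCSharp - CatID=2003000 PropID=2003024 SubID=2003274 QRID=2003598

    Heuristic (line based, no parsing): a line is reported when a plain
    assignment (``x = "..."``; ``==`` is rejected) carries a double-quoted
    string containing a dotted quad, a URL scheme, ``www.``/``ftp.`` or a
    ``?key=value`` query fragment. Whole-line ``//`` comments and
    ``/* ... */`` regions are skipped; the line holding ``*/`` is scanned.
    At most one violation is saved per line.

    Args:
        application: analysis application handle (unused here, kept for the
            common scan_file_* signature).
        pfile: file object providing get_path(), name and
            find_most_specific_object(line, column).
        fileType: "CCPP" or "CSHARP"; any other value scans the file but
            saves nothing.

    Returns:
        None. Counts are pushed through update_counts() and
        local_library.extraLogWrite().
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    # Initialised outside the try so the generic error handler can report how
    # far the scan got before it aborted.
    current_line = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-18 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-18 : Starting scan_file_OMG_RLB_18 > " + str(pfile.name))

    # Property to save, keyed by fileType; None means "scan only, save nothing".
    propertyName = {
        "CCPP": 'CWEforFDA_CustomMetrics_C_CPP.OMGRLB18violationCPP',
        "CSHARP": 'CWEforFDA_CustomMetrics_CSharp.OMGRLB18violationCSharp',
    }.get(fileType)

    # Dotted quad. Octets are only loosely range-checked and the match is
    # unanchored, so version strings such as "1.2.3.4" are reported too: the
    # rule trades precision for recall and its findings need review.
    patNetResource1 = r"([12]?[0-5]?[0-9]\.[12]?[0-5]?[0-9]\.[12]?[0-5]?[0-9]\.[12]?[0-5]?[0-9])"
    # URL schemes. mailto: and data: URLs carry no "//", so the earlier
    # "mailto://" and "data://" alternatives could never match; they now
    # require the shape of a real address (user@host) / payload (",data").
    patNetResource2 = r"(http[s]?://)|(ftp://)|(mailto:[^ \t\"]+@)|(file://)|(data:[^ \t\"]*,)|(irc://)"
    patNetResource3 = r"(www\.)|(ftp\.)"
    patNetResource4 = r"([\?\&][ \t]*[a-z0-9\-\_]+[ \t]*\=[ \t]*[a-z0-9\-\_]+)"
    # Only double-quoted strings on the right-hand side of a plain assignment
    # ([^=]= rejects ==). The greedy .* spans every quoted run on the line,
    # which is why one match (and one violation) per line is enough.
    patNetResource = re.compile(
        "[^=]=[ \t]*\".*(" + patNetResource1 + "|" + patNetResource2 + "|"
        + patNetResource3 + "|" + patNetResource4 + ").*\""
    )
    # group 1: whole-line // comment, group 2: /* opener, group 3: */ closer.
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")

    try:
        with open_source_file(pfile.get_path()) as f:
            for line in f:
                current_line += 1
                # Comment exclusion: a whole-line // comment skips this line,
                # /* ... */ state carries across lines.
                for c in patComment.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)
                # Most specific object containing the line; the violation is
                # attached to it.
                obj = pfile.find_most_specific_object(current_line, 1)
                match = patNetResource.search(line)
                if match is None or propertyName is None:
                    continue
                bk = Bookmark(pfile, current_line, match.start() + 1, current_line, match.end())
                try:
                    obj.save_violation(propertyName, bk)
                except Exception:
                    # Some object kinds reject violations; count them separately
                    # so the finding is not silently lost.
                    local_library.cwefdaLoggerWarning("OMG-RLB-18: Violation not allowed on this kind of object, next version")
                    nbNAViolation += 1
                else:
                    nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-18 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        # Any other failure ends the scan of this file: lines after
        # current_line are NOT analysed, so the position is logged to make the
        # coverage gap visible instead of silently under-reporting.
        logging.error("OMG-RLB-18 : Error at line %s of %s: %s", str(current_line), str(pfile.get_path()), str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    local_library.cwefdaLoggerInfo("OMG-RLB-18 : END scan_file_OMG_RLB_18 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-RLB-18", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: throughput in bytes per millisecond.
    t = "OMG-RLB-18", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)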
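def scan_file_OMG_RLB_12(application, pfile, fileType):
    """Scan one source file for singleton instantiation without a lock primitive nearby.

    Rule OMG RLB-12: Singleton Class Instance Creation without Proper Lock
    Element Management (C++/C#).
    Author: MGE - last modification: 29/3/2017.
    Properties:
      CWEforFDA_CustomMetrics_C_CPP.OMGRLB12violationCPP     - CatID=2002000 PropID=2002023 SubID=2002273 QRID=2002596
      CWEforFDA_CustomMetrics_CSharp.OMGRLB12violationCSharp - CatID=2003000 PropID=2003023 SubID=2003273 QRID=2003596

    Heuristic (line based, no parsing):
      1) every ``class Name`` declaration opens a record for Name;
      2) a later ``new Name`` marks the most recently declared class as a
         singleton candidate and bookmarks that line;
      3) any line from that declaration on containing "lock" (case-insensitive
         substring: ``lock(``, ``lock_guard``, ``Interlocked``, but also
         ``block`` or ``clock``) clears the violation for that class.
    Only the most recently declared class is tracked at any time and the lock
    search is not scoped to the method holding the ``new``; findings need
    review.

    Args:
        application: analysis application handle (unused, common signature).
        pfile: file object providing get_path(), name and
            find_most_specific_object(line, column).
        fileType: "CCPP" or "CSHARP"; other values scan but save nothing.

    Returns:
        None. Counts go through update_counts() and extraLogWrite().
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    current_line = 0
    # One record per declared class, in file order; `current` is the last one.
    classRecords = []
    current = None
    patSingletonDefinition = None
    local_library.cwefdaLoggerInfo("OMG-RLB-12 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-12 : Starting scan_file_OMG_RLB_12 > " + str(pfile.name))

    # (property, warning text) per fileType; None means "scan only, save nothing".
    saveTarget = {
        "CCPP": ('CWEforFDA_CustomMetrics_C_CPP.OMGRLB12violationCPP',
                 "OMG-RLB-12: Violation not allowed on this kind of object, next version"),
        "CSHARP": ('CWEforFDA_CustomMetrics_CSharp.OMGRLB12violationCSharp',
                   "OMG-RLB-12: Violation not allowed on class object, next version"),
    }.get(fileType)

    patClassDefinition = re.compile(r"(class[ \t]+)([A-Za-z0-9_\-]+)")
    patLockUsage = re.compile(r"([Ll][Oo][Cc][Kk])")
    # group 1: whole-line // comment, group 2: /* opener, group 3: */ closer.
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")

    try:
        with open_source_file(pfile.get_path()) as f:
            for line in f:
                current_line += 1
                # Comment exclusion: a whole-line // comment skips this line,
                # /* ... */ state carries across lines.
                for c in patComment.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)

                for p1 in patClassDefinition.finditer(line):
                    current = {
                        "name": p1.group(2),
                        "isSingleton": False,
                        "isViolation": True,
                        "bookmark": None,
                        "obj": None,
                    }
                    classRecords.append(current)
                    # The class name comes from the scanned file; it is limited
                    # to [A-Za-z0-9_-] by patClassDefinition, and re.escape keeps
                    # it literal inside the derived pattern regardless.
                    patSingletonDefinition = re.compile("(new[ \t]+" + re.escape(current["name"]) + ")")
                if current is None:
                    continue

                for p2 in patSingletonDefinition.finditer(line):
                    # Column is clamped to 1: the previous offset (start-3) went
                    # negative when "new" sat near the start of the line.
                    current["obj"] = pfile.find_most_specific_object(current_line, max(1, p2.start() - 3))
                    current["bookmark"] = Bookmark(pfile, current_line, p2.start() + 1, current_line, p2.end())
                    current["isSingleton"] = True

                # Bug fix: the earlier code tested re.finditer(...) against None,
                # which never holds, so every line cleared the flag and the rule
                # could not report anything. Only a real "lock" hit clears it.
                if patLockUsage.search(line) is not None:
                    current["isViolation"] = False

            for rec in classRecords:
                if not (rec["isSingleton"] and rec["isViolation"]) or saveTarget is None:
                    continue
                propName, notAllowedMsg = saveTarget
                try:
                    rec["obj"].save_violation(propName, rec["bookmark"])
                except Exception:
                    # Some object kinds reject violations; counted separately
                    # so the finding is not silently lost.
                    local_library.cwefdaLoggerWarning(notAllowedMsg)
                    nbNAViolation += 1
                else:
                    nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-12 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        # Any other failure ends the scan of this file: lines after
        # current_line are NOT analysed, so the position is logged to make the
        # coverage gap visible instead of silently under-reporting.
        logging.error("OMG-RLB-12 : Error at line %s of %s: %s", str(current_line), str(pfile.get_path()), str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    local_library.cwefdaLoggerInfo("OMG-RLB-12 : END scan_file_OMG_RLB_12 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-RLB-12", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: throughput in bytes per millisecond.
    t = "OMG-RLB-12", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)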
def scan_file_CWE_483(application, pfile, fileType):
    """Scan one source file for single-line ``if``/``else`` bodies written without braces.

    Rule CWE-483: Incorrect Block Delimitation (C/C++/C#).
    Author: MGE - last modification: 24/3/2017.
    Properties:
      CWEforFDA_CustomMetrics_C_CPP.CWE483violationCPP     - CatID=2002000 PropID=2002013 SubID=2002263 QRID=2002598
      CWEforFDA_CustomMetrics_CSharp.CWE483violationCSharp - CatID=2003000 PropID=2003013 SubID=2003263 QRID=2003576

    The heuristic is line based: ``if (cond) stmt;`` and ``else stmt;`` on
    one physical line are reported; a body placed on the following line is
    not seen. Whole-line ``//`` comments and ``/* ... */`` regions are
    skipped (the line holding ``*/`` is scanned).

    Args:
        application: analysis application handle (unused, common signature).
        pfile: file object providing get_path(), name and
            find_most_specific_object(line, column).
        fileType: "CCPP" or "CSHARP"; other values scan but save nothing.

    Returns:
        None. Counts go through update_counts() and extraLogWrite().
    """
    nbViolation = 0
    nbNAViolation = 0
    inBlockComment = False
    inLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-483 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-483 : Starting scan_file_CWE_483 > " + str(pfile.name))

    # Characters allowed inside the condition / statement part of a one-line
    # if or else; braces are deliberately absent from the class.
    stmtChars = "[A-Za-z0-9_\(\)\.\,:\?\=\/\+\-\* \t\n\r]+"
    ifWithoutBlock = "(if[ \t\n\r]*\((" + stmtChars + ")(?!{)(" + stmtChars + ");)"
    elseWithoutBlock = "(else[ \t\n\r]*(" + stmtChars + ")(?!{)(" + stmtChars + ");)"
    patIfNoBlk = re.compile(ifWithoutBlock + "|" + elseWithoutBlock)
    # group 1: whole-line // comment, group 2: /* opener, group 3: */ closer.
    patComment = re.compile("(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")
    propertyName = {
        "CCPP": 'CWEforFDA_CustomMetrics_C_CPP.CWE483violationCPP',
        "CSHARP": 'CWEforFDA_CustomMetrics_CSharp.CWE483violationCSharp',
    }.get(fileType)

    try:
        with open_source_file(pfile.get_path()) as srcFile:
            lineNo = 0
            for line in srcFile:
                lineNo += 1
                for c in patComment.finditer(line):
                    if c.group(1):
                        inLineComment = True
                    if c.group(2):
                        inBlockComment = True
                    if c.group(3):
                        inBlockComment = False
                if inBlockComment:
                    continue
                if inLineComment:
                    inLineComment = False
                    continue
                nBytes += len(line)
                owner = pfile.find_most_specific_object(lineNo, 1)
                for hit in patIfNoBlk.finditer(line):
                    if propertyName is None:
                        continue
                    try:
                        bk = Bookmark(pfile, lineNo, hit.start() + 1, lineNo, hit.end())
                        owner.save_violation(propertyName, bk)
                    except Exception:
                        local_library.cwefdaLoggerWarning("CWE-483: Violation not allowed on this kind of object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-483 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-483 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    local_library.cwefdaLoggerInfo("CWE_483 : END CWE-483 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-483", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: throughput in bytes per millisecond.
    t = "CWE-483", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)
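def scan_file_OMG_RLB_9_Step2(application, pfile, fileType):
    """Scan one source file for ``==`` comparisons whose operand is a float variable found by Step1.

    Rule OMG RLB-9: Float Type Storable and Member Data Element Comparison
    with Equality Operator (C/C++/C#).
    Author: MGE - last modification: 24/3/2017.
    Properties:
      CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP     - CatID=2002000 PropID=2002022 SubID=2002272 QRID=2002594
      CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp - CatID=2003000 PropID=2003022 SubID=2003272 QRID=2003594

    Two-step rule:
      scan_file_OMG_RLB_9_Step1 collects float variable definitions into the
      module-level list ``aFloatVariableName``, qualified as
      ``[Global].name`` or ``[path].scope.name``;
      this step (Step2) reports every ``==`` whose left or right operand is
      one of those names. The scope is file+function or global; lower
      scopes are not considered.

    Args:
        application: analysis application handle (unused, common signature).
        pfile: file object providing get_path(), name and
            find_most_specific_object(line, column).
        fileType: "CCPP" or "CSHARP"; other values scan but save nothing.

    Returns:
        None. Counts go through update_counts() and extraLogWrite().
    """
    global aFloatVariableName

    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    current_line = 0
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step2 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step2 : Starting scan_file_OMG_RLB_9_Step2 > " + str(pfile.name))

    propertyName = {
        "CCPP": 'CWEforFDA_CustomMetrics_C_CPP.OMGRLB9violationCPP',
        "CSHARP": 'CWEforFDA_CustomMetrics_CSharp.OMGRLB9violationCSharp',
    }.get(fileType)

    # Operand adjacent to "==" (blanks allowed). The earlier patterns put a
    # greedy wildcard between the name and the operator, so the left one
    # captured the first token of the line (e.g. "if") and the right one an
    # empty string: the typical "a == b" was never matched.
    patFloatName = r"[A-Za-z0-9_\-\.]+"
    patFloatCompLeft = re.compile("(" + patFloatName + ")[ \t]*==")
    patFloatCompRight = re.compile("==[ \t]*(" + patFloatName + ")")
    # group 1: whole-line // comment, group 2: /* opener, group 3: */ closer.
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")

    # Names known from Step1; a set gives O(1) membership per candidate and
    # a duplicated entry no longer produces a duplicated violation.
    knownFloats = set(aFloatVariableName)
    filePath = pfile.get_path()

    def _isTrackedFloat(varName, scopeName):
        # Step1 qualifies a file-scope variable as "[Global].name" and a local
        # one as "[path].scope.name". A comparison always sits inside some
        # function, so the scoped form alone could never match a global
        # variable; both forms are tried.
        return ("[Global]." + varName in knownFloats
                or "[" + filePath + "]." + scopeName + "." + varName in knownFloats)

    try:
        with open_source_file(pfile.get_path()) as f:
            for line in f:
                current_line += 1
                # Comment exclusion: a whole-line // comment skips this line,
                # /* ... */ state carries across lines.
                for c in patComment.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                if propertyName is None:
                    continue
                scopeName = obj.get_name()
                # Right operand first, then left, as before.
                for pat in (patFloatCompRight, patFloatCompLeft):
                    for p in pat.finditer(line):
                        if not _isTrackedFloat(p.group(1), scopeName):
                            continue
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        try:
                            obj.save_violation(propertyName, bk)
                        except Exception:
                            # Some object kinds reject violations; counted
                            # separately so the finding is not silently lost.
                            local_library.cwefdaLoggerWarning("OMG-RLB-9-Step2: Violation not allowed on this kind of object, next version")
                            nbNAViolation += 1
                        else:
                            nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-RLB-9-Step2 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        # Any other failure ends the scan of this file: lines after
        # current_line are NOT analysed, so the position is logged to make the
        # coverage gap visible instead of silently under-reporting.
        logging.error("OMG-RLB-9-Step2 : Error at line %s of %s: %s", str(current_line), str(pfile.get_path()), str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    local_library.cwefdaLoggerInfo("OMG-RLB-9-Step2 : END RLB-9-Step2 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-RLB-9-STEP2", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: throughput in bytes per millisecond.
    t = "OMG-RLB-9-STEP2", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)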
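def scan_file_OMG_MNT_3(application, pfile, fileType):
    """Scan one source file for numeric variables initialised with a hard-coded literal.

    Rule OMG MNT-3: Storable and Member Data Element Initialization with
    Hard-Coded Literals (C/C++/C#).
    Author: PMB - last modification: 10/4/2017.
    Properties (IDs as recorded in the original header, which named the
    RLB-9 properties; the property names below are the ones actually saved):
      CWEforFDA_CustomMetrics_C_CPP.OMGMNT3violationCPP     - CatID=2002000 PropID=2002021 SubID=2002271 QRID=2002592
      CWEforFDA_CustomMetrics_CSharp.OMGMNT3violationCSharp - CatID=2003000 PropID=2003021 SubID=2003271 QRID=2003592

    Heuristic (line based, no parsing): a line declaring a ``char``,
    ``float``, ``double`` or ``long double`` is reported for each
    ``name = <numeric literal>`` it contains, terminated by ``;`` or ``,``.
    ``const`` declarations are exempt (naming a literal is the recommended
    fix). Integer, decimal, signed, exponent and suffixed literals (``1``,
    ``1.5``, ``-2``, ``1e-3``, ``2.0f``) are all recognised; the earlier
    code accepted a decimal point only after ``char`` and therefore missed
    ``float x = 1.5;`` entirely. A ``const`` placed after the type
    (``float const x``) is not recognised as exempt.

    Args:
        application: analysis application handle (unused, common signature).
        pfile: file object providing get_path(), name and
            find_most_specific_object(line, column).
        fileType: "CCPP" or "CSHARP"; other values scan but save nothing.

    Returns:
        None. Counts go through update_counts() and extraLogWrite().
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    current_line = 0
    local_library.cwefdaLoggerInfo("OMG-MNT-3 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("OMG-MNT-3 : Starting scan_file_OMG_MNT_3 > " + str(pfile.name))

    propertyName = {
        "CCPP": 'CWEforFDA_CustomMetrics_C_CPP.OMGMNT3violationCPP',
        "CSHARP": 'CWEforFDA_CustomMetrics_CSharp.OMGMNT3violationCSharp',
    }.get(fileType)

    # Declaration of a numeric type on the line; group 1 is the type keyword
    # ("const" first, so "const float x = 1;" is seen as const and skipped).
    patFloatDefinition = re.compile(r"((const)|(char)|(float)|(double)|(long double))([ \t\r\n]+)([A-Za-z0-9_\-\(\),=\. \t\r\n]+);")
    # "name = <numeric literal>" followed by ';' or ','. Group 1 is the name,
    # group 2 the literal: optional sign, integer or decimal mantissa,
    # optional exponent, optional C/C++ suffix. "==" does not match because
    # the literal must start right after the single "=".
    patLiteralInit = re.compile(
        r"([A-Za-z_][A-Za-z0-9_]*)[ \t]*=[ \t]*"
        r"([\+\-]?(?:\d+\.?\d*|\.\d+)(?:[eE][\+\-]?\d+)?[fFlLuU]*)[ \t]*[;,]"
    )
    # group 1: whole-line // comment, group 2: /* opener, group 3: */ closer.
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")

    try:
        with open_source_file(pfile.get_path()) as f:
            for line in f:
                current_line += 1
                # Comment exclusion: a whole-line // comment skips this line,
                # /* ... */ state carries across lines.
                for c in patComment.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)

                typeKeywords = [p.group(1) for p in patFloatDefinition.finditer(line)]
                # The line is scanned once, whatever the number of declarations
                # on it, as long as at least one of them is not const.
                if propertyName is None or not any(k != "const" for k in typeKeywords):
                    continue
                for pp in patLiteralInit.finditer(line):
                    bk = Bookmark(pfile, current_line, pp.start() + 1, current_line, pp.end())
                    try:
                        obj.save_violation(propertyName, bk)
                    except Exception:
                        # Some object kinds reject violations; counted
                        # separately so the finding is not silently lost.
                        local_library.cwefdaLoggerWarning("OMG-MNT-3 : Violation not allowed on this object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("OMG-MNT-3 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        # Any other failure ends the scan of this file: lines after
        # current_line are NOT analysed, so the position is logged to make the
        # coverage gap visible instead of silently under-reporting.
        logging.error("OMG-MNT-3 : Error at line %s of %s: %s", str(current_line), str(pfile.get_path()), str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    local_library.cwefdaLoggerInfo("OMG-MNT-3 : END scan_file_OMG_MNT_3 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "OMG-MNT-3", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: throughput in bytes per millisecond.
    t = "OMG-MNT-3", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)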
def scan_file_CWE_685_Step2(application, pfile, fileType):
    """Scan one source file for calls whose argument count differs from the definition seen by Step1.

    Rule CWE-685: Function Call With Incorrect Number of Arguments (C).
    Author: MGE - last modification: 24/3/2017.
    Property: CWEforFDA_CustomMetrics_C_CPP.CWE685violationCPP - CatID=2002000 PropID=2002016 SubID=2002266 QRID=2003582

    Two-step rule: scan_file_CWE_685_Step1 fills the module-level lists
    ``aFunctionDefinitionName`` / ``aFunctionDefinitionNPar``; this step
    matches ``name(args)`` on each line and reports it when the number of
    comma-separated pieces of the parenthesised text (``()`` counts as one)
    differs from the stored count for ``name``. For a name stored more than
    once only its first entry is compared (list.index semantics), and the
    violation is saved once per stored entry. Arguments containing
    parentheses (nested calls) do not match the call pattern and are not
    checked. The C/C++ property is saved whatever ``fileType`` is.

    Args:
        application: analysis application handle (unused, common signature).
        pfile: file object providing get_path(), name and
            find_most_specific_object(line, column).
        fileType: not consulted by this rule.

    Returns:
        None. Counts go through update_counts() and extraLogWrite().
    """
    global aFunctionDefinitionName
    global aFunctionDefinitionNPar
    global aFunctionCallName
    global aFunctionCallNPar
    global aFunctionCallBookmark
    global aFloatVariableName
    global aFloatClassName
    nbViolation = 0
    nbNAViolation = 0
    inBlockComment = False
    inLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-685-Step2 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-685-Step2 : Starting scan_file_CWE_685_Step2 > " + str(pfile.name))

    funcName = "[A-Za-z][A-Za-z0-9_\-]*"
    # group 1: callee, group 3: parenthesised argument text (no nesting).
    patFunctionCall = "(" + funcName + ")" + "([ \t\r\n]*)(\([A-Za-z0-9_\- \t\r\n.,\.\*]*\))"
    # group 1: whole-line // comment, group 2: /* opener, group 3: */ closer.
    patComment = "(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"

    try:
        with open_source_file(pfile.get_path()) as srcFile:
            lineNo = 0
            for line in srcFile:
                lineNo += 1
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        inLineComment = True
                    if c.group(2):
                        inBlockComment = True
                    if c.group(3):
                        inBlockComment = False
                if inBlockComment:
                    continue
                if inLineComment:
                    inLineComment = False
                    continue
                nBytes += len(line)
                owner = pfile.find_most_specific_object(lineNo, 1)
                try:
                    callSites = re.finditer(patFunctionCall, line)
                except Exception:
                    callSites = ()
                for hit in callSites:
                    calledName = hit.group(1)
                    argCount = len(hit.group(3).split(','))
                    for definedName in aFunctionDefinitionName:
                        # index() always yields the first entry for this name.
                        defIdx = aFunctionDefinitionName.index(definedName)
                        if calledName != definedName or argCount == aFunctionDefinitionNPar[defIdx]:
                            continue
                        try:
                            bk = Bookmark(pfile, lineNo, hit.start() + 1, lineNo, hit.end())
                            owner.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE685violationCPP', bk)
                        except Exception:
                            local_library.cwefdaLoggerWarning("CWE-685-Step2: Violation not allowed on this kind of object, next version")
                            nbNAViolation += 1
                        else:
                            nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-685-Step2 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-685-Step2 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    local_library.cwefdaLoggerInfo("CWE-685-Step2 : END CWE-685 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-685-STEP2", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: throughput in bytes per millisecond.
    t = "CWE-685-STEP2", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)
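def scan_file_CWE_910(application, pfile, fileType):
    """Scan one source file for identifiers used after being passed to ``free()``.

    Rule CWE-910 (C/C++) as implemented here: once ``free(name)`` is seen,
    later lines of the same file that mention ``name`` are reported. The
    rule's title speaks of expired file descriptors, but the code tracks
    ``free()``ed identifiers, i.e. a use-after-free / double-free heuristic;
    the sentence about comparison-versus-assignment in the original header
    belonged to another rule and has been dropped.
    Author: PMB - last modification: 27/3/2017.
    Property: CWEforFDA_CustomMetrics_C_CPP.CWE910violationCPP - CatID=2002000 PropID=2002020 SubID=2002270 QRID=2002590

    Heuristic details:
      * ``free(name)`` / ``free (name)`` with a bare identifier argument
        starts tracking ``name``; ``free(p->x)`` is not recognised.
      * A later ``name = ...`` (plain assignment, not ``==``) ends tracking
        without a report: the pointer has been re-initialised (``p = NULL``
        right after ``free(p)`` is the recommended idiom, also when it is on
        the same line). ``p = realloc(p, n)`` is treated as such a
        re-initialisation and is therefore not reported.
      * Any other whole-identifier occurrence of ``name`` is reported,
        including a second ``free(name)`` (double free) and comparisons.
      * Tracking is per file, not per function: an unrelated variable with
        the same name in a later function is still reported, so findings
        need review. The C/C++ property is saved whatever ``fileType`` is.

    Args:
        application: analysis application handle (unused, common signature).
        pfile: file object providing get_path(), name and
            find_most_specific_object(line, column).
        fileType: not consulted by this rule.

    Returns:
        None. Counts go through update_counts() and extraLogWrite().
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    msecs = local_library.millis()
    nBytes = 0
    current_line = 0
    local_library.cwefdaLoggerInfo("CWE-910 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-910 : Starting scan_file_CWE_910 > " + str(pfile.name))

    # "free(name)" with a bare identifier; a call at column 0 is accepted too
    # (the previous pattern demanded leading blanks).
    patFree = re.compile(r"^[ \t]*free[ \t]*\([ \t]*([A-Za-z0-9_]+)[ \t]*\)")
    # group 1: whole-line // comment, group 2: /* opener, group 3: */ closer.
    patComment = re.compile(r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])")
    # name -> (use pattern, re-assignment pattern), compiled once per name.
    trackedNames = {}

    def _patternsFor(name):
        # Whole-identifier matching: the previous pattern let "ptr" match
        # inside "myptr" and missed "p.x" / "p[0]". The name is limited to
        # [A-Za-z0-9_] by patFree and escaped anyway before being embedded.
        ident = "(?<![A-Za-z0-9_])" + re.escape(name) + "(?![A-Za-z0-9_])"
        return (re.compile(ident), re.compile(ident + r"[ \t]*=(?!=)"))

    try:
        with open_source_file(pfile.get_path()) as f:
            for line in f:
                current_line += 1
                # Comment exclusion: a whole-line // comment skips this line,
                # /* ... */ state carries across lines.
                for c in patComment.finditer(line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                nBytes += len(line)
                obj = pfile.find_most_specific_object(current_line, 1)

                # 1) Uses of names freed on earlier lines. list() because the
                #    dict is modified while walking it.
                for name, (patUse, patReassign) in list(trackedNames.items()):
                    if patReassign.search(line) is not None:
                        # Re-initialised: the name is valid again.
                        del trackedNames[name]
                        continue
                    for p in patUse.finditer(line):
                        bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                        try:
                            obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE910violationCPP', bk)
                        except Exception:
                            # Some object kinds reject violations; counted
                            # separately so the finding is not silently lost.
                            local_library.cwefdaLoggerWarning("CWE-910 : Violation not allowed on this object, next version")
                            nbNAViolation += 1
                        else:
                            nbViolation += 1

                # 2) A free() on this line: track the name from the next line
                #    on, unless the same line already re-initialises it
                #    ("free(p); p = NULL;").
                freed = patFree.search(line)
                if freed is not None and freed.group(1) not in trackedNames:
                    patUse, patReassign = _patternsFor(freed.group(1))
                    if patReassign.search(line, freed.end()) is None:
                        trackedNames[freed.group(1)] = (patUse, patReassign)
    except FileNotFoundError:
        logging.error("CWE-910 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        # Any other failure ends the scan of this file: lines after
        # current_line are NOT analysed, so the position is logged to make the
        # coverage gap visible instead of silently under-reporting.
        logging.error("CWE-910 : Error at line %s of %s: %s", str(current_line), str(pfile.get_path()), str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        msecs = 1
    local_library.cwefdaLoggerInfo("CWE-910 : END scan_file_CWE_910 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-910", nbViolation, nbNAViolation
    update_counts(tc)
    # Extra log: throughput in bytes per millisecond.
    t = "CWE-910", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)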
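# Violation properties saved per file type for CWE-120 / CWE-122 (both are
# saved for one finding, as the original scanner did).
_CWE_120_122_PROPERTIES = {
    "CCPP": (
        'CWEforFDA_CustomMetrics_C_CPP.CWE120violationCPP',
        'CWEforFDA_CustomMetrics_C_CPP.CWE122violationCPP',
    ),
    "CSHARP": (
        'CWEforFDA_CustomMetrics_CSharp.CWE120violationCSharp',
        'CWEforFDA_CustomMetrics_CSharp.CWE122violationCSharp',
    ),
}


def _save_cwe_120_122(obj, bk, properties):
    """Save *bk* under every property in *properties*; True only if all succeed.

    Any failure logs the "not allowed" warning and returns False, so the
    caller counts the pair as one not-applicable violation (the same outcome
    as the single try/except that previously wrapped both saves).
    """
    try:
        for prop in properties:
            obj.save_violation(prop, bk)
    except Exception:
        local_library.cwefdaLoggerWarning("CWE-120-122 : Violation not allowed on this object, next version")
        return False
    return True


def scan_file_CWE_120_122(application, pfile, fileType):
    """Scan one source file for CWE-120/122 (Buffer Copy without Checking Size of Input).

    Author : PMB
    last modification date: 28/3/2017
    Property : CWEforFDA_CustomMetrics_C_CPP.CWE120violationCPP - CatID=2002000 PropID=2002001 SubID=2002251 QRID=2002552
               CWEforFDA_CustomMetrics_C_CPP.CWE122violationCPP - CatID=2002000 PropID=2002002 SubID=2002252 QRID=2002554
               CWEforFDA_CustomMetrics_CSharp.CWE120violationCSharp - CatID=2003000 PropID=2003001 SubID=2003251 QRID=2003552
               CWEforFDA_CustomMetrics_CSharp.CWE122violationCSharp - CatID=2003000 PropID=2003002 SubID=2003252 QRID=2003554

    Line-based heuristic: the variable named in the most recent
    ``if (var ...`` is remembered (it is never reset, so an ``if`` anywhere
    earlier in the file still counts).  A ``memcpy(...)`` or ``strcpy(...)``
    statement whose captured argument differs from that variable is reported
    on the most specific object containing the line.  ``memcpy`` findings
    are saved for "CCPP" files only, ``strcpy`` findings for "CCPP" and
    "CSHARP".  Comment lines are skipped.

    Args:
        application: analysis application handle; unused, kept for the
            shared scanner signature.
        pfile: source file object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``; the object returned
            must provide ``save_violation(property, bookmark)``.
        fileType: "CCPP" or "CSHARP"; any other value reports nothing.

    Returns:
        None.  Counts go to ``update_counts`` and the ``local_library``
        loggers; file errors are logged, not raised.
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    #SCS
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-120-122 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-120-122 : Starting scan_file_CWE_120_122 > " + str(pfile.name))
    # search memcpy and strcpy; group 3 is the argument compared with the if-variable.
    # NOTE(review): for a three-argument memcpy(dst, src, n) group 3 captures the
    # second argument minus its last character, because group 4 cannot consume
    # the comma that follows it - confirm which argument is meant to be compared.
    pathMem = r"(^[ \t]+memcpy[ \([a-zA-Z0-9_\s\[\]\-\(\)]+)([ \,]+)([a-zA-Z0-9_]*)([ a-zA-Z0-9\[\]\)\;]+)"
    pathStr = r"(^[ \t]+strcpy[ \([a-zA-Z0-9_\s\[\]\-\(\)]+)([ \,]+)([a-zA-Z0-9_]*)([ a-zA-Z0-9\[\]\)\;]+)"
    pathIf = r"(if[ ]*)([\(]+)([a-zA-Z0-9_]+)([\s\=\>\<\!\s]+)"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as src:
            # current line number
            current_line = 0
            VarIf = None
            for line in src:
                current_line += 1
                # Comment Exclusion - Start
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                # Comment Exclusion - End
                #SCS
                nBytes = nBytes + len(line)
                # Get the most specific object containing the line
                obj = pfile.find_most_specific_object(current_line, 1)
                # check variable on if (last one wins, never reset)
                for p in re.finditer(pathIf, line):
                    VarIf = p.group(3)
                # check memcpy variable - reported for C/C++ files only
                for p in re.finditer(pathMem, line):
                    if p.group(3) == VarIf or fileType != "CCPP":
                        continue
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    if _save_cwe_120_122(obj, bk, _CWE_120_122_PROPERTIES["CCPP"]):
                        nbViolation += 1
                    else:
                        nbNAViolation += 1
                # check strcpy variable - reported for C/C++ and C# files
                for p in re.finditer(pathStr, line):
                    if p.group(3) == VarIf:
                        continue
                    properties = _CWE_120_122_PROPERTIES.get(fileType)
                    if properties is None:
                        continue
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    if _save_cwe_120_122(obj, bk, properties):
                        nbViolation += 1
                    else:
                        nbNAViolation += 1
    except FileNotFoundError:
        logging.error("CWE-120-122 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-120-122 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        # avoid a zero divisor in the throughput figure below
        msecs = 1
    local_library.cwefdaLoggerInfo("CWE-120-122 : END scan_file_CWE_120_122 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-120-122", nbViolation, nbNAViolation
    update_counts(tc)
    #Extra log
    t = "CWE-120-122", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)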
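def scan_file_CWE_783(application, pfile, fileType):
    """Scan one C/C++ source file for CWE-783 (Operator Precedence Logic Error).

    Author : PMB
    last modification date: 23/3/2017
    Property : CWEforFDA_CustomMetrics_C_CPP.CWE783violationCPP - CatID=2002000 PropID=2002019 SubID=2002269 QRID=2002588

    Line-based heuristic: an ``if (`` whose condition assigns the result of
    ``AuthenticateUser`` is reported when exactly one ``(`` separates ``if``
    from the assignment (a doubled ``((`` is not reported).  The callee name
    is hard-coded, so only that one pattern is detected.  Comment lines are
    skipped.

    Args:
        application: analysis application handle; unused, kept for the
            shared scanner signature.
        pfile: source file object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``; the object returned
            must provide ``save_violation(property, bookmark)``.
        fileType: file-type tag; not consulted here (C/C++ only).

    Returns:
        None.  Counts go to ``update_counts`` and the ``local_library``
        loggers; file errors are logged, not raised.
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    #SCS
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-783 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-783 : Starting scan_file_CWE_783 > " + str(pfile.name))
    # search "AuthenticateUser": group 2 is the run of "(" after the "if"
    pathSrc = r"(if[ ]*)([\(]+)([a-zA-Z0-9_\s\=\s]+)(AuthenticateUser)"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as src:
            # current line number
            current_line = 0
            for line in src:
                current_line += 1
                # Comment Exclusion - Start
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                # Comment Exclusion - End
                #SCS
                nBytes = nBytes + len(line)
                # Get the most specific object containing the line
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in re.finditer(pathSrc, line):
                    # only a single "(" is reported; "((" is left alone
                    if p.group(2) != "(":
                        continue
                    # Set a bookmark for violation and save violation
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    try:
                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE783violationCPP', bk)
                    except Exception:
                        local_library.cwefdaLoggerWarning("CWE-783 : Violation not allowed on this object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-783 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-783 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        # avoid a zero divisor in the throughput figure below
        msecs = 1
    local_library.cwefdaLoggerInfo("CWE-783 : END scan_file_CWE_783 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-783", nbViolation, nbNAViolation
    update_counts(tc)
    #Extra log
    t = "CWE-783", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)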
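def scan_file_CWE_482(application, pfile, fileType):
    """Scan one C/C++ source file for CWE-482 (Comparing instead of Assigning).

    Author : PMB
    last modification date: 27/3/2017
    Property : CWEforFDA_CustomMetrics_C_CPP.CWE482violationCPP - CatID=2002000 PropID=2002012 SubID=2002262 QRID=2002574

    Line-based heuristic: a ``name == value`` (optionally ``*name`` or
    ``name[index]``) that is directly followed by ``,``, ``;`` or ``.`` is
    reported as a comparison used where an assignment was intended.  The
    pattern is not anchored to the statement start, so a comparison that
    ends a statement for another reason (e.g. ``return a == b;``) matches as
    well.  Comment lines are skipped.

    Args:
        application: analysis application handle; unused, kept for the
            shared scanner signature.
        pfile: source file object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``; the object returned
            must provide ``save_violation(property, bookmark)``.
        fileType: file-type tag; not consulted here (C/C++ only).

    Returns:
        None.  Counts go to ``update_counts`` and the ``local_library``
        loggers; file errors are logged, not raised.
    """
    nbViolation = 0
    nbNAViolation = 0
    isInMultiLineComment = False
    isInSingleLineComment = False
    #SCS
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-482 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-482 : Starting scan_file_CWE_482 > " + str(pfile.name))
    # "lhs == rhs" followed by ",", ";" or "."
    pathSrc = r"[^\s\t]*(\**[a-zA-Z0-9_]+(\s*\[\s*[a-zA-Z0-9_]*\s*\]\s*)?)\s*==\s*([a-zA-Z0-9\s]+)\s*(\,|\;|\.)"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    try:
        with open_source_file(pfile.get_path()) as src:
            # current line number
            current_line = 0
            for line in src:
                current_line += 1
                # Comment Exclusion - Start
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                # Comment Exclusion - End
                #SCS
                nBytes = nBytes + len(line)
                # Get the most specific object containing the line
                obj = pfile.find_most_specific_object(current_line, 1)
                for p in re.finditer(pathSrc, line):
                    # Set a bookmark for violation and save violation
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    try:
                        obj.save_violation('CWEforFDA_CustomMetrics_C_CPP.CWE482violationCPP', bk)
                    except Exception:
                        local_library.cwefdaLoggerWarning("CWE-482 : Violation not allowed on this object, next version")
                        nbNAViolation += 1
                    else:
                        nbViolation += 1
    except FileNotFoundError:
        logging.error("CWE-482 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-482 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        # avoid a zero divisor in the throughput figure below
        msecs = 1
    local_library.cwefdaLoggerInfo("CWE-482 : END scan_file_CWE_482 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-482", nbViolation, nbNAViolation
    update_counts(tc)
    #Extra log
    t = "CWE-482", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)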
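# (CWE-480 property, CWE-481 property) saved per file type.
_CWE_480_481_PROPERTIES = {
    "CCPP": (
        'CWEforFDA_CustomMetrics_C_CPP.CWE480violationCPP',
        'CWEforFDA_CustomMetrics_C_CPP.CWE481violationCPP',
    ),
    "CSHARP": (
        'CWEforFDA_CustomMetrics_CSharp.CWE480violationCSharp',
        'CWEforFDA_CustomMetrics_CSharp.CWE481violationCSharp',
    ),
}


def _save_cwe_480_481(obj, prop, bk):
    """Save *bk* under *prop*; True on success, False (after the warning) otherwise."""
    try:
        obj.save_violation(prop, bk)
    except Exception:
        local_library.cwefdaLoggerWarning("CWE-480-481 : Violation not allowed on this object, next version")
        return False
    return True


def cwe481_is_assignment(line, start=0):
    """Return True when the first "=" at or after *start* in *line* is a lone assignment.

    "==" and the comparison operators "!=", "<=", ">=" do not count, and a
    line without any "=" from *start* on returns False.  *start* lets the
    caller skip text that precedes the ``if`` (e.g. ``int r = 0; if (r == 1)``
    must be judged on the second "=", not the first).
    """
    eqPos = line.find("=", start)
    if eqPos < 0:
        return False
    if line[eqPos:eqPos + 2] == "==":
        return False
    if eqPos > 0 and line[eqPos - 1] in "!<>":
        return False
    return True


def scan_file_CWE_480_481(application, pfile, fileType):
    """Scan one source file for CWE-480 (Use of Incorrect Operator) and CWE-481 (Assigning instead of Comparing).

    Author : PMB
    Last modification date: 10/4/2017
    Property : CWEforFDA_CustomMetrics_C_CPP.CWE480violationCPP - CatID=2002000 PropID=2002010 SubID=2002260 QRID=2002570
               CWEforFDA_CustomMetrics_C_CPP.CWE481violationCPP - CatID=2002000 PropID=2002011 SubID=2002261 QRID=2002571
               CWEforFDA_CustomMetrics_CSharp.CWE480violationCSharp - CatID=2003000 PropID=2003010 SubID=2003260 QRID=2003570
               CWEforFDA_CustomMetrics_CSharp.CWE481violationCSharp - CatID=2003000 PropID=2003011 SubID=2003261 QRID=2003571
    (property names follow the ones the code saves; the old header listed the
    C# CWE-480 property twice)

    Line-based heuristics, comment lines skipped:

    * CWE-480: an ``if (`` whose condition joins two operands with a bit-wise
      `` & `` or `` | `` is reported.
    * CWE-481: variables declared as ``int`` are collected as the file is
      read; an ``if (var`` on one of them is reported when the first ``=``
      after the variable is a plain assignment rather than ``==``, ``!=``,
      ``<=`` or ``>=`` (see ``cwe481_is_assignment``).  The earlier code
      sliced the line with ``str.find`` results, which are -1 when the
      character is absent, and skipped the line whenever ``!``, ``<`` or
      ``>`` appeared anywhere before the first ``=``, so ``if (!p = x)`` and
      ``if (a->x = b)`` were missed while ``int r = 0; if (r == 1)`` was
      reported.

    Args:
        application: analysis application handle; unused, kept for the
            shared scanner signature.
        pfile: source file object providing ``name``, ``get_path()`` and
            ``find_most_specific_object(line, column)``; the object returned
            must provide ``save_violation(property, bookmark)``.
        fileType: "CCPP" or "CSHARP"; any other value reports nothing.

    Returns:
        None.  Counts go to ``update_counts`` and the ``local_library``
        loggers; file errors are logged, not raised.
    """
    isInMultiLineComment = False
    isInSingleLineComment = False
    nbViolation = 0
    nbNAViolation = 0
    allIntVars = set()  # names declared with "int" so far in the file
    #SCS
    msecs = local_library.millis()
    nBytes = 0
    local_library.cwefdaLoggerInfo("CWE-480-481 : -------------------------------------------------------------------------")
    local_library.cwefdaLoggerInfo("CWE-480-481 : Starting scan_file_CWE_480_481 > " + str(pfile.name))
    PathIntB = r"([\(]+)int ([a-zA-Z0-9_\.]+)"
    PathIntF = r"([ \t]+)int ([a-zA-Z0-9_\.]+)"
    PathIf = r"[ \t]+if([ \(]+)([a-zA-Z0-9_]+)"
    PathBitWise = r"[ \t]+if([ \(]+)([a-zA-Z0-9_\!\(\)]+)( & | \| )+([a-zA-Z0-9_\!\(\)]+)"
    patComment = r"(^[ \t]*[\/][\/])|([\/][\*])|([\*][\/])"
    # pair of (CWE-480, CWE-481) properties for this file type, None if unsupported
    properties = _CWE_480_481_PROPERTIES.get(fileType)
    try:
        with open_source_file(pfile.get_path()) as src:
            # current line number
            current_line = 0
            for line in src:
                current_line += 1
                # Comment Exclusion - Start
                for c in re.finditer(patComment, line):
                    if c.group(1):
                        isInSingleLineComment = True
                    if c.group(2):
                        isInMultiLineComment = True
                    if c.group(3):
                        isInMultiLineComment = False
                if isInMultiLineComment:
                    continue
                if isInSingleLineComment:
                    isInSingleLineComment = False
                    continue
                # Comment Exclusion - End
                #SCS
                nBytes = nBytes + len(line)
                obj = pfile.find_most_specific_object(current_line, 1)
                # collect int declarations (after "(" or after blanks)
                for c in re.finditer(PathIntB, line):
                    allIntVars.add(c.group(2))
                for c in re.finditer(PathIntF, line):
                    allIntVars.add(c.group(2))
                # CWE-480: bit-wise operator inside an if condition
                for c in re.finditer(PathBitWise, line):
                    if properties is None:
                        continue
                    # Set a bookmark for violation and save violation
                    bk = Bookmark(pfile, current_line, c.start() + 1, current_line, c.end())
                    if _save_cwe_480_481(obj, properties[0], bk):
                        nbViolation += 1
                    else:
                        nbNAViolation += 1
                # CWE-481: "if (var = ..." on a variable declared as int
                for p in re.finditer(PathIf, line):
                    if p.group(2) not in allIntVars:
                        continue
                    # judge the first "=" after the variable, not one before the "if"
                    if not cwe481_is_assignment(line, p.end()):
                        continue
                    if properties is None:
                        continue
                    bk = Bookmark(pfile, current_line, p.start() + 1, current_line, p.end())
                    if _save_cwe_480_481(obj, properties[1], bk):
                        nbViolation += 1
                    else:
                        nbNAViolation += 1
    except FileNotFoundError:
        logging.error("CWE-480-481 : File not found > " + str(pfile.get_path()))
    except Exception as e:
        logging.error("CWE-480-481 : Error: %s", str(e))
    msecs = local_library.millis() - msecs
    if msecs == 0:
        # avoid a zero divisor in the throughput figure below
        msecs = 1
    local_library.cwefdaLoggerInfo("CWE-480-481 : END scan_file_CWE_480_481 %s - Found %s violation ", str(pfile.name), str(nbViolation))
    tc = "CWE-480-481", nbViolation, nbNAViolation
    update_counts(tc)
    #Extra log
    t = "CWE-480-481", int(nBytes / msecs), nBytes, msecs
    local_library.extraLogWrite(t)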