Closed Bug 148251 Opened 20 years ago Closed 16 years ago

flawfinder meta bug

Categories: Core :: Security, defect, normal
Tracking: RESOLVED WORKSFORME
People: Reporter: hjtoi-bugzilla, Assigned: hjtoi-bugzilla
Keywords: meta
Attachments: 32 files

This is a meta bug for flawfinder bugs for various components. I will make the
other bugs block this one.

http://www.dwheeler.com/flawfinder/
Shouldn't we make the flawfinder bugs public? Anybody can run flawfinder, can't they?
Yes they can. But not everyone knows they could use it to find places for
exploits. Basically these bugs are saying: "Hack me here!". I'd like to get a
single pass through the source in silent first, then open these bugs and make
some Tinderbox machine run flawfinder (and maybe other) code scanning tools
automatically.

These warnings are the low hanging fruit; we should analyze these logs quickly
and fix any bugs we find ASAP.
Wrote a perl script that gives:
1. Czech log that is not present in the Flawfinder.
2. Flawfinder log that is not present in the Czech.

Attaching following:

1. Perl script
2. Czech log
3. Flawfinder log
Attached file Perl script
Attached file Czech output
Attached file Flawfinder output
Heikki, this isn't working, since no-one is actually looking at the logs.

I think we should open these bugs because from the Flawfinder output alone it is
not easy to identify which issues are real bugs and then which are exploitable.
Anyone capable of doing that is probably running Flawfinder or something similar
on their own already.

Please make these Flawfinder bugs public.
Attachment #88495 - Attachment mime type: application/octet-stream → text/plain
Depends on: 173414, 173417, 173428, 173430, 173433, 173434, 173551, 173553, 173555, 173557, 173558, 173563, 173575, 173589, 173628, 173630, 173631, 173632, 173634, 173636, 173639, 173641, 173646, 173733, 173748, 173749, 173750, 173751, 173790, 173795, 173837, 173847, 173850, 173851, 173853
Attached file Rats output, gzipped
rats-all.bat:
   rem run RATS over every .cpp, .c and .h file below the current directory
   for /R %%i in (*.cpp *.c *.h) do c:rats  %%i
Opening all flawfinder warnings bugs to the public.

Bindu, could you write a new script, or edit the old one, so that it can handle
RATS output as well?

Steve, is the RATS output from trunk or branch?
Group: security?
Hmm, that script I just attached was an old version... but you can easily modify
it to work better. I think it assumed warnings were grouped by level and not in
the order they appeared.

To have the URLs point to 1.0 branch, change the baseURL to:

http://bonsai.mozilla.org/cvsblame.cgi?file=
<path of file>
&rev=MOZILLA_1_0_0_BRANCH&root=/cvsroot&mark=
<line number, gets marked as green, easy to spot>
RATS output was from trunk.
I will write one that gives the diff between Flawfinder and RATS. It will be
ready next week.
Regarding the warnings, I think we can generally ignore |getenv| issues. If you
disagree, let's hear about it.
Once we get the diffs between Czech, Rats and Flawfinder, let's attach them here
and analyze them a bit first before opening new bugs based on them.
Depends on: 173992, 173995, 173996, 173997, 173998, 174000, 174002, 174005, 174006, 174007, 174008, 174010, 174189
Here's a summary of the flawfinder bugs reported so far.  This should be the
same list as the list of bugs that this tracking bug depends on, unless I made a
mistake and forgot to indicate the dependency on some of the bugs.

This list is only half done so far -- from 0001 to 4610.  Bugs for the second
half, 4611-7812, still need to be filed.  (Entries preceded by a dot were
filed by Heikki, the others filed by me.)

 173414: 0001-0358 NSPR
.148269: 0359-0860 NSS Libraries (Security)
.148272: 0861-1072 LDAP CDK (directory)
.148275: 1073-1104 Imagelib
 173428: 1105-1110 Installer XPI Packages (libjar)
 173430: 1111-1112 Preferences Backend (libpref)
 173433: 1113-1121 XPCOM Registry (libreg)
 173434: 1122-1127 Browser General (libutil)
 173417: 1128-1131 oji
.148276: 1132-1461 Plugins
 173551: 1462-1486 Build Config (zlib)
 173553: 1487-1491 Editor-Core
 173555: 1492-1493 Internationalization (ctl/src/pangoLite)
 173557: 1494-1494 XP APPS (inspector)
 173558: 1495-1495 layout debug
 173563: 1496-1509 python
.148253: 1510-1516 XSLT (transformiix standalone)
.148256: 1519-1519 XML (Extras)
 173575: 1520-1544 XML (xmlterm)
 173589: 1545-1567 Browser General (dbm)
 <build> 1568-1685 config
 173628: 1686-1689 mailnews (mork/db)
 <test>  1690-1745 embedding/qa/testembed
 173630: 1746-1752 embedding/activex
 <tests> 1753-1755 embedding tests
 173631: 1756-1800 embedding/photon
 173632: 1801-1801 Printing (embedding/components/printingui)
 <tests> 1802-1807 embedding/tests
 <tests> 1808-1831 gc
 173634: 1832-1832 String (include/xp_str.h)
 <tests> 1833-1834 intl/tests
 173636: 1835-1854 intl
 173639: 1855-1866 jpeg
 173641: 1867-1938 js
 173646: 1939-1980 lib/mac
 <tests> 1981-2120 debug
 173733: 2121-2138 netwerk
 <tests> 2139-2153 netwerk/test
 173748: 2154-2168 plugin/oji
 173749: 2169-2169 profile
 173750: 2170-2190 rdf
 173751: 2191-2191 sun-java
 <tests> 2192-2194 tools/leaky
 <build> 2195-2208 tools/preloader
 173790: 2209-2210 uriloader
 173795: 2211-2231 xpcom
 <tests> 2232-2236 xpcom/tests
 173795: 2237-2419 xpcom
 <instl> 2420-3343 xpinstall
 173837: 3344-3389 DOM content
 173847: 3390-3495 Printing (gfx)
.148278: 3496-3559 Parser
 173850: 3560-3618 layout
.148257: 3619-3644 XP Toolkit/Widget: XUL (layout/xul)
 <tests> 3645-3666 webshell/tests
 173851: 3667-3710 widget
.148279: 3711-3713 XML (expat)
 173853: 3714-3726 XP Apps (xpfe/bootstrap/nsNativeAppSupportWin)
 173992: 3727-3727 Mailnews / Address Book (mailnews/addrbook)
 173993: 3728-3728 Mailnews / Search (mailnews/base/search)
 <tests> 3729-2729 mailnews/base/tests
 173995: 3730-3730 Mailnews / Networking: Mailnews General
(mailnews/base/util/nsMsgUtf7Utils.cpp)
 173996: 3731-3740 Mailnews / Compose (mailnews/compose)
 173997: 3741-3741 Mailnews / Database (mailnews/db)
 173998: 3742-3742 Mailnews / Security (mailnews/extensions/smime)
 174000: 3743-3785 Mailnews / Networking: IMAP (mailnews/imap)
 174002: 3786-3816 Mailnews / Import (mailnews/import)
 174005: 3817-3817 Mailnews / Localization (mailnews/local)
 174006: 3818-3836 Mailnews / MAPI (mailnews/mapi)
 <tests> 3837-3853 mailnews/mapi/old/tests
 174007: 3854-3882 Mailnews / Mime (mailnews/mime)
 174008: 3883-3902 Mailnews / Movemail (mailnews/movemail)
 174010: 3903-3906 Mailnews / Networking: News (mailnews/news)
 <build> 3907-3912 config
 <obsol> 3913-3914 debug
 <build> 3915-3916 directory/c_sdk/config
 <tests> 3917-3917 directory/c_sdk/ldap/examples
 <tests> 3918-3918 intl/locale/tests
 <tools> 3919-3919 intl/uconv/tools
 173428: 3921-3921 modules/libjar
 <tests> 3922-3922 modules/libreg/tests
 <instl> 3923-3924 nsprpub/config/nsinstall.c
 173750: 3925-3926 rdf
 <instl> 3927-3928 security/coreconf/nsinstall
 148269: 3929-3944 NSS Libraries (security/nss)
 173795: 3945-3951 xpcom/io
 <instl> 3952-3955 xpinstall/wizard
 <build> 3956-4029 config
 173877: 4030-4066 content
 173628: 4067-4070 db/mork
 173589: 4071-4085 dbm/src
 <tests> 4086-4087 dbm/tests
 <tests> 4088-4116 debug/dist/include
 <tests> 4117-4130 debug/dist/public
 <tests> 4131-4138 debug/gfx
 <tests> 4139-4147 debug/modules
 <tests> 4148-4153 debug/xpcom
 <build> 4154-4166 directory/c-sdk/config
 148272: 4167-4287 directory/c-sdk/ldap
 173553: 4288-4290 editor
 173630: 4291-4294 embedding/browser/activex
 <tests> 4295-4296 embedding/browser/gtk/tests
 173631: 4297-4325 embedding/browser/photon
 <tests> 4326-4331 embedding/browser/photon/tests
 173632: 4332-4332 embedding/components/printing
 <tests> 4333-4340 embedding/qa
 <tests> 4341-4342 embedding/tests
 148279: 4343-4345 expat
 173563: 4346-4355 python
 148253: 4356-4360 transformiix
 <tests> 4361-4362 universalchardet/tests
 148256: 4363-4363 xmlextras SOAP
 173575: 4364-4370 xmlterm
 <tests> 4371-4387 gc/boehm
 173847: 4388-4448 gfx
 148278: 4449-4462 htmlparser
 <tests> 4463-4491 htmlparser/tests
 173634: 4492-4492 xp_str.h
 <tests> 4493-4494 intl/chardet/tests
 <tools> 4495-4597 intl
 174189: 4497-4500 intl
 <tests> 4501-4501 intl/tests
 174189: 4502-4502 intl
 <tools> 4503-4507 intl
 173639: 4508-4512 jpeg
 173641: 4513-4556 js
 173850: 4557-4594 layout/html
.148257: 4595-4610 XP Toolkit/Widget: XUL
         4611-6973 <<<<< to be done >>>>>
.148257: 6974-6983 XP Toolkit/Widget: XUL
         6984-7812 <<<<< to be done >>>>>
Steve, please note that Flawfinder seems to give the same warnings more than
once for the same module in some cases. So if you see a continuous section of
warnings for some module, and later warnings for the same module, it is likely
these warnings will be duplicates (but not necessarily). Please check them
against the list you attached earlier, and only attach those warnings that are
different. Thanks.
Attaching a revised flawfinder output.  This has the dups marked as such.  Note
that there are hardly any dups up to warning 3906 (16 to be exact) and no non-dups
thereafter.

Since I've already filed bug reports up to warning 4610, that means that I've
inadvertently filed about 704 dups.  Also it means that there are no new
flawfinder bug reports to file.
I've run the Rats test on the same source files as flawfinder so they can be
compared.  I wrote some tools for formatting them both the same way and then
doing the comparison.  Attaching the results.

Basically it consists of all the rats warnings, indicating which are dups and
listing the warning number that it is a dup of.  These dup numbers contain a
leading f if it is a dup of a flawfinder bug or an r if it is a dup of another
rats bug.

Attaching these results.
Attached file rats warnings 1-999
Steve, could you create an HTML file of the RATS warnings where all dupes
(flawfinder, rats whatever) are removed. I think it would be slightly faster to
check the warnings if people can just click the link to the line where the
warning occurred. If that file (or fragments of it if Bugzilla won't allow it as
whole) is attached here, we can then make the actual new bugs point to the start
location in the file.

Let's not file the bugs just yet, though.
Just attached a reformatting of the rats and flawfinder warnings.  These differ
from the previous attachments in the following manner:

1. They contain pointers to the source code.  However the source pointed to is
the 1.0.0 branch whereas the scanning tools were run on the 1.0.1 branch, so
there might be some discrepancies.

2. Duplicate warnings have been removed.

3. Warnings in build, tools, tests, etc. portions of the tree have been removed.
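As an added example (not the Perl script or the rats/flawfinder formatting tools attached to this bug), the Python script below does the cross-tool dup marking described earlier and the three reformatting steps above: it parses flawfinder and RATS output into (path, line, function) keys, tags repeats with the f<n>/r<n> id of the warning they duplicate, drops warnings under build/tools/tests trees and the getenv class Heikki said to ignore, and emits a bonsai cvsblame link for each survivor using the URL template from the comment above. The two one-line log prefix formats and the sample paths are assumptions, constructed here.

```python
import re

# Added example (not the scripts attached to this bug). Assumed one-line prefix formats:
#   flawfinder: "path:line:  [level] (category) func:"   RATS: "path:line: High: func"
FLAWFINDER_RE = re.compile(r"^(\S+?):(\d+):\s+\[\d\]\s+\(\w+\)\s+(\w+):")
RATS_RE = re.compile(r"^(\S+?):(\d+):\s+(?:High|Medium|Low):\s+(\w+)")
NOISE_DIRS = {"tests", "test", "config", "tools", "debug"}  # build/tools/tests trees dropped
IGNORED_FUNCS = {"getenv"}                                  # "generally ignore getenv issues"
BASE_URL = "http://bonsai.mozilla.org/cvsblame.cgi?file="

# Constructed sample logs; the paths are illustrative, not warnings from the real scans.
FLAWFINDER_LOG = """\
netwerk/base/src/nsURLHelper.cpp:88:  [4] (buffer) strcpy:
  Does not check for buffer overflows when copying to destination.
xpcom/io/nsLocalFileUnix.cpp:312:  [2] (buffer) char:
xpcom/tests/TestFile.cpp:40:  [4] (buffer) sprintf:
netwerk/base/src/nsURLHelper.cpp:88:  [4] (buffer) strcpy:
"""
RATS_LOG = """\
netwerk/base/src/nsURLHelper.cpp:88: High: strcpy
  Check that argument 2 will not copy more data than can be handled.
xpcom/io/nsLocalFileUnix.cpp:250: High: getenv
xpcom/io/nsLocalFileUnix.cpp:250: High: getenv
"""

def parse(text, regex):
    """Return [(path, line, func)] for each log line whose prefix matches `regex`."""
    return [(m[1], int(m[2]), m[3]) for m in map(regex.match, text.splitlines()) if m]

def mark_dups(flawfinder_warnings, rats_warnings):
    """Number warnings f1.., r1..; a repeat of the same (path, line, func) is tagged
    with the id of its first occurrence, as in the 'dup of f.../r...' attachments."""
    first_seen, rows = {}, []
    for prefix, warnings in (("f", flawfinder_warnings), ("r", rats_warnings)):
        for n, w in enumerate(warnings, 1):
            wid = f"{prefix}{n}"
            dup_of = first_seen.setdefault(w, wid)   # returns the earlier id if already seen
            rows.append((wid, w, None if dup_of == wid else dup_of))
    return rows

def blame_url(path, line, rev="MOZILLA_1_0_0_BRANCH"):
    return f"{BASE_URL}{path}&rev={rev}&root=/cvsroot&mark={line}"

def triage_report(rows):
    """Unique, non-noise, non-ignored warnings with a cvsblame link to the flagged line."""
    return [(wid, w[2], blame_url(w[0], w[1])) for wid, w, dup_of in rows
            if dup_of is None and w[2] not in IGNORED_FUNCS
            and not any(d in NOISE_DIRS for d in w[0].split("/"))]
```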
Closing all still open flawfinder bugs as WORKSFORME because there are now much better tools that are being used (Coverity, Klocwork).
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME