From 04d27abbfe1cd97838eac124d4a1c3ddbc9b7b68 Mon Sep 17 00:00:00 2001
From: Daniel Krupp
Date: Wed, 22 May 2024 14:19:36 +0200
Subject: [PATCH] [config] Adding sei-cert rule mappings for clang diagnostics (#4243)
* Adding sei-cert rule mappings for clang diagnostics
* Adding sei cert checkers to the security profile.
* Adding label-tool-skip:severity to all checkers with verified severities
---------
Co-authored-by: whisperity
---
 .../tests/functional/cmdline/test_cmdline.py | 9 +-
 config/labels/analyzers/clang-tidy.json | 100 ++++++++++++++++--
 config/labels/analyzers/clangsa.json | 1 +
 3 files changed, 101 insertions(+), 9 deletions(-)
diff --git a/analyzer/tests/functional/cmdline/test_cmdline.py b/analyzer/tests/functional/cmdline/test_cmdline.py
index de1280bd3f..a9ff1d17db 100644
--- a/analyzer/tests/functional/cmdline/test_cmdline.py
+++ b/analyzer/tests/functional/cmdline/test_cmdline.py
@@ -169,9 +169,12 @@ def test_checkers_guideline(self):
 out = json.loads(out)
 for checker in out:
- self.assertTrue(checker['name'].endswith('sizeof-expression') or
- checker['name'].endswith('Malloc') or
- checker['name'].endswith('MallocSizeof'))
+ self.assertTrue(any(checker['name'].endswith(c)
+ for c in ['sizeof-expression',
+ 'Malloc',
+ 'MallocSizeof',
+ 'clang-diagnostic-format-overflow',
+ 'overflow-non-kprintf']))
 checkers_cmd = [env.codechecker_cmd(), 'checkers', '--guideline']
 _, out, _ = run_cmd(checkers_cmd)
diff --git a/config/labels/analyzers/clang-tidy.json b/config/labels/analyzers/clang-tidy.json
index ee328083b3..9eb434989d 100644
--- a/config/labels/analyzers/clang-tidy.json
+++ b/config/labels/analyzers/clang-tidy.json
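Review bot: The new suffix list is matched with `endswith`, so `'overflow-non-kprintf'` is a bare fragment sitting next to the full name `'clang-diagnostic-format-overflow'`; spelling it out as `'clang-diagnostic-format-overflow-non-kprintf'` keeps the list self-explanatory and cannot be satisfied by some other checker that merely ends in that fragment. The `assertTrue(any(...))` form also hides which checker failed, since `assertTrue` only reports `False is not true`; passing `msg=checker['name']` as the second argument to `assertTrue` restores that. If the first `checkers_cmd` (above the hunk) queries the whole `sei-cert` guideline rather than specific rules, this hard-coded list would have to grow with every mapping the commit adds to clang-tidy.json — worth confirming which it is. `test_checkers_guideline` starts before this hunk.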
@@ -1795,7 +1795,12 @@
 ],
 "clang-diagnostic-conditional-uninitialized": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wconditional-uninitialized",
- "severity:MEDIUM"
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:default",
+ "profile:security",
+ "sei-cert:exp33-c",
+ "severity:HIGH"
 ],
 "clang-diagnostic-config-macros": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wconfig-macros",
@@ -1879,7 +1884,11 @@
 ],
 "clang-diagnostic-dangling": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wdangling",
- "severity:MEDIUM"
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:mem50-cpp",
+ "severity:HIGH"
 ],
 "clang-diagnostic-dangling-else": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wdangling-else",
@@ -1954,9 +1963,13 @@
 ],
 "clang-diagnostic-delete-non-abstract-non-virtual-dtor": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wdelete-non-abstract-non-virtual-dtor",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
 "profile:default",
 "profile:extreme",
+ "profile:security",
 "profile:sensitive",
+ "sei-cert:oop52-cpp",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-delete-non-virtual-dtor": [
@@ -2470,9 +2483,13 @@
 ],
 "clang-diagnostic-format": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wformat",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
 "profile:default",
 "profile:extreme",
+ "profile:security",
 "profile:sensitive",
+ "sei-cert:fio47-c",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-format-extra-args": [
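Review bot: `clang-diagnostic-conditional-uninitialized` (first hunk) is the only entry in this commit that newly gains `profile:default`; the other diagnostics mapped here for the first time (`-dangling`, `-format-overflow`, `-mismatched-new-delete`) only gain `profile:security`, and the commit message mentions only the security profile. Enabling a diagnostic in the default profile changes what every user sees, and it is combined here with a MEDIUM→HIGH severity bump, so please confirm both are intended. If they are, one sentence in the PR description stating why this diagnostic is promoted to default would spare the next reader the same question.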
@@ -2502,18 +2519,30 @@
 ],
 "clang-diagnostic-format-nonliteral": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wformat-nonliteral",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
 "profile:default",
 "profile:extreme",
+ "profile:security",
 "profile:sensitive",
+ "sei-cert:fio30-c",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-format-overflow": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wformat-overflow",
- "severity:MEDIUM"
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:mem35-c",
+ "severity:HIGH"
 ],
 "clang-diagnostic-format-overflow-non-kprintf": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wformat-overflow-non-kprintf",
- "severity:MEDIUM"
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:mem35-c",
+ "severity:HIGH"
 ],
 "clang-diagnostic-format-pedantic": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wformat-pedantic",
@@ -2907,6 +2936,10 @@
 ],
 "clang-diagnostic-implicit-int-conversion": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wimplicit-int-conversion",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:int36-c",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-implicit-int-float-conversion": [
@@ -2955,6 +2988,10 @@
 ],
 "clang-diagnostic-incompatible-function-pointer-types-strict": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wincompatible-function-pointer-types-strict",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:exp37-c",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-incompatible-library-redeclaration": [
@@ -3088,6 +3125,10 @@
 ],
 "clang-diagnostic-int-conversion": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wint-conversion",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:int36-c",
 "severity:HIGH"
 ],
 "clang-diagnostic-int-conversions": [
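Review bot: `clang-diagnostic-implicit-int-conversion` (second hunk) is mapped to `sei-cert:int36-c`, the same rule as `-int-conversion` and `-pointer-to-int-cast` in the last hunk; INT36-C is the pointer-to-integer / integer-to-pointer rule, whereas `-Wimplicit-int-conversion` reports integer-to-integer conversions that lose precision, for which INT31-C (integer conversions that lose or misinterpret data) appears to be the matching rule — please check against the CERT text before merging. These `sei-cert:` labels are what the `checkers --guideline` listing exercised in test_cmdline.py resolves, so a mis-mapped rule shows up as a wrong guideline hit for anyone filtering by rule.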
@@ -3456,7 +3497,11 @@
 ],
 "clang-diagnostic-mismatched-new-delete": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wmismatched-new-delete",
- "severity:MEDIUM"
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:mem51-cpp",
+ "severity:HIGH"
 ],
 "clang-diagnostic-mismatched-parameter-types": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wmismatched-parameter-types",
@@ -4049,6 +4094,10 @@
 ],
 "clang-diagnostic-over-aligned": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wover-aligned",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:mem57-cpp",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-overflow": [
@@ -4111,8 +4160,12 @@
 ],
 "clang-diagnostic-parentheses": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wparentheses",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
 "profile:default",
+ "sei-cert:exp45-c",
 "profile:extreme",
+ "profile:security",
 "profile:sensitive",
 "severity:MEDIUM"
 ],
@@ -4196,6 +4249,10 @@
 ],
 "clang-diagnostic-pointer-to-int-cast": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wpointer-to-int-cast",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:int36-c",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-pointer-type-mismatch": [
@@ -4562,9 +4619,14 @@
 ],
 "clang-diagnostic-return-type": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wreturn-type",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
 "profile:default",
 "profile:extreme",
+ "profile:security",
 "profile:sensitive",
+ "sei-cert:msc37-c",
+ "sei-cert:msc52-cpp",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-return-type-c-linkage": [
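Review bot: In the `clang-diagnostic-parentheses` hunk, `"sei-cert:exp45-c",` is inserted between `"profile:default",` and `"profile:extreme",`, while every other entry in this commit keeps the label list sorted (`doc_url`, `guideline`, `label-tool-skip`, all `profile:*`, then `sei-cert:*`, then `severity`). Move the line to sit after `"profile:sensitive",` so the entry reads like its neighbours and a sorted-order check, if the label tooling performs one, does not trip on it.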
@@ -4626,9 +4688,13 @@
 ],
 "clang-diagnostic-self-assign-overloaded": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wself-assign-overloaded",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
 "profile:default",
 "profile:extreme",
+ "profile:security",
 "profile:sensitive",
+ "sei-cert:oop54-cpp",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-self-move": [
@@ -4783,9 +4849,14 @@
 ],
 "clang-diagnostic-sometimes-uninitialized": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wsometimes-uninitialized",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
 "profile:default",
 "profile:extreme",
+ "profile:security",
 "profile:sensitive",
+ "sei-cert:dcl41-c",
+ "sei-cert:exp33-c",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-source-mgr": [
@@ -5272,16 +5343,24 @@
 ],
 "clang-diagnostic-uninitialized": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wuninitialized",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
 "profile:default",
 "profile:extreme",
+ "profile:security",
 "profile:sensitive",
- "severity:MEDIUM"
+ "sei-cert:exp33-c",
+ "severity:HIGH"
 ],
 "clang-diagnostic-uninitialized-const-reference": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wuninitialized-const-reference",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
 "profile:default",
 "profile:extreme",
+ "profile:security",
 "profile:sensitive",
+ "sei-cert:exp33-c",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-unknown-argument": [
@@ -5600,6 +5679,11 @@
 ],
 "clang-diagnostic-varargs": [
 "doc_url:https://clang.llvm.org/docs/DiagnosticsReference.html#wvarargs",
+ "guideline:sei-cert",
+ "label-tool-skip:severity",
+ "profile:security",
+ "sei-cert:exp47-c",
+ "sei-cert:exp58-cpp",
 "severity:MEDIUM"
 ],
 "clang-diagnostic-variadic-macros": [
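Review bot: The four diagnostics this commit maps to `sei-cert:exp33-c` end up with different severities: `clang-diagnostic-uninitialized` (third hunk) and `-conditional-uninitialized` are raised to HIGH, while `-sometimes-uninitialized` (second hunk) and `-uninitialized-const-reference` (third hunk) stay MEDIUM, and all four are tagged `label-tool-skip:severity`, which the commit message describes as marking verified severities. If the split is deliberate — for instance because the may-be-uninitialized variants are considered less certain — a short rationale in the PR description would help reviewers of later severity changes; if not, aligning them avoids one CERT rule producing differently ranked reports depending on which diagnostic fired.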
@@ -5701,10 +5785,14 @@
 ],
 "concurrency-mt-unsafe": [
 "doc_url:https://clang.llvm.org/extra/clang-tidy/checks/concurrency/mt-unsafe.html",
+ "guideline:sei-cert",
+ "profile:security",
+ "sei-cert:con33-c",
 "severity:MEDIUM"
 ],
 "concurrency-thread-canceltype-asynchronous": [
 "doc_url:https://clang.llvm.org/extra/clang-tidy/checks/concurrency/thread-canceltype-asynchronous.html",
+ "guideline:sei-cert",
 "profile:default",
 "profile:extreme",
 "profile:security",
diff --git a/config/labels/analyzers/clangsa.json b/config/labels/analyzers/clangsa.json
index db5600b915..4ad03b1b09 100644
--- a/config/labels/analyzers/clangsa.json
+++ b/config/labels/analyzers/clangsa.json
@@ -427,6 +427,7 @@
 ],
 "core.StackAddressEscape": [
 "doc_url:https://clang.llvm.org/docs/analyzer/checkers.html#core-stackaddressescape-c",
+ "guideline:sei-cert",
 "profile:default",
 "profile:extreme",
 "profile:security",
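Review bot: `concurrency-mt-unsafe` gains `guideline:sei-cert`, `profile:security` and `sei-cert:con33-c` but, unlike every clang-diagnostic entry touched by this commit, no `label-tool-skip:severity`; the commit message says that label marks checkers whose severity was verified, so either the MEDIUM severity here was not reviewed or the label was simply missed — please say which, since the label tool will presumably keep treating this severity as unverified. `concurrency-thread-canceltype-asynchronous` in the same hunk gains only `guideline:sei-cert`; its remaining labels are below the hunk, so if a `sei-cert:` rule label is not already among them the guideline label has no rule to resolve to.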
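Review bot: `core.StackAddressEscape` in clangsa.json gains only `guideline:sei-cert`; the hunk ends at `"profile:security",`, so the diff does not show whether the entry already carries a `sei-cert:<rule>` label further down. Every clang-tidy entry in this commit pairs `guideline:sei-cert` with at least one `sei-cert:` rule, so if this one does not, the guideline label alone is inconsistent and gives the `--guideline` listing nothing to map it to — a quick look at the lines below the hunk settles it.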