Add parser for flawfinder

[davidCarlos]

I'm still working on this pull request (missing tests). soon i will remove the 'WIP' tag.

[davidmalcolm]

Do we need to support more than one CWE per issue in the schema? Currently <cwe> is optional within <issue>; should it be zeroOrMore?

[davidCarlos]

I was going to ask this. I don't know what the best pratice in this case. When flawfinder returns more than one CWE, what should i do?

[davidmalcolm]

Can you post some examples of what the output looks like?

My current opinion is that we should change the schema and model.py to support multiple CWEs per issue.

[davidCarlos]

./docs/examples/rtsp.c:170: [4] (buffer) sscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.
./docs/examples/synctime.c:155: [4] (buffer) sscanf:
The scanf() family's %s operation, without a limit specification, permits
buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
different input function.

In my opinion, Add multiple CWEs would generate a more realistic output, once one warning could be related to more than one CWE.

[davidCarlos]

I can send another PR doing this.

[davidmalcolm]

Thanks. I'll update the schema accordingly.

[davidCarlos]

I will first make this change in models, then i finish the flawfinder parser.

[davidCarlos]

@davidmalcolm I have a doubt. Projects that already use firehose, and pass to Issue model a single cwe using a integer value. Should we maintain the compatibility? (Allows de user to pass a integer or a list of integers). Or we keep only a list of integers?

[davidCarlos]

This change impacts the others parsers too.

[davidmalcolm]

As noted in #33 we don't have a good design yet for how to handle multiple CWEs in one issue.

For now, maybe have the parser capture the first CWE (if any), and note the limitation as a bug, marking it as a dependency of #33.

Thanks.

[davidCarlos]

Hey @davidmalcolm , i have updated this PR. I added some tests, and have included flawfinder in the documentation. Now the parser capture the first CWE, as we had discussed. I created the issue #35, to map the multiple cwes problem.

[davidmalcolm]

Thanks; this is looking good. I have some concerns about version-handling, and would prefer it if the parser captured the severity of issues (and maybe categories also).

Sorry if this seems nit-picky.

[davidmalcolm]

Note that a Generator's version can be None. It looks like the actual version is embedded in the first line of the output:

Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.

so presumably parse_file should be looking for lines like that and parsing them.

[davidCarlos]

Fixed. Now i get the version from the Flawfinder output.

[davidmalcolm]

Should have a comment here referencing issue #35, and that it's just the first CWE if there's more than one.

[davidCarlos]

Fixed

[davidmalcolm]

As noted above, I'd much prefer it if parse_file parsed the version header in the output.

If the output file doesn't contain a version string, then I think it's better for the parser to leave the Generator's version as None, rather than trying to scrape it from flawfinder --version (or guessing). Rationale: I use firehose in mock-with-analysis, which does the analysis in a chroot. There might be a different version of flawfinder in the chroot compared to what's in the host $PATH.

So I think it's better to get rid of this function and do the version-handling in parse_file.

[davidmalcolm]

Rather than manually incrementing counter, could this code use Python's enumerate builtin? (and maybe use idx rather then counter?)

[davidCarlos]

Fixed

[davidmalcolm]

Re severity: Flawfinder's docs say:

The risk level is shown inside square brackets and varies from 0, very little risk, to 5, great risk.

It would be good to capture that number as Issue.severity (as a string, without the square brackets):
http://firehose.readthedocs.io/en/latest/data-model.html#firehose.model.severity

[davidmalcolm]

The None here is the Issue.testid:
http://firehose.readthedocs.io/en/latest/data-model.html#firehose.model.testid

Perhaps the (shell) system: stuff should be captured here. If I'm reading the Flawfinder docs correctly:

Each entry has a filename, a colon, a line number, a
risk level in brackets (where 5 is the most risky), a category, the name of the function, and a description of

....then Flawfinder's "category" here is "shell" and the name of the function is "system". I'm not yet sure how that should map to a firehose Issue.testid.

[davidCarlos]

@davidmalcolm how should we handle this? Apprently flawfinder does not have a testid value.

[davidmalcolm]

Can we use flawfinder's "category" here for the FIrehose "testid"? Looking at the sample output, that would give values like "shell", "format", "buffer", "race", which seems sane.

[davidCarlos]

Hey @davidmalcolm , i updated this PR with the last revision.

[davidmalcolm]

Thanks for the updates.

I've got a few more nitpicks (sorry), covering code I had trouble following.

[davidmalcolm]

This doesn't actually load a file into memory; it merely returns a file object representing a file opened for reading. The code would be clearer if you got rid of this function and replace users with just the open builtin.

[davidmalcolm]

"loaded_file" is actually a file-like object, not an in-memory string. Please rename to "infile", or similar ("input" is a builtint IIRC)

[davidmalcolm]

I'm finding it hard to follow this two-stage parsing. If I'm reading things right, the code first reads the lines, building up a list of dicts (flawfinder_data). There's then a second loop over that list, creating Issue objects and adding them to analysis.results.

Wouldn't it be much simpler to have one loop, and append Issue objects directly to analysis.results, without the data dict i.e. work directly with an Issue object instead.

Hope that makes sense; I may have misread this code.

[davidmalcolm]

Wouldn't this be much simpler with a regex e.g.

 re.findall(line, "CWE-([0-9]+)")

or somesuch? (which I think would give a list of tuples of strings).

Could then rename the function to find_cwes and have it return a list of ints, and do the dropping of multiples in the caller.

Can also write a unit test for the CWE parser that way.

[davidmalcolm]

I find the current name to be unclear; please rename to parse_first_line (as that's what it does).

[davidCarlos]

Maybe rename to get_flawfinder_version should be better, what do you think @davidmalcolm ?

[davidmalcolm]

Given that it's a file-like object, maybe turn into:

path = os.path.join(...)
with open(path) as f:
    return parse_file (f)

[davidCarlos]

@davidmalcolm thanks for the great revision, i had updated the PR.

[davidmalcolm]

Thanks for the updated version.

This is looking much better, but I have a few more nitpicks (sorry).

[davidmalcolm]

Typo: "note" should be "not".
But an IOError is not necessarily "file not found"; it could be a permissions error, or an attempt to open a directory rather than a file, etc. Maybe just lose this clause?

[davidmalcolm]

I don't like using try/except for parsing; I prefer to use non-exception program flow (rationale: sometimes we end up catching a different exception than the one we thought we were, so it can conceal bugs).

Anything that matches the ([0-9]+) is known to be convertible to int, so how about:

# list of ints
cwes = []

before the "while message_line" loop, and:

cwes.extend([int(m.group(0))
             for m in re.findall("CWE-([0-9]+)", message_line)])

here, and then after the "message_line" loop:

if cwes:
   first_cwe = cwes[0]
else
   first_cwe = None

to avoid the two try/except clauses.

Please reinstate the comment about issue #35

[davidmalcolm]

If we just want the first match, just use re.search, which returns None for the "not-found" case ( https://docs.python.org/3.4/library/re.html#re.search ).

[davidCarlos]

@davidmalcolm I had updated the PR

[davidmalcolm]

Thanks for your improvements here.

Ironically, with the code cleanups you've done, you've simplified things enough that I can now see a couple of other issues that were hiding.

[davidmalcolm]

Thanks for doing the earlier cleanups; the code is clearer now.

With that, the handling of prog, prog2 and the testid looks a bit unusual; presumably these always appear on the same line, in a consistent way. Given that, I think it would be improved by using a single regular expression; something like:

# We want to match a line like:
#    ./docs/examples/asiohiper.cpp:78:  [4] (shell) system:
filename_group = "(.+)"
linenum_group = "([0-9]+)
severity_group = "\[([0-9])\]"
category_group = "\((.+)\)"
funcname_group = "(\S+)"
ws = '\s+'
PAT= (filename_group + ':' + linenum_group + ':' + ws + severity_group + ws
      + category_group + ws + funcname_group)

It should then be possible to do:

m = re.match(PAT, message_line)
if m:
  # do stuff with m.groups()

[davidmalcolm]

Please set the severity field to the number in square parens (keep it as a string, rather than calling int on it).

[davidmalcolm]

You could reuse the PAT from above here.

[davidCarlos]

@davidmalcolm I had updated the PR

[davidmalcolm]

Thanks for all the updates; this looks good.