From 9c60338061bf3679f925be12273dc723b3913b75 Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Thu, 28 Jul 2022 17:21:29 -0400 Subject: [PATCH] analyzer: add CWE identifier URLs to docs gcc/analyzer/ChangeLog: * sm-malloc.cc (free_of_non_heap::emit): Add comment about CWE. * sm-taint.cc (tainted_size::emit): Likewise. gcc/ChangeLog: * doc/invoke.texi (-fdiagnostics-show-cwe): Use uref rather than url. (Static Analyzer Options): Likewise. Add urefs for all of the warnings that have associated CWE identifiers. Signed-off-by: David Malcolm --- gcc/analyzer/sm-malloc.cc | 1 + gcc/analyzer/sm-taint.cc | 1 + gcc/doc/invoke.texi | 50 ++++++++++++++++++++++++++++++++++++++++++----- 3 files changed, 47 insertions(+), 5 deletions(-) diff --git a/gcc/analyzer/sm-malloc.cc b/gcc/analyzer/sm-malloc.cc index 608aceb..73c549f 100644 --- a/gcc/analyzer/sm-malloc.cc +++ b/gcc/analyzer/sm-malloc.cc @@ -1300,6 +1300,7 @@ public: bool emit (rich_location *rich_loc) final override { + /* "CWE-401: Missing Release of Memory after Effective Lifetime". */ diagnostic_metadata m; m.add_cwe (401); if (m_arg) diff --git a/gcc/analyzer/sm-taint.cc b/gcc/analyzer/sm-taint.cc index 51bfe06..549373b 100644 --- a/gcc/analyzer/sm-taint.cc +++ b/gcc/analyzer/sm-taint.cc @@ -435,6 +435,7 @@ public: bool emit (rich_location *rich_loc) override { + /* "CWE-129: Improper Validation of Array Index". */ diagnostic_metadata m; m.add_cwe (129); if (m_arg) diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi index fd7edd1..38ae900 100644 --- a/gcc/doc/invoke.texi +++ b/gcc/doc/invoke.texi @@ -5045,7 +5045,7 @@ the vertical bars and the ``char *'' and ``long int'' text). @opindex fno-diagnostics-show-cwe @opindex fdiagnostics-show-cwe Diagnostic messages can optionally have an associated -@url{https://cwe.mitre.org/index.html, CWE} identifier. +@uref{https://cwe.mitre.org/index.html, CWE} identifier. GCC itself only provides such metadata for some of the @option{-fanalyzer} diagnostics. GCC plugins may also provide diagnostics with such metadata. By default, if this information is present, it will be printed with @@ -9808,7 +9808,7 @@ This diagnostic warns for paths through the code in which a pointer to a buffer is assigned to point at a buffer with a size that is not a multiple of @code{sizeof (*pointer)}. -See @url{https://cwe.mitre.org/data/definitions/131.html, CWE-131: Incorrect Calculation of Buffer Size}. +See @uref{https://cwe.mitre.org/data/definitions/131.html, CWE-131: Incorrect Calculation of Buffer Size}. @item -Wno-analyzer-double-fclose @opindex Wanalyzer-double-fclose @@ -9819,6 +9819,8 @@ This warning requires @option{-fanalyzer}, which enables it; use This diagnostic warns for paths through the code in which a @code{FILE *} can have @code{fclose} called on it more than once. +See @uref{https://cwe.mitre.org/data/definitions/1341.html, CWE-1341: Multiple Releases of Same Resource or Handle}. + @item -Wno-analyzer-double-free @opindex Wanalyzer-double-free @opindex Wno-analyzer-double-free @@ -9829,6 +9831,8 @@ This diagnostic warns for paths through the code in which a pointer can have a deallocator called on it more than once, either @code{free}, or a deallocator referenced by attribute @code{malloc}. +See @uref{https://cwe.mitre.org/data/definitions/415.html, CWE-415: Double Free}. + @item -Wno-analyzer-exposure-through-output-file @opindex Wanalyzer-exposure-through-output-file @opindex Wno-analyzer-exposure-through-output-file @@ -9840,6 +9844,8 @@ This diagnostic warns for paths through the code in which a security-sensitive value is written to an output file (such as writing a password to a log file). +See @uref{https://cwe.mitre.org/data/definitions/532.html, CWE-532: Information Exposure Through Log Files}. + @item -Wno-analyzer-fd-access-mode-mismatch @opindex Wanalyzer-fd-access-mode-mismatch @opindex Wno-analyzer-fd-access-mode-mismatch @@ -9866,6 +9872,8 @@ to disable it. This diagnostic warns for paths through code in which a file descriptor can be closed more than once. +See @uref{https://cwe.mitre.org/data/definitions/1341.html, CWE-1341: Multiple Releases of Same Resource or Handle}. + @item -Wno-analyzer-fd-leak @opindex Wanalyzer-fd-leak @opindex Wno-analyzer-fd-leak @@ -9876,6 +9884,8 @@ to disable it. This diagnostic warns for paths through code in which an open file descriptor is leaked. +See @uref{https://cwe.mitre.org/data/definitions/775.html, CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime}. + @item -Wno-analyzer-fd-use-after-close @opindex Wanalyzer-fd-use-after-close @opindex Wno-analyzer-fd-use-after-close @@ -9916,6 +9926,8 @@ to disable it. This diagnostic warns for paths through the code in which a @code{} @code{FILE *} stream object is leaked. +See @uref{https://cwe.mitre.org/data/definitions/775.html, CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime}. + @item -Wno-analyzer-free-of-non-heap @opindex Wanalyzer-free-of-non-heap @opindex Wno-analyzer-free-of-non-heap @@ -9926,6 +9938,8 @@ to disable it. This diagnostic warns for paths through the code in which @code{free} is called on a non-heap pointer (e.g. an on-stack buffer, or a global). +See @uref{https://cwe.mitre.org/data/definitions/590.html, CWE-590: Free of Memory not on the Heap}. + @item -Wno-analyzer-malloc-leak @opindex Wanalyzer-malloc-leak @opindex Wno-analyzer-malloc-leak @@ -9937,6 +9951,8 @@ This diagnostic warns for paths through the code in which a pointer allocated via an allocator is leaked: either @code{malloc}, or a function marked with attribute @code{malloc}. +See @uref{https://cwe.mitre.org/data/definitions/401.html, CWE-401: Missing Release of Memory after Effective Lifetime}. + @item -Wno-analyzer-mismatching-deallocation @opindex Wanalyzer-mismatching-deallocation @opindex Wno-analyzer-mismatching-deallocation @@ -9951,6 +9967,8 @@ will warn about mismatches between @code{free}, scalar @code{delete} and vector @code{delete[]}, and those marked as allocator/deallocator pairs using attribute @code{malloc}. +See @uref{https://cwe.mitre.org/data/definitions/762.html, CWE-762: Mismatched Memory Management Routines}. + @item -Wno-analyzer-possible-null-argument @opindex Wanalyzer-possible-null-argument @opindex Wno-analyzer-possible-null-argument @@ -9962,6 +9980,8 @@ possibly-NULL value is passed to a function argument marked with @code{__attribute__((nonnull))} as requiring a non-NULL value. +See @uref{https://cwe.mitre.org/data/definitions/690.html, CWE-690: Unchecked Return Value to NULL Pointer Dereference}. + @item -Wno-analyzer-possible-null-dereference @opindex Wanalyzer-possible-null-dereference @opindex Wno-analyzer-possible-null-dereference @@ -9971,6 +9991,8 @@ This warning requires @option{-fanalyzer}, which enables it; use This diagnostic warns for paths through the code in which a possibly-NULL value is dereferenced. +See @uref{https://cwe.mitre.org/data/definitions/690.html, CWE-690: Unchecked Return Value to NULL Pointer Dereference}. + @item -Wno-analyzer-null-argument @opindex Wanalyzer-null-argument @opindex Wno-analyzer-null-argument @@ -9982,6 +10004,8 @@ value known to be NULL is passed to a function argument marked with @code{__attribute__((nonnull))} as requiring a non-NULL value. +See @uref{https://cwe.mitre.org/data/definitions/476.html, CWE-476: NULL Pointer Dereference}. + @item -Wno-analyzer-null-dereference @opindex Wanalyzer-null-dereference @opindex Wno-analyzer-null-dereference @@ -9991,6 +10015,8 @@ This warning requires @option{-fanalyzer}, which enables it; use This diagnostic warns for paths through the code in which a value known to be NULL is dereferenced. +See @uref{https://cwe.mitre.org/data/definitions/476.html, CWE-476: NULL Pointer Dereference}. + @item -Wno-analyzer-shift-count-negative @opindex Wanalyzer-shift-count-negative @opindex Wno-analyzer-shift-count-negative @@ -10049,7 +10075,7 @@ of an allocation without being sanitized, so that an attacker could inject an excessively large allocation and potentially cause a denial of service attack. -See @url{https://cwe.mitre.org/data/definitions/789.html, CWE-789: Memory Allocation with Excessive Size Value}. +See @uref{https://cwe.mitre.org/data/definitions/789.html, CWE-789: Memory Allocation with Excessive Size Value}. @item -Wno-analyzer-tainted-array-index @opindex Wanalyzer-tainted-array-index @@ -10063,7 +10089,7 @@ that could be under an attacker's control is used as the index of an array access without being sanitized, so that an attacker could inject an out-of-bounds access. -See @url{https://cwe.mitre.org/data/definitions/129.html, CWE-129: Improper Validation of Array Index}. +See @uref{https://cwe.mitre.org/data/definitions/129.html, CWE-129: Improper Validation of Array Index}. @item -Wno-analyzer-tainted-divisor @opindex Wanalyzer-tainted-divisor @@ -10077,6 +10103,8 @@ that could be under an attacker's control is used as the divisor in a division or modulus operation without being sanitized, so that an attacker could inject a division-by-zero. +See @uref{https://cwe.mitre.org/data/definitions/369.html, CWE-369: Divide By Zero}. + @item -Wno-analyzer-tainted-offset @opindex Wanalyzer-tainted-offset @opindex Wno-analyzer-tainted-offset @@ -10089,7 +10117,7 @@ that could be under an attacker's control is used as a pointer offset without being sanitized, so that an attacker could inject an out-of-bounds access. -See @url{https://cwe.mitre.org/data/definitions/823.html, CWE-823: Use of Out-of-range Pointer Offset}. +See @uref{https://cwe.mitre.org/data/definitions/823.html, CWE-823: Use of Out-of-range Pointer Offset}. @item -Wno-analyzer-tainted-size @opindex Wanalyzer-tainted-size @@ -10103,6 +10131,8 @@ that could be under an attacker's control is used as the size of an operation such as @code{memset} without being sanitized, so that an attacker could inject an out-of-bounds access. +See @uref{https://cwe.mitre.org/data/definitions/129.html, CWE-129: Improper Validation of Array Index}. + @item -Wno-analyzer-unsafe-call-within-signal-handler @opindex Wanalyzer-unsafe-call-within-signal-handler @opindex Wno-analyzer-unsafe-call-within-signal-handler @@ -10113,6 +10143,8 @@ This diagnostic warns for paths through the code in which a function known to be async-signal-unsafe (such as @code{fprintf}) is called from a signal handler. +See @uref{https://cwe.mitre.org/data/definitions/479.html, CWE-479: Signal Handler Use of a Non-reentrant Function}. + @item -Wno-analyzer-use-after-free @opindex Wanalyzer-use-after-free @opindex Wno-analyzer-use-after-free @@ -10123,6 +10155,8 @@ This diagnostic warns for paths through the code in which a pointer is used after a deallocator is called on it: either @code{free}, or a deallocator referenced by attribute @code{malloc}. +See @uref{https://cwe.mitre.org/data/definitions/416.html, CWE-416: Use After Free}. + @item -Wno-analyzer-use-of-pointer-in-stale-stack-frame @opindex Wanalyzer-use-of-pointer-in-stale-stack-frame @opindex Wno-analyzer-use-of-pointer-in-stale-stack-frame @@ -10145,6 +10179,8 @@ the analyzer detects an attempt to use @code{va_arg} to extract a value passed to a variadic call, but uses a type that does not match that of the expression passed to the call. +See @uref{https://cwe.mitre.org/data/definitions/686.html, CWE-686: Function Call With Incorrect Argument Type}. + @item -Wno-analyzer-va-list-exhausted @opindex Wanalyzer-va-list-exhausted @opindex Wno-analyzer-va-list-exhausted @@ -10157,6 +10193,8 @@ the analyzer detects an attempt to use @code{va_arg} to access the next value passed to a variadic call, but all of the values in the @code{va_list} have already been consumed. +See @uref{https://cwe.mitre.org/data/definitions/685.html, CWE-685: Function Call With Incorrect Number of Arguments}. + @item -Wno-analyzer-va-list-leak @opindex Wanalyzer-va-list-leak @opindex Wno-analyzer-va-list-leak @@ -10213,6 +10251,8 @@ This warning requires @option{-fanalyzer}, which enables it; use This diagnostic warns for paths through the code in which an uninitialized value is used. +See @uref{https://cwe.mitre.org/data/definitions/457.html, CWE-457: Use of Uninitialized Variable}. + @end table Pertinent parameters for controlling the exploration are: -- 2.7.4