From cdd76a61ed1627668ee5e375a067067c00e59bf7 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Thu, 18 Apr 2024 17:55:00 +0200
Subject: [PATCH] parser-cov: further tweaks to key event matching

Resolves: https://issues.redhat.com/browse/OSH-622
Closes: https://github.com/csutils/csdiff/pull/172
---
 src/lib/parser-cov.cc | 31 +-
 tests/csdiff/CMakeLists.txt | 1 +
 .../23-cov-parser-key-event-add-z.err | 0
 .../diff-misc/23-cov-parser-key-event-add.err | 0
 .../23-cov-parser-key-event-fix-z.err | 0
 .../diff-misc/23-cov-parser-key-event-fix.err | 0
 .../diff-misc/23-cov-parser-key-event-new.err | 246 +++
 .../diff-misc/23-cov-parser-key-event-old.err | 1738 +++++++++++++++++
 tests/csgrep/0119-cov-parser-sigma-stdout.txt | 6 +-
 9 files changed, 2014 insertions(+), 8 deletions(-)
 create mode 100644 tests/csdiff/diff-misc/23-cov-parser-key-event-add-z.err
 create mode 100644 tests/csdiff/diff-misc/23-cov-parser-key-event-add.err
 create mode 100644 tests/csdiff/diff-misc/23-cov-parser-key-event-fix-z.err
 create mode 100644 tests/csdiff/diff-misc/23-cov-parser-key-event-fix.err
 create mode 100644 tests/csdiff/diff-misc/23-cov-parser-key-event-new.err
 create mode 100644 tests/csdiff/diff-misc/23-cov-parser-key-event-old.err

diff --git a/src/lib/parser-cov.cc b/src/lib/parser-cov.cc
index 030d0116..5539e167 100644
--- a/src/lib/parser-cov.cc
+++ b/src/lib/parser-cov.cc
@@ -231,6 +231,7 @@ KeyEventDigger::KeyEventDigger():
 d->hMap["ARRAY_VS_SINGLETON"] .insert("callee_ptr_arith");
 d->hMap["ARRAY_VS_SINGLETON"] .insert("ptr_arith");
 d->hMap["ATOMICITY"] .insert("use");
+ d->hMap["BAD_CHECK_OF_WAIT_COND"] .insert("dead_wait");
 d->hMap["BAD_CHECK_OF_WAIT_COND"] .insert("wait_cond_improperly_checked");
 d->hMap["BAD_FREE"] .insert("incorrect_free");
 d->hMap["BAD_LOCK_OBJECT"] .insert("boxed_lock");
@@ -290,6 +291,7 @@ KeyEventDigger::KeyEventDigger():
 d->hMap["VARARGS"] .insert("missing_va_end");
 d->hMap["WRAPPER_ESCAPE"] .insert("escape");
 d->hMap["WRAPPER_ESCAPE"] .insert("use_after_free");
+ d->hMap["XSS"] .insert("sink");
 
 // we use COMPILER_WARNING as checker for compiler errors/warnings
 d->hMap["COMPILER_WARNING"] .insert("error");
@@ -315,8 +317,9 @@ KeyEventDigger::KeyEventDigger():
 d->searchBackwards.insert("HARDCODED_CREDENTIALS");
 d->searchBackwards.insert("HEADER_INJECTION");
 d->searchBackwards.insert("INSUFFICIENT_LOGGING");
- d->searchBackwards.insert("LOCK");
+ d->searchBackwards.insert("INTEGER_OVERFLOW");
 d->searchBackwards.insert("INVALIDATE_ITERATOR");
+ d->searchBackwards.insert("LOCK");
 d->searchBackwards.insert("NULL_RETURNS");
 d->searchBackwards.insert("OVERRUN");
 d->searchBackwards.insert("PATH_MANIPULATION");
@@ -379,6 +382,19 @@ KeyEventDigger::~KeyEventDigger()
 delete d;
 }
 
+/// FIXME: will not be needed with c++20
+bool startsWith(std::string input, const std::string &prefix)
+{
+ const size_t prefixLen = prefix.size();
+ if (input.size() < prefixLen)
+ // the input is shorter than the prefix we are looking for
+ return false;
+
+ // cut the input beyond prefixLen and compare for equality
+ input.resize(prefixLen);
+ return (input == prefix);
+}
+
 bool KeyEventDigger::guessKeyEvent(Defect *def)
 {
 const std::vector &evtList = def->events;
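Review bot: `startsWith` in the third hunk is a free function with external linkage, defined in a .cc file with no declaration visible here, so any other translation unit in csdiff that happens to define a `startsWith(std::string, const std::string &)` would collide at link time (an ODR violation); unless it is meant to be exported through a header it should be `static` or live in an anonymous namespace. It also takes `input` by value, copying the whole checker name only to truncate it for a prefix comparison; `static bool startsWith(const std::string &input, const std::string &prefix) { return input.compare(0, prefix.size(), prefix) == 0; }` gives the same result without the copy (`compare` with `pos == 0` cannot throw, and an input shorter than the prefix compares unequal). The `/// FIXME` would be more actionable if it named the replacement, e.g. `/// FIXME: replace with std::string::starts_with() once C++20 is required`.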
@@ -390,15 +406,20 @@ bool KeyEventDigger::guessKeyEvent(Defect *def)
 const Private::TSet *pKeyEvents = &defKeyEvent;
 
 Private::TMap::const_iterator it = d->hMap.find(def->checker);
- if (d->hMap.end() == it) {
+ if (d->hMap.end() != it) {
+ // use the corresponding set of events from d->hMap
+ pKeyEvents = &it->second;
+ }
+ else if (startsWith(def->checker, "SIGMA.")) {
+ // all SIGMA.* checkers use the same key event
+ defKeyEvent.insert("Sigma main event");
+ }
+ else {
 // no override for the checker -> match the lowered checker name
 std::string str(def->checker);
 boost::algorithm::to_lower(str);
 defKeyEvent.insert(str);
 }
- else
- // use the corresponding set of events from d->hMap
- pKeyEvents = &it->second;
 
 // look for an explicitly defined key event
 bool found = false;
diff --git a/tests/csdiff/CMakeLists.txt b/tests/csdiff/CMakeLists.txt
index b19ec04e..fe06e3b9 100644
--- a/tests/csdiff/CMakeLists.txt
+++ b/tests/csdiff/CMakeLists.txt
@@ -84,5 +84,6 @@ test_csdiff(diff-misc 16-cov-parser-key-event)
 test_csdiff(diff-misc 17-cov-parser-key-event)
 test_csdiff(diff-misc 18-cov-parser-key-event)
 test_csdiff(diff-misc 19-cov-parser-key-event)
+test_csdiff(diff-misc 23-cov-parser-key-event)
 
 add_subdirectory(filter-file)
diff --git a/tests/csdiff/diff-misc/23-cov-parser-key-event-add-z.err b/tests/csdiff/diff-misc/23-cov-parser-key-event-add-z.err
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/csdiff/diff-misc/23-cov-parser-key-event-add.err b/tests/csdiff/diff-misc/23-cov-parser-key-event-add.err
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/csdiff/diff-misc/23-cov-parser-key-event-fix-z.err b/tests/csdiff/diff-misc/23-cov-parser-key-event-fix-z.err
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/csdiff/diff-misc/23-cov-parser-key-event-fix.err b/tests/csdiff/diff-misc/23-cov-parser-key-event-fix.err
new file mode 100644
index 00000000..e69de29b
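Review bot: The new `else if (startsWith(def->checker, "SIGMA."))` branch materializes a `std::string` from the literal (and, with the by-value parameter, a copy of `def->checker`) for every defect that has no `hMap` override, which is the common case for this parser; hoisting `static const std::string sigmaPrefix("SIGMA.");` or comparing with `def->checker.compare(0, 6, "SIGMA.") == 0` avoids both temporaries. The comment "all SIGMA.* checkers use the same key event" would be more useful if it recorded why, e.g. `// Sigma marks its key event with the literal "Sigma main event" (see the 0119-cov-parser-sigma test), so every SIGMA.* checker is matched on it`. Note that an explicit `hMap` entry for a `SIGMA.*` checker would take precedence over the prefix rule because of the branch order, which is presumably intended but worth a sentence in the comment. `guessKeyEvent` begins before this hunk and continues after it, so the fallback taken when no "Sigma main event" is present is not visible here.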
diff --git a/tests/csdiff/diff-misc/23-cov-parser-key-event-new.err b/tests/csdiff/diff-misc/23-cov-parser-key-event-new.err
new file mode 100644
index 00000000..6c6728cb
--- /dev/null
+++ b/tests/csdiff/diff-misc/23-cov-parser-key-event-new.err
@@ -0,0 +1,246 @@ +Error: INTEGER_OVERFLOW (CWE-125): +zstd-1.5.5/lib/decompress/huf_decompress.c:1160: underflow: The decrement operator on the unsigned variable "maxW" might result in an underflow. +zstd-1.5.5/lib/decompress/huf_decompress.c:1160: deref_overflow: "maxW", which might have underflowed, is passed to "wksp->rankStats[maxW]". +# 1158| +# 1159| /* find maxWeight */ +# 1160|-> for (maxW = tableLog; wksp->rankStats[maxW]==0; maxW--) {} /* necessarily finds a solution before 0 */ +# 1161| +# 1162| /* Get start index of each weight */ + +Error: INTEGER_OVERFLOW (CWE-125): +zstd-1.5.5/lib/decompress/huf_decompress.c:1160: underflow: The decrement operator on the unsigned variable "maxW" might result in an underflow. +zstd-1.5.5/lib/decompress/huf_decompress.c:1193: overflow: The expression "tableLog + 1U - maxW" is deemed underflowed because at least one of its arguments has underflowed. +zstd-1.5.5/lib/decompress/huf_decompress.c:1193: assign: Assigning: "minBits" = "tableLog + 1U - maxW". +zstd-1.5.5/lib/decompress/huf_decompress.c:1195: assign: Assigning: "consumed" = "minBits". +zstd-1.5.5/lib/decompress/huf_decompress.c:1196: deref_overflow: "consumed", which might have underflowed, is passed to "wksp->rankVal[consumed]". +# 1194| U32 consumed; +# 1195| for (consumed = minBits; consumed < maxTableLog - minBits + 1; consumed++) { +# 1196|-> U32* const rankValPtr = wksp->rankVal[consumed]; +# 1197| U32 w; +# 1198| for (w = 1; w < maxW+1; w++) { + +Error: INTEGER_OVERFLOW (CWE-125): +zstd-1.5.5/lib/legacy/zstd_v05.c:2170: underflow: The decrement operator on the unsigned variable "maxW" might result in an underflow. +zstd-1.5.5/lib/legacy/zstd_v05.c:2170: deref_overflow: "maxW", which might have underflowed, is passed to "rankStats[maxW]". 
+# 2168| +# 2169| /* find maxWeight */ +# 2170|-> for (maxW = tableLog; rankStats[maxW]==0; maxW--) {} /* necessarily finds a solution before 0 */ +# 2171| +# 2172| /* Get start index of each weight */ + +Error: INTEGER_OVERFLOW (CWE-125): +zstd-1.5.5/lib/legacy/zstd_v05.c:2170: underflow: The decrement operator on the unsigned variable "maxW" might result in an underflow. +zstd-1.5.5/lib/legacy/zstd_v05.c:2198: overflow: The expression "tableLog + 1U - maxW" is deemed underflowed because at least one of its arguments has underflowed. +zstd-1.5.5/lib/legacy/zstd_v05.c:2198: assign: Assigning: "minBits" = "tableLog + 1U - maxW". +zstd-1.5.5/lib/legacy/zstd_v05.c:2208: assign: Assigning: "consumed" = "minBits". +zstd-1.5.5/lib/legacy/zstd_v05.c:2209: deref_overflow: "consumed", which might have underflowed, is passed to "rankVal[consumed]". +# 2207| } +# 2208| for (consumed = minBits; consumed <= memLog - minBits; consumed++) { +# 2209|-> U32* rankValPtr = rankVal[consumed]; +# 2210| for (w = 1; w <= maxW; w++) { +# 2211| rankValPtr[w] = rankVal0[w] >> consumed; + +Error: INTEGER_OVERFLOW (CWE-125): +zstd-1.5.5/lib/legacy/zstd_v06.c:2304: underflow: The decrement operator on the unsigned variable "maxW" might result in an underflow. +zstd-1.5.5/lib/legacy/zstd_v06.c:2304: deref_overflow: "maxW", which might have underflowed, is passed to "rankStats[maxW]". +# 2302| +# 2303| /* find maxWeight */ +# 2304|-> for (maxW = tableLog; rankStats[maxW]==0; maxW--) {} /* necessarily finds a solution before 0 */ +# 2305| +# 2306| /* Get start index of each weight */ + +Error: INTEGER_OVERFLOW (CWE-125): +zstd-1.5.5/lib/legacy/zstd_v06.c:2304: underflow: The decrement operator on the unsigned variable "maxW" might result in an underflow. +zstd-1.5.5/lib/legacy/zstd_v06.c:2338: overflow: The expression "tableLog + 1U - maxW" is deemed underflowed because at least one of its arguments has underflowed. 
+zstd-1.5.5/lib/legacy/zstd_v06.c:2338: assign: Assigning: "minBits" = "tableLog + 1U - maxW". +zstd-1.5.5/lib/legacy/zstd_v06.c:2340: assign: Assigning: "consumed" = "minBits". +zstd-1.5.5/lib/legacy/zstd_v06.c:2341: deref_overflow: "consumed", which might have underflowed, is passed to "rankVal[consumed]". +# 2339| U32 consumed; +# 2340| for (consumed = minBits; consumed < memLog - minBits + 1; consumed++) { +# 2341|-> U32* const rankValPtr = rankVal[consumed]; +# 2342| U32 w; +# 2343| for (w = 1; w < maxW+1; w++) { + +Error: INTEGER_OVERFLOW (CWE-125): +zstd-1.5.5/lib/legacy/zstd_v07.c:2113: underflow: The decrement operator on the unsigned variable "maxW" might result in an underflow. +zstd-1.5.5/lib/legacy/zstd_v07.c:2113: deref_overflow: "maxW", which might have underflowed, is passed to "rankStats[maxW]". +# 2111| +# 2112| /* find maxWeight */ +# 2113|-> for (maxW = tableLog; rankStats[maxW]==0; maxW--) {} /* necessarily finds a solution before 0 */ +# 2114| +# 2115| /* Get start index of each weight */ + +Error: INTEGER_OVERFLOW (CWE-125): +zstd-1.5.5/lib/legacy/zstd_v07.c:2113: underflow: The decrement operator on the unsigned variable "maxW" might result in an underflow. +zstd-1.5.5/lib/legacy/zstd_v07.c:2147: overflow: The expression "tableLog + 1U - maxW" is deemed underflowed because at least one of its arguments has underflowed. +zstd-1.5.5/lib/legacy/zstd_v07.c:2147: assign: Assigning: "minBits" = "tableLog + 1U - maxW". +zstd-1.5.5/lib/legacy/zstd_v07.c:2149: assign: Assigning: "consumed" = "minBits". +zstd-1.5.5/lib/legacy/zstd_v07.c:2150: deref_overflow: "consumed", which might have underflowed, is passed to "rankVal[consumed]". 
+# 2148| U32 consumed; +# 2149| for (consumed = minBits; consumed < maxTableLog - minBits + 1; consumed++) { +# 2150|-> U32* const rankValPtr = rankVal[consumed]; +# 2151| U32 w; +# 2152| for (w = 1; w < maxW+1; w++) { + +Error: INTEGER_OVERFLOW (CWE-190): +zstd-1.5.5/programs/benchzstd.c:336: tainted_data_return: Called function "ZSTD_findDecompressedSize(srcPtr, fileSizes[fileNb])", and a possible return value is known to be less than zero. +zstd-1.5.5/programs/benchzstd.c:336: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow. +zstd-1.5.5/programs/benchzstd.c:343: overflow: The expression "totalDSize64 += fSize64" is deemed underflowed because at least one of its arguments has underflowed. +zstd-1.5.5/programs/benchzstd.c:343: overflow: The expression "totalDSize64 += fSize64" is deemed underflowed because at least one of its arguments has underflowed. +zstd-1.5.5/programs/benchzstd.c:343: overflow: The expression "totalDSize64 += fSize64" is deemed underflowed because at least one of its arguments has underflowed. +zstd-1.5.5/programs/benchzstd.c:346: cast_overflow: An assign that casts to a different type, which might trigger an overflow. +zstd-1.5.5/programs/benchzstd.c:352: overflow_sink: "decodedSize", which might have underflowed, is passed to "malloc(decodedSize)". +# 350| RETURN_ERROR(32, BMK_benchOutcome_t, "decompressed size is too large for local system"); +# 351| } +# 352|-> *resultBufferPtr = malloc(decodedSize); +# 353| if (!(*resultBufferPtr)) { +# 354| RETURN_ERROR(33, BMK_benchOutcome_t, "allocation error: not enough memory"); + +Error: INTEGER_OVERFLOW (CWE-190): +zstd-1.5.5/programs/dibio.c:130: tainted_data_return: Called function "DiB_getFileSize(fileNamesTable[fileIndex])", and a possible return value may be less than zero. +zstd-1.5.5/programs/dibio.c:130: assign: Assigning: "fileSize" = "DiB_getFileSize(fileNamesTable[fileIndex])". 
+zstd-1.5.5/programs/dibio.c:156: overflow: The expression "fileSize - fileDataLoaded" is deemed overflowed because at least one of its arguments has overflowed. +zstd-1.5.5/programs/dibio.c:156: assign: Assigning: "chunkSize" = "((size_t)(fileSize - fileDataLoaded) < targetChunkSize) ? (size_t)(fileSize - fileDataLoaded) : targetChunkSize". +zstd-1.5.5/programs/dibio.c:160: overflow_sink: "chunkSize", which might have underflowed, is passed to "fread(buff + totalDataLoaded, 1UL, chunkSize, f)". [Note: The source code implementation of the function has been overridden by a builtin model.] +# 158| break; +# 159| +# 160|-> if (fread( buff+totalDataLoaded, 1, chunkSize, f ) != chunkSize) +# 161| EXM_THROW(11, "Pb reading %s", fileNamesTable[fileIndex]); +# 162| sampleSizes[nbSamplesLoaded++] = chunkSize; +Error: BAD_CHECK_OF_WAIT_COND: +antlr-2.7.7/antlr/debug/DebuggingCharScanner.java:84:40: lock_acquire: Acquiring lock "DebuggingCharScanner.this". +antlr-2.7.7/antlr/debug/DebuggingCharScanner.java:85:8: dead_wait: A wait is performed without ensuring that the condition is not already satisfied while holding lock "DebuggingCharScanner.this". This can cause a deadlock if the notification happens before the lock is acquired. +antlr-2.7.7/antlr/debug/DebuggingCharScanner.java:85:8: remediation: Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups. +# 83| } +# 84| public synchronized void goToSleep() { +# 85|-> try {wait();} +# 86| catch (InterruptedException e) { } +# 87| } + +Error: BAD_CHECK_OF_WAIT_COND: +antlr-2.7.7/antlr/debug/LLkDebuggingParser.java:92:40: lock_acquire: Acquiring lock "LLkDebuggingParser.this". +antlr-2.7.7/antlr/debug/LLkDebuggingParser.java:93:8: dead_wait: A wait is performed without ensuring that the condition is not already satisfied while holding lock "LLkDebuggingParser.this". 
This can cause a deadlock if the notification happens before the lock is acquired. +antlr-2.7.7/antlr/debug/LLkDebuggingParser.java:93:8: remediation: Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups. +# 91| } +# 92| public synchronized void goToSleep() { +# 93|-> try {wait();} +# 94| catch (InterruptedException e) { } +# 95| } + +Error: BAD_CHECK_OF_WAIT_COND: +antlr-2.7.7/src/antlr/debug/DebuggingCharScanner.java:84:40: lock_acquire: Acquiring lock "DebuggingCharScanner.this". +antlr-2.7.7/src/antlr/debug/DebuggingCharScanner.java:85:8: dead_wait: A wait is performed without ensuring that the condition is not already satisfied while holding lock "DebuggingCharScanner.this". This can cause a deadlock if the notification happens before the lock is acquired. +antlr-2.7.7/src/antlr/debug/DebuggingCharScanner.java:85:8: remediation: Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups. +# 83| } +# 84| public synchronized void goToSleep() { +# 85|-> try {wait();} +# 86| catch (InterruptedException e) { } +# 87| } + +Error: BAD_CHECK_OF_WAIT_COND: +antlr-2.7.7/src/antlr/debug/LLkDebuggingParser.java:92:40: lock_acquire: Acquiring lock "LLkDebuggingParser.this". +antlr-2.7.7/src/antlr/debug/LLkDebuggingParser.java:93:8: dead_wait: A wait is performed without ensuring that the condition is not already satisfied while holding lock "LLkDebuggingParser.this". This can cause a deadlock if the notification happens before the lock is acquired. +antlr-2.7.7/src/antlr/debug/LLkDebuggingParser.java:93:8: remediation: Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups. 
+# 91| } +# 92| public synchronized void goToSleep() { +# 93|-> try {wait();} +# 94| catch (InterruptedException e) { } +# 95| } +Error: SIGMA.xss (CWE-79): +doxygen-1.10.0/templates/html/search_opensearch.php:5: Sigma event: reading tainted data from _GET with key query +doxygen-1.10.0/templates/html/search_opensearch.php:5: Sigma event: $_GET['query'] is a source of tainted data +doxygen-1.10.0/templates/html/search_opensearch.php:5: Sigma event: assigning the tainted data to query +doxygen-1.10.0/templates/html/search_opensearch.php:6: Sigma event: calling __builtin__.preg_replace assigns to +doxygen-1.10.0/templates/html/search_opensearch.php:6: Sigma event: calling __builtin__.preg_replace taints +doxygen-1.10.0/templates/html/search_opensearch.php:6: Sigma event: assigning the tainted data to query +doxygen-1.10.0/templates/html/search_opensearch.php:19: Sigma event: calling opensearch_xml_results sinks query +doxygen-1.10.0/templates/html/search_opensearch.php:70: Sigma event: assigning the tainted data to result +doxygen-1.10.0/templates/html/search_opensearch.php:85: Sigma event: assigning the tainted data to result +doxygen-1.10.0/templates/html/search_opensearch.php:89: Sigma event: calling __builtin__.echo +doxygen-1.10.0/templates/html/search_opensearch.php:89: Sigma main event: Untrusted user-supplied data is inserted into a context that can execute JavaScript without adequate validation, escaping, or filtering. A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events. +doxygen-1.10.0/templates/html/search_opensearch.php:89: remediation: Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. 
Allowing only safe characters sometimes suffices to avoid XSS vulnerabilities, but only the strictest allow lists prevent all attacks. +# 87| +# 88| END_FRAG; +# 89|-> echo $result; +# 90| } +# 91| + +Error: SIGMA.xss (CWE-79): +doxygen-1.10.0/templates/html/search_opensearch.php:5: Sigma event: reading tainted data from _GET with key query +doxygen-1.10.0/templates/html/search_opensearch.php:5: Sigma event: assigning the tainted data to query +doxygen-1.10.0/templates/html/search_opensearch.php:5: Sigma event: $_GET['query'] is a source of tainted data +doxygen-1.10.0/templates/html/search_opensearch.php:6: Sigma event: calling __builtin__.preg_replace assigns to +doxygen-1.10.0/templates/html/search_opensearch.php:6: Sigma event: assigning the tainted data to query +doxygen-1.10.0/templates/html/search_opensearch.php:16: Sigma event: calling opensearch_json_results sinks query +doxygen-1.10.0/templates/html/search_opensearch.php:120: Sigma event: calling __builtin__.print +doxygen-1.10.0/templates/html/search_opensearch.php:120: Sigma main event: Untrusted user-supplied data is inserted into a context that can execute JavaScript without adequate validation, escaping, or filtering. A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events. +doxygen-1.10.0/templates/html/search_opensearch.php:120: remediation: Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. Allowing only safe characters sometimes suffices to avoid XSS vulnerabilities, but only the strictest allow lists prevent all attacks. 
+# 118| $i++; +# 119| } +# 120|-> print "[\"$query\", [$json_words],[$json_descriptions]]"; +# 121| } +# 122| + +Error: SIGMA.xss (CWE-79): +doxygen-1.10.0/templates/html/search_opensearch.php:5: Sigma event: reading tainted data from _GET with key query +doxygen-1.10.0/templates/html/search_opensearch.php:5: Sigma event: $_GET['query'] is a source of tainted data +doxygen-1.10.0/templates/html/search_opensearch.php:5: Sigma event: assigning the tainted data to query +doxygen-1.10.0/templates/html/search_opensearch.php:6: Sigma event: calling __builtin__.preg_replace assigns to +doxygen-1.10.0/templates/html/search_opensearch.php:6: Sigma event: calling __builtin__.preg_replace taints +doxygen-1.10.0/templates/html/search_opensearch.php:6: Sigma event: assigning the tainted data to query +doxygen-1.10.0/templates/html/search_opensearch.php:22: Sigma event: calling invalid_format sinks query +doxygen-1.10.0/templates/html/search_opensearch.php:125: Sigma event: calling __builtin__.print +doxygen-1.10.0/templates/html/search_opensearch.php:125: Sigma main event: Untrusted user-supplied data is inserted into a context that can execute JavaScript without adequate validation, escaping, or filtering. A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events. +doxygen-1.10.0/templates/html/search_opensearch.php:125: remediation: Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. Allowing only safe characters sometimes suffices to avoid XSS vulnerabilities, but only the strictest allow lists prevent all attacks. 
+# 123| function invalid_format($query, array $results) +# 124| { +# 125|-> print "Search results for '$query':\n\n"; +# 126| print_r($results); +# 127| } +Error: XSS (CWE-79): +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:140:2: taint: The field "r.URL" is a source of untrusted data. +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:140:2: identity: Calling "Query". This call assigns "r.URL.RawQuery" to "". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:140:2: assign: Assigning: "q" = "r.URL.Query()". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:142:2: identity: Calling "Get". This call returns "q". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:142:2: assign: Assigning: "headerErr" = "q.Get("error")". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: assign: Assigning: "[0]" = "headerErr". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: identity: Calling "Sprintf". This call assigns "{headerErr, desc}" to "". Now "" is tainted. +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: sink: Calling "Write". 
This call uses "([]byte)Sprintf("\n\n\n\n \n Authentication Failed\n\n\n\t

Authentication failed. You can return to the application. Feel free to close this browser tab.

\n\t

Error details: error %s error_description: %s

\n\n\n", headerErr, desc)" for sensitive computation. (The interface method resolves to "ochttp.trackingResponseWriter.Write([]byte)".) +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: remediation: Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. Allowing only safe characters (whitelisting) sometimes suffices to avoid XSS vulnerabilities, but only the strictest whitelists prevent all attacks. +# 145| // Note: It is a little weird we handle some errors by not going to the failPage. If they all should, +# 146| // change this to s.error() and make s.error() write the failPage instead of an error code. +# 147|-> _, _ = w.Write([]byte(fmt.Sprintf(failPage, headerErr, desc))) +# 148| s.putResult(Result{Err: fmt.Errorf(desc)}) +# 149| return + +Error: XSS (CWE-79): +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:140:2: taint: The field "r.URL" is a source of untrusted data. +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:140:2: identity: Calling "Query". This call assigns "r.URL.RawQuery" to "". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:140:2: assign: Assigning: "q" = "r.URL.Query()". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:142:2: identity: Calling "Get". This call returns "q". 
+osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:142:2: assign: Assigning: "headerErr" = "q.Get("error")". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: assign: Assigning: "[0]" = "headerErr". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: identity: Calling "Sprintf". This call assigns "{headerErr, desc}" to "". Now "" is tainted. +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: sink: Calling "Write". This call uses "([]byte)Sprintf("\n\n\n\n \n Authentication Failed\n\n\n\t

Authentication failed. You can return to the application. Feel free to close this browser tab.

\n\t

Error details: error %s error_description: %s

\n\n\n", headerErr, desc)" for sensitive computation. (The interface method resolves to "otelhttp.respWriterWrapper.Write([]byte)".) +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: remediation: Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. Allowing only safe characters (whitelisting) sometimes suffices to avoid XSS vulnerabilities, but only the strictest whitelists prevent all attacks. +# 145| // Note: It is a little weird we handle some errors by not going to the failPage. If they all should, +# 146| // change this to s.error() and make s.error() write the failPage instead of an error code. +# 147|-> _, _ = w.Write([]byte(fmt.Sprintf(failPage, headerErr, desc))) +# 148| s.putResult(Result{Err: fmt.Errorf(desc)}) +# 149| return + +Error: XSS (CWE-79): +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:140:2: taint: The field "r.URL" is a source of untrusted data. +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:140:2: identity: Calling "Query". This call assigns "r.URL.RawQuery" to "". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:140:2: assign: Assigning: "q" = "r.URL.Query()". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:142:2: identity: Calling "Get". This call returns "q". 
+osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:142:2: assign: Assigning: "headerErr" = "q.Get("error")". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: assign: Assigning: "[0]" = "headerErr". +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: identity: Calling "Sprintf". This call assigns "{headerErr, desc}" to "". Now "" is tainted. +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: sink: Calling "Write". This call uses "([]byte)Sprintf("\n\n\n\n \n Authentication Failed\n\n\n\t

Authentication failed. You can return to the application. Feel free to close this browser tab.

\n\t

Error details: error %s error_description: %s

\n\n\n", headerErr, desc)" for sensitive computation. (The interface method resolves to "v4.Response.Write([]byte)".) +osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go:147:10: remediation: Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. Allowing only safe characters (whitelisting) sometimes suffices to avoid XSS vulnerabilities, but only the strictest whitelists prevent all attacks. +# 145| // Note: It is a little weird we handle some errors by not going to the failPage. If they all should, +# 146| // change this to s.error() and make s.error() write the failPage instead of an error code. +# 147|-> _, _ = w.Write([]byte(fmt.Sprintf(failPage, headerErr, desc))) +# 148| s.putResult(Result{Err: fmt.Errorf(desc)}) +# 149| return diff --git a/tests/csdiff/diff-misc/23-cov-parser-key-event-old.err b/tests/csdiff/diff-misc/23-cov-parser-key-event-old.err new file mode 100644 index 00000000..6820955c --- /dev/null +++ b/tests/csdiff/diff-misc/23-cov-parser-key-event-old.err 
@@ -0,0 +1,1738 @@ +{ + "scan": { + "analyzer-version-clang": "17.0.6", + "analyzer-version-coverity": "2023.12.0", + "analyzer-version-cppcheck": "2.9", + "analyzer-version-gcc": "14.0.1", + "analyzer-version-gcc-analyzer": "14.0.1", + "analyzer-version-shellcheck": "0.7.1", + "analyzer-version-snyk-code": "1.1233.0", + "analyzer-version-unicontrol": "0.0.2", + "cov-compilation-unit-count": 155, + "cov-compilation-unit-ratio": 100, + "cov-lines-processed": 204774, + "cov-time-elapsed-analysis": "00:00:42", + "enabled-plugins": "clang, coverity, cppcheck, gcc, shellcheck, snyk, unicontrol", + "exit-code": 0, + "host": "osh-worker-002.osh-001.prod.iad2.dc.redhat.com", + "known-false-positives": "/usr/share/csmock/known-false-positives.js", + "mock-config": "rhel-10-beta-x86_64", + "project-name": "zstd-1.5.5-5.el10", + "snyk-scanned-files-coverage": 98, + "snyk-scanned-files-success": 278, + "snyk-scanned-files-total": 283, + "store-results-to": "/tmp/tmph4m04_cj/zstd-1.5.5-5.el10.tar.xz", + "time-created": "2024-03-28 05:49:59", + "time-finished": "2024-03-28 06:00:53", + "tool": "csmock", + "tool-args": "'/usr/bin/csmock' '-r' 'rhel-10-beta-x86_64' '-t' 'coverity,snyk,cppcheck,gcc,clang,shellcheck,unicontrol' '-o' '/tmp/tmph4m04_cj/zstd-1.5.5-5.el10.tar.xz' '--keep-going' '--use-host-cppcheck' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '/tmp/tmph4m04_cj/zstd-1.5.5-5.el10.src.rpm'", + "tool-version": "csmock-3.5.3.20240320.172417.g96ec7cf.internal-1.el9" + }, + "defects": [ + { + "checker": "INTEGER_OVERFLOW", + "cwe": 125, + "function": "HUF_readDTableX2_wksp", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 1, + "events": [ + { + "file_name": "zstd-1.5.5/lib/decompress/huf_decompress.c", + "line": 1160, + "event": "underflow", + "message": "The decrement operator on the unsigned variable \"maxW\" might result in an underflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/decompress/huf_decompress.c", + 
"line": 1160, + "event": "deref_overflow", + "message": "\"maxW\", which might have underflowed, is passed to \"wksp->rankStats[maxW]\".", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1158| ", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1159| /* find maxWeight */", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1160|-> for (maxW = tableLog; wksp->rankStats[maxW]==0; maxW--) {} /* necessarily finds a solution before 0 */", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1161| ", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1162| /* Get start index of each weight */", + "verbosity_level": 1 + } + ] + }, + { + "checker": "INTEGER_OVERFLOW", + "cwe": 125, + "function": "HUF_readDTableX2_wksp", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 4, + "events": [ + { + "file_name": "zstd-1.5.5/lib/decompress/huf_decompress.c", + "line": 1160, + "event": "underflow", + "message": "The decrement operator on the unsigned variable \"maxW\" might result in an underflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/decompress/huf_decompress.c", + "line": 1193, + "event": "overflow", + "message": "The expression \"tableLog + 1U - maxW\" is deemed underflowed because at least one of its arguments has underflowed.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/decompress/huf_decompress.c", + "line": 1193, + "event": "assign", + "message": "Assigning: \"minBits\" = \"tableLog + 1U - maxW\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/decompress/huf_decompress.c", + "line": 1195, + "event": "assign", + "message": "Assigning: \"consumed\" = \"minBits\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/decompress/huf_decompress.c", + "line": 1196, + 
"event": "deref_overflow", + "message": "\"consumed\", which might have underflowed, is passed to \"wksp->rankVal[consumed]\".", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1194| U32 consumed;", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1195| for (consumed = minBits; consumed < maxTableLog - minBits + 1; consumed++) {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1196|-> U32* const rankValPtr = wksp->rankVal[consumed];", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1197| U32 w;", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 1198| for (w = 1; w < maxW+1; w++) {", + "verbosity_level": 1 + } + ] + }, + { + "checker": "INTEGER_OVERFLOW", + "cwe": 125, + "function": "HUFv05_readDTableX4", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 1, + "events": [ + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v05.c", + "line": 2170, + "event": "underflow", + "message": "The decrement operator on the unsigned variable \"maxW\" might result in an underflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v05.c", + "line": 2170, + "event": "deref_overflow", + "message": "\"maxW\", which might have underflowed, is passed to \"rankStats[maxW]\".", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2168| ", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2169| /* find maxWeight */", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2170|-> for (maxW = tableLog; rankStats[maxW]==0; maxW--) {} /* necessarily finds a solution before 0 */", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2171| ", + "verbosity_level": 
1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2172| /* Get start index of each weight */", + "verbosity_level": 1 + } + ] + }, + { + "checker": "INTEGER_OVERFLOW", + "cwe": 125, + "function": "HUFv05_readDTableX4", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 4, + "events": [ + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v05.c", + "line": 2170, + "event": "underflow", + "message": "The decrement operator on the unsigned variable \"maxW\" might result in an underflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v05.c", + "line": 2198, + "event": "overflow", + "message": "The expression \"tableLog + 1U - maxW\" is deemed underflowed because at least one of its arguments has underflowed.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v05.c", + "line": 2198, + "event": "assign", + "message": "Assigning: \"minBits\" = \"tableLog + 1U - maxW\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v05.c", + "line": 2208, + "event": "assign", + "message": "Assigning: \"consumed\" = \"minBits\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v05.c", + "line": 2209, + "event": "deref_overflow", + "message": "\"consumed\", which might have underflowed, is passed to \"rankVal[consumed]\".", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2207| }", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2208| for (consumed = minBits; consumed <= memLog - minBits; consumed++) {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2209|-> U32* rankValPtr = rankVal[consumed];", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2210| for (w = 1; w <= maxW; w++) {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + 
"message": " 2211| rankValPtr[w] = rankVal0[w] >> consumed;", + "verbosity_level": 1 + } + ] + }, + { + "checker": "INTEGER_OVERFLOW", + "cwe": 125, + "function": "HUFv06_readDTableX4", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 1, + "events": [ + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v06.c", + "line": 2304, + "event": "underflow", + "message": "The decrement operator on the unsigned variable \"maxW\" might result in an underflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v06.c", + "line": 2304, + "event": "deref_overflow", + "message": "\"maxW\", which might have underflowed, is passed to \"rankStats[maxW]\".", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2302| ", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2303| /* find maxWeight */", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2304|-> for (maxW = tableLog; rankStats[maxW]==0; maxW--) {} /* necessarily finds a solution before 0 */", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2305| ", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2306| /* Get start index of each weight */", + "verbosity_level": 1 + } + ] + }, + { + "checker": "INTEGER_OVERFLOW", + "cwe": 125, + "function": "HUFv06_readDTableX4", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 4, + "events": [ + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v06.c", + "line": 2304, + "event": "underflow", + "message": "The decrement operator on the unsigned variable \"maxW\" might result in an underflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v06.c", + "line": 2338, + "event": "overflow", + "message": "The expression \"tableLog + 1U - maxW\" is deemed underflowed because at least one of its arguments has 
underflowed.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v06.c", + "line": 2338, + "event": "assign", + "message": "Assigning: \"minBits\" = \"tableLog + 1U - maxW\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v06.c", + "line": 2340, + "event": "assign", + "message": "Assigning: \"consumed\" = \"minBits\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v06.c", + "line": 2341, + "event": "deref_overflow", + "message": "\"consumed\", which might have underflowed, is passed to \"rankVal[consumed]\".", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2339| U32 consumed;", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2340| for (consumed = minBits; consumed < memLog - minBits + 1; consumed++) {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2341|-> U32* const rankValPtr = rankVal[consumed];", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2342| U32 w;", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2343| for (w = 1; w < maxW+1; w++) {", + "verbosity_level": 1 + } + ] + }, + { + "checker": "INTEGER_OVERFLOW", + "cwe": 125, + "function": "HUFv07_readDTableX4", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 1, + "events": [ + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v07.c", + "line": 2113, + "event": "underflow", + "message": "The decrement operator on the unsigned variable \"maxW\" might result in an underflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v07.c", + "line": 2113, + "event": "deref_overflow", + "message": "\"maxW\", which might have underflowed, is passed to \"rankStats[maxW]\".", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": 
" 2111| ", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2112| /* find maxWeight */", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2113|-> for (maxW = tableLog; rankStats[maxW]==0; maxW--) {} /* necessarily finds a solution before 0 */", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2114| ", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2115| /* Get start index of each weight */", + "verbosity_level": 1 + } + ] + }, + { + "checker": "INTEGER_OVERFLOW", + "cwe": 125, + "function": "HUFv07_readDTableX4", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 4, + "events": [ + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v07.c", + "line": 2113, + "event": "underflow", + "message": "The decrement operator on the unsigned variable \"maxW\" might result in an underflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v07.c", + "line": 2147, + "event": "overflow", + "message": "The expression \"tableLog + 1U - maxW\" is deemed underflowed because at least one of its arguments has underflowed.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v07.c", + "line": 2147, + "event": "assign", + "message": "Assigning: \"minBits\" = \"tableLog + 1U - maxW\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v07.c", + "line": 2149, + "event": "assign", + "message": "Assigning: \"consumed\" = \"minBits\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/lib/legacy/zstd_v07.c", + "line": 2150, + "event": "deref_overflow", + "message": "\"consumed\", which might have underflowed, is passed to \"rankVal[consumed]\".", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2148| U32 consumed;", + "verbosity_level": 1 + }, + { + "file_name": "", + 
"line": 0, + "event": "#", + "message": " 2149| for (consumed = minBits; consumed < maxTableLog - minBits + 1; consumed++) {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2150|-> U32* const rankValPtr = rankVal[consumed];", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2151| U32 w;", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 2152| for (w = 1; w < maxW+1; w++) {", + "verbosity_level": 1 + } + ] + }, + { + "checker": "INTEGER_OVERFLOW", + "cwe": 190, + "function": "BMK_benchMemAdvancedNoAlloc", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 6, + "events": [ + { + "file_name": "zstd-1.5.5/programs/benchzstd.c", + "line": 336, + "event": "tainted_data_return", + "message": "Called function \"ZSTD_findDecompressedSize(srcPtr, fileSizes[fileNb])\", and a possible return value is known to be less than zero.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/benchzstd.c", + "line": 336, + "event": "cast_underflow", + "message": "An assign of a possibly negative number to an unsigned type, which might trigger an underflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/benchzstd.c", + "line": 343, + "event": "overflow", + "message": "The expression \"totalDSize64 += fSize64\" is deemed underflowed because at least one of its arguments has underflowed.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/benchzstd.c", + "line": 343, + "event": "overflow", + "message": "The expression \"totalDSize64 += fSize64\" is deemed underflowed because at least one of its arguments has underflowed.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/benchzstd.c", + "line": 343, + "event": "overflow", + "message": "The expression \"totalDSize64 += fSize64\" is deemed underflowed because at least one of its arguments has underflowed.", + 
"verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/benchzstd.c", + "line": 346, + "event": "cast_overflow", + "message": "An assign that casts to a different type, which might trigger an overflow.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/benchzstd.c", + "line": 352, + "event": "overflow_sink", + "message": "\"decodedSize\", which might have underflowed, is passed to \"malloc(decodedSize)\".", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 350| RETURN_ERROR(32, BMK_benchOutcome_t, \"decompressed size is too large for local system\");", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 351| }", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 352|-> *resultBufferPtr = malloc(decodedSize);", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 353| if (!(*resultBufferPtr)) {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 354| RETURN_ERROR(33, BMK_benchOutcome_t, \"allocation error: not enough memory\");", + "verbosity_level": 1 + } + ] + }, + { + "checker": "INTEGER_OVERFLOW", + "cwe": 190, + "function": "DiB_loadFiles", + "language": "c/c++", + "tool": "coverity", + "key_event_idx": 4, + "events": [ + { + "file_name": "zstd-1.5.5/programs/dibio.c", + "line": 130, + "event": "tainted_data_return", + "message": "Called function \"DiB_getFileSize(fileNamesTable[fileIndex])\", and a possible return value may be less than zero.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/dibio.c", + "line": 130, + "event": "assign", + "message": "Assigning: \"fileSize\" = \"DiB_getFileSize(fileNamesTable[fileIndex])\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/dibio.c", + "line": 156, + "event": "overflow", + "message": "The expression \"fileSize - fileDataLoaded\" 
is deemed overflowed because at least one of its arguments has overflowed.", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/dibio.c", + "line": 156, + "event": "assign", + "message": "Assigning: \"chunkSize\" = \"((size_t)(fileSize - fileDataLoaded) < targetChunkSize) ? (size_t)(fileSize - fileDataLoaded) : targetChunkSize\".", + "verbosity_level": 1 + }, + { + "file_name": "zstd-1.5.5/programs/dibio.c", + "line": 160, + "event": "overflow_sink", + "message": "\"chunkSize\", which might have underflowed, is passed to \"fread(buff + totalDataLoaded, 1UL, chunkSize, f)\". [Note: The source code implementation of the function has been overridden by a builtin model.]", + "verbosity_level": 0 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 158| break;", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 159| ", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 160|-> if (fread( buff+totalDataLoaded, 1, chunkSize, f ) != chunkSize)", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 161| EXM_THROW(11, \"Pb reading %s\", fileNamesTable[fileIndex]);", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 162| sampleSizes[nbSamplesLoaded++] = chunkSize;", + "verbosity_level": 1 + } + ] + }, + { + "checker": "BAD_CHECK_OF_WAIT_COND", + "function": "antlr.debug.DebuggingCharScanner.goToSleep()", + "language": "java", + "tool": "coverity", + "key_event_idx": 1, + "events": [ + { + "file_name": "antlr-2.7.7/antlr/debug/DebuggingCharScanner.java", + "line": 84, + "column": 40, + "event": "lock_acquire", + "message": "Acquiring lock \"DebuggingCharScanner.this\".", + "verbosity_level": 1 + }, + { + "file_name": "antlr-2.7.7/antlr/debug/DebuggingCharScanner.java", + "line": 85, + "column": 8, + "event": "dead_wait", + "message": "A wait is performed without 
ensuring that the condition is not already satisfied while holding lock \"DebuggingCharScanner.this\". This can cause a deadlock if the notification happens before the lock is acquired.", + "verbosity_level": 0 + }, + { + "file_name": "antlr-2.7.7/antlr/debug/DebuggingCharScanner.java", + "line": 85, + "column": 8, + "event": "remediation", + "message": "Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 83| \t}", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 84| \tpublic synchronized void goToSleep() {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 85|-> \t\ttry {wait();}", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 86| \t\tcatch (InterruptedException e) {\t}\t\t", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 87| \t}", + "verbosity_level": 1 + } + ] + }, + { + "checker": "BAD_CHECK_OF_WAIT_COND", + "function": "antlr.debug.LLkDebuggingParser.goToSleep()", + "language": "java", + "tool": "coverity", + "key_event_idx": 1, + "events": [ + { + "file_name": "antlr-2.7.7/antlr/debug/LLkDebuggingParser.java", + "line": 92, + "column": 40, + "event": "lock_acquire", + "message": "Acquiring lock \"LLkDebuggingParser.this\".", + "verbosity_level": 1 + }, + { + "file_name": "antlr-2.7.7/antlr/debug/LLkDebuggingParser.java", + "line": 93, + "column": 8, + "event": "dead_wait", + "message": "A wait is performed without ensuring that the condition is not already satisfied while holding lock \"LLkDebuggingParser.this\". 
This can cause a deadlock if the notification happens before the lock is acquired.", + "verbosity_level": 0 + }, + { + "file_name": "antlr-2.7.7/antlr/debug/LLkDebuggingParser.java", + "line": 93, + "column": 8, + "event": "remediation", + "message": "Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 91| \t}", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 92| \tpublic synchronized void goToSleep() {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 93|-> \t\ttry {wait();}", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 94| \t\tcatch (InterruptedException e) {\t}\t\t", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 95| \t}", + "verbosity_level": 1 + } + ] + }, + { + "checker": "BAD_CHECK_OF_WAIT_COND", + "function": "antlr.debug.DebuggingCharScanner.goToSleep()", + "language": "java", + "tool": "coverity", + "key_event_idx": 1, + "events": [ + { + "file_name": "antlr-2.7.7/src/antlr/debug/DebuggingCharScanner.java", + "line": 84, + "column": 40, + "event": "lock_acquire", + "message": "Acquiring lock \"DebuggingCharScanner.this\".", + "verbosity_level": 1 + }, + { + "file_name": "antlr-2.7.7/src/antlr/debug/DebuggingCharScanner.java", + "line": 85, + "column": 8, + "event": "dead_wait", + "message": "A wait is performed without ensuring that the condition is not already satisfied while holding lock \"DebuggingCharScanner.this\". 
This can cause a deadlock if the notification happens before the lock is acquired.", + "verbosity_level": 0 + }, + { + "file_name": "antlr-2.7.7/src/antlr/debug/DebuggingCharScanner.java", + "line": 85, + "column": 8, + "event": "remediation", + "message": "Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 83| \t}", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 84| \tpublic synchronized void goToSleep() {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 85|-> \t\ttry {wait();}", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 86| \t\tcatch (InterruptedException e) {\t}\t\t", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 87| \t}", + "verbosity_level": 1 + } + ] + }, + { + "checker": "BAD_CHECK_OF_WAIT_COND", + "function": "antlr.debug.LLkDebuggingParser.goToSleep()", + "language": "java", + "tool": "coverity", + "key_event_idx": 1, + "events": [ + { + "file_name": "antlr-2.7.7/src/antlr/debug/LLkDebuggingParser.java", + "line": 92, + "column": 40, + "event": "lock_acquire", + "message": "Acquiring lock \"LLkDebuggingParser.this\".", + "verbosity_level": 1 + }, + { + "file_name": "antlr-2.7.7/src/antlr/debug/LLkDebuggingParser.java", + "line": 93, + "column": 8, + "event": "dead_wait", + "message": "A wait is performed without ensuring that the condition is not already satisfied while holding lock \"LLkDebuggingParser.this\". 
This can cause a deadlock if the notification happens before the lock is acquired.", + "verbosity_level": 0 + }, + { + "file_name": "antlr-2.7.7/src/antlr/debug/LLkDebuggingParser.java", + "line": 93, + "column": 8, + "event": "remediation", + "message": "Acquire the lock, then check the wait condition in a loop, without releasing with the lock before the wait. This will prevent deadlocks and failed conditions from spurious wakeups.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 91| \t}", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 92| \tpublic synchronized void goToSleep() {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 93|-> \t\ttry {wait();}", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 94| \t\tcatch (InterruptedException e) {\t}\t\t", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 95| \t}", + "verbosity_level": 1 + } + ] + }, + { + "checker": "SIGMA.xss", + "cwe": 79, + "function": "opensearch_xml_results(Unknown, Dictionary( Unknown,Unknown ))Void", + "language": "php", + "tool": "coverity", + "key_event_idx": 10, + "events": [ + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 5, + "event": "Sigma event", + "message": "reading tainted data from _GET with key query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 5, + "event": "Sigma event", + "message": "$_GET['query'] is a source of tainted data", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 5, + "event": "Sigma event", + "message": "assigning the tainted data to query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 6, + "event": 
"Sigma event", + "message": "calling __builtin__.preg_replace assigns to ", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 6, + "event": "Sigma event", + "message": "calling __builtin__.preg_replace taints ", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 6, + "event": "Sigma event", + "message": "assigning the tainted data to query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 19, + "event": "Sigma event", + "message": "calling opensearch_xml_results sinks query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 70, + "event": "Sigma event", + "message": "assigning the tainted data to result", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 85, + "event": "Sigma event", + "message": "assigning the tainted data to result", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 89, + "event": "Sigma event", + "message": "calling __builtin__.echo", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 89, + "event": "Sigma main event", + "message": "Untrusted user-supplied data is inserted into a context that can execute JavaScript without adequate validation, escaping, or filtering. A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events.", + "verbosity_level": 0 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 89, + "event": "remediation", + "message": "Escape non-constant data appropriately before concatenating it into HTML. 
The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. Allowing only safe characters sometimes suffices to avoid XSS vulnerabilities, but only the strictest allow lists prevent all attacks.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 87| ", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 88| END_FRAG;", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 89|-> echo $result;", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 90| }", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 91| ", + "verbosity_level": 1 + } + ] + }, + { + "checker": "SIGMA.xss", + "cwe": 79, + "function": "opensearch_json_results(Unknown, Dictionary( Unknown,Unknown ))Void", + "language": "php", + "tool": "coverity", + "key_event_idx": 7, + "events": [ + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 5, + "event": "Sigma event", + "message": "reading tainted data from _GET with key query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 5, + "event": "Sigma event", + "message": "assigning the tainted data to query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 5, + "event": "Sigma event", + "message": "$_GET['query'] is a source of tainted data", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 6, + "event": "Sigma event", + "message": "calling __builtin__.preg_replace assigns to ", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 6, + "event": "Sigma event", + "message": "assigning the tainted data to query", + 
"verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 16, + "event": "Sigma event", + "message": "calling opensearch_json_results sinks query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 120, + "event": "Sigma event", + "message": "calling __builtin__.print", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 120, + "event": "Sigma main event", + "message": "Untrusted user-supplied data is inserted into a context that can execute JavaScript without adequate validation, escaping, or filtering. A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events.", + "verbosity_level": 0 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 120, + "event": "remediation", + "message": "Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. 
Allowing only safe characters sometimes suffices to avoid XSS vulnerabilities, but only the strictest allow lists prevent all attacks.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 118| $i++;", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 119| }", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 120|-> print \"[\\\"$query\\\", [$json_words],[$json_descriptions]]\";", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 121| }", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 122| ", + "verbosity_level": 1 + } + ] + }, + { + "checker": "SIGMA.xss", + "cwe": 79, + "function": "invalid_format(Unknown, Dictionary( Unknown,Unknown ))Void", + "language": "php", + "tool": "coverity", + "key_event_idx": 8, + "events": [ + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 5, + "event": "Sigma event", + "message": "reading tainted data from _GET with key query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 5, + "event": "Sigma event", + "message": "$_GET['query'] is a source of tainted data", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 5, + "event": "Sigma event", + "message": "assigning the tainted data to query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 6, + "event": "Sigma event", + "message": "calling __builtin__.preg_replace assigns to ", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 6, + "event": "Sigma event", + "message": "calling __builtin__.preg_replace taints ", + "verbosity_level": 1 + }, + { + "file_name": 
"doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 6, + "event": "Sigma event", + "message": "assigning the tainted data to query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 22, + "event": "Sigma event", + "message": "calling invalid_format sinks query", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 125, + "event": "Sigma event", + "message": "calling __builtin__.print", + "verbosity_level": 1 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 125, + "event": "Sigma main event", + "message": "Untrusted user-supplied data is inserted into a context that can execute JavaScript without adequate validation, escaping, or filtering. A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events.", + "verbosity_level": 0 + }, + { + "file_name": "doxygen-1.10.0/templates/html/search_opensearch.php", + "line": 125, + "event": "remediation", + "message": "Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. 
Allowing only safe characters sometimes suffices to avoid XSS vulnerabilities, but only the strictest allow lists prevent all attacks.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 123| function invalid_format($query, array $results)", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 124| {", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 125|-> print \"Search results for '$query':\\n\\n\";", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 126| print_r($results);", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 127| }", + "verbosity_level": 1 + } + ] + }, + { + "checker": "XSS", + "cwe": 79, + "function": "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local.Server.handler(net/http.ResponseWriter, *net/http.Request)", + "language": "go", + "tool": "coverity", + "key_event_idx": 7, + "events": [ + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 140, + "column": 2, + "event": "taint", + "message": "The field \"r.URL\" is a source of untrusted data.", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 140, + "column": 2, + "event": "identity", + "message": "Calling \"Query\". 
This call assigns \"r.URL.RawQuery\" to \"\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 140, + "column": 2, + "event": "assign", + "message": "Assigning: \"q\" = \"r.URL.Query()\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 142, + "column": 2, + "event": "identity", + "message": "Calling \"Get\". This call returns \"q\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 142, + "column": 2, + "event": "assign", + "message": "Assigning: \"headerErr\" = \"q.Get(\"error\")\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "assign", + "message": "Assigning: \"[0]\" = \"headerErr\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "identity", + "message": "Calling \"Sprintf\". This call assigns \"{headerErr, desc}\" to \"\". 
Now \"\" is tainted.", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "sink", + "message": "Calling \"Write\". This call uses \"([]byte)Sprintf(\"\\n\\n\\n\\n \\n Authentication Failed\\n\\n\\n\\t

Authentication failed. You can return to the application. Feel free to close this browser tab.

\\n\\t

Error details: error %s error_description: %s

\\n\\n\\n\", headerErr, desc)\" for sensitive computation. (The interface method resolves to \"ochttp.trackingResponseWriter.Write([]byte)\".)", + "verbosity_level": 0 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "remediation", + "message": "Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. Allowing only safe characters (whitelisting) sometimes suffices to avoid XSS vulnerabilities, but only the strictest whitelists prevent all attacks.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 145| \t\t// Note: It is a little weird we handle some errors by not going to the failPage. If they all should,", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 146| \t\t// change this to s.error() and make s.error() write the failPage instead of an error code.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 147|-> \t\t_, _ = w.Write([]byte(fmt.Sprintf(failPage, headerErr, desc)))", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 148| \t\ts.putResult(Result{Err: fmt.Errorf(desc)})", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 149| \t\treturn", + "verbosity_level": 1 + } + ] + }, + { + "checker": "XSS", + "cwe": 79, + "function": "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local.Server.handler(net/http.ResponseWriter, *net/http.Request)", + "language": "go", + "tool": "coverity", + "key_event_idx": 7, + "events": [ + { + "file_name": 
"osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 140, + "column": 2, + "event": "taint", + "message": "The field \"r.URL\" is a source of untrusted data.", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 140, + "column": 2, + "event": "identity", + "message": "Calling \"Query\". This call assigns \"r.URL.RawQuery\" to \"\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 140, + "column": 2, + "event": "assign", + "message": "Assigning: \"q\" = \"r.URL.Query()\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 142, + "column": 2, + "event": "identity", + "message": "Calling \"Get\". 
This call returns \"q\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 142, + "column": 2, + "event": "assign", + "message": "Assigning: \"headerErr\" = \"q.Get(\"error\")\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "assign", + "message": "Assigning: \"[0]\" = \"headerErr\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "identity", + "message": "Calling \"Sprintf\". This call assigns \"{headerErr, desc}\" to \"\". Now \"\" is tainted.", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "sink", + "message": "Calling \"Write\". This call uses \"([]byte)Sprintf(\"\\n\\n\\n\\n \\n Authentication Failed\\n\\n\\n\\t

Authentication failed. You can return to the application. Feel free to close this browser tab.

\\n\\t

Error details: error %s error_description: %s

\\n\\n\\n\", headerErr, desc)\" for sensitive computation. (The interface method resolves to \"otelhttp.respWriterWrapper.Write([]byte)\".)", + "verbosity_level": 0 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "remediation", + "message": "Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. Allowing only safe characters (whitelisting) sometimes suffices to avoid XSS vulnerabilities, but only the strictest whitelists prevent all attacks.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 145| \t\t// Note: It is a little weird we handle some errors by not going to the failPage. If they all should,", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 146| \t\t// change this to s.error() and make s.error() write the failPage instead of an error code.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 147|-> \t\t_, _ = w.Write([]byte(fmt.Sprintf(failPage, headerErr, desc)))", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 148| \t\ts.putResult(Result{Err: fmt.Errorf(desc)})", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 149| \t\treturn", + "verbosity_level": 1 + } + ] + }, + { + "checker": "XSS", + "cwe": 79, + "function": "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local.Server.handler(net/http.ResponseWriter, *net/http.Request)", + "language": "go", + "tool": "coverity", + "key_event_idx": 7, + "events": [ + { + "file_name": 
"osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 140, + "column": 2, + "event": "taint", + "message": "The field \"r.URL\" is a source of untrusted data.", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 140, + "column": 2, + "event": "identity", + "message": "Calling \"Query\". This call assigns \"r.URL.RawQuery\" to \"\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 140, + "column": 2, + "event": "assign", + "message": "Assigning: \"q\" = \"r.URL.Query()\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 142, + "column": 2, + "event": "identity", + "message": "Calling \"Get\". 
This call returns \"q\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 142, + "column": 2, + "event": "assign", + "message": "Assigning: \"headerErr\" = \"q.Get(\"error\")\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "assign", + "message": "Assigning: \"[0]\" = \"headerErr\".", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "identity", + "message": "Calling \"Sprintf\". This call assigns \"{headerErr, desc}\" to \"\". Now \"\" is tainted.", + "verbosity_level": 1 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "sink", + "message": "Calling \"Write\". This call uses \"([]byte)Sprintf(\"\\n\\n\\n\\n \\n Authentication Failed\\n\\n\\n\\t

Authentication failed. You can return to the application. Feel free to close this browser tab.

\\n\\t

Error details: error %s error_description: %s

\\n\\n\\n\", headerErr, desc)\" for sensitive computation. (The interface method resolves to \"v4.Response.Write([]byte)\".)", + "verbosity_level": 0 + }, + { + "file_name": "osbuild-composer-100/_build/src/github.com/osbuild/osbuild-composer/vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go", + "line": 147, + "column": 10, + "event": "remediation", + "message": "Escape non-constant data appropriately before concatenating it into HTML. The specific sequence of escapers necessary to make data safe depends on its syntactic position in the HTML. Allowing only safe characters (whitelisting) sometimes suffices to avoid XSS vulnerabilities, but only the strictest whitelists prevent all attacks.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 145| \t\t// Note: It is a little weird we handle some errors by not going to the failPage. If they all should,", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 146| \t\t// change this to s.error() and make s.error() write the failPage instead of an error code.", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 147|-> \t\t_, _ = w.Write([]byte(fmt.Sprintf(failPage, headerErr, desc)))", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 148| \t\ts.putResult(Result{Err: fmt.Errorf(desc)})", + "verbosity_level": 1 + }, + { + "file_name": "", + "line": 0, + "event": "#", + "message": " 149| \t\treturn", + "verbosity_level": 1 + } + ] + } + ] +} diff --git a/tests/csgrep/0119-cov-parser-sigma-stdout.txt b/tests/csgrep/0119-cov-parser-sigma-stdout.txt index 8bb60976..a2fb3e73 100644 --- a/tests/csgrep/0119-cov-parser-sigma-stdout.txt +++ b/tests/csgrep/0119-cov-parser-sigma-stdout.txt 
@@ -26,14 +26,14 @@
 "checker": "SIGMA.xss",
 "cwe": 79,
 "tool": "coverity",
- "key_event_idx": 0,
+ "key_event_idx": 3,
 "events": [
 {
 "file_name": "unpacked_remote_sources/collector/app/builder/third_party/civetweb/test/x.php",
 "line": 7,
 "event": "Sigma event",
 "message": "reading tainted data from _POST with key x",
- "verbosity_level": 0
+ "verbosity_level": 1
 },
 {
 "file_name": "unpacked_remote_sources/collector/app/builder/third_party/civetweb/test/x.php",
@@ -54,7 +54,7 @@
 "line": 7,
 "event": "Sigma main event",
 "message": "Untrusted user-supplied data is inserted into a context that can execute JavaScript without adequate validation, escaping, or filtering. A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events.",
- "verbosity_level": 1
+ "verbosity_level": 0
 },
 {
 "file_name": "unpacked_remote_sources/collector/app/builder/third_party/civetweb/test/x.php",