[Cabal] Fwd: results au the audit (sort of)

Ethan Blanton elb at psg.com
Thu Jan 4 16:19:29 EST 2007 

Replying to the list, as sanitizing the reply in such a way that no
one will accidentally Cc this list to endrazine seemed difficult.
I will send the comments directly to him, as well.

Luke Schierer spake unto us the following wisdom:
> PS: I use flex/bison scanners I wrote especially for this audit, so no 
> false positives are possible...

This is not at all true.  In fact, the first two I checked were false
positives.  What this means is that any false positives were generated
by your code, not some existing tool.

> gaim/branches/soc-2006-file-loggers/console/libgnt/.svn/text-base/gntmain.c.svn-base
> Vulnerability in :         fprintf(file, start)  args: 2 instead of 3, 
> around line: 343
> Missing format string
> Vulnerability in :         fprintf(file, end)  args: 2 instead of 3, 
> around line: 347
> Missing format string

You don't want to check all of svn.  You should be checking only
trunk/, most likely.  In particular, you do *not* want to check old
tags (as you have).

> gaim/tags/v2_0_0beta5/console/libgnt/.svn/text-base/gntwm.c.svn-base
> Vulnerability in :         fprintf(file, start)  args: 2 instead of 3, 
> around line: 351
> Missing format string
> Vulnerability in :         fprintf(file, end)  args: 2 instead of 3, 
> around line: 355
> Missing format string

You do not want to check both the .c files and the .svn/text-base
copies of the same file.  This will *double* the number of hits you
think you have found.

Additionally, this is a macro, and the macro does *not* constitute an
error in and of itself -- this is a bug in your analyzer, which a
standard static analysis tool would probably have handled correctly.

> gaim/trunk/libgaim/plugins/mono/loader/debug-glue.c
> Vulnerability in :     gaim_debug(type, ccat, cstr)  args: 3 instead of 
> 4, around line: 12
> Missing format string

This is the first error that is even in trunk; almost all of the
previous errors are scads upon scads of duplicates, reporting the same
error in the same code over and over due to a misunderstanding of svn
branches and workspace format.  This is *not* an error, gaim_debug
does *not* require four arguments unless the third argument contains
expandos.  This is a bug in your analyzer.

There are no other bugs reported in svn trunk.

I appreciate what you are trying to do here, but your tool is going to
need a lot more work before it provides us with much useful output.
Given that we are already audited in an automated fashion by coverity,
probably most of the bugs like what you are looking for have already
been found, if a naive static analyzer can find them.

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://pidgin.im/cgi-bin/mailman/private/cabal/attachments/20070104/def86099/attachment-0001.pgp

More information about the Cabal mailing list