[cfe-commits] [PATCH] review request: strcpy() security checker CWE-119

Ted Kremenek kremenek at apple.com
Thu Mar 31 13:04:35 PDT 2011


On Mar 31, 2011, at 12:34 PM, Lenny Maiorani wrote:

> While I am at it, poking around in the string functions, here is a security syntax checker for strcpy() which causes the Static Analyzer to generate a warning any time the strcpy() function is used with a note suggesting to use a function which provides bounded buffers.

I think this looks great.  Comments below.

> I included in the warning description the CWE number. Is this useful?

Yes that is useful.  This is actually a "documentation reference"; it would be great to eventually extend the analyzer (and compiler) diagnostic subsystems to have references to different kinds of external documentation.  CWE is great for people who care about security documents.  Eventually I would hope this not to appear in the diagnostic text itself, but be a link to the actual documentation.

> 
> Should the warning description also contain suggestions like strncpy() and strlcpy()? Since there are a number of options I left that suggestion out in lieu of the CWE number.

I think mentioning strncpy() is useful since it is so common.  Eventually, I'd like static analyzer diagnostics to also support "notes", just like Clang compiler warnings.  Information like this would be great to have as notes, instead of part of the actual diagnostic.  Moreover, since all of these checks are purely syntactic, it is conceivable that we will move them directly into the frontend (where they can be notes).
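To make the kind of purely syntactic check discussed above concrete, here is a small token-level scanner added as an illustration. It is not the checker from Lenny's patch (which works on Clang's AST rather than raw text); the diagnostic wording, the `scan_for_strcpy` function and the sample source it runs over are all constructed for this example. It reports each `strcpy(` call site with a line:column location and the CWE-119 reference, and ignores the same spelling inside comments, string literals and longer identifiers such as `strncpy` or `my_strcpy`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Diagnostic text for the checker described in the thread. The wording is a
   constructed approximation, not copied from the posted patch. */
static const char kStrcpyWarning[] =
    "call to 'strcpy' is insecure because it does not bound the destination "
    "buffer; use a length-checked function such as 'strncpy' (CWE-119)";

/* Constructed sample input: the source text a checker would be run over. */
static const char kSample[] =
    "#include <string.h>\n"
    "void f(char *dst, const char *src) {\n"
    "    strcpy(dst, src);        /* flagged */\n"
    "    strncpy(dst, src, 16);   /* bounded: not flagged */\n"
    "    my_strcpy(dst, src);     /* different identifier: not flagged */\n"
    "    // strcpy(dst, src);     commented out: not flagged\n"
    "    puts(\"strcpy(\");       /* inside a string literal: not flagged */\n"
    "    strcpy (dst, src);       /* whitespace before '(' still counts */\n"
    "}\n";

/* Scans `src` token by token for calls to strcpy(), skipping comments and
   string literals so that the text "strcpy" in those contexts is ignored.
   A call site is an identifier exactly equal to "strcpy" followed, after
   optional blanks, by '('. Writes one line:col diagnostic per site to `out`
   (NULL suppresses output) and returns the number of sites found. */
int scan_for_strcpy(const char *src, FILE *out)
{
    int count = 0, line = 1;
    const char *p = src, *line_start = src;

    while (*p) {
        if (*p == '\n') {
            line++;
            line_start = ++p;
        } else if (p[0] == '/' && p[1] == '/') {          /* line comment */
            while (*p && *p != '\n')
                p++;
        } else if (p[0] == '/' && p[1] == '*') {          /* block comment */
            p += 2;
            while (*p && !(p[0] == '*' && p[1] == '/')) {
                if (*p == '\n') {
                    line++;
                    line_start = p + 1;
                }
                p++;
            }
            if (*p)
                p += 2;
        } else if (*p == '"') {                           /* string literal */
            p++;
            while (*p && *p != '"') {
                if (*p == '\\' && p[1])
                    p++;                                  /* skip escaped char */
                p++;
            }
            if (*p)
                p++;
        } else if (isalnum((unsigned char)*p) || *p == '_') {  /* identifier or number */
            const char *start = p;
            while (isalnum((unsigned char)*p) || *p == '_')
                p++;
            if (p - start == 6 && strncmp(start, "strcpy", 6) == 0) {
                const char *q = p;
                while (*q == ' ' || *q == '\t')
                    q++;
                if (*q == '(') {
                    count++;
                    if (out)
                        fprintf(out, "%d:%ld: warning: %s\n", line,
                                (long)(start - line_start + 1), kStrcpyWarning);
                }
            }
        } else {
            p++;
        }
    }
    return count;
}

int main(void)
{
    int n = scan_for_strcpy(kSample, stdout);
    printf("%d strcpy() call site(s) found\n", n);
    return 0;
}
```

Running it over the constructed sample reports two sites (lines 3 and 8). A text scanner like this is only a sketch of the idea: it cannot tell a call to the C library's strcpy from a call to a local function of the same name in another scope, which is exactly why the real check lives in the analyzer, where it sees resolved declarations rather than spellings.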


