QuandaryBO now filters out Quandary and InferBO issues when the corresponding checker is not enabled (`Config.quandary` / `Config.bufferoverrun` off), so only the merged QuandaryBO reports remain.

Reviewed By: mbouaziz

Differential Revision: D9875715

fbshipit-source-id: bf7c0b96d
master
Julian Sutherland 6 years ago committed by Facebook Github Bot
parent 5cf66f6da8
commit f6afe3a092

@ -1037,9 +1037,7 @@ let pp_summary_and_issues formats_by_report_kind issue_formats =
all_issues := all_issues :=
process_summary filters formats_by_report_kind linereader stats summary !all_issues ) ; process_summary filters formats_by_report_kind linereader stats summary !all_issues ) ;
all_issues := Issue.sort_filter_issues !all_issues ; all_issues := Issue.sort_filter_issues !all_issues ;
( if Config.quandaryBO then if Config.quandaryBO then all_issues := QuandaryBO.update_issues !all_issues ;
let quandaryBO_issues = QuandaryBO.get_issues !all_issues in
all_issues := List.rev_append !all_issues quandaryBO_issues ) ;
List.iter List.iter
~f:(fun ({Issue.proc_name} as issue) -> ~f:(fun ({Issue.proc_name} as issue) ->
let error_filter = error_filter filters proc_name in let error_filter = error_filter filters proc_name in
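Review bot: The new call on the `if Config.quandaryBO` line runs after `Issue.sort_filter_issues`, and `QuandaryBO.update_issues` ends in a `List.rev_append`, so the sorted, filtered list comes back reversed with the merged issues appended unsorted. If report order matters downstream, consider making sorting the last step: `if Config.quandaryBO then all_issues := QuandaryBO.update_issues !all_issues ; all_issues := Issue.sort_filter_issues !all_issues ;`. The removed code had the same ordering, so this is pre-existing rather than introduced here, and whether `merge_issues` relies on sorted input is not visible in this hunk. `pp_summary_and_issues` starts before this hunk and continues past it.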

@ -7,7 +7,7 @@
open! IStd open! IStd
let get_issues all_issues = let update_issues all_issues =
let quandary_bug_names = let quandary_bug_names =
IssueType.[untrusted_buffer_access; untrusted_heap_allocation; untrusted_variable_length_array] IssueType.[untrusted_buffer_access; untrusted_heap_allocation; untrusted_variable_length_array]
in in
@ -68,4 +68,30 @@ let get_issues all_issues =
in in
(* Can merge List.map, List.concat_map and List.filter_map into a single fold. *) (* Can merge List.map, List.concat_map and List.filter_map into a single fold. *)
let quandaryBO_issues = List.map ~f:merge_issues paired_issues in let quandaryBO_issues = List.map ~f:merge_issues paired_issues in
quandaryBO_issues let quandary_issuetypes =
IssueType.
[ quandary_taint_error
; shell_injection
; shell_injection_risk
; sql_injection
; sql_injection_risk
; untrusted_buffer_access
; untrusted_file_risk
; untrusted_heap_allocation
; untrusted_url_risk
; untrusted_variable_length_array
; user_controlled_sql_risk ]
in
let inferBO_issuetypes = inferbo_bug_names in
let all_issues_filtered =
List.filter
~f:(fun issue ->
( Config.quandary
|| not (List.mem quandary_issuetypes issue.Issue.err_key.err_name ~equal:IssueType.equal)
)
&& ( Config.bufferoverrun
|| not (List.mem inferBO_issuetypes issue.Issue.err_key.err_name ~equal:IssueType.equal)
) )
all_issues
in
List.rev_append all_issues_filtered quandaryBO_issues
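Review bot: `quandary_issuetypes` is a hand-maintained copy of Quandary's issue kinds, whereas the InferBO side reuses `inferbo_bug_names`; any Quandary issue type added later without touching this list will slip past the filter when `Config.quandary` is off, and the three `untrusted_*` names are already duplicated from `quandary_bug_names` above. Prefer one shared definition owned by the Quandary checker (or `IssueType`) and reuse it here the way `let inferBO_issuetypes = inferbo_bug_names` does. The `Config.*` reads and `List.mem` tests inside the `List.filter` closure would also read better as a named predicate, e.g. `let is_quandary name = List.mem quandary_issuetypes name ~equal:IssueType.equal in`. Finally, `List.rev_append` hands back the kept issues in reverse order; if that is intended, a one-line comment saying so would save the next reader a check.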

@ -7,4 +7,4 @@
open! IStd open! IStd
val get_issues : Issue.t list -> Issue.t list val update_issues : Issue.t list -> Issue.t list
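Review bot: The renamed `update_issues` now rewrites the input list (drops issues of disabled checkers, reverses order, appends the merged issues) instead of returning only the merged QuandaryBO issues as `get_issues` did, yet the signature carries no doc comment, so a caller cannot tell it filters. Add above `val update_issues`: `(** [update_issues issues] removes Quandary issues when [Config.quandary] is off and InferBO issues when [Config.bufferoverrun] is off, then appends the merged QuandaryBO issues. The result is not in the input order. *)`.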

@ -1,6 +1,3 @@
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, BUFFER_OVERRUN_U5, no_bucket, ERROR, [ArrayDeclaration,Unknown value from: __infer_taint_source,Assignment,ArrayAccess: Offset: [-oo, +oo] Size: 10]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,ArrayDeclaration,Unknown value from: __infer_taint_source,Assignment,ArrayAccess: Offset: [-oo, +oo] Size: 10] codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0,-----------,ArrayDeclaration,Unknown value from: __infer_taint_source,Assignment,ArrayAccess: Offset: [-oo, +oo] Size: 10]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, basic_bad, 3, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source,Call to __array_access with tainted index 0] codetoanalyze/cpp/quandaryBO/tainted_index.cpp, memory_alloc_bad2, 3, TAINTED_MEMORY_ALLOCATION, no_bucket, ERROR, [Return from __infer_taint_source,Call to __set_array_length with tainted index 1,-----------,Unknown value from: __infer_taint_source,Assignment,Alloc: Length: [-oo, 2147483647]]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, BUFFER_OVERRUN_U5, no_bucket, ERROR, [Call,Unknown value from: __infer_taint_source,Assignment,Return,Assignment,Call,ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Return,Assignment,Call,ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ] codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, TAINTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0,-----------,Call,Unknown value from: __infer_taint_source,Assignment,Return,Assignment,Call,ArrayDeclaration,Parameter: i,ArrayAccess: Offset: [1, +oo] Size: 10 by call to `multi_level_sink_bad` ]
codetoanalyze/cpp/quandaryBO/tainted_index.cpp, multi_level_bad, 2, UNTRUSTED_BUFFER_ACCESS, no_bucket, ERROR, [Return from __infer_taint_source with tainted data return*,Return from multi_level_source_bad,Call to multi_level_sink_bad with tainted index 0,Call to __array_access with tainted index 0]

@ -24,3 +24,12 @@ void multi_level_bad() {
int i = multi_level_source_bad(); int i = multi_level_source_bad();
multi_level_sink_bad(i); multi_level_sink_bad(i);
} }
void memory_alloc_bad1_FN() { int arr[__infer_taint_source()]; }
void memory_alloc_bad2() {
int s = __infer_taint_source();
if (s <= 2147483647) {
int arr[s];
}
}
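Review bot: `if (s <= 2147483647)` in `memory_alloc_bad2` is a tautology for a 32-bit `int` (2147483647 is INT_MAX), so it does not bound the VLA size at run time and only shapes the analyzer's interval, which is why the expected report shows `Length: [-oo, 2147483647]` with the lower bound still unbounded. Since a negative or huge VLA length is undefined behavior, the test should say the guard is analysis scaffolding rather than a real check, e.g. `// tautological for int: keeps InferBO's upper bound finite; lower bound stays -oo`, or spell it `INT_MAX` so the intent is obvious. `memory_alloc_bad1_FN` likewise deserves a one-line comment naming the known false negative it documents.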
