SecureCoding-5.31

Passing a non-null-terminated character sequence to a library function that expects a string

Required inputs: IR

Rule description is currently unavailable for legal reasons.

Possible Messages

Key	Text	Severity	Disabled
non-null-termination	Do not pass a non-null-terminated character sequence to a library function that expects a string.	None	False

Options

• This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity

• The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

excluded_arguments

excluded_arguments

Type: dict[bauhaus.analysis.config.QualifiedName, set[int]]

Default:

{
   'snprintf': {0},
   'sprintf': {0},
   'strcpy': {0},
   'strncpy': {0},
   'strxfrm': {0},
   'vsprintf': {0},
   'wcscpy': {0},
   'wcsncpy': {0}
}

Arguments that should not be checked for entries in functions_under_test; first argument/parameter has index 0.

 

functions_under_test

functions_under_test

Type: set[bauhaus.analysis.config.QualifiedName]

Default: {'c16rtomb', 'c32rtomb', 'fputws', 'fscanf', 'fwprintf', 'fwscanf', 'mbrtoc16', 'mbrtoc32', 'printf', 'scanf', 'snprintf', 'sprintf', 'sscanf', 'strcat', 'strchr', 'strcmp', 'strcoll', 'strcpy', 'strcspn', 'strftime', 'strlen', 'strncat', 'strncmp', 'strncpy', 'strpbrk', 'strrchr', 'strspn', 'strtok', 'strxfrm', 'swprintf', 'swscanf', 'vfprintf', 'vfscanf', 'vprintf', 'vscanf', 'vsnprintf', 'vsprintf', 'vsscanf', 'vswprintf', 'vswscanf', 'vwprintf', 'wcschr', 'wcscmp', 'wcscoll', 'wcscpy', 'wcscspn', 'wcsftime', 'wcslen', 'wcsncat', 'wcsncmp', 'wcsncpy', 'wcspbrk', 'wcsrchr', 'wcsspn', 'wcsstr', 'wcstod', 'wcstof', 'wcstok', 'wcstol', 'wcstold', 'wcstoll', 'wcstoul', 'wcstoull', 'wcsxfrm', 'wprintf', 'wscanf'}

Functions which should not use non-null-terminated character sequences for their arguments. All arguments of type pointer to integral type (char, int, etc.) are checked. You can use excluded_arguments if you want to restrict the considered arguments.

 

use_static_semantic_analysis

use_static_semantic_analysis : bool = True

Whether the rule should use the results of the StaticSemanticAnalysis to check for non-null-terminated arguments. This can produce more findings, as additional appearances of unterminated character sequences are investigated, but can also remove false positives. This will not enforce StaticSemanticAnalysis to be enabled, but will not produce any additional results if it is not.