
SARIF artifact location paths

Open Jeeppler opened this issue 2 years ago • 3 comments

Issue

Flawfinder generates artifact locations starting with a slash (/) or ./. At the same time, and for portability reasons, Flawfinder uses the uriBaseId property in SARIF. However, the idea of uriBaseId is that it is a placeholder that allows the artifactLocation to be relative. The SRCROOT placeholder can then easily be replaced to make absolute paths.

Example

Test project: https://github.com/pwk4m1/Damn_Vulnerable_Device_Driver

Calling Flawfinder like this:

flawfinder --sarif .

Will result in:

{
  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Flawfinder",
          "version": "2.0.19",
          "informationUri": "https://dwheeler.com/flawfinder/",
          "rules": [
            {
              "id": "FF1022",
              "name": "buffer/strlen",
              "shortDescription": {
                "text": "Does not handle strings that are not \\0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126)."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "helpUri": "https://cwe.mitre.org/data/definitions/126.html",
              "relationships": [
                {
                  "target": {
                    "id": "CWE-126",
                    "toolComponent": {
                      "name": "CWE",
                      "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
                    }
                  },
                  "kinds": [
                    "relevant"
                  ]
                }
              ]
            },
            {
              "id": "FF1015",
              "name": "format/sprintf",
              "shortDescription": {
                "text": "Potential format string problem (CWE-134)."
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://cwe.mitre.org/data/definitions/134.html",
              "relationships": [
                {
                  "target": {
                    "id": "CWE-134",
                    "toolComponent": {
                      "name": "CWE",
                      "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
                    }
                  },
                  "kinds": [
                    "relevant"
                  ]
                }
              ]
            }
          ],
          "supportedTaxonomies": [
            {
              "name": "CWE",
              "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
            }
          ]
        }
      },
      "columnKind": "utf16CodeUnits",
      "results": [
        {
          "ruleId": "FF1022",
          "level": "note",
          "message": {
            "text": "buffer/strlen:Does not handle strings that are not \\0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126)."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "./Damn_Vulnerable_Device_Driver/DVDD.c",
                  "uriBaseId": "SRCROOT"
                },
                "region": {
                  "startLine": 102,
                  "startColumn": 6,
                  "endColumn": 28,
                  "snippet": {
                    "text": "\tif (strlen(buff) != len) {"
                  }
                }
              }
            }
          ],
          "fingerprints": {
            "contextHash/v1": "e4347673c7b5f2f2fe6fbcca2fce047b1823698f122199f1f2c7c602f62d581f"
          },
          "rank": 0.2
        },
        {
          "ruleId": "FF1015",
          "level": "error",
          "message": {
            "text": "format/sprintf:Potential format string problem (CWE-134)."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "./Damn_Vulnerable_Device_Driver/DVDD.c",
                  "uriBaseId": "SRCROOT"
                },
                "region": {
                  "startLine": 106,
                  "startColumn": 2,
                  "endColumn": 34,
                  "snippet": {
                    "text": "\tsprintf(diode->data, buff, len);"
                  }
                }
              }
            }
          ],
          "fingerprints": {
            "contextHash/v1": "f6bfebb1bd7afaa981eb091cc3ddf89686b6dc50e4ede92d76c48046e4ae266c"
          },
          "rank": 0.8
        }
      ],
      "externalPropertyFileReferences": {
        "taxonomies": [
          {
            "location": {
              "uri": "https://raw.githubusercontent.com/sarif-standard/taxonomies/main/CWE_v4.4.sarif"
            },
            "guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
          }
        ]
      }
    }
  ]
}

Instead of "uri": "./Damn_Vulnerable_Device_Driver/DVDD.c", it should be "uri": "Damn_Vulnerable_Device_Driver/DVDD.c".

Solution

Improve the SARIF output by removing the slash / in front of the result.

              "physicalLocation": {
                "artifactLocation": {
                  "uri": "Damn_Vulnerable_Device_Driver/DVDD.c",
                  "uriBaseId": "SRCROOT"
                },

Jeeppler avatar Feb 18 '22 18:02 Jeeppler
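The following is an added example (not Flawfinder's own code) that shows what the issue describes: a small post-processor that strips the leading "./" or "/" from every artifactLocation.uri that carries a uriBaseId, plus a resolver that joins the relative uri onto a base URI the way a SARIF consumer does. The sample log is a constructed, trimmed-down copy of the Flawfinder output shown above, and the SRCROOT base URI (file:///home/ci/src/) is an assumed consumer-supplied value, since the log itself carries no originalUriBaseIds.

```python
import copy
import json
from urllib.parse import urljoin

# Constructed minimal SARIF log modelled on the Flawfinder output in the
# issue; only the fields the example needs are kept.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "Flawfinder", "version": "2.0.19"}},
            "results": [
                {
                    "ruleId": "FF1022",
                    "level": "note",
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "./Damn_Vulnerable_Device_Driver/DVDD.c",
                                    "uriBaseId": "SRCROOT",
                                },
                                "region": {"startLine": 102},
                            }
                        }
                    ],
                },
                {
                    "ruleId": "FF1015",
                    "level": "error",
                    "locations": [
                        {
                            "physicalLocation": {
                                "artifactLocation": {
                                    "uri": "/Damn_Vulnerable_Device_Driver/DVDD.c",
                                    "uriBaseId": "SRCROOT",
                                },
                                "region": {"startLine": 106},
                            }
                        }
                    ],
                },
            ],
        }
    ],
}

# Assumed consumer-side mapping from uriBaseId to an absolute base URI.
# SARIF requires the base to end with "/" so relative references join cleanly.
ASSUMED_BASE_IDS = {"SRCROOT": "file:///home/ci/src/"}


def normalize_artifact_uri(uri):
    """Return a URI that is relative to its uriBaseId: drop any number of
    leading "./" segments and any leading slashes."""
    while uri.startswith("./"):
        uri = uri[2:]
    return uri.lstrip("/")


def normalize_sarif(log):
    """Return a deep copy of the log in which every artifactLocation that has
    a uriBaseId carries a relative uri. Locations without uriBaseId are left
    alone, since their uri is meant to be absolute or self-contained."""
    fixed = copy.deepcopy(log)
    for run in fixed.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation")
                if art and "uriBaseId" in art and "uri" in art:
                    art["uri"] = normalize_artifact_uri(art["uri"])
    return fixed


def resolve_artifact_uri(artifact_location, base_ids):
    """Resolve an artifactLocation against a uriBaseId -> base URI mapping.
    urljoin follows RFC 3986: a reference starting with "/" replaces the
    whole base path, so a leading slash silently discards SRCROOT."""
    base = base_ids[artifact_location["uriBaseId"]]
    return urljoin(base, artifact_location["uri"])


def resolved_uris(log, base_ids):
    """Resolve every result location in the log; used to compare raw vs fixed."""
    out = []
    for run in log.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                art = loc["physicalLocation"]["artifactLocation"]
                out.append(resolve_artifact_uri(art, base_ids))
    return out


if __name__ == "__main__":
    print("raw:  ", resolved_uris(SAMPLE_SARIF, ASSUMED_BASE_IDS))
    fixed_log = normalize_sarif(SAMPLE_SARIF)
    print("fixed:", resolved_uris(fixed_log, ASSUMED_BASE_IDS))
    print(json.dumps(fixed_log["runs"][0]["results"][0]["locations"][0], indent=2))
```

Running it shows the practical difference: the "./" form happens to resolve to the right file, but the "/" form resolves to file:///Damn_Vulnerable_Device_Driver/DVDD.c, with the SRCROOT base lost entirely, which is why a uri paired with a uriBaseId should be plain relative.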

Dup of #66, or at least related?

cooljeanius avatar Oct 14 '23 01:10 cooljeanius

@cooljeanius no, this issue has nothing to do with issue #66; they are not related in any way. This issue is about the artifact location of findings, as opposed to issue #66, which is about links to additional help resources in rules.

Jeeppler avatar Oct 16 '23 07:10 Jeeppler

oh sorry, I guess I just got confused by the "uri" stuff...

cooljeanius avatar Oct 16 '23 07:10 cooljeanius