CWE items mapped to Goanna checks

Common Weakness Enumeration (CWE) is a widely accepted, community-developed list of general software vulnerabilities. The CWE website, which contains detailed definitions of each weakness, is here.

Over the last couple of weeks, I’ve been looking into how Goanna maps to the current CWE list. That is, for each of Goanna’s (currently) 100 checks, I’ve reported the CWE items that may be the cause of a warning. I’ve also reported on the mapping in the other direction: for each CWE item, the checks that may report on it are listed. These two mappings are tabulated below.

The table on the left lists all the CWE items that are identified by Goanna, along with each check that may warn about code with each weakness. Code with one of the listed weaknesses will not necessarily fail each associated check, but it may fail some. This table is useful for identifying the checks that are designed to find certain weaknesses. This may help identify the checks that should be enabled or disabled, in order to get the most useful feedback from Goanna.

The table on the right lists each check performed by Goanna, along with each CWE item that may cause the check to fail and yield a warning. The table can be useful for identifying the potential weaknesses in code, based on the warning that Goanna provides.

In the Goanna userguides with the next release, the relevant CWE IDs (from the table on the right) will appear with the detailed descriptions of each check. These two tables will also be included, and updated as more checks are added.

These results are comparable to thosee market-leading analysis tools, and while there is some overlap, there are many CWE items that some leading tools don’t find, such as mismatching the standard and array versions of the new and delete operators, dismissing return values of certain library functions, and the use of uninitialized pointers, just to name a few.

Goanna can currently identify 41 CWE items, including many of the most serious (null pointer dereferences, memory leaks and array index violations), and 61% of our current checks identify the existence of at least one of these vulnerabilities.  Combine this with our relatively low rate of false positives compared to competing tools, and it’s easy to see that Goanna is essential for efficiently finding the most serious vulnerabilities in any software project.

CWE ID Goanna check name Goanna check name CWE mapping
120 ARR-inv-index ARR-inv-index 120, 121, 805
ARR-inv-index-pos ARR-inv-index-pos 120, 121, 119, 805
121 ARR-inv-index ARR-neg-index 124
ARR-inv-index-pos ATH-cmp-float 480
124 ARR-neg-index ATH-cmp-unsign-neg
193 ARR-inv-index-pos ATH-cmp-unsign-pos
252 LIB-return-leak ATH-div-0 369
369 ATH-div-0 ATH-div-0-aft-assign 369
ATH-div-0-aft-assign ATH-div-0-aft-cmp 369
ATH-div-0-aft-cmp ATH-div-0-bef-cmp 369
ATH-div-0-bef-cmp ATH-div-0-interval 369
ATH-div-0-interval ATH-inc-bool 480
394 LIB-return-leak ATH-neg-check-nonneg
401 MEM-lose-assign ATH-neg-check-pos
RED-unused-val-ptr ATH-shift-bounds
404 MEM-delete-array-op ATH-shift-bounds-zero
MEM-delete-op ATH-sizeof-by-sizeof 480
MEM-free-op COP-alloc-ctor
415 MEM-double-free COP-assign-op
416 MEM-use-free-all COP-assign-op-ret
MEM-use-free-some COP-assign-op-self
456 COP-member-uninit COP-copy-ctor
457 SPC-uninit-arr-all COP-dealloc-dtor
SPC-uninit-struct COP-dtor
SPC-uninit-struct-field COP-init-order
SPC-uninit-var-all COP-member-uninit 456
SPC-uninit-var-some builtin_ctor_dto_leak
466 MEM-stack-global CPU-ctor-call-virt
MEM-stack-param CPU-dtor-call-virt
MEM-stack-param-ref CPU-malloc-class
467 MEM-malloc-sizeof-ptr CPU-nonvirt-dtor
476 MEM-free-some EXP-cond-assign 481
PTR-null-assign EXP-dangling-else 483
PTR-null-assign-fun-pos EXP-loop-exit
PTR-null-assign-pos EXP-loop-var-mod
PTR-null-cmp-aft EXP-loop-var-uninit
PTR-null-cmp-bef EXP-main-ret-int
PTR-null-cmp-bef-fun EXP-null-stmt 480
PTR-null-const-pos FPT-arith 480
PTR-null-pos-assign FPT-cmp-null 480
480 ATH-cmp-float LIB-return-leak 252, 394
ATH-inc-bool MEM-delete-array-op 404, 762
ATH-sizeof-by-sizeof MEM-delete-op 404, 762
EXP-null-stmt MEM-double-free 415
FPT-arith MEM-free-op 404, 762
FPT-cmp-null MEM-free-some 476
RED-self-assign MEM-free-variable 590
481 EXP-cond-assign MEM-lose-assign 401, 772
482 RED-no-effect MEM-malloc-arith
483 EXP-dangling-else MEM-malloc-sizeof
561 RED-dead MEM-malloc-sizeof-ptr 467
562 SPC-ret-stack MEM-stack-global 466
563 RED-unused-val MEM-stack-param 466
RED-unused-val-ptr MEM-stack-param-ref 466
RED-unused-var-all MEM-use-free-all 416
570 RED-cmp-never MEM-use-free-some 416
571 RED-cmp-always POR-imp-cast-subscript
RED-const-assign-cond POR-imp-cast-ternary
RED-const-expr-cond PTR-cmp-str-lit 597
572 RED-const-assign-cond PTR-null-assign 476
RED-const-expr-cond PTR-null-assign-fun-pos 476
587 PTR-null-const-pos PTR-null-assign-pos 476
590 MEM-free-variable PTR-null-cmp-aft 476
597 PTR-cmp-str-lit PTR-null-cmp-bef 476
665 PTR-uninit PTR-null-cmp-bef-fun 476
PTR-uninit-pos PTR-null-const-pos 476, 587
696 SPC-order PTR-null-pos-assign 476
762 MEM-delete-array-op PTR-param-unchk 822
MEM-delete-op PTR-param-unchk-some 822
MEM-free-op PTR-uninit 665, 824
772 MEM-lose-assign PTR-uninit-pos 665, 824
805 ARR-inv-index RED-case-reach
ARR-inv-index-pos RED-cmp-always 571
822 PTR-param-unchk RED-cmp-never 570
PTR-param-unchk-some RED-const-assign-cond 571, 572
824 PTR-uninit RED-const-expr-cond 571, 572
PTR-uninit-pos RED-dead 561
RED-expr
RED-local-hides-global
RED-local-hides-local
RED-local-hides-member
RED-local-hides-param
RED-no-effect 482
RED-self-assign 480
RED-unused-param
RED-unused-val 563
RED-unused-val-ptr 401, 563
RED-unused-var-all 563
SEM-const-call
SME-const-global
SEM-pure-call
SEM-pure-global
SPC-order 696
SPC-ret-stack 562
SPC-return
SPC-uninit-arr-al 457
SPC-uninit-struct 457
SPC-uninit-struct-field 457
SPC-uninit-var-all 457
SPC-uninit-var-some 457
No Comments

Post a Comment