Fraunhofer-AISEC / codyze

Codyze is a static analyzer for Java, C, C++ based on code property graphs
https://www.codyze.io
Apache License 2.0
87 stars 18 forks

Introduce Length Type Keyword #876

Open CodingDepot opened 4 months ago

CodingDepot commented 4 months ago

This adds the new Length() Type to use in Coko queries. This enables rules to verify the length of an argument, e.g. how many bytes a salt parameter can assume. One issue with the implementation is that when the length cannot be determined (length == -1), false positives may be produced. The current evaluator structure makes it hard to propagate an open result from the length check to the Finding. (Refer to #886)

Additionally, this PR includes an optimization for Ranges given as arguments for Only and Never evaluators: By only verifying that every possible value lies within the upper and lower bounds of the range we do not have to iterate over every value in the range. This is especially noticeable when specifying a huge range of allowed parameter values.

Tasks:
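As an added illustration (not code from this PR or from Codyze itself), the following sketch shows the two points the description above makes: an "Only"/"Never" check over a range compares each possible argument value against the range bounds instead of walking every value of the range, and a length the analysis could not resolve (-1) is reported as an open result rather than as a violation. The names `PossibleLengths`, `only`, `never` and `Result` are assumptions for this example, not Coko API.

```kotlin
// Added example, not Codyze code. Hypothetical names throughout.

enum class Result { VALID, INVALID, OPEN }

/** Possible lengths of an argument as a static analysis would collect them; -1 means "unknown". */
data class PossibleLengths(val values: Set<Int>) {
    val unknown: Boolean get() = -1 in values
    val known: Set<Int> get() = values.filter { it >= 0 }.toSet()
}

/** "Only": every possible value must lie in the allowed range. */
fun only(lengths: PossibleLengths, allowed: IntRange): Result {
    // Compare each candidate against the two bounds; no iteration over `allowed`,
    // so a huge range such as 16..1_000_000 costs the same as a small one.
    val allInside = lengths.known.all { it >= allowed.first && it <= allowed.last }
    return when {
        !allInside -> Result.INVALID     // at least one value provably outside
        lengths.unknown -> Result.OPEN   // nothing provably wrong, but not provably right either
        else -> Result.VALID
    }
}

/** "Never": no possible value may lie in the forbidden range. */
fun never(lengths: PossibleLengths, forbidden: IntRange): Result {
    val anyInside = lengths.known.any { it >= forbidden.first && it <= forbidden.last }
    return when {
        anyInside -> Result.INVALID
        lengths.unknown -> Result.OPEN
        else -> Result.VALID
    }
}

fun main() {
    // Constructed sample: a salt argument whose length resolves to 16 or 32 bytes on different paths.
    val salt = PossibleLengths(setOf(16, 32))
    println("only 16..64: " + only(salt, 16..64))
    println("only 32..64: " + only(salt, 32..64))
    println("never 0..8:  " + never(salt, 0..8))

    // A length the analysis could not resolve on one path: reported as OPEN, not as a finding.
    val dynamic = PossibleLengths(setOf(-1, 16))
    println("only 16..64 with unknown: " + only(dynamic, 16..64))
}
```

The design choice worth noting is the ordering in `only`: a value that is provably outside the range still yields INVALID even when another path is unknown, while the unknown length alone yields OPEN, which is the distinction the description says is hard to propagate to the Finding in the current evaluator structure.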

codecov[bot] commented 4 months ago

Codecov Report

Attention: Patch coverage is 78.94737% with 4 lines in your changes missing coverage. Please review.

Project coverage is 77.22%. Comparing base (6377273) to head (a60f69b). Report is 5 commits behind head on main.

| Files | Patch % | Lines |
|---|---|---|
| .../codyze/backends/cpg/coko/dsl/ImplementationDsl.kt | 77.77% | 1 Missing and 3 partials :warning: |
Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #876      +/-   ##
============================================
+ Coverage   77.20%   77.22%   +0.01%
  Complexity    250      250
============================================
  Files          59       59
  Lines        1882     1901      +19
  Branches      265      273       +8
============================================
+ Hits         1453     1468      +15
- Misses        308      309       +1
- Partials      121      124       +3
```

| [Flag](https://app.codecov.io/gh/Fraunhofer-AISEC/codyze/pull/876/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Fraunhofer-AISEC) | Coverage Δ | |
|---|---|---|
| [unittests](https://app.codecov.io/gh/Fraunhofer-AISEC/codyze/pull/876/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Fraunhofer-AISEC) | `77.22% <78.94%> (+0.01%)` | :arrow_up: |

Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=Fraunhofer-AISEC#carryforward-flags-in-the-pull-request-comment) to find out more.


CodingDepot commented 3 months ago

This PR is waiting for an update to the SizeEvaluator in the CPG to cover more cases

CodingDepot commented 3 months ago

Moved everything regarding the new OPEN result into #886.