Riverside-Software / sonar-openedge

CABL (Code Analyzer for ABL in SonarQube) - ABL ANTLR4 Parser
https://riverside-software.fr
GNU Lesser General Public License v3.0

Usage of external library 'shell32' #935

Closed stefandrissen closed 2 years ago

stefandrissen commented 2 years ago
&scoped-define SHELL32.DLL "shell32"

PROCEDURE ShellExecuteW EXTERNAL {&SHELL32.DLL}.
   DEFINE INPUT          PARAMETER hwnd             AS {&HWND}.
   DEFINE INPUT          PARAMETER lpOperation      AS CHARACTER.
   DEFINE INPUT          PARAMETER lpFile           AS CHARACTER.
   DEFINE INPUT          PARAMETER lpParameters     AS CHARACTER.
   DEFINE INPUT          PARAMETER lpDirectory      AS CHARACTER.

END PROCEDURE.

Is flagged, even though the rule description states:

By default, the standard Microsoft Windows libraries are considered safe, as well as the C library on Unix / Linux

Is this a result of the external not having an extension? (this code has been working fine since the previous millennium).

gquerret commented 2 years ago

That's definitely a FP. I'll double-check the exclusion rules.

stefandrissen commented 2 years ago

Another, which is using a full dll name, is also being flagged:

   PROCEDURE gethostname EXTERNAL "wsock32.dll".
      DEFINE       OUTPUT  PARAMETER p-Hostname      AS CHARACTER.
      DEFINE INPUT         PARAMETER p-Length        AS LONG.
      DEFINE       RETURN  PARAMETER p-Return        AS LONG.
   END PROCEDURE.

And another:

PROCEDURE HttpSendRequestA EXTERNAL "wininet.dll".
   DEFINE INPUT         PARAMETER hRequest         AS LONG.
   DEFINE INPUT         PARAMETER lpszHeaders      AS CHARACTER.
   DEFINE INPUT         PARAMETER dwHeadersLength  AS LONG.
   DEFINE INPUT         PARAMETER lpOptional       AS {&POINTER}.
   DEFINE INPUT         PARAMETER dwOptionalLength AS LONG.
END PROCEDURE.

gquerret commented 2 years ago

The default value now includes a longer list of libraries. Note that you can modify the list directly in the quality profile.
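The three false positives above all come down to how the library name bound to an `EXTERNAL` procedure is resolved and compared against the allow-list. As an added illustration (not CABL's own implementation), the following Python sketch resolves `&scoped-define` macros, normalizes an extension-less name such as `"shell32"` to the same key as `"shell32.dll"`, and still flags a path-qualified library; the allow-list, the regexes and the sample ABL source are all constructed here.

```python
import re

# Constructed ABL source reproducing the issue's cases plus one non-standard library.
SAMPLE_ABL = """
&scoped-define SHELL32.DLL "shell32"
PROCEDURE ShellExecuteW EXTERNAL {&SHELL32.DLL}.
END PROCEDURE.
PROCEDURE gethostname EXTERNAL "wsock32.dll".
END PROCEDURE.
PROCEDURE HttpSendRequestA EXTERNAL "wininet.dll".
END PROCEDURE.
PROCEDURE doThing EXTERNAL "c:/temp/custom.dll".
END PROCEDURE.
"""

# Hypothetical allow-list; the real default list lives in the quality profile.
SAFE_LIBS = {"kernel32", "user32", "shell32", "wsock32", "wininet", "advapi32"}

DEFINE_RE = re.compile(r'&(?:scoped|global)-define\s+(\S+)\s+"([^"]*)"', re.I)
EXTERNAL_RE = re.compile(
    r'PROCEDURE\s+(\S+)\s+EXTERNAL\s+(?:\{&([^}]+)\}|"([^"]*)")', re.I)


def normalize(lib: str) -> str:
    """Lower-case and drop a trailing .dll so 'shell32' and 'SHELL32.DLL' compare equal."""
    name = lib.strip().lower()
    return name[:-4] if name.endswith(".dll") else name


def find_external_procs(source: str):
    """Return [(procedure, resolved library)] for every EXTERNAL procedure.

    A {&MACRO} reference is resolved through the &scoped-define / &global-define
    table; an undefined macro resolves to '' and is therefore flagged below."""
    defines = {k.lower(): v for k, v in DEFINE_RE.findall(source)}
    result = []
    for proc, macro, literal in EXTERNAL_RE.findall(source):
        lib = defines.get(macro.lower(), "") if macro else literal
        result.append((proc, lib))
    return result


def flagged_externals(source: str, safe=SAFE_LIBS):
    """Procedures bound to libraries outside the allow-list.

    A library given with a directory component is never treated as the standard
    system library of the same name, since it may be loaded from a writable path."""
    return [(proc, lib) for proc, lib in find_external_procs(source)
            if "/" in lib or "\\" in lib or normalize(lib) not in safe]
```

Running `flagged_externals(SAMPLE_ABL)` reports only `doThing`, while the three procedures from the issue pass.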