david-a-wheeler / flawfinder

a static analysis tool for finding vulnerabilities in C/C++ source code
GNU General Public License v2.0

flawfinder is confused by __attribute__((format(printf,..))) syntax #27

Open zyga opened 3 years ago

zyga commented 3 years ago

I've tried flawfinder on my zt library:

zt.c:35:  [4] (format) printf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.

This refers to https://github.com/zyga/libzt/blob/main/zt.c#L35 - reproduced below for simplicity:

#define ZT_FORMAT_PRINTF(a, b) __attribute__((format(printf, a, b)))

david-a-wheeler commented 3 years ago

What would you suggest?

One "simple" approach is to just ignore everything inside __attribute__(), since it doesn't actually call anything, it just declares attributes.

zyga commented 3 years ago

I'm not deeply familiar with the internals of flawfinder. One suggestion would be to pre-process the input text and then figure out this is an attribute and not a function call. I'm not sure if this is something that is in scope. Another suggestion is to special case __attribute__ and simply ignore it.

david-a-wheeler commented 3 years ago

Although it'd take a little effort, it would be possible to skip everything inside __attribute__.

I don't know if __attribute__ is used often enough in code to be worthwhile; it's not practical for flawfinder to never report a false positive.
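The "skip everything inside __attribute__" idea from the two comments above, as an added Python sketch that is not flawfinder's own code: the sample C source, the toy printf rule and the function names are constructed for illustration, and the check only approximates flawfinder's CWE-134 report.

```python
import re

# Constructed sample: the format-attribute macro from the report (a false
# positive) next to a real non-constant format string and a constant one.
SAMPLE = """\
#define ZT_FORMAT_PRINTF(a, b) __attribute__((format(printf, a, b)))

void log_msg(const char *fmt, ...) ZT_FORMAT_PRINTF(1, 2);

void bad(const char *user) {
    printf(user);        /* format string comes from the caller */
}

void good(void) {
    printf("%d\\n", 42);  /* constant format string */
}
"""

# Toy CWE-134 rule: any mention of printf whose first argument is not
# visibly a string literal. A bare "printf" inside the attribute has no
# argument list at all, which is exactly why the macro line gets flagged.
PRINTF_RE = re.compile(r'\bprintf\b\s*(?:\(\s*([^,)]*))?')

def blank_attributes(src):
    """Overwrite every __attribute__((...)) span with spaces, matching
    parentheses by depth. Newlines are kept so line numbers stay valid."""
    out = list(src)
    for m in re.finditer(r'__attribute__\s*\(', src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'(': 1, ')': -1}.get(src[i], 0)
            i += 1
        for k in range(m.start(), i):
            if out[k] != '\n':
                out[k] = ' '
    return ''.join(out)

def find_format_issues(src, skip_attributes=True):
    """Return (line, first_arg) for each printf mention with a non-literal
    format; skip_attributes=False reproduces the false positive."""
    text = blank_attributes(src) if skip_attributes else src
    hits = []
    for m in PRINTF_RE.finditer(text):
        arg = (m.group(1) or '').strip()
        if not arg.startswith('"'):
            hits.append((text.count('\n', 0, m.start()) + 1, arg))
    return hits

if __name__ == '__main__':
    print(find_format_issues(SAMPLE, skip_attributes=False))  # [(1, ''), (6, 'user')]
    print(find_format_issues(SAMPLE))                         # [(6, 'user')]
```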