mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-30 18:41:56 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
mariadb/tests/code_quality/flawfinder_ignorelist.json

819 lines
27 KiB
JSON
Raw Normal View History

All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
{
"$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "Flawfinder",
"version": "2.0.19",
"informationUri": "https://dwheeler.com/flawfinder/",
"supportedTaxonomies": [
{
"name": "CWE",
"guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
}
]
}
},
"columnKind": "utf16CodeUnits",
"results": [
{
"ruleId": "FF1010",
"level": "error",
"message": {
"text": "buffer/strncat:Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) [MS-banned] (CWE-120)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/tokudb/PerconaFT/portability/file.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 5,
"endColumn": 39,
"snippet": {
"text": " strncat(buf, path, TOKU_PATH_MAX);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "02af921b7054342955d8e30b196aa5ffdc3b1ac019e26c92823a7ab171d2b1fa"
},
"rank": 1.0
},
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/tokudb/PerconaFT/ft/logger/logformat.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 5,
"endColumn": 40,
"snippet": {
"text": " chmod(headerpath, S_IRUSR|S_IWUSR);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "085f579f942967e5c81fff75af832721b7b9bc59e54a7a9ebc086065cf56be13"
},
"rank": 1.0
},
{
"ruleId": "FF1035",
"level": "error",
"message": {
"text": "race/readlink:This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. (CWE-362, CWE-20)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/tokudb/PerconaFT/portability/file.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 25,
"endColumn": 63,
"snippet": {
"text": " ssize_t s = readlink(fdname, lname, sizeof lname);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "0dba1d2cdc995ccf30ad8fe5ce3ccf8795bd4f5a207f65c627affa2ef388496c"
},
"rank": 1.0
},
{
"ruleId": "FF1035",
"level": "error",
"message": {
"text": "race/readlink:This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. (CWE-362, CWE-20)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./extra/mariabackup/xtrabackup.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 17,
"endColumn": 57,
"snippet": {
"text": " ssize_t ret = readlink(\"/proc/self/exe\", buf, size-1);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "11523490c7f8cba115bce125bbce94de5cd5e7f66d4dd07a391aac70fbbdd353"
},
"rank": 1.0
},
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./client/mysqltest.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 13,
"endColumn": 38,
"snippet": {
"text": " err_code= chmod(ds_file.str, mode);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "12a7fa6bbd4c81be975838bae2b7b26fe841acaf9804e6d0299188683e230908"
},
"rank": 1.0
},
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
{
"ruleId": "FF1031",
"level": "error",
"message": {
"text": "race/chown:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/columnstore/columnstore/writeengine/shared/we_typeext.h",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 16,
"endColumn": 67,
"snippet": {
"text": " if (fs.chown(fileName.c_str(), uid, gid, funcErrno) == -1)"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "16bbd2ed7b8f86182e8f66980ee23b9e0dfe63a9330b7c16a2c2b81a3e8a9377"
},
"rank": 1.0
},
{
"ruleId": "FF1031",
"level": "error",
"message": {
"text": "race/chown:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/columnstore/columnstore/utils/idbdatafile/PosixFileSystem.cpp",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 18,
"endColumn": 51,
"snippet": {
"text": " if ((ret = ::chown(objectName, p_uid, p_gid)))"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "1882617c363794bedb3e70a4a3be704a3ee928778709b75f971e91ffc7a224b6"
},
"rank": 1.0
},
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/tokudb/PerconaFT/ft/logger/logformat.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 5,
"endColumn": 38,
"snippet": {
"text": " chmod(codepath, S_IRUSR|S_IWUSR);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "2827dedcdf10af2bf4105f3d48e30575238fa2552603cdcb09d536b288808f0e"
},
"rank": 1.0
},
{
"ruleId": "FF1014",
"level": "error",
"message": {
"text": "buffer/gets:Does not check for buffer overflows (CWE-120, CWE-20)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./extra/readline/tilde.c",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 12,
"endColumn": 24,
"snippet": {
"text": " if (!gets (line))"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "34a940ccc6e0248a2cf725e8a0c3f808d1f36d47fc814bd9daadb17f5563d357"
},
"rank": 1.0
},
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
{
"ruleId": "FF1031",
"level": "error",
"message": {
"text": "race/chown:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/columnstore/columnstore/utils/idbdatafile/PosixFileSystem.cpp",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 22,
"endColumn": 51,
"snippet": {
"text": "int PosixFileSystem::chown(const char* objectName,"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "357c9645f4ff806e824ffc5714887bbfaafe92c4387521d0dec855875c0c21e5"
},
"rank": 1.0
},
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./sql/sql_class.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 10,
"endColumn": 28,
"snippet": {
"text": " (void) chmod(path, 0644);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "3f97fd0452062ab69db87a04222a17c37c216c4e28e2ae3622730da8dd070d2e"
},
"rank": 1.0
},
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./mysys/my_chmod.c",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 7,
"endColumn": 25,
"snippet": {
"text": " if (chmod(name, mode))"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "46805eec1d288b072d4edb3214822220d394307195be79a33ec3bce455d14750"
},
"rank": 1.0
},
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
{
"ruleId": "FF1035",
"level": "error",
"message": {
"text": "race/readlink:This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. (CWE-362, CWE-20)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./sql/signal_handler.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 13,
"endColumn": 68,
"snippet": {
"text": " if ((len= readlink(\"/proc/self/cwd\", buff, sizeof(buff)-1)) >= 0)"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "4c4d621e451a67f86c3e999e9dd3ceb2639bf4f63b0a946b7836b01d752ca557"
},
"rank": 1.0
},
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
{
"ruleId": "FF1010",
"level": "error",
"message": {
"text": "buffer/strncat:Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) [MS-banned] (CWE-120)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/tokudb/PerconaFT/ft/tests/recovery-datadir-is-file.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 9,
"endColumn": 47,
"snippet": {
"text": " strncat(buf, testfile, TOKU_PATH_MAX);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "4ca2dff1e35445f7997a9979cdd006d89befcc89922cf5d4a60bc9c07126a78d"
},
"rank": 1.0
},
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
{
"ruleId": "FF1035",
"level": "error",
"message": {
"text": "race/readlink:This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. (CWE-362, CWE-20)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/columnstore/columnstore/primitives/blockcache/fsutils.cpp",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 27,
"endColumn": 79,
"snippet": {
"text": " ssize_t realnamelen = readlink(path.string().c_str(), realname, PATH_MAX);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "52b685022ce9db6c7c332217d74745fc48b65e3e00f2cfdbde8f858d28b8aa9f"
},
"rank": 1.0
},
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
{
"ruleId": "FF1035",
"level": "error",
"message": {
"text": "race/readlink:This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. (CWE-362, CWE-20)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./mysys/my_symlink.c",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 15,
"endColumn": 56,
"snippet": {
"text": " if ((length=readlink(filename, to, FN_REFLEN-1)) < 0)"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "7da5207ac0f5baba73c026472a2d3805eed92931852575db64f513702977dd70"
},
"rank": 1.0
},
{
"ruleId": "FF1031",
"level": "error",
"message": {
"text": "race/chown:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./mysys/my_redel.c",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 7,
"endColumn": 49,
"snippet": {
"text": " if (chown(to, statbuf.st_uid, statbuf.st_gid))"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "97d2cfe4cb9428e812b796eb39c27f28dc8b198ab9655c2aff8c442de39bdcfe"
},
"rank": 1.0
},
{
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"ruleId": "FF1031",
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
"level": "error",
"message": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"text": "race/chown:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"uri": "./storage/columnstore/columnstore/utils/idbdatafile/IDBFileSystem.h",
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
"uriBaseId": "SRCROOT"
},
"region": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"startColumn": 17,
"endColumn": 46,
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
"snippet": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"text": " virtual int chown(const char* objectName,"
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
}
}
}
}
],
"fingerprints": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"contextHash/v1": "9d9d3ce8ec5fe165af2a81280b5f9cccf73ba9fbb388bc2ffff6abdbdeb37458"
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
},
"rank": 1.0
},
{
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"ruleId": "FF1033",
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
"level": "error",
"message": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"uri": "./storage/tokudb/PerconaFT/ft/logger/logformat.cc",
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
"uriBaseId": "SRCROOT"
},
"region": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"startColumn": 9,
"endColumn": 50,
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
"snippet": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"text": " chmod(codepath, S_IRUSR|S_IRGRP|S_IROTH);"
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
}
}
}
}
],
"fingerprints": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"contextHash/v1": "a62b28fca5c6218ee4731e78bb3eacb93604fae20c91c69cccad3834973e70d5"
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
},
"rank": 1.0
},
{
"ruleId": "FF1035",
"level": "error",
"message": {
"text": "race/readlink:This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. (CWE-362, CWE-20)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"uri": "./storage/rocksdb/rocksdb/port/stack_trace.cc",
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
"uriBaseId": "SRCROOT"
},
"region": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"startColumn": 15,
"endColumn": 54,
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
"snippet": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"text": " auto read = readlink(link, name, sizeof(name) - 1);"
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
}
}
}
}
],
"fingerprints": {
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
"contextHash/v1": "acb399f2a4a15ef8da36c47631bc4ee4bcc1bb0577dfbda141d2eb5d7723af40"
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
},
"rank": 1.0
},
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./mysys/my_copy.c",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 9,
"endColumn": 46,
"snippet": {
"text": " if (chmod(to, stat_buff.st_mode & 07777))"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "bddb795a7efbd73a4387bbd33fd4f9e505b4f759d784e5d51f60cc43011ee610"
},
"rank": 1.0
},
{
"ruleId": "FF1031",
"level": "error",
"message": {
"text": "race/chown:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./mysys/my_copy.c",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 9,
"endColumn": 55,
"snippet": {
"text": " if (chown(to, stat_buff.st_uid, stat_buff.st_gid))"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "c63a81105d753de4762cbcab48d9700f7069da3cd9d57bf4329a6d20fad288aa"
},
"rank": 1.0
},
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/tokudb/PerconaFT/ft/logger/logformat.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 9,
"endColumn": 52,
"snippet": {
"text": " chmod(headerpath, S_IRUSR|S_IRGRP|S_IROTH);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "cc51b21d9b803a08b6c619b63abf77f4ca9ce247db0ef1b81f4bd83dfb95f3d8"
},
"rank": 1.0
},
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./sql/mysqld.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 12,
"endColumn": 71,
"snippet": {
"text": " (void) chmod(mysqld_unix_port,S_IFSOCK);\t/* Fix solaris 2.6 bug */"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "d0c4f1302290e2367e246ef7c8d3ea69589cbc4bc148e0efdd4c283fa03cbe01"
},
"rank": 1.0
},
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./mysys/my_redel.c",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 7,
"endColumn": 42,
"snippet": {
"text": " if (chmod(to, statbuf.st_mode & 07777))"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "e11b8df9cbb9e459e4d67a0af5e627b6b1285c78fe23f5a1c823285da96495a8"
},
"rank": 1.0
},
{
"ruleId": "FF1035",
"level": "error",
"message": {
"text": "race/readlink:This accepts filename arguments; if an attacker can move those files or change the link content, a race condition results. Also, it does not terminate with ASCII NUL. (CWE-362, CWE-20)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/tokudb/PerconaFT/portability/file.cc",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 29,
"endColumn": 67,
"snippet": {
"text": " ssize_t n = readlink(fname, symname, MY_MAX_PATH);"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "e307b1923cc852324e3050b3e4423be7ac4d1d64af274b70b897a85b1cde815f"
},
"rank": 1.0
Refactor GitLab cppcheck and update SAST ignorelists Line numbers had to be removed from the ignorelists in order to be diffed against since locations of the same findings can differ across runs. Therefore preprocessing has to be done on the CI findings so that it can be compared to the ignorelist and new findings can be outputted. However, since line numbers have to be removed, a situation occurs where it is difficult to reference the location of findings in code given the output of the CI job. To lessen this pain, change the cppcheck template to include code snippets which make it easier to reference where in the code the finding is referring to, even in the absence of line numbers. Ignorelisting works as before since locations of the finding may change but not the code it is referring to. Furthermore, due to the innate difficulty in maintaining ignorelists across branches and triaging new findings, allow failure as to not have constantly failing pipelines as a result of a new findings that have not been addressed yet. Lastly, update SAST ignorelists to match the newly refactored cppcheck job and the current state of the codebase. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2024-05-11 00:37:05 +00:00
},
{
"ruleId": "FF1031",
"level": "error",
"message": {
"text": "race/chown:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/columnstore/columnstore/utils/idbdatafile/PosixFileSystem.h",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 9,
"endColumn": 38,
"snippet": {
"text": " int chown(const char* objectName,"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "edadf52c51b65383fbcdec8fcf70136a279635c3c98024e456b364d81f9605f7"
},
"rank": 1.0
},
{
"ruleId": "FF1033",
"level": "error",
"message": {
"text": "race/chmod:This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362)."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "./storage/columnstore/columnstore/versioning/BRM/oidserver.cpp",
"uriBaseId": "SRCROOT"
},
"region": {
"startColumn": 13,
"endColumn": 93,
"snippet": {
"text": " chmod(fFilename.c_str(), 0664); // XXXPAT: override umask at least for testing"
}
}
}
}
],
"fingerprints": {
"contextHash/v1": "fab02b6c6609db1b8bb60e7d58130b030d12cced8cf09f8b6ae499171f612a7b"
},
"rank": 1.0
All-green GitLab CI in 10.4 branch Note to mergers: Do not merge this commit to 10.5+. An additional PR will be created for the 10.5 branch which is compatible with later branches. Include cppcheck and FlawFinder for SAST scanning. From 10.6, cherry-picked 12bf5c46 (Remove unused French translations in Connect engine) and c6072ed9 (Ensure that source files contain only valid UTF8 encodings). Necessary for FlawFinder to execute and useful anyway. Removing MSAN build and test as it was not introduced until 10.5 and does not successfully build. Remove failing upgrade test since Fedora installs MariaDB 10.5 and the 10.5->10.4 upgrade rightfully complains Add to skiplist failing test: main.func_math (MDEV-20966) All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2023-03-18 00:19:08 +00:00
}
],
"externalPropertyFileReferences": {
"taxonomies": [
{
"location": {
"uri": "https://raw.githubusercontent.com/sarif-standard/taxonomies/main/CWE_v4.4.sarif"
},
"guid": "FFC64C90-42B6-44CE-8BEB-F6B7DAE649E5"
}
]
}
}
]
}
Reference in a new issue Copy permalink