Fully Automated Static Analysis of Fedora Packages

Similar documents
Common Errors in C/C++ Code and Static Analysis

Applying Clang Static Analyzer to Linux Kernel

8.5. <summary> Cppcheck addons Using Cppcheck addons Where to find some Cppcheck addons

Source Code Review Using Static Analysis Tools

Red Hat Developer Toolset 1.1

The C Programming Language course syllabus associate level

How to Build an RPM OVERVIEW UNDERSTANDING THE PROCESS OF BUILDING RPMS. Author: Chris Negus Editor: Allison Pranger 09/16/2011

SWAMP The Software Assurance Market Place

Introduction to Automated Testing

Red Hat Directory Server 8.0 Release Notes

Zend Server 4.0 Beta 2 Release Announcement What s new in Zend Server 4.0 Beta 2 Updates and Improvements Resolved Issues Installation Issues

Static Checking of C Programs for Vulnerabilities. Aaron Brown

Virtuozzo Virtualization SDK

Oracle Solaris Studio Code Analyzer

How to Write a Checker in 24 Hours

Programming Languages CIS 443

Sources: On the Web: Slides will be available on:

Automated build service to facilitate Continuous Delivery

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

Eliminate Memory Errors and Improve Program Stability

Hudson Continous Integration Server. Stefan Saasen,

A Test Suite for Basic CWE Effectiveness. Paul E. Black.

CS 253: Intro to Systems Programming

RTI Routing Service. Release Notes

Koschei. Continuous integration in Koji. Author: Mikolaj Izdebski Date: 11th July Abstract

Using RADIUS Agent for Transparent User Identification

Advanced Software Testing

Red Hat Enterprise Linux Rebuild mini-howto

MPI-Checker Static Analysis for MPI

Detecting Critical Defects on the Developer s Desktop

NVIDIA CUDA GETTING STARTED GUIDE FOR MAC OS X

How To Install Acronis Backup & Recovery 11.5 On A Linux Computer

Framework for Automated Builds. Natalia Ratnikova CCS Meeting Feb 2003 CMS Week

RUnit - A Unit Test Framework for R

Measuring the Effect of Code Complexity on Static Analysis Results

Introduction to Static Analysis for Assurance

TOOL EVALUATION REPORT: FORTIFY

Linux Distributions. What they are, how they work, which one to choose Avi Alkalay

Using Code Coverage Tools in the Linux Kernel

How to build secure Apache Tomcat deployments with RPM.

Using Clang to Visualize Large Codebases. Nathan Hawes and Ben Barham Oracle Labs Australia October 2014

Siebel Application Deployment Manager Guide. Siebel Innovation Pack 2013 Version 8.1/8.2 September 2013

Xcode Project Management Guide. (Legacy)

Jonathan Worthington Scarborough Linux User Group

C# and Other Languages

RHadoop Installation Guide for Red Hat Enterprise Linux

Drupal CMS for marketing sites

SWAMP: Removing the Barriers to Adopting and Improving Software Assurance Capabilities

Winning the Battle against Automated Testing. Elena Laskavaia March 2016

Acronis Backup & Recovery 10 Server for Linux. Installation Guide

Improve Fortran Code Quality with Static Analysis

This Release Notes document is for F-Secure Linux Security.

Encrypted File Transfer - Customer Testing

Selenium An Effective Weapon In The Open Source Armory

LLVMLinux: Embracing the Dragon

Continuous Integration and Automatic Testing for the FLUKA release using Jenkins (and Docker)

Opening a Command Shell

Týr: a dependent type system for spatial memory safety in LLVM

pbuilder Debian Conference 2004

Sun Grid Engine Package for OSCAR A Google SoC 2005 Project

Testing for Security

Acronis Backup & Recovery 10 Server for Linux. Update 5. Installation Guide

An Evaluation of the Application Hosting Environment Uk e-science Engineering Task Force

How to Write a Simple Makefile

Novell Linux Management Pack for System Center Operations Manager

4PSA DNS Manager Translator's Manual

Good evening. This presentation is based on my GIAC GSNA Gold technical paper entitled Auditing Mac OS X Compliance with the Center for Internet

Introduction to the. Barracuda Embedded Web-Server

OpenChange overview and current server implementation

Good Software. Lecture 6 GSL Peru 2014

Fedora Core 4. Managing software with yum. Stuart Ellis Edited by Paul W. Frields

Internet Payment Gateway

Git Fusion Guide August 2015 Update

TUT19344 Managing RH/CentOS with SUSE Manager

This presentation explains how to monitor memory consumption of DataStage processes during run time.

Test-driving static analysis tools in search of C code vulnerabilities

White Paper. Fabasoft on Linux SELinux Support. Fabasoft Folio 2015 Update Rollup 2

HOWTO configure Xinu under Virtual Box

django-cron Documentation

Apache Thrift and Ruby

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

Red Hat Enterprise Linux Update for IBM System z

How to get Enterprise

Brakeman and Jenkins: The Duo Detects Defects in Ruby on Rails Code

Manual vs. Automated Vulnerability Assessment: ACaseStudy

NETWORK OPERATING SYSTEMS. By: Waqas Ahmed (C.E.O at Treesol)

The FDA Forensics Lab, New Tools and Capabilities

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

Developing tests for the KVM autotest framework

Software Developer Program. Application Build Environment Manual

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Installing VMware Tools on Clearswift v4 Gateways

Building Programs with Make. What does it mean to Build a Program?

COVERITY SCAN: 2013 OPEN SOURCE REPORT. Coverity Scan: 2013 Open Source Report

Rebuild Perfume With Python and PyPI

VMware Tools Installation Guide For Operating System Specific Packages

Automatic vs. Manual Code Analysis

HP Fortify Static Code Analyzer

How To Use The C Preprocessor

Open-source Versus Commercial Software: A Quantitative Comparison

Transcription:

Fully Automated Static Analysis of Fedora Packages Red Hat Kamil Dudka August 9th, 2014 Abstract There are static analysis tools (such as Clang or Cppcheck) that are able to find bugs in Fedora packages before they are noticed by users or even Security Response Team. We are announcing an easy to use tool csmock that makes it possible to run static analysis tools on RPM packages fully automatically. csmock is given an SRPM and simply returns a list of defects found in the package.

Definition of Static Analysis Definition of Static Analysis Static analysis is an analysis of code without executing it. Already done by the compiler (optimization, warnings,... ). This presentation focuses on using static analysis tools to find bugs in Fedora packages. 1 / 13

Agenda 1 Definition of Static Analysis 2 Static Analyzers for C/C++ Available in Fedora 3 Fully Automated Static Analysis of Fedora Packages

Static Analyzers for C/C++ Available in Fedora Analyzers of C/C++ Code Available in Fedora Compilers: GCC produces various kinds of useful warnings Analyzers applicable on vast majority of Fedora Packages: Cppcheck based on pattern matching Clang static checkers built on top of LLVM Analyzers with limited scope of use: sparse used mainly by kernel developers... Research prototypes with limited level of automation: frama-c uses CIL as the parser (written in OCaml)... 2 / 13

Static Analyzers for C/C++ Available in Fedora GCC Warnings Taken seriously by upstream developers (of some projects), but usually ignored by Fedora package maintainers. Enforcing -Werror=... to get them fixed is a good way to introduce new bugs (see https://bugzilla.redhat.com/1025257#c5). GCC warnings are difficult to process in an automated way: GCC does not use absolute paths in diagnostic messages. The format of diagnostic messages is not parser-friendly. Multi-line GCC warnings are difficult to collect consistently when building in parallel. 3 / 13

Static Analyzers for C/C++ Available in Fedora Cppcheck Based on pattern matching (very lightweight static analysis). Can be run on a directory with sources, but then it: tries several combinations of -D flags, ignores missing include files in this mode, causes false positives and false negatives (loss of precision), reports bugs in unrelated code (e.g. #ifdef WIN32 sections), there is no easy way to predict the time needed for the analysis (e.g. to limit the time per compilation unit). Can be run per compilation unit with correct -D and -I flags. Not so easy to automate when analyzing arbitrary SRPMs. cscppc is a new package in Fedora that runs Cppcheck fully transparently during the build (in parallel with the compiler). 4 / 13

Static Analyzers for C/C++ Available in Fedora Clang Analyzer A set of static analysis-based checkers built on top of LLVM (Low Level Virtual Machine). There is a Perl script named scan-build that runs Clang during the build somewhat transparently: scan-build rpmbuild --rebuild krb5-1.11.5-7.fc20.src.rpm Uses HTML or plist format for the results. Known to fail when analyzing certain packages: krb5 (because it overrides $CC by the %{ cc} RPM macro) pidgin (because libtool did not recognize the faked compiler)... 5 / 13

Static Analyzers for C/C++ Available in Fedora Static Analyzers in Fedora Summary There are ready to use static analyzers in Fedora, which provide useful results...... but there is no common interface to run them,... and there is no common format for the results. 6 / 13

Agenda 1 Definition of Static Analysis 2 Static Analyzers for C/C++ Available in Fedora 3 Fully Automated Static Analysis of Fedora Packages

Fully Automated Static Analysis of Fedora Packages Fully Automated Static Analysis of SRPMs How to easily analyze a given SRPM by Cppcheck and Clang? csmock -t cppcheck,clang krb5-1.11.5-7.fc20.src.rpm How to get csmock running on Fedora? sudo yum install csmock sudo gpasswd -a $USER mock 7 / 13

Fully Automated Static Analysis of Fedora Packages Results of Static Analysis (HTML format) krb5-1.11.5-7.fc20 List of Defects Error: CLANG_WARNING: [#def1] krb5-1.11.5/src/lib/krad/remote.c:118:9: warning: Access to field 'tqh_last' results in a dereference of a null pointer # TAILQ_REMOVE(&req->rr->list, req, list); # ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ krb5-1.11.5/src/include/k5-queue.h:547:20: note: expanded from macro 'TAILQ_REMOVE' # (head)->tqh_last = (elm)->field.tqe_prev; \ # ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~ Error: CLANG_WARNING: [#def2] krb5-1.11.5/src/lib/rpc/xdr_rec.c:165:9: warning: Potential leak of memory pointed to by 'rstrm' # (void)fprintf(stderr, "xdrrec_create: out of memory\n"); # ^~~~~~~ Error: CPPCHECK_WARNING: [#def3] krb5-1.11.5/src/lib/rpc/xdr_rec.c:166: error[memleak]: Memory leak: rstrm Error: COMPILER_WARNING: [#def4] krb5-1.11.5/src/lib/rpc/xdr_rec.c: scope_hint: In function 'xdrrec_getbytes' krb5-1.11.5/src/lib/rpc/xdr_rec.c:258:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare] # current = (len < current)? len : current; # ^ 8 / 13

Fully Automated Static Analysis of Fedora Packages What else can we do with csmock? Capture GCC warnings (by -t gcc). Change the GCC warning level (by -w[0-2]). Check for downstream-only bugs (by --diff-patches). Analyze upstream tarballs instead of SRPMs (by -c CMD). Get the results in a predictable amount of time (by default). You can easily write plug-ins for additional static analyzers. 9 / 13

Fully Automated Static Analysis of Fedora Packages How is csmock implemented? It uses mock (chroot-based tool for building RPMs): to use the same build environment as for production builds, to be able to do destructive changes in the chroot. It uses cswrap (a compiler/analyzer wrapper): to capture the results consistently when building in parallel, to translate relative to absolute paths in GCC output, to transparently add/remove compiler flags, to limit the time spent by analysis per compilation unit. 10 / 13

Fully Automated Static Analysis of Fedora Packages Processing the Results of Static Analysis The csdiff Fedora package provides command-line utilities for processing the results: csdiff matches defects introduced by an update csgrep filters the list of defects by various predicates cshtml generates an HTML report from the list of defects 11 / 13

Fully Automated Static Analysis of Fedora Packages Future Plans Write plug-ins for additional static analyzers. Support additional languages Python, Java,... Expose csmock as a service hook a task on Taskotron? 12 / 13

Fully Automated Static Analysis of Fedora Packages Conclusion There are static analyzers in Fedora that are able to automatically find bugs in our packages. csmock makes it easy to run them on a given SRPM. csdiff utilities can be used to efficiently process the results. These packages are now available in Fedora! 13 / 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information