cwe-mapper: do not assign unrelated CWEs for GCC and ShellCheck

kdudka · kdudka · commit 57f06354756d · 2022-06-01T10:50:38.000+02:00
Due to historical reasons, we distinguish checkers (a.k.a. rules) by the checker field for Coverity only. For other tools we map this to the key events, such as `warning[-Wshadow]` in case of gcc. The CWE mapping is defined for checker/keyEvent pairs. For Coverity, it is fine to assign CWE based on checker only in case the exact pair is not matched. For other tools, it does not make any sense, because the checker field maps to the tool and the actual checkers (rules) can be distinguished by the key event only. This is a follow-up to commit 142ee3f, which landed when we had CWE mapping for Coverity and Cppcheck only. Reported-by: Steve Grubb Closes: #52
diff --git a/src/cwe-mapper.cc b/src/cwe-mapper.cc
@@ -19,6 +19,8 @@
 
 #include "cwe-mapper.hh"
 
+#include "parser-common.hh"
+
 #include <cstdio>
 
 // /////////////////////////////////////////////////////////////////////////////
@@ -28,8 +30,19 @@ struct CweMap::Private {
     typedef std::map<std::string, TNumByEvent>      TMapByChk;
 
     TMapByChk           mapByChk;
+    ImpliedAttrDigger   digger;
+
+    bool detectedByTool(Defect def, const char *tool);
 };
 
+bool CweMap::Private::detectedByTool(Defect def, const char *tool)
+{
+    // detect tool in case it is not explicitly specified
+    this->digger.inferToolFromChecker(&def);
+
+    return (def.tool == tool);
+}
+
 CweMap::CweMap():
     d(new Private)
 {
@@ -106,13 +119,15 @@ bool CweMap::assignCwe(Defect &def) const
             std::cerr << "warning: CWE not found: checker = " << def.checker
                 << ", event = " << evt.event << "\n";
 
-        if (def.checker == "CPPCHECK_WARNING") {
-            // we cannot fallback to a random CWE that Cppcheck has mapping for
+        if (d->detectedByTool(def, "coverity")) {
+            // we assign per-checker CWE only for Coverity
+            cweIt = row.begin();
+        }
+        else {
+            // for other tools there is no fallback if the event is not found
             cweDst = 0;
             return false;
         }
-
-        cweIt = row.begin();
     }
 
     const int cweSrc = cweIt->second;
diff --git a/tests/cslinker/0001-smoke/cwe-map.csv b/tests/cslinker/0001-smoke/cwe-map.csv
@@ -20,6 +20,8 @@
 "BAD_LOCK_OBJECT","lock_on_assigned_field","CWE-543"
 "BAD_LOCK_OBJECT","single_thread_lock","CWE-543"
 "BAD_OVERRIDE","bad_override","CWE-398"
+"BAD_SHIFT","large_shift","CWE-682"
+"BAD_SHIFT","negative_shift","CWE-682"
 "BAD_SIZEOF","bad_sizeof","CWE-467"
 "BUFFER_SIZE","buffer_size","CWE-120"
 "BUFFER_SIZE","overlapping_buffer","CWE-474"
@@ -45,6 +47,7 @@
 "COMPILER_WARNING","warning[-Wnull-dereference]","CWE-476"
 "COMPILER_WARNING","warning[-Wpointer-compare]","CWE-569"
 "COMPILER_WARNING","warning[-Wreturn-local-addr]","CWE-562"
+"COMPILER_WARNING","warning[-Wswitch]","CWE-1023"
 "COMPILER_WARNING","warning[-Wtautological-compare]","CWE-569"
 "COMPILER_WARNING","warning[-Wuninitialized]","CWE-457"
 "COMPILER_WARNING","warning[-Wunused-but-set-variable]","CWE-563"
@@ -56,6 +59,7 @@
 "COMPILER_WARNING","warning[-Wunused-result]","CWE-252"
 "COMPILER_WARNING","warning[-Wunused-value]","CWE-563"
 "COMPILER_WARNING","warning[-Wunused-variable]","CWE-563"
+"COMPILER_WARNING","warning[-Wwrite-strings]","CWE-710"
 "CONSTANT_EXPRESSION_RESULT","always_true_or","CWE-569"
 "CONSTANT_EXPRESSION_RESULT","bit_and_with_zero","CWE-569"
 "CONSTANT_EXPRESSION_RESULT","extra_high_bits","CWE-569"
@@ -100,12 +104,11 @@
 "CPPCHECK_WARNING","error[insecureCmdLineArgs]","CWE-120"
 "CPPCHECK_WARNING","error[integerOverflow]","CWE-190"
 "CPPCHECK_WARNING","error[invalidFunctionArgBool]","CWE-686"
-"CPPCHECK_WARNING","error[invalidFunctionArg ]","CWE-628"
+"CPPCHECK_WARNING","error[invalidFunctionArg]","CWE-628"
 "CPPCHECK_WARNING","error[invalidPointer]","CWE-664"
 "CPPCHECK_WARNING","error[invalidScanfFormatWidth]","CWE-120"
 "CPPCHECK_WARNING","error[IOWithoutPositioning]","CWE-227"
 "CPPCHECK_WARNING","error[iterators]","CWE-664"
-"CPPCHECK_WARNING","error[iterators]","CWE-MAP-NOMATCH"
 "CPPCHECK_WARNING","error[leakNoVarFunctionCall]","CWE-401"
 "CPPCHECK_WARNING","error[leakReturnValNotUsed]","CWE-252"
 "CPPCHECK_WARNING","error[mallocOnClassError]","CWE-665"
@@ -124,6 +127,8 @@
 "CPPCHECK_WARNING","error[obsoleteFunctions]","CWE-477"
 "CPPCHECK_WARNING","error[operatorEq]","CWE-480"
 "CPPCHECK_WARNING","error[outOfBounds]","CWE-805"
+"CPPCHECK_WARNING","error[overlappingWriteUnion]","CWE-758"
+"CPPCHECK_WARNING","error[overlappingWriteFunction]","CWE-758"
 "CPPCHECK_WARNING","error[passedByValue]","CWE-686"
 "CPPCHECK_WARNING","error[pointerArithBool]","CWE-571"
 "CPPCHECK_WARNING","error[pointerOutOfBounds]","CWE-823"
@@ -165,8 +170,8 @@
 "CPPCHECK_WARNING","error[uninitdata]","CWE-456"
 "CPPCHECK_WARNING","error[uninitstring]","CWE-170"
 "CPPCHECK_WARNING","error[uninitStructMember]","CWE-909"
-"CPPCHECK_WARNING","error[uninitvar]","CWE-456"
-"CPPCHECK_WARNING","error[uninitVar]","CWE-456"
+"CPPCHECK_WARNING","error[uninitvar]","CWE-457"
+"CPPCHECK_WARNING","error[uninitVar]","CWE-457"
 "CPPCHECK_WARNING","error[unknownEvaluationOrder]","CWE-768"
 "CPPCHECK_WARNING","error[unsignedPositive]","CWE-571"
 "CPPCHECK_WARNING","error[unusedScopedObject]","CWE-826"
@@ -186,7 +191,6 @@
 "CPPCHECK_WARNING","warning[invalidScanfArgType_int]","CWE-686"
 "CPPCHECK_WARNING","warning[invalidScanfArgType_s]","CWE-686"
 "CPPCHECK_WARNING","warning[nullPointer]","CWE-476"
-"CPPCHECK_WARNING","warning[pureVirtualCall]","CWE-MAP-NOMATCH"
 "CTOR_DTOR_LEAK","ctor_dtor_leak","CWE-772"
 "DC.STREAM_BUFFER","dont_call","CWE-120"
 "DC.WEAK_CRYPTO","dont_call","CWE-327"
@@ -250,6 +254,7 @@
 "LOCK_INVERSION","getlock","CWE-833"
 "MISSING_BREAK","fallthrough","CWE-484"
 "MISSING_LOCK","missing_lock","CWE-667"
+"MISSING_MOVE_ASSIGNMENT","missing_move_assignment","CWE-710"
 "MISSING_RETURN","missing_return","CWE-710"
 "NEGATIVE_RETURNS","negative_returns","CWE-394"
 "NEGATIVE_RETURNS","var_tested_neg","CWE-394"
@@ -336,27 +341,28 @@
 "SECURE_TEMP","secure_temp","CWE-377"
 "SHELLCHECK_WARNING","error[SC1008]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1019]","CWE-398"
-"SHELLCHECK_WARNING","error[SC1020]","CWE-398"
+"SHELLCHECK_WARNING","error[SC1020]","CWE-569"
+"SHELLCHECK_WARNING","error[SC1035]","CWE-569"
 "SHELLCHECK_WARNING","error[SC1036]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1061]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1062]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1064]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1065]","CWE-398"
-"SHELLCHECK_WARNING","error[SC1068]","CWE-398"
+"SHELLCHECK_WARNING","error[SC1068]","CWE-456"
 "SHELLCHECK_WARNING","error[SC1071]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1072]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1073]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1075]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1087]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1088]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1089]","CWE-398"
-"SHELLCHECK_WARNING","error[SC1097]","CWE-398"
+"SHELLCHECK_WARNING","error[SC1097]","CWE-482"
 "SHELLCHECK_WARNING","error[SC1101]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1113]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1127]","CWE-398"
 "SHELLCHECK_WARNING","error[SC1128]","CWE-398"
 "SHELLCHECK_WARNING","error[SC2045]","CWE-398"
-"SHELLCHECK_WARNING","error[SC2068]","CWE-398"
+"SHELLCHECK_WARNING","error[SC2068]","CWE-88"
 "SHELLCHECK_WARNING","error[SC2070]","CWE-398"
 "SHELLCHECK_WARNING","error[SC2071]","CWE-398"
 "SHELLCHECK_WARNING","error[SC2076]","CWE-398"
@@ -366,85 +372,92 @@
 "SHELLCHECK_WARNING","error[SC2105]","CWE-398"
 "SHELLCHECK_WARNING","error[SC2127]","CWE-398"
 "SHELLCHECK_WARNING","error[SC2142]","CWE-398"
-"SHELLCHECK_WARNING","error[SC2145]","CWE-398"
-"SHELLCHECK_WARNING","error[SC2148]","CWE-398"
+"SHELLCHECK_WARNING","error[SC2145]","CWE-138"
+"SHELLCHECK_WARNING","error[SC2148]","CWE-758"
+"SHELLCHECK_WARNING","error[SC2168]","CWE-1126"
 "SHELLCHECK_WARNING","error[SC2173]","CWE-398"
 "SHELLCHECK_WARNING","error[SC2199]","CWE-398"
-"SHELLCHECK_WARNING","error[SC2218]","CWE-398"
-"SHELLCHECK_WARNING","error[SC2242]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC1007]","CWE-398"
+"SHELLCHECK_WARNING","error[SC2218]","CWE-758"
+"SHELLCHECK_WARNING","error[SC2242]","CWE-393"
+"SHELLCHECK_WARNING","warning[SC1007]","CWE-480"
 "SHELLCHECK_WARNING","warning[SC1010]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC1011]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC1078]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC1083]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC1083]","CWE-569"
 "SHELLCHECK_WARNING","warning[SC1090]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC1098]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2010]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2027]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2034]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2011]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2027]","CWE-149"
+"SHELLCHECK_WARNING","warning[SC2034]","CWE-563"
 "SHELLCHECK_WARNING","warning[SC2038]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2039]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2039]","CWE-475"
 "SHELLCHECK_WARNING","warning[SC2041]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2043]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2043]","CWE-1164"
 "SHELLCHECK_WARNING","warning[SC2044]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2045]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2046]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2048]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2046]","CWE-156"
+"SHELLCHECK_WARNING","warning[SC2048]","CWE-569"
 "SHELLCHECK_WARNING","warning[SC2050]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2053]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2051]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2053]","CWE-153"
 "SHELLCHECK_WARNING","warning[SC2060]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2061]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2062]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2064]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2065]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2069]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2064]","CWE-569"
+"SHELLCHECK_WARNING","warning[SC2065]","CWE-697"
+"SHELLCHECK_WARNING","warning[SC2069]","CWE-783"
 "SHELLCHECK_WARNING","warning[SC2088]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2089]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2090]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2091]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2092]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2093]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2089]","CWE-569"
+"SHELLCHECK_WARNING","warning[SC2090]","CWE-569"
+"SHELLCHECK_WARNING","warning[SC2091]","CWE-829"
+"SHELLCHECK_WARNING","warning[SC2092]","CWE-829"
+"SHELLCHECK_WARNING","warning[SC2093]","CWE-561"
 "SHELLCHECK_WARNING","warning[SC2097]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2098]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2100]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2112]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2113]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2114]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2115]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2120]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2121]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2124]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2125]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2128]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2140]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2153]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2154]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2155]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2120]","CWE-685"
+"SHELLCHECK_WARNING","warning[SC2121]","CWE-456"
+"SHELLCHECK_WARNING","warning[SC2124]","CWE-569"
+"SHELLCHECK_WARNING","warning[SC2125]","CWE-569"
+"SHELLCHECK_WARNING","warning[SC2128]","CWE-670"
+"SHELLCHECK_WARNING","warning[SC2140]","CWE-149"
+"SHELLCHECK_WARNING","warning[SC2153]","CWE-457"
+"SHELLCHECK_WARNING","warning[SC2154]","CWE-457"
+"SHELLCHECK_WARNING","warning[SC2155]","CWE-571"
 "SHELLCHECK_WARNING","warning[SC2156]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2163]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2164]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2165]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2166]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2167]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2164]","CWE-252"
+"SHELLCHECK_WARNING","warning[SC2165]","CWE-1095"
+"SHELLCHECK_WARNING","warning[SC2166]","CWE-477"
+"SHELLCHECK_WARNING","warning[SC2167]","CWE-1095"
 "SHELLCHECK_WARNING","warning[SC2172]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2174]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2174]","CWE-277"
 "SHELLCHECK_WARNING","warning[SC2178]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2183]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2184]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2186]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2188]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2188]","CWE-569"
 "SHELLCHECK_WARNING","warning[SC2198]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2206]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2207]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2209]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2206]","CWE-140"
+"SHELLCHECK_WARNING","warning[SC2207]","CWE-140"
+"SHELLCHECK_WARNING","warning[SC2209]","CWE-456"
 "SHELLCHECK_WARNING","warning[SC2211]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2214]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2217]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2221]","CWE-398"
-"SHELLCHECK_WARNING","warning[SC2222]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2221]","CWE-569"
+"SHELLCHECK_WARNING","warning[SC2222]","CWE-569"
 "SHELLCHECK_WARNING","warning[SC2229]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2238]","CWE-398"
 "SHELLCHECK_WARNING","warning[SC2240]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2247]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2254]","CWE-691"
+"SHELLCHECK_WARNING","warning[SC2256]","CWE-398"
+"SHELLCHECK_WARNING","warning[SC2258]","CWE-398"
 "SIGN_EXTENSION","sign_extension","CWE-194"
 "SIZECHECK","ampersand_in_size","CWE-131"
 "SIZECHECK","incorrect_multiplication","CWE-131"
@@ -459,8 +472,6 @@
 "STACK_USE","stack_use_local_overflow","CWE-400"
 "STACK_USE","stack_use_overflow","CWE-400"
 "STRAY_SEMICOLON","stray_semicolon","CWE-398"
-"STREAM_FORMAT_STATE","format_changed","CWE-MAP-NOMATCH"
-"STREAM_FORMAT_STATE","format_restored","CWE-MAP-NOMATCH"
 "STRING_NULL","string_null","CWE-170"
 "STRING_OVERFLOW","fixed_size_dest","CWE-120"
 "STRING_OVERFLOW","parameter_as_source","CWE-120"
@@ -476,6 +487,7 @@
 "UNCAUGHT_EXCEPT","exception_thrown","CWE-248"
 "UNCAUGHT_EXCEPT","rethrow","CWE-248"
 "UNEXPECTED_CONTROL_FLOW","do_while_false_condition","CWE-398"
+"UNICONTROL_WARNING","warning","CWE-94"
 "UNINIT_CTOR","member_not_init_in_gen_ctor","CWE-456"
 "UNINIT_CTOR","uninit_member","CWE-456"
 "UNINIT","uninit_use","CWE-457"
@@ -495,6 +507,7 @@
 "USE_AFTER_FREE","pass_freed_arg","CWE-416"
 "USE_AFTER_FREE","use_after_free","CWE-416"
 "USE_AFTER_FREE","use_closed_file","CWE-672"
+"USELESS_CALL","side_effect_free","CWE-252"
 "VARARGS","missing_va_end","CWE-237"
 "VARARGS","va_arg","CWE-237"
 "VOLATILE_ATOMICITY","stale_update","CWE-366"
diff --git a/tests/cslinker/0001-smoke/scan-results.json b/tests/cslinker/0001-smoke/scan-results.json
