How to enable the clang static analyzer "alpha.security.taint" check

Time: 2018-04-09 18:44:28

Tags: c clang-static-analyzer

I am trying to run the clang static analyzer (version 3.8) on some of the examples shown in its documentation (https://clang-analyzer.llvm.org/alpha_checks.html#security_alpha_checkers).

I created a small C program as follows:

// note: requires alpha.security.taint check turned on.
void test() {
    char s[] = "abc";
    int x = getchar();
    char c = s[x]; // warn: index is tainted
}

I am running the following command to analyze the code above:

/usr/lib/llvm-3.8/bin/scan-build -enable-checker alpha.security.taint.TaintPropagation clang -c example.c

The above command produces the following report:

scan-build: Using '/usr/lib/llvm-3.8/bin/clang' for static analysis
example.c:5:8: warning: Value stored to 'c' during its initialization is never read
char c = s[x]; // warn: index is tainted
   ^   ~~~~
1 warning generated.
scan-build: 1 bug found.
scan-build: Run 'scan-view /tmp/scan-build-2018-04-09-143549-15413-1' to examine bug reports.

I expected clang SA to complain about a possible buffer overflow and buffer underflow on line 5, but it seems that no taint analysis is being performed.

Can someone suggest how to enable the "alpha.security.taint" check?

1 answer:

Answer 0 (score: 0)

To get a warning when a tainted array index is used, you must enable alpha.security.ArrayBoundV2 as well as alpha.security.taint.TaintPropagation:

$ ~/bld/llvm-project/build/bin/scan-build -enable-checker \
    alpha.security.taint.TaintPropagation,alpha.security.ArrayBoundV2 \
    gcc -c taint2.c
scan-build: Using '/home/scott/bld/llvm-project/build/bin/clang-9' for static analysis
taint2.c:6:10: warning: Value stored to 'c' during its initialization is never read
    char c = s[x]; // warn: index is tainted
         ^   ~~~~
taint2.c:6:14: warning: Out of bound memory access (index is tainted)
    char c = s[x]; // warn: index is tainted
             ^~~~
2 warnings generated.
scan-build: 2 bugs found.
scan-build: Run 'scan-view /tmp/scan-build-2019-09-11-204837-97704-1' to examine bug reports.

The TaintPropagation checker itself reports some things, for example passing tainted data to system(). It also exports taint information for other checkers to use.

(I found this out mostly by looking at the source code, and secondarily by trial and error. The documentation was not much help.)
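As an added illustration (not code from the question or the answer), here is the tainted-index pattern the thread analyses next to a version that validates the index against the array bound before using it, which is the check that makes the ArrayBoundV2 report go away; the function names are my own.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed example. Analyze it with both checkers from the answer enabled:
 *   scan-build -enable-checker \
 *     alpha.security.taint.TaintPropagation,alpha.security.ArrayBoundV2 \
 *     clang -c taint_example.c
 * TaintPropagation marks the getchar() result as tainted; ArrayBoundV2 then
 * reports any unconstrained use of that value as an array index. */

/* Flagged: x is taken straight from getchar() and may be EOF (-1, an
 * underflow) or larger than the last valid index (an overflow). */
char lookup_unchecked(void) {
    char s[] = "abc";
    int x = getchar();   /* taint source */
    return s[x];         /* warn: Out of bound memory access (index is tainted) */
}

/* Accepted: the range check constrains the tainted value to 0..len-1 on the
 * path that reaches the index, so the out-of-bound state is infeasible and
 * ArrayBoundV2 no longer reports it. Returns the byte, or -1 if rejected. */
int lookup_checked(const char *s, size_t len, int x) {
    if (x < 0 || (size_t)x >= len)   /* rejects EOF and anything past the end */
        return -1;
    return (unsigned char)s[x];
}

int main(void) {
    char s[] = "abc";
    int x = getchar();                          /* taint source */
    int r = lookup_checked(s, sizeof s - 1, x); /* exclude the terminator */
    if (r < 0) {
        fputs("index out of range\n", stderr);
        return 1;
    }
    printf("s[%d] = '%c'\n", x, r);
    return 0;
}
```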