
I am using Frama-c for my research. How can I do to get CWE-ID from the results of Frama-C

[kernel:typing:implicit-function-declaration] 1v3/juliet_suite-c-cplus/CWE401_Memory_Leak__int64_t_calloc_08.c:121: Warning: 

Thank you so much

2 Answers


There are no messages in Frama-C that directly mention a CWE ID (in fact, in many cases it would be quite difficult to choose from closely related IDs, e.g. CWE 125 (out-of-bounds read), 126 (buffer over-read) and 127 (buffer under-read)). Section 14.4 of the Frama-C user manual indicates for many CWEs whether they are handled by Frama-C (sometimes through additional annotations that users need to provide).

Virgile

To complement Virgile's answer: Frama-C's alarms are closely related to the ISO C standard semantics. The Frama-C framework is based on formal methods. CWEs, while useful, are much more informal, and it is mathematically impossible to define a precise, one-to-one mapping between semantic alarms and CWEs. In the best case, each alarm would come with a long list of potential CWEs corresponding to it, which would not be very useful.

Here are some related words from NIST, which proposes a different Bugs Framework to help tackle such issues:

However, for very formal, exacting work, CWE definitions are often inaccurate, imprecise or ambiguous, and the various definitions within one CWE can be inconsistent. [...]

Another example is buffer overflows. CWE-121 is write outside of a buffer on the stack, CWE-122 is write outside of a buffer in the heap, CWE-127 is read before the beginning of a buffer and CWE-126 is read after the end of a buffer. But there are no CWEs specifically for read outside a buffer on the stack vs. in the heap.

The ISO C standard does not even distinguish between heap and stack (these words are completely absent from the standard); simply distinguishing between CWE-121 and CWE-122 is not possible at the C semantic level (in practice, implementations map function-local variables to the stack and global variables/dynamic memory allocation to the heap, so all tools assume that; but that already goes beyond the C semantic model and is prone to introducing several kinds of exceptions that would further complicate matters).

For a few specific CWEs, it is possible that, in the future, Frama-C might emit some warnings referring to them; but in that case, the CWE will be immediately present in the warning itself, as is already the case with a few CERT-C rules.

anol
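Added example, not from either answer and not part of Frama-C: since the tool itself emits no CWE IDs, the closest practical thing is a post-processing step over the Frama-C log that keeps each Eva alarm together with its ACSL assertion and attaches a candidate list of CWEs per alarm kind. The script below does that. The log lines and the `example.c` file name are constructed for the example; the `CANDIDATES` table is my own deliberately coarse heuristic, not a Frama-C or MITRE mapping, and it is many-to-one on purpose, which is exactly the limitation both answers describe (an `out of bounds read` alarm cannot be narrowed to CWE-125, 126 or 127, and a write alarm cannot be split into CWE-121 vs CWE-122). The parser also shows that a kernel typing warning like the one in the question is not an alarm at all and therefore gets no CWE candidates.

```python
import re
from typing import Dict, List

# Constructed sample of Frama-C-style output for this example (not real tool output).
# The kernel warning is wrapped onto an indented continuation line, as Frama-C does
# for long messages; the Eva alarms carry the ACSL assertion after "assert".
SAMPLE_LOG = r"""
[kernel:typing:implicit-function-declaration] example.c:121: Warning:
  Calling undeclared function printLine. Old style K&R code?
[eva:alarm] example.c:45: Warning: accessing out of bounds index. assert 0 <= i < 10;
[eva:alarm] example.c:52: Warning: out of bounds read. assert \valid_read(p);
[eva:alarm] example.c:58: Warning: out of bounds write. assert \valid(q + i);
[eva:alarm] example.c:63: Warning: signed overflow. assert x + 1 <= 2147483647;
[eva:alarm] example.c:70: Warning: accessing uninitialized left-value. assert \initialized(&y);
[eva:alarm] example.c:77: Warning: some future alarm kind. assert \true;
"""

# Hypothetical candidate lists (my assumption, not an official mapping). Each alarm kind
# maps to several CWEs because the C-level alarm does not know about stack vs heap,
# or about the surrounding buffer's layout.
CANDIDATES: Dict[str, List[str]] = {
    "out of bounds read": ["CWE-125", "CWE-126", "CWE-127"],
    "out of bounds write": ["CWE-787", "CWE-121", "CWE-122"],
    "accessing out of bounds index": ["CWE-125", "CWE-787", "CWE-129"],
    "signed overflow": ["CWE-190", "CWE-191"],
    "accessing uninitialized left-value": ["CWE-457", "CWE-908"],
    "division by zero": ["CWE-369"],
}

# "[source] file:line: Warning: message"; the file name is assumed to contain no ':'.
LINE_RE = re.compile(
    r"^\[(?P<source>[^\]]+)\] (?P<file>[^:]+):(?P<line>\d+): Warning:\s*(?P<msg>.*)$"
)


def _join_wrapped(log: str) -> List[str]:
    """Glue indented continuation lines back onto the message they belong to."""
    out: List[str] = []
    for raw in log.splitlines():
        if raw[:1].isspace() and out:
            out[-1] = out[-1].rstrip() + " " + raw.strip()
        elif raw.strip():
            out.append(raw)
    return out


def parse_alarms(log: str) -> List[dict]:
    """Return only Eva alarms (kernel/typing warnings are not semantic alarms)."""
    alarms: List[dict] = []
    for line in _join_wrapped(log):
        m = LINE_RE.match(line)
        if not m or not m["source"].startswith("eva:alarm"):
            continue
        # "out of bounds read. assert \valid_read(p);" -> kind + ACSL predicate
        kind, _, acsl = m["msg"].partition(". assert ")
        alarms.append(
            {
                "file": m["file"],
                "line": int(m["line"]),
                "kind": kind.strip().rstrip("."),
                "acsl": acsl.strip().rstrip(";"),
            }
        )
    return alarms


def candidate_cwes(alarm: dict) -> List[str]:
    """Candidate CWEs for one alarm; empty list means 'no heuristic known'."""
    return list(CANDIDATES.get(alarm["kind"], []))


def summarize(log: str) -> Dict[str, List[str]]:
    """Map 'file:line' of each Eva alarm to its candidate CWE list."""
    return {
        f"{a['file']}:{a['line']}": candidate_cwes(a) for a in parse_alarms(log)
    }


if __name__ == "__main__":
    for loc, cwes in summarize(SAMPLE_LOG).items():
        print(loc, ", ".join(cwes) if cwes else "(no candidate)")
```

Running it on the constructed log prints one line per Eva alarm with its candidate list; the kernel warning on line 121 never appears, and the unknown alarm kind on line 77 shows up with no candidate rather than being silently dropped. Treat the candidate lists as a triage aid to be reviewed by hand, not as a classification: the script cannot do what the answers say is impossible, it only makes the ambiguity explicit.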