diff --git a/c/cert/src/rules/EXP37-C/CallPOSIXOpenWithCorrectArgumentCount.md b/c/cert/src/rules/EXP37-C/CallPOSIXOpenWithCorrectArgumentCount.md new file mode 100644 index 0000000000..b6663872bf --- /dev/null +++ b/c/cert/src/rules/EXP37-C/CallPOSIXOpenWithCorrectArgumentCount.md @@ -0,0 +1,243 @@ +# EXP37-C: Pass the correct number of arguments to the POSIX open function. + +This query implements the CERT-C rule EXP37-C: + +> Call functions with the correct number and type of arguments + + +## Description + +Do not call a function with the wrong number or type of arguments. + +The C Standard identifies five distinct situations in which [undefined behavior](https://wiki.sei.cmu.edu/confluence/display/c/BB.+Definitions#BB.Definitions-undefinedbehavior) (UB) may arise as a result of invoking a function using a declaration that is incompatible with its definition or by supplying incorrect types or numbers of arguments: + +
| UB | Description |
| 26 | A pointer is used to call a function whose type is not compatible with the referenced type (6.3.2.3). |
| 38 | For a call to a function without a function prototype in scope, the number of arguments does not equal the number of parameters (6.5.2.2). |
| 39 | For a call to a function without a function prototype in scope where the function is defined with a function prototype, either the prototype ends with an ellipsis or the types of the arguments after promotion are not compatible with the types of the parameters (6.5.2.2). |
| 40 | For a call to a function without a function prototype in scope where the function is not defined with a function prototype, the types of the arguments after promotion are not compatible with those of the parameters after promotion (with certain exceptions) (6.5.2.2). |
| 41 | A function is defined with a type that is not compatible with the type (of the expression) pointed to by the expression that denotes the called function (6.5.2.2). |
atan2() | erf | fdim | fmin | ilogb | llround | logb | nextafter | rint | tgamma |
cbrt | erfc | floor | fmod | ldexp | log10 | lrint | nexttoward | round | trunc |
ceil | exp2 | fma | frexp | lgamma | log1p | lround | remainder | scalbn | |
copysign | expm1 | fmax | hypot | llrint | log2 | nearbyint | remquo | scalbln |
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXP37-C | Medium | Probable | High | P4 | L3 |
| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | 22.04 | incompatible-argument-type parameter-match parameter-match-computed parameter-match-type | Fully checked |
| Axivion Bauhaus Suite | 7.2.0 | CertC-EXP37 | |
| CodeSonar | 7.0p0 | LANG.FUNCS.APM | Array parameter mismatch |
| Compass/ROSE | Can detect some violations of this rule. In particular, it ensures that all calls to open() supply exactly two arguments if the second argument does not involve O_CREAT , and exactly three arguments if the second argument does involve O_CREAT | ||
| Coverity | 2017.07 | MISRA C 2012 Rule 8.2 MISRA C 2012 Rule 17.3 | Implemented Relies on functions declared with prototypes, allow compiler to check |
| ECLAIR | 1.2 | CC2.EXP37 | Partially implemented |
| EDG | |||
| GCC | 4.3.5 | Can detect violation of this rule when the -Wstrict-prototypes flag is used. However, it cannot detect violations involving variadic functions, such as the open() example described earlier | |
| Helix QAC | 2022.2 | C1331, C1332, C1333, C3002, C3320, C3335 C++0403 | |
| Klocwork | 2022.2 | MISRA.FUNC.UNMATCHED.PARAMS | |
| LDRA tool suite | 9.7.1 | 41 D, 21 S, 98 S, 170 S, 496 S, 576 S | Partially implemented |
| Parasoft C/C++test | 2022.1 | CERT_C-EXP37-a CERT_C-EXP37-b CERT_C-EXP37-c CERT_C-EXP37-d | Identifiers shall be given for all of the parameters in a function prototype declaration Function types shall have named parameters Function types shall be in prototype form Functions shall always have visible prototype at the function call |
| Polyspace Bug Finder | R2022a | CERT C: Rule EXP37-C | Checks for: Implicit function declarationmplicit function declaration, bad file access mode or statusad file access mode or status, unreliable cast of function pointernreliable cast of function pointer, standard function call with incorrect argumentstandard function call with incorrect arguments. Rule partially covered. |
| PRQA QA-C | 9.7 | 1331, 1332, 1333, 3002, 3320, 3335 | Partially implemented |
| PRQA QA-C++ | 4.4 | 0403 | |
| PVS-Studio | 7.20 | V540 , V541 , V549 , V575 , V632 , V639 , V666 , V671 , V742 , V743 , V764 , V1004 | |
| SonarQube C/C++ Plugin | 3.11 | S930 | Detects incorrect argument count |
| RuleChecker | 22.04 | parameter-match parameter-match-type | Partially checked |
| TrustInSoft Analyzer | 1.38 | unclassified ("function type matches") | Partially verified (see one compliant and one non-compliant example ). |
| Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT C Secure Coding Standard | DCL07-C. Include the appropriate type information in function declarators | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C Secure Coding Standard | MSC00-C. Compile cleanly at high warning levels | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT C Secure Coding Standard | FIO06-C. Create files with appropriate access permissions | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Subprogram Signature Mismatch \[OTR\] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961 | Calling functions with incorrect arguments \[argcomp\] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| MISRA C:2012 | Rule 8.2 (required) | Prior to 2018-01-12: CERT: Unspecified Relationship |
| MISRA C:2012 | Rule 17.3 (mandatory) | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-628 , Function Call with Incorrectly Specified Arguments | 2017-07-05: CERT: Rule subset of CWE |
| \[ CVE \] | CVE-2006-1174 |
| \[ ISO/IEC 9899:2011 \] | 6.3.2.3, "Pointers" 6.5.2.2, "Function Calls" |
| \[ IEEE Std 1003.1:2013 \] | open() |
| \[ Spinellis 2006 \] | Section 2.6.1, "Incorrect Routine or Arguments" |
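Review bot: the undefined-behaviour table at the top of the Description has no `|---|---|` separator row between its `| UB | Description |` header and the first `| 26 | ... |` row, so it will not render as a Markdown table (the risk-assessment and tool tables further down do carry the separator); add `|---|---|` directly after the header. Three more points in the same file. The four lines beginning `atan2() | erf | fdim | fmin | ...` are a header-less fragment of a math-function list that nothing in this rule text introduces, so they read as a copy-paste leftover and should either be dropped or given back their heading and introducing sentence. The Compass/ROSE row of the tool table puts its description text in the Version column and ends with `| ||`, so its cells are shifted relative to the `| Tool | Version | Checker | Description |` header. The Polyspace Bug Finder row contains doubled text ("Implicit function declarationmplicit function declaration", "bad file access mode or statusad file access mode or status", and so on) and should read "Implicit function declaration, bad file access mode or status, unreliable cast of function pointer, standard function call with incorrect arguments". Finally, the bibliography rows from `| \[ CVE \] | CVE-2006-1174 |` through `| \[ Spinellis 2006 \] | ... |` have no header and separator row, so they will merge visually into the taxonomy table above them.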
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXP46-C | Low | Likely | Low | P9 | L2 |
| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | 22.04 | inappropriate-bool | Supported indirectly via MISRA C:2012 Rule 10.1 |
| Axivion Bauhaus Suite | 7.2.0 | CertC-EXP46 | |
| CodeSonar | 7.0p0 | LANG.TYPE.IOT | Inappropriate operand type |
| Coverity | 2017.07 | CONSTANT_EXPRESSION_RESULT | Partially implemented |
| Cppcheck | 1.66 | cert.py | Detected by the addon cert.py |
| Helix QAC | 2022.2 | C3344, C4502 C++3709 | |
| Klocwork | 2022.2 | MISRA.LOGIC.OPERATOR.NOT_BOOL | |
| LDRA tool suite | 9.7.1 | 136 S | Fully Implemented |
| Parasoft C/C++test | 2022.1 | CERT_C-EXP46-b | Expressions that are effectively Boolean should not be used as operands to operators other than (&&, ||, !, =, ==, !=, ?:) |
| PC-lint Plus | 1.4 | 514 | Fully supported |
| Polyspace Bug Finder | R2022a | CERT C: Rule EXP46-C | Checks for bitwise operations on boolean operands (rule fully covered) |
| PRQA QA-C | 9.7 | 3344,4502 | |
| PRQA QA-C++ | 4.4 | 3709 | |
| PVS-Studio | 7.20 | V564, V1015 | |
| RuleChecker | 22.04 | inappropriate-bool | Supported indirectly via MISRA C:2012 Rule 10.1 |
| Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| ISO/IEC TR 24772:2013 | Likely Incorrect Expression \[KOA\] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-480 , Use of incorrect operator | 2017-07-05: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-569 | 2017-07-06: CERT: Rule subset of CWE |
| \[ Hatton 1995 \] | Section 2.7.2, "Errors of Omission and Addition" |
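Review bot: the EXP46-C risk-assessment, tool, taxonomy and bibliography tables at the end of this patch appear with no `diff --git` header, hunk header, rule title or Description section, so it is not clear which file they belong to; if they are meant for a separate EXP46-C query document, they need their own file header and the same `# EXP46-C: ...` and `## Description` preamble that the EXP37-C file has. As in the EXP37-C file, the bibliography row `| \[ Hatton 1995 \] | Section 2.7.2, "Errors of Omission and Addition" |` has no header or separator row and will be rendered as part of the taxonomy table above it.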