C Test Suite for Source Code Analyzer - Secure v2 Test suite #101
DownloadDescription
This test suite replaces test suite 46 based on a collaboration with Alexander Hoole from University of Victoria, BC, Canada. The new test cases provided by these test suites contain the following improvements: removal of targeted weaknesses from 13 "GOOD" test cases in test suite 46, removal of extraneous weaknesses, replacement of test cases to align with the CWEs specified in NIST SP 500-268 v1.1, creation of additional test cases to provide consistent BAD/GOOD pairings, application of minor improvements to code, renaming of files and the addition of FLAW/FIX comments to assist automation, and insertion of improved metadata to assist researchers using SARD. Please refer to the test case metadata fields to view additional information for each test case. Note: Some test cases have been deprecated and replaced with fixed versions since this test suite has been initially published.
-
The SQL Injection is not possible because the arguments are validated before the MySQL query.
-
The SQL Injection is possible if the arguments are not validated.
-
The SQL Injection is not possible because the arguments are validated. The code complexity is in the call of another function to perform the MySQL query.
-
This test case exposes a Race Condition error at the line 26. Many processes can access the same file in different moment.[br] We can have something like that:[br] Process 1: Open File[br] Process 1: Close File[br] Process 2: Open File[br] Process 3: Open File[br] Process 2: Close File[br] Proces...
-
This test case exposes a Race Condition error at the line 47. Many processes can access the same file in different moment.
-
The test case exposes a password which is not hard-coded in the source code.
-
This test case shows a double free in a local control flow complexity.
-
This test case shows a double free in a for loop structure.
-
This test cases exposes a format string vulnerability with a container code complexity.
-
This test case avoids a format string vulnerability in a local control flow; here, we use function pointer for control flow.
-
The test cases shows hard-coded passwords; these passwords are in a array.
-
The test case exposes a password which is not hard-coded in the source code.
-
This test case shows a hard-coded password in a local control flow.
-
This test case uses PAM to avoid hard coded password in a for loop structure.
-
The test case avoids Heap Overflow with an array complexity.
-
This test case exposes a Heap Overflow with an array index complexity.
-
The test cases avoids an improper null termination.
-
The test case avoids an improper null termination with an address alias level as code complexity.
-
The test case avoids an improper null termination in a string which is in a structure.
-
This test case exposes an improper null termination which occurred when a argv contains tainted data.
-
The test case avoids a leftover debug weakness.
-
The test case avoids a buffer overflow by using an appropriate function.
-
The test case shows how it is easy to get a buffer overflow if a string function is misused.
-
The test case avoids a buffer overflow by using an appropriate function with a string which is in a structure.
-
The test case avoids a buffer overflow by using an appropriate function with scope complexity.