C Test Suite for Source Code Analyzer - Secure v2 Test suite #101
DownloadDescription
This test suite replaces test suite 46 based on a collaboration with Alexander Hoole from University of Victoria, BC, Canada. The new test cases provided by these test suites contain the following improvements: removal of targeted weaknesses from 13 "GOOD" test cases in test suite 46, removal of extraneous weaknesses, replacement of test cases to align with the CWEs specified in NIST SP 500-268 v1.1, creation of additional test cases to provide consistent BAD/GOOD pairings, application of minor improvements to code, renaming of files and the addition of FLAW/FIX comments to assist automation, and insertion of improved metadata to assist researchers using SARD. Please refer to the test case metadata fields to view additional information for each test case. Note: Some test cases have been deprecated and replaced with fixed versions since this test suite has been initially published.
-
The test case shows how it is easy to get a buffer overflow if a string function is misused.
-
The test case avoids a null dereference with an address alias level as code complexity.
-
The test case avoids a null dereference.
-
The test case avoids an OS Command Injection weakness in a local control flow.
-
The test case avoids an OS Command Injection weakness in a loop.
-
The test case exposes an OS Command Injection.
-
The test case exposes a resource injection.
-
The test case avoids a resource injection.
-
The test case avoids a resource injection with a string which is in a structure.
-
The test case avoids a resource injection weakness in a scoping context.
-
The test case shows a Stack Overflow.
-
The test case avoids a Stack Overflow by fixing a bad array index.
-
The test case avoids a Stack Overflow by fixing a bad loop exit condition (and start index).
-
The test case exposes a Cross-Site Scripting (XSS) in C/CGI programming.
-
The test case avoids a Cross-Site Scripting (XSS) in a C/CGI program with a string which is in a structure.
-
The test case avoids a Cross-Site Scripting (XSS) in a C/CGI program with scope complexity.
-
The test case prevents a memory leak with a pointer which is in a structure.
-
The test case shows a memory leak.
-
The test case shows an unintentional pointer scaling.
-
If we check the return of scanf we know how many parameters have been passed.
-
The SQL Injection is not possible because the arguments are validated before the MySQL query.
-
No memory leak, the allocated memory is freed.
-
The variable px now is initialized, avoiding the use of an uninitialized value.
-
No buffer overflow even if the input is not validated. Every operation may write outside the bound of the statically allocated character array.
-
The test case shows avoiding improper null termination with a buffer address type complexity.