C Test Suite for Source Code Analyzer - Secure v2 Test suite #101
Description
This test suite replaces test suite 46 based on a collaboration with Alexander Hoole from the University of Victoria, BC, Canada. The test cases provided by this test suite contain the following improvements: removal of targeted weaknesses from 13 "GOOD" test cases in test suite 46, removal of extraneous weaknesses, replacement of test cases to align with the CWEs specified in NIST SP 500-268 v1.1, creation of additional test cases to provide consistent BAD/GOOD pairings, application of minor improvements to code, renaming of files and the addition of FLAW/FIX comments to assist automation, and insertion of improved metadata to assist researchers using SARD. Please refer to the test case metadata fields to view additional information for each test case. Note: Some test cases have been deprecated and replaced with fixed versions since this test suite was initially published.
-
A printf is called with a programmer-supplied format string.
-
A syslog is called with a static format string.
-
Malloc'd data is freed only once.
-
A file in a publicly accessible directory is accessed multiple times through its file descriptor rather than by name. No race condition exists between the accesses, so an attacker cannot substitute a different file for the one referenced by name between the accesses.
-
A system() is called with user-provided data, but the data is strictly scrutinized first.
-
A string decode function properly checks for termination and no buffer overflow occurs.
-
An ad hoc gets with bounds check does not allow a stack buffer to be overrun.
-
An ad hoc string copy with bounds check does not overflow a stack buffer.
-
A syslog is called with a static format string.
-
A printf is called with a static format string. This is not a defect.
-
fgets is used in place of gets with a proper bounds check.
-
An fgets is called with a correct bound.
-
An integer overflow in the size computation would result in a short malloc and a heap overflow. A guard is put in place to protect against the overflow.
-
Malloc'd data is freed.
-
Malloc'd data is freed in the caller.
-
Malloc'd data is freed only once.
-
A strcpy does not overflow a stack buffer because a check is made to avoid an overflow condition.
-
A length check is made before strcpy, avoiding heap buffer overflow.
-
A strncpy safely copies a string into a heap buffer.
-
A strcpy is used to copy a string into a heap buffer. The caller shortens the string to prevent a buffer overflow from occurring.
-
Test if a tool can detect a heap inspection vulnerability (fixed).
-
The test case avoids a Stack-based Buffer Overflow.
-
Test of a tool's ability to identify use of an uninitialized variable (fixed).
-
Pointer arithmetic refers to the expected memory address, taking into account that arithmetic on a pointer is implicitly scaled by the size of the pointed-to type.
-
The test case avoids Cross-Site Scripting in a CGI program in C that takes its arguments and prints them out.
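The two "GOOD" patterns that recur in the list above, an integer-overflow guard on the size computation before malloc and a length check before copying a string into a heap buffer, as an added C example. This is not SARD test-case code; the function names `checked_mul`, `alloc_records`, `copy_bounded` and `dup_bounded` and the sample inputs in `main` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not SARD test-case code.
 * Guarded size arithmetic: the "BAD" form computes count * elem directly and
 * passes a wrapped (too small) value to malloc; the "GOOD" form refuses first. */

/* Store n * size in *out and return 1 if the product fits in size_t, else 0. */
int checked_mul(size_t n, size_t size, size_t *out)
{
    if (size != 0 && n > SIZE_MAX / size)
        return 0;               /* product would wrap: refuse */
    *out = n * size;
    return 1;
}

/* Allocate `count` records of `elem` bytes each plus a `header` of bytes.
 * Returns NULL instead of a short buffer when either the multiplication or
 * the addition would overflow. */
void *alloc_records(size_t count, size_t elem, size_t header)
{
    size_t body, total;
    if (!checked_mul(count, elem, &body))
        return NULL;
    if (body > SIZE_MAX - header)   /* addition would wrap */
        return NULL;
    total = body + header;
    return malloc(total);
}

/* Length-checked copy into a buffer of `cap` bytes (the strcpy-with-check
 * pattern). Returns the number of bytes copied excluding the terminator, or
 * -1 when src plus its NUL would not fit. Refusing is preferred over silent
 * truncation, which is the strncpy pitfall. */
long copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (cap == 0 || len >= cap)
        return -1;
    memcpy(dst, src, len + 1);  /* len + 1 includes the terminator */
    return (long)len;
}

/* Duplicate `src` into a fresh heap buffer sized exactly to it, rejecting
 * inputs longer than `max_len` (the caller-imposed bound from the list). */
char *dup_bounded(const char *src, size_t max_len)
{
    size_t len = strlen(src);
    if (len > max_len)
        return NULL;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    if (copy_bounded(buf, len + 1, src) < 0) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* Constructed input: a count chosen so that count * 16 wraps in size_t. */
    size_t huge = SIZE_MAX / 8 + 1;
    void *p = alloc_records(huge, 16, 32);
    printf("overflowing request -> %s\n", p ? "allocated (bug)" : "refused");
    free(p);

    char *s = dup_bounded("hello", 16);
    printf("dup_bounded -> %s\n", s ? s : "(null)");
    free(s);
    return 0;
}
```

`checked_mul` is the part an analyzer should recognise as the FIX: without it `alloc_records(huge, 16, 32)` would call malloc with a wrapped, tiny size and every later write into the buffer would be a heap overflow.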