
Fix misplaced impl. scope and update help files #54


Merged (1 commit) on Aug 16, 2022
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,7 @@ CWE-667 = Union, CON31-C, POS48-C, list) where list =

## Implementation notes

None
This implementation does not allow for thread synchronization to be performed in subroutines. All synchronization must be performed within the context of the other thread management functions.

## References

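Review bot: the wording "within the context of the other thread management functions" does not tell a reader which functions those are; the note would be more useful if it named the pattern the query recognises (for example that the lock and unlock calls must appear in the same function body as the thread operations), so that users know when a clean report means "not covered" rather than "no problem".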
Expand Up @@ -105,6 +105,8 @@ Search for [vulnerabilities](https://wiki.sei.cmu.edu/confluence/display/c/BB.+D

## Implementation notes

This implementation does not consider threads created function pointers.

## References

* CERT-C: [CON37-C: Do not call signal() in a multithreaded program](https://wiki.sei.cmu.edu/confluence/display/c)
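Review bot: the added sentence reads "threads created function pointers"; a word is missing, presumably "via" or "through" ("threads created via function pointers"). Because the help files are generated from the rule package JSON, the fix belongs in the same string in rule_packages/c/Concurrency1.json (visible in the hunk below), otherwise the next regeneration reintroduces it.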
Expand Up @@ -350,7 +350,7 @@ Search for [vulnerabilities](https://www.securecoding.cert.org/confluence/displa

## Implementation notes

None
This implementation does not attempt to identify unique condition variables and instead advocates for the usage of `cnd_broadcast`.

## References

Expand Up @@ -149,7 +149,7 @@ Search for [vulnerabilities](https://www.securecoding.cert.org/confluence/displa

## Implementation notes

None
This implementation does not attempt to identify a relationship between the condition variable and the atomic operation.

## References

Expand Up @@ -218,7 +218,7 @@ Search for vulnerabilities resulting from the violation of this rule on the [CER

## Implementation notes

None
The rule is enforced in the context of a single function.

## References

Expand Up @@ -249,7 +249,7 @@ FIO32-C = Union( CWE-67, list) where list =

## Implementation notes

None
The rule checks that filenames are not tainted. It does not verify that appropriate OS-specific checks are in place to exclude that the opened file is a device.

## References

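Review bot: "to exclude that the opened file is a device" is awkward; suggest "to ensure that the opened file is not a device". A one-line statement of which sources the query treats as taint would also make the first sentence actionable, since that is the whole scope of the check.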
Expand Up @@ -199,7 +199,7 @@ Therefore: FIO34-C = Subset( CWE-197)

## Implementation notes

None
The rule is enforced in the context of a single function. The query does not validate if the FILE status is handled correctly after being read.

## References

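Review bot: "does not validate if the FILE status is handled correctly" should be "does not validate whether the FILE status is handled correctly", and "FILE status" is unclear: if it means the stream's end-of-file and error indicators (feof()/ferror()) after the read, say so. The identical sentence appears in the EndOfFileCheckPortability.md hunk below, so apply the same wording fix there (or once in the generating JSON).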
2 changes: 1 addition & 1 deletion c/cert/src/rules/FIO34-C/EndOfFileCheckPortability.md
Expand Up @@ -199,7 +199,7 @@ Therefore: FIO34-C = Subset( CWE-197)

## Implementation notes

None
The rule is enforced in the context of a single function. The query does not validate if the FILE status is handled correctly after being read.

## References

Expand Up @@ -102,7 +102,7 @@ CWE-241 = Union( FIO37-C, list) where list =

## Implementation notes

None
The rule checks that access to a string returned by fgets() or fgetws() if protected by a guard condition. The rule is enforced in the context of a single function.

## References

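Review bot: typo in the added note: "access to a string returned by fgets() or fgetws() if protected by a guard condition" should read "is protected by a guard condition".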
Expand Up @@ -135,7 +135,7 @@ This CWE is vague on what constitutes “improper control of a resource”. It c

## Implementation notes

None
The rule is enforced in the context of a single function.

## References

Expand Up @@ -229,7 +229,7 @@ FIO42-C - CWE-403 = SPECIAL_CASES, where SPECIAL_CASES =

## Implementation notes

None
The rule is enforced in the context of a single function.

## References

Expand Up @@ -68,7 +68,7 @@ Search for [vulnerabilities](https://wiki.sei.cmu.edu/confluence/display/c/BB.+D

## Implementation notes

None
The rule is enforced in the context of a single function.

## References

Expand Up @@ -162,7 +162,7 @@ MSC30-C, MSC32-C and CON33-C are independent, they have no intersections. They e

## Implementation notes

None
This rule will be checked by looking for calls to random that are no preceded by a call to srandom(). We perform a simple check for the argument to srandom() and verify it is not a literal (or a value easily deduced to be a literal).

## References

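Review bot: "calls to random that are no preceded by a call to srandom()" should be "calls to random() that are not preceded by a call to srandom()" (the bare "random" is also inconsistent with "srandom()" later in the sentence). The second sentence under-specifies "a value easily deduced to be a literal"; stating which cases the query treats as a literal (e.g. constant expressions) would tell users which seeds are flagged and which slip through.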
Expand Up @@ -475,7 +475,7 @@ Copying string data to a buffer that is too small to hold that data results in a

Array access out of bounds, Buffer overflow from incorrect string format specifier, Destination buffer overflow in string manipulation, Invalid use of standard library string routine, Missing null in string array, Pointer access out of bounds, Tainted NULL or non-null-terminated string, Use of dangerous standard function

<table> <tbody> <tr> <th> Tool </th> <th> Version </th> <th> Checker </th> <th> Description </th> </tr> <tr> <td> <a> Astrée </a> </td> <td> 22.04 </td> <td> </td> <td> Supported Astrée reports all buffer overflows resulting from copying data to a buffer that is not large enough to hold that data. </td> </tr> <tr> <td> <a> Axivion Bauhaus Suite </a> </td> <td> 7.2.0 </td> <td> <strong>CertC-STR31</strong> </td> <td> Detects calls to unsafe string function that may cause buffer overflow Detects potential buffer overruns, including those caused by unsafe usage of <code>fscanf()</code> </td> </tr> <tr> <td> <a> CodeSonar </a> </td> <td> 7.0p0 </td> <td> <strong>LANG.MEM.BO</strong> <strong>LANG.MEM.TO</strong> <strong>MISC.MEM.NTERM</strong> <strong>BADFUNC.BO.\*</strong> </td> <td> Buffer overrun Type overrun No space for null terminator A collection of warning classes that report uses of library functions prone to internal buffer overflows </td> </tr> <tr> <td> <a> Compass/ROSE </a> </td> <td> </td> <td> </td> <td> Can detect violations of the rule. 
However, it is unable to handle cases involving <code>strcpy_s()</code> or manual string copies such as the one in the first example </td> </tr> <tr> <td> <a> Coverity </a> </td> <td> 2017.07 </td> <td> <strong>STRING_OVERFLOW</strong> <strong>BUFFER_SIZE</strong> <strong>OVERRUN</strong> <strong>STRING_SIZE</strong> </td> <td> Fully implemented </td> </tr> <tr> <td> <a> Fortify SCA </a> </td> <td> 5.0 </td> <td> </td> <td> </td> </tr> <tr> <td> <a> Helix QAC </a> </td> <td> 2022.2 </td> <td> <strong>C2840, C2841, C2842, C2843, C2845, C2846, C2847, C2848, C2930, C2931, C2932, C2933, C2935, C2936, C2937, C2938</strong> <strong>C++0145, C++2840, C++2841, C++2842, C++2843, C++2845, C++2846, C++2847, C++2848, C++2930, C++2931, C++2932, C++2933, C++2935, C++2936, C++2937, C++2938</strong> </td> <td> </td> </tr> <tr> <td> <a> Klocwork </a> </td> <td> 2022.2 </td> <td> <strong>SV.FMT_STR.BAD_SCAN_FORMAT</strong> <strong>SV.UNBOUND_STRING_INPUT.FUNC</strong> </td> <td> </td> </tr> <tr> <td> <a> LDRA tool suite </a> </td> <td> 9.7.1 </td> <td> <strong>489 S, 109 D, 66 X, 70 X, 71 X</strong> </td> <td> Partially implemented </td> </tr> <tr> <td> <a> Parasoft C/C++test </a> </td> <td> 2022.1 </td> <td> <strong>CERT_C-STR31-a</strong> <strong>CERT_C-STR31-b</strong> <strong>CERT_C-STR31-c</strong> <strong>CERT_C-STR31-d</strong> <strong>CERT_C-STR31-e</strong> </td> <td> Avoid accessing arrays out of bounds Avoid overflow when writing to a buffer Prevent buffer overflows from tainted data Avoid buffer write overflow from tainted data Avoid using unsafe string functions which may cause buffer overflows </td> </tr> <tr> <td> <a> PC-lint Plus </a> </td> <td> 1.4 </td> <td> <strong>421, 498</strong> </td> <td> Partially supported </td> </tr> <tr> <td> <a> Polyspace Bug Finder </a> </td> <td> R2022a </td> <td> <a> CERT C: Rule STR31-C </a> </td> <td> Checks for: Use of dangerous standard functionse of dangerous standard function, missing null in string arrayissing null in string 
array, buffer overflow from incorrect string format specifieruffer overflow from incorrect string format specifier, destination buffer overflow in string manipulationestination buffer overflow in string manipulation, tainted null or non-null-terminated stringainted null or non-null-terminated string. Rule partially covered. </td> </tr> <tr> <td> <a> PRQA QA-C </a> </td> <td> 9.7 </td> <td> <strong>5009, 5038, 2840, 2841, 2842, 2843, 2845, 2846, 2847, 2848, 2930, 2931, 2932, 2933, 2935, 2936, 2937, 2938</strong> </td> <td> Partially implemented </td> </tr> <tr> <td> <a> PRQA QA-C++ </a> </td> <td> 4.4 </td> <td> <strong>0145, 2840, 2841, 2842, 2843, 2845, 2846, 2847, 2848, 2930, 2931, 2932, 2933, 2935, 2936, 2937, 2938, 5006, 5038</strong> </td> <td> </td> </tr> <tr> <td> <a> PVS-Studio </a> </td> <td> 7.19 </td> <td> <strong>V518<a></a></strong> , <strong>V645<a></a></strong> , <strong>V727<a></a></strong> , <strong><a>V755</a></strong> </td> <td> </td> </tr> <tr> <td> <a> Splint </a> </td> <td> 3.1.1 </td> <td> </td> <td> </td> </tr> <tr> <td> <a> TrustInSoft Analyzer </a> </td> <td> 1.38 </td> <td> <strong>mem_access</strong> </td> <td> Exhaustively verified (see <a> one compliant and one non-compliant example </a> ). </td> </tr> </tbody> </table>
<table> <tbody> <tr> <th> Tool </th> <th> Version </th> <th> Checker </th> <th> Description </th> </tr> <tr> <td> <a> Astrée </a> </td> <td> 22.04 </td> <td> </td> <td> Supported Astrée reports all buffer overflows resulting from copying data to a buffer that is not large enough to hold that data. </td> </tr> <tr> <td> <a> Axivion Bauhaus Suite </a> </td> <td> 7.2.0 </td> <td> <strong>CertC-STR31</strong> </td> <td> Detects calls to unsafe string function that may cause buffer overflow Detects potential buffer overruns, including those caused by unsafe usage of <code>fscanf()</code> </td> </tr> <tr> <td> <a> CodeSonar </a> </td> <td> 7.0p0 </td> <td> <strong>LANG.MEM.BO</strong> <strong>LANG.MEM.TO</strong> <strong>MISC.MEM.NTERM</strong> <strong>BADFUNC.BO.\*</strong> </td> <td> Buffer overrun Type overrun No space for null terminator A collection of warning classes that report uses of library functions prone to internal buffer overflows </td> </tr> <tr> <td> <a> Compass/ROSE </a> </td> <td> </td> <td> </td> <td> Can detect violations of the rule. 
However, it is unable to handle cases involving <code>strcpy_s()</code> or manual string copies such as the one in the first example </td> </tr> <tr> <td> <a> Coverity </a> </td> <td> 2017.07 </td> <td> <strong>STRING_OVERFLOW</strong> <strong>BUFFER_SIZE</strong> <strong>OVERRUN</strong> <strong>STRING_SIZE</strong> </td> <td> Fully implemented </td> </tr> <tr> <td> <a> Fortify SCA </a> </td> <td> 5.0 </td> <td> </td> <td> </td> </tr> <tr> <td> <a> Helix QAC </a> </td> <td> 2022.2 </td> <td> <strong>C2840, C2841, C2842, C2843, C2845, C2846, C2847, C2848, C2930, C2931, C2932, C2933, C2935, C2936, C2937, C2938</strong> <strong>C++0145, C++2840, C++2841, C++2842, C++2843, C++2845, C++2846, C++2847, C++2848, C++2930, C++2931, C++2932, C++2933, C++2935, C++2936, C++2937, C++2938</strong> </td> <td> </td> </tr> <tr> <td> <a> Klocwork </a> </td> <td> 2022.2 </td> <td> <strong>SV.FMT_STR.BAD_SCAN_FORMAT</strong> <strong>SV.UNBOUND_STRING_INPUT.FUNC</strong> </td> <td> </td> </tr> <tr> <td> <a> LDRA tool suite </a> </td> <td> 9.7.1 </td> <td> <strong>489 S, 109 D, 66 X, 70 X, 71 X</strong> </td> <td> Partially implemented </td> </tr> <tr> <td> <a> Parasoft C/C++test </a> </td> <td> 2022.1 </td> <td> <strong>CERT_C-STR31-a</strong> <strong>CERT_C-STR31-b</strong> <strong>CERT_C-STR31-c</strong> <strong>CERT_C-STR31-d</strong> <strong>CERT_C-STR31-e</strong> </td> <td> Avoid accessing arrays out of bounds Avoid overflow when writing to a buffer Prevent buffer overflows from tainted data Avoid buffer write overflow from tainted data Avoid using unsafe string functions which may cause buffer overflows </td> </tr> <tr> <td> <a> PC-lint Plus </a> </td> <td> 1.4 </td> <td> <strong>421, 498</strong> </td> <td> Partially supported </td> </tr> <tr> <td> <a> Polyspace Bug Finder </a> </td> <td> R2022a </td> <td> <a> CERT C: Rule STR31-C </a> </td> <td> Checks for: Use of dangerous standard functionse of dangerous standard function, missing null in string arrayissing null in string 
array, buffer overflow from incorrect string format specifieruffer overflow from incorrect string format specifier, destination buffer overflow in string manipulationestination buffer overflow in string manipulation, tainted null or non-null-terminated stringainted null or non-null-terminated string. Rule partially covered. </td> </tr> <tr> <td> <a> PRQA QA-C </a> </td> <td> 9.7 </td> <td> <strong>5009, 5038, 2840, 2841, 2842, 2843, 2845, 2846, 2847, 2848, 2930, 2931, 2932, 2933, 2935, 2936, 2937, 2938</strong> </td> <td> Partially implemented </td> </tr> <tr> <td> <a> PRQA QA-C++ </a> </td> <td> 4.4 </td> <td> <strong>0145, 2840, 2841, 2842, 2843, 2845, 2846, 2847, 2848, 2930, 2931, 2932, 2933, 2935, 2936, 2937, 2938, 5006, 5038</strong> </td> <td> </td> </tr> <tr> <td> <a> PVS-Studio </a> </td> <td> 7.20 </td> <td> <strong>V518<a></a></strong> , <strong>V645<a></a></strong> , <strong>V727<a></a></strong> , <strong><a>V755</a></strong> </td> <td> </td> </tr> <tr> <td> <a> Splint </a> </td> <td> 3.1.1 </td> <td> </td> <td> </td> </tr> <tr> <td> <a> TrustInSoft Analyzer </a> </td> <td> 1.38 </td> <td> <strong>mem_access</strong> </td> <td> Exhaustively verified (see <a> one compliant and one non-compliant example </a> ). </td> </tr> </tbody> </table>


## Related Vulnerabilities
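Review bot: the only material change in this table is the PVS-Studio version (7.19 to 7.20); the remaining rows are re-emitted verbatim, including the mangled Polyspace Bug Finder cell ("Use of dangerous standard functionse of dangerous standard function, missing null in string arrayissing null in string array, ..."), which appears in both the removed and the added rows. If this table is imported mechanically from the CERT wiki, the duplication is an import artefact better fixed in the importer than shipped in the help text; otherwise clean the cell by hand in this PR.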
Expand Down Expand Up @@ -574,7 +574,7 @@ CWE-193 involves an integer computation error (typically off-by-one), which is o

## Implementation notes

None
The enforcement of this rule does not try to approximate the effects of loops and as such may not find cases where a loop operation on a string fails to null terminate a string (or causes an overflow).

## References

6 changes: 4 additions & 2 deletions rule_packages/c/Concurrency1.json
Expand Up @@ -53,11 +53,13 @@
"precision": "very-high",
"severity": "error",
"short_name": "DoNotCallSignalInMultithreadedProgram",
"implementation_scope" : "This implementation does not consider threads created function pointers.",
"tags": [
"correctness",
"concurrency"
]
],
"implementation_scope": {
"description": "This implementation does not consider threads created function pointers."
}
}
],
"title": "Do not call signal() in a multithreaded program"
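Review bot: the removed line stored implementation_scope as a bare string at query level, while the added lines (and the Concurrency3.json and Contracts1.json hunks) use an object with a "description" key. Since a misplaced or mis-shaped scope evidently rendered as "None" in the generated help files instead of failing, it would be worth validating the rule package shape (key position and object form) in CI so that this class of mistake is caught before help generation.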
30 changes: 15 additions & 15 deletions rule_packages/c/Concurrency3.json
Expand Up @@ -16,7 +16,10 @@
"tags": [
"correctness",
"concurrency"
]
],
"implementation_scope": {
"description": "This implementation does not allow for thread synchronization to be performed in subroutines. All synchronization must be performed within the context of the other thread management functions."
}
},
{
"description": "Calling delete on a locked mutex removes protections around shared resources.",
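Review bot: the scope is added only to the first CON31-C query here; the second query of this rule (the one whose description "Calling delete on a locked mutex removes protections around shared resources." begins the trailing context) gets none, while the rule-level entry removed in the next hunk applied to the whole rule. If the subroutine limitation also applies to that query, add the same implementation_scope object there; otherwise record in the PR why it does not.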
Expand All @@ -32,10 +35,7 @@
]
}
],
"title": "Do not destroy a mutex while it is locked",
"implementation_scope": {
"description": "This implementation does not allow for thread synchronization to be performed in subroutines. All synchronization must be performed within the context of the other thread management functions."
}
"title": "Do not destroy a mutex while it is locked"
},
"CON38-C": {
"properties": {
Expand All @@ -53,13 +53,13 @@
"tags": [
"correctness",
"concurrency"
]
],
"implementation_scope": {
"description": "This implementation does not attempt to identify unique condition variables and instead advocates for the usage of `cnd_broadcast`."
}
}
],
"title": "Preserve thread safety and liveness when using condition variables",
"implementation_scope": {
"description": "This implementation does not attempt to identify unique condition variables and instead advocates for the usage of `cnd_broadcast`."
}
"title": "Preserve thread safety and liveness when using condition variables"
},
"CON41-C": {
"properties": {
Expand All @@ -76,13 +76,13 @@
"tags": [
"correctness",
"concurrency"
]
],
"implementation_scope": {
"description": "This implementation does not attempt to identify a relationship between the condition variable and the atomic operation."
}
}
],
"title": "Wrap functions that can fail spuriously in a loop",
"implementation_scope": {
"description": "This implementation does not attempt to identify a relationship between the condition variable and the atomic operation."
}
"title": "Wrap functions that can fail spuriously in a loop"
}
}
}
11 changes: 4 additions & 7 deletions rule_packages/c/Contracts1.json
@@ -1,9 +1,6 @@
{
"CERT-C": {
"ENV30-C": {
"implementation_scope": {
"description": "None."
},
"properties": {
"obligation": "rule"
},
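Review bot: ENV30-C's scope is dropped rather than moved, which is reasonable since it held only "None."; please confirm the help generator emits "None" for a missing key so the ENV30-C help file keeps its Implementation notes section, and that no other rule in this package relied on the rule-level key.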
Expand All @@ -23,9 +20,6 @@
"title": "Do not modify the object referenced by the return value of certain functions"
},
"ENV31-C": {
"implementation_scope": {
"description": "The rule is enforced in the context of a single function."
},
"properties": {
"obligation": "rule"
},
Expand All @@ -39,7 +33,10 @@
"short_name": "EnvPointerIsInvalidAfterCertainOperations",
"tags": [
"correctness"
]
],
"implementation_scope": {
"description": "The rule is enforced in the context of a single function."
}
}
],
"title": "Do not rely on an environment pointer following an operation that may invalidate it"