Merge pull request #738 from github/michaelrfairhurst/implement-banne…

…d2-rule-package-rule-21-24 Implement banned2 package, rule 21-24 ban rand() and srand().
github · Oct 17, 2024 · d0c84dc · d0c84dc
2 parents b476450 + ee78b9b
commit d0c84dc
Show file tree

Hide file tree

Showing 7 changed files with 90 additions and 0 deletions.
diff --git a/c/misra/src/rules/RULE-21-24/CallToBannedRandomFunction.ql b/c/misra/src/rules/RULE-21-24/CallToBannedRandomFunction.ql
@@ -0,0 +1,23 @@
+/**
+ * @id c/misra/call-to-banned-random-function
+ * @name RULE-21-24: The random number generator functions of <stdlib.h> shall not be used
+ * @description The standard functions rand() and srand() will not give high quality random results
+ *              in all implementations and are therefore banned.
+ * @kind problem
+ * @precision very-high
+ * @problem.severity warning
+ * @tags external/misra/id/rule-21-24
+ *       security
+ *       external/misra/c/2012/amendment3
+ *       external/misra/obligation/required
+ */
+
+import cpp
+import codingstandards.c.misra
+
+from FunctionCall call, string name
+where
+  not isExcluded(call, Banned2Package::callToBannedRandomFunctionQuery()) and
+  name = ["rand", "srand"] and
+  call.getTarget().hasGlobalOrStdName(name)
+select call, "Call to banned random number generation function '" + name + "'."
diff --git a/c/misra/test/rules/RULE-21-24/CallToBannedRandomFunction.expected b/c/misra/test/rules/RULE-21-24/CallToBannedRandomFunction.expected
@@ -0,0 +1,2 @@
+| test.c:5:3:5:7 | call to srand | Call to banned random number generation function 'srand'. |
+| test.c:6:11:6:14 | call to rand | Call to banned random number generation function 'rand'. |
diff --git a/c/misra/test/rules/RULE-21-24/CallToBannedRandomFunction.qlref b/c/misra/test/rules/RULE-21-24/CallToBannedRandomFunction.qlref
@@ -0,0 +1 @@
+rules/RULE-21-24/CallToBannedRandomFunction.ql
diff --git a/c/misra/test/rules/RULE-21-24/test.c b/c/misra/test/rules/RULE-21-24/test.c
@@ -0,0 +1,11 @@
+#include "stdlib.h"
+
+void f() {
+  // rand() is banned -- and thus, so is srand().
+  srand(0);       // NON-COMPLIANT
+  int x = rand(); // NON-COMPLIANT
+
+  // Other functions from stdlib are not banned by this rule.
+  x = abs(-4);       // COMPLIANT
+  getenv("ENV_VAR"); // COMPLIANT
+}
diff --git a/cpp/common/src/codingstandards/cpp/exclusions/c/Banned2.qll b/cpp/common/src/codingstandards/cpp/exclusions/c/Banned2.qll
@@ -0,0 +1,26 @@
+//** THIS FILE IS AUTOGENERATED, DO NOT MODIFY DIRECTLY.  **/
+import cpp
+import RuleMetadata
+import codingstandards.cpp.exclusions.RuleMetadata
+
+newtype Banned2Query = TCallToBannedRandomFunctionQuery()
+
+predicate isBanned2QueryMetadata(Query query, string queryId, string ruleId, string category) {
+  query =
+    // `Query` instance for the `callToBannedRandomFunction` query
+    Banned2Package::callToBannedRandomFunctionQuery() and
+  queryId =
+    // `@id` for the `callToBannedRandomFunction` query
+    "c/misra/call-to-banned-random-function" and
+  ruleId = "RULE-21-24" and
+  category = "required"
+}
+
+module Banned2Package {
+  Query callToBannedRandomFunctionQuery() {
+    //autogenerate `Query` type
+    result =
+      // `Query` type for `callToBannedRandomFunction` query
+      TQueryC(TBanned2PackageQuery(TCallToBannedRandomFunctionQuery()))
+  }
+}
diff --git a/cpp/common/src/codingstandards/cpp/exclusions/c/RuleMetadata.qll b/cpp/common/src/codingstandards/cpp/exclusions/c/RuleMetadata.qll
@@ -3,6 +3,7 @@ import cpp
 import codingstandards.cpp.exclusions.RuleMetadata
 //** Import packages for this language **/
 import Banned
+import Banned2
 import BitfieldTypes
 import BitfieldTypes2
 import Concurrency1
@@ -78,6 +79,7 @@ import Types2
 /** The TQuery type representing this language * */
 newtype TCQuery =
   TBannedPackageQuery(BannedQuery q) or
+  TBanned2PackageQuery(Banned2Query q) or
   TBitfieldTypesPackageQuery(BitfieldTypesQuery q) or
   TBitfieldTypes2PackageQuery(BitfieldTypes2Query q) or
   TConcurrency1PackageQuery(Concurrency1Query q) or
@@ -153,6 +155,7 @@ newtype TCQuery =
 /** The metadata predicate * */
 predicate isQueryMetadata(Query query, string queryId, string ruleId, string category) {
   isBannedQueryMetadata(query, queryId, ruleId, category) or
+  isBanned2QueryMetadata(query, queryId, ruleId, category) or
   isBitfieldTypesQueryMetadata(query, queryId, ruleId, category) or
   isBitfieldTypes2QueryMetadata(query, queryId, ruleId, category) or
   isConcurrency1QueryMetadata(query, queryId, ruleId, category) or

diff --git a/rule_packages/c/Banned2.json b/rule_packages/c/Banned2.json
@@ -0,0 +1,24 @@
+{
+  "MISRA-C-2012": {
+    "RULE-21-24": {
+      "properties": {
+        "obligation": "required"
+      },
+      "queries": [
+        {
+          "description": "The standard functions rand() and srand() will not give high quality random results in all implementations and are therefore banned.",
+          "kind": "problem",
+          "name": "The random number generator functions of <stdlib.h> shall not be used",
+          "precision": "very-high",
+          "severity": "warning",
+          "short_name": "CallToBannedRandomFunction",
+          "tags": [
+            "security",
+            "external/misra/c/2012/amendment3"
+          ]
+        }
+      ],
+      "title": "The random number generator functions of <stdlib.h> shall not be used"
+    }
+  }
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		\| test.c:5:3:5:7 \| call to srand \| Call to banned random number generation function 'srand'. \|
		\| test.c:6:11:6:14 \| call to rand \| Call to banned random number generation function 'rand'. \|