✨ New Probe: Memory safety #4499
Conversation
balteravishay
temporarily deployed
to
integration-test
GitHub Actions
Inactive
Signed-off-by: balteravishay <[email protected]>
The intention was always to sort, but the wrong sort function was used. This led to an unsorted list, which was dependent on map iteration order, leading to flaky unit tests. This was reproducible with go test when passing a large --count option. Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: balteravishay <[email protected]>
Signed-off-by: balteravishay <[email protected]>
Signed-off-by: balteravishay <[email protected]>
Since upgrading to v1.9.1 we've had performance issues in the weekly analysis, which may be related to one of the Maven features here. Signed-off-by: Spencer Schrock <[email protected]> Signed-off-by: balteravishay <[email protected]>
…sf#4467) Signed-off-by: balteravishay <[email protected]>
Signed-off-by: balteravishay <[email protected]>
Signed-off-by: balteravishay <[email protected]>
Signed-off-by: balteravishay <[email protected]>
Signed-off-by: balteravishay <[email protected]>
Signed-off-by: balteravishay <[email protected]>
balteravishay
force-pushed
the
memory-safety-probe
branch
from
a159254 to
56f3ef7
Compare
Signed-off-by: balteravishay <[email protected]>
balteravishay
temporarily deployed
to
integration-test
GitHub Actions
Inactive
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4499 +/- ##
==========================================
+ Coverage 66.80% 68.58% +1.77%
==========================================
Files 230 247 +17
Lines 16602 18583 +1981
==========================================
+ Hits 11091 12745 +1654
- Misses 4808 5003 +195
- Partials 703 835 +132 |
Signed-off-by: balteravishay <[email protected]>
balteravishay
temporarily deployed
to
integration-test
GitHub Actions
Inactive
balteravishay
requested review from
justaugustus and
raghavkaul
and removed request for
a team
Signed-off-by: balteravishay <[email protected]>
balteravishay
temporarily deployed
to
integration-test
GitHub Actions
Inactive
Signed-off-by: balteravishay <[email protected]>
balteravishay
temporarily deployed
to
integration-test
GitHub Actions
Inactive
|
here are some repos to test the code: go run main.go --repo github.com/microsoft/midi --probes memorysafe --format probe (.net unsafe code) |
Signed-off-by: balteravishay <[email protected]>
balteravishay
temporarily deployed
to
integration-test
GitHub Actions
Inactive
|
Hoping to have some time to look at this tomorrow. Quick question about organization:
Probes are usually one specific behavior. In this case, the probe is concerned with looking for |
| id: memorysafe | ||
| lifecycle: experimental | ||
| short: Flags non memory safe practices in this project. | ||
| motivation: > | ||
| Memory safety in software should be considered a continuum, rather than being binary. | ||
| This probe does not consider a specific ecosystem more or less memory safe than another, but rather tries to surface non memory safe code or practices in the project, in the context of the ecosystems it is using. | ||
| implementation: > | ||
| The probe is ecosystem-specific and tries to flag non memory safe code blocks in the project by looking at the code and practices used in the project. | ||
| It may look for specific memory safety practices, such as the use tools or non memory-safe patterns and code. | ||
| The probe supports multiple checks for each ecosystem, and the outcome is based on the results of these checks. |
There was a problem hiding this comment.
this would need to be altered to focus on just unsafe detection if the probe does just one thing. Though unsafe is too generic.
So maybe something like unsafeblock? Open to suggestions/brainstorming.
| clients: | ||
| - github |
There was a problem hiding this comment.
It's just based on file content? so it could support all of them?
- github
- gitlab
- localdir
| if langFunc == nil { | ||
| raw.Dlogger.Warn(&checker.LogMessage{ | ||
| Text: fmt.Sprintf("no function pointer found for language %s", lang.Desc), | ||
| }) | ||
| } |
There was a problem hiding this comment.
what's the goal for this? it would still panic below because we call langFunc(raw) below.
We could avoid the panic by adding a continue, but this is based on languageMemorySafeSpecs which should be constant. So any nil pointer is a programming mistake, and a panic could be appropriate to keep.
My vote is to remove this block, since the warning wouldn't be visible to anyone due to the panic. Thoughts?
| func getRepositoryLanguageChecks(raw *checker.CheckRequest) []languageMemoryCheckConfig { | ||
| langs, err := raw.RepoClient.ListProgrammingLanguages() | ||
| if err != nil { | ||
| raw.Dlogger.Warn(&checker.LogMessage{ | ||
| Text: fmt.Sprintf("RepoClient retured error for ListProgrammingLanguages: %v", err), | ||
| }) |
There was a problem hiding this comment.
instead of handling the error and continuing, let's just return it. We're not going to be able to do much without the repo's languages.
func getLanguageChecks(raw *checker.CheckRequest) ([]languageMemoryCheckConfig, error) {| dl, ok := args[1].(checker.DetailLogger) | ||
| if !ok { | ||
| // panic if it is not correct type | ||
| panic(fmt.Sprintf("expected type checker.DetailLogger, got %v", reflect.TypeOf(args[1]))) |
There was a problem hiding this comment.
we should move the type checking out of the err != nil block to make the panics when passing wrong types more obvious.
| "Golang code uses the unsafe package", &finding.Location{ | ||
| Path: path, | ||
| }, finding.OutcomeFalse) |
There was a problem hiding this comment.
we have much more info than path available if we use :
https://pkg.go.dev/go/ast#ImportSpec.Pos and https://pkg.go.dev/go/ast#ImportSpec.End
Something like:
position := fset.Position(i.Pos())
and then we have access to line info too and can set finding. LineStart. https://pkg.go.dev/go/token#Position
| if len(findings) == 0 { | ||
| found, err := finding.NewWith(fs, Probe, | ||
| "Golang code does not use the unsafe package", nil, finding.OutcomeTrue) |
There was a problem hiding this comment.
we could also move this (and the c# version) to one combined top level check in Run before the return,depending on the semantics we want the probe to have.
| dl, ok := args[1].(checker.DetailLogger) | ||
| if !ok { | ||
| // panic if it is not correct type | ||
| panic(fmt.Sprintf("expected type checker.DetailLogger, got %v", reflect.TypeOf(args[1]))) |
There was a problem hiding this comment.
same comment about moving type check
What kind of change does this PR introduce?
This PR provides the foundation for addressing issue #3736 by adding a new probe that checks if the code uses non memory safe practices for the repository languages.
The goal is to automate the detection of as many of the practices that the memory safety SIG provides under the Best Practices - Memory-Safe By Default Languages and the Best Practices - Non Memory-Safe By Default Languages guides.
What is the current behavior?
Today scorecard does not detect memory safe practices in it's core features or in any of the probes.
What is the new behavior (if this is a feature change)?**
Probe detects the following:
for golang it detects if the code imports the unsafe package and points to the locations where it is used.
for c# it detects if the projects allow for unsafe blocks which is a requirement for any project that would use any form of .Net unsafe code, pointer types, and function pointers
Tests for the changes have been added (for bug fixes/features)
Which issue(s) this PR fixes
This code change addresses issue #3736 but does not close it (to be discussed)
Special notes for your reviewer
This code change and the implementation of it were discussed in scorecard community calls with @spencerschrock
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note(In particular, describe what changes users might need to make in their
application as a result of this pull request.)