I am trying to run the clang static analyzer (version 3.8) on some of the examples shown in its documentation (checkers).
I created a small C program, as follows:
// note: requires alpha.security.taint check turned on.
#include <stdio.h>   /* getchar() */

void test() {
    char s[] = "abc";
    int x = getchar();
    char c = s[x]; // warn: index is tainted
}

I am running the following command to analyze the code above:

/usr/lib/llvm-3.8/bin/scan-build -enable-checker alpha.security.taint.TaintPropagation clang -c example.c

The command above produces the following report:
scan-build: Using '/usr/lib/llvm-3.8/bin/clang' for static analysis
example.c:5:8: warning: Value stored to 'c' during its initialization is never read
char c = s[x]; // warn: index is tainted
^ ~~~~
1 warning generated.
scan-build: 1 bug found.
scan-build: Run 'scan-view /tmp/scan-build-2018-04-09-143549-15413-1' to examine bug reports.

I expected clang to complain about a buffer overflow and a buffer underflow on line 5, but it seems the taint analysis is not being run.
Could someone please suggest how to enable the "alpha.security.taint" check?
Posted on 2019-09-12 04:00:18
To get a warning when a tainted array index is used, you must enable both alpha.security.ArrayBoundV2 and alpha.security.taint.TaintPropagation.
$ ~/bld/llvm-project/build/bin/scan-build -enable-checker \
alpha.security.taint.TaintPropagation,alpha.security.ArrayBoundV2 \
gcc -c taint2.c
scan-build: Using '/home/scott/bld/llvm-project/build/bin/clang-9' for static analysis
taint2.c:6:10: warning: Value stored to 'c' during its initialization is never read
char c = s[x]; // warn: index is tainted
^ ~~~~
taint2.c:6:14: warning: Out of bound memory access (index is tainted)
char c = s[x]; // warn: index is tainted
^~~~
2 warnings generated.
scan-build: 2 bugs found.
scan-build: Run 'scan-view /tmp/scan-build-2019-09-11-204837-97704-1' to examine bug reports.

The TaintPropagation checker itself reports some things, for example passing tainted data to system(). It also exports the taint information for other checkers to use.
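An added example, not code from the question or the answer: the same tainted-index lookup next to a bounds-checked version, so the scan-build invocation from the answer can be tried on both paths in one file. The function and file names are assumptions; the expectation is that only demo_unchecked() produces the "Out of bound memory access (index is tainted)" report, because the range check in lookup_checked() constrains the index on every path that reaches the array.

```c
/* Added example (hypothetical file taint_demo.c). Analyze with:
 *   scan-build -enable-checker \
 *     alpha.security.taint.TaintPropagation,alpha.security.ArrayBoundV2 \
 *     clang -c taint_demo.c
 */
#include <stdio.h>

static const char table[] = "abc";
#define TABLE_LEN (sizeof table - 1)   /* 3 characters, excluding the NUL */

/* Reproduces the pattern from the question: the index comes straight from
 * input. TaintPropagation marks the getchar() result as tainted and
 * ArrayBoundV2 reports the access. Not called at runtime; the analyzer
 * still visits it as a top-level entry point. */
int demo_unchecked(void) {
    int x = getchar();
    return table[x];           /* warn: index is tainted */
}

/* Same lookup with an explicit range check. The branch is a path
 * constraint the analyzer understands, so the in-range path is not
 * reported, and the out-of-range path returns -1 instead of reading
 * outside the buffer. */
int lookup_checked(int x) {
    if (x < 0 || (size_t)x >= TABLE_LEN)
        return -1;
    return table[x];
}

int main(void) {
    int x = getchar();         /* taint source */
    int r = lookup_checked(x);
    if (r < 0) {
        fprintf(stderr, "index %d is outside 0..%zu\n", x, TABLE_LEN - 1);
        return 1;
    }
    printf("table[%d] = %c\n", x, r);
    return 0;
}
```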
https://stackoverflow.com/questions/49739648