Extend sink analyser for more cwe

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>

src/fuzz_introspector/analyses/data/cwe_data.py

@@ -0,0 +1,121 @@
+# Copyright 2023 Fuzz Introspector Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SINK_FUNCTION = {
+    'CWE79': {
+        'c-cpp': [
+            ('', 'system'),
+            ('', 'execl'),
+            ('', 'execlp'),
+            ('', 'execle'),
+            ('', 'execv'),
+            ('', 'execvp'),
+            ('', 'execve'),
+            ('', 'wordexp'),
+            ('', 'popen'),
+        ],
+        'python': [
+            ('<builtin>', 'exec'), ('<builtin>', 'eval'),
+            ('subprocess', 'call'), ('subprocess', 'run'),
+            ('subprocess', 'Popen'), ('subprocess', 'check_output'),
+            ('os', 'system'), ('os', 'popen'), ('os', 'spawn'),
+            ('os', 'spawnl'), ('os', 'spawnle'), ('os', 'spawnlp'),
+            ('os', 'spawnlpe'), ('os', 'spawnv'), ('os', 'spawnvp'),
+            ('os', 'spawnve'), ('os', 'spawnvpe'), ('os', 'exec'),
+            ('os', 'execl'), ('os', 'execle'), ('os', 'execlp'),
+            ('os', 'execlpe'), ('os', 'execv'), ('os', 'execve'),
+            ('os', 'execvp'), ('os', 'execlpe'),
+            ('asyncio', 'create_subprocess_shell'),
+            ('asyncio', 'create_subprocess_exec'), ('asyncio', 'run'),
+            ('asyncio', 'sleep'), ('logging.config', 'listen'),
+            ('code.InteractiveInterpreter', 'runsource'),
+            ('code.InteractiveInterpreter', 'runcode'),
+            ('code.InteractiveInterpreter', 'write'),
+            ('code.InteractiveConsole', 'push'),
+            ('code.InteractiveConsole', 'interact'),
+            ('code.InteractiveConsole', 'raw_input'), ('code', 'interact'),
+            ('code', 'compile_command')
+        ],
+        'jvm': [
+            ('java.lang.Runtime', 'exec'),
+            ('javax.xml.xpath.XPath', 'compile'),
+            ('javax.xml.xpath.XPath', 'evaluate'), ('java.lang.Thread', 'run'),
+            ('java.lang.Runnable', 'run'),
+            ('java.util.concurrent.Executor', 'execute'),
+            ('java.util.concurrent.Callable', 'call'),
+            ('java.lang.System', 'console'), ('java.lang.System', 'load'),
+            ('java.lang.System', 'loadLibrary'),
+            ('java.lang.System', 'mapLibraryName'),
+            ('java.lang.System', 'runFinalization'),
+            ('java.lang.System', 'setErr'), ('java.lang.System', 'setIn'),
+            ('java.lang.System', 'setOut'),
+            ('java.lang.System', 'setProperties'),
+            ('java.lang.System', 'setProperty'),
+            ('java.lang.System', 'setSecurityManager'),
+            ('java.lang.ProcessBuilder', 'directory'),
+            ('java.lang.ProcessBuilder', 'inheritIO'),
+            ('java.lang.ProcessBuilder', 'command'),
+            ('java.lang.ProcessBuilder', 'redirectError'),
+            ('java.lang.ProcessBuilder', 'redirectErrorStream'),
+            ('java.lang.ProcessBuilder', 'redirectInput'),
+            ('java.lang.ProcessBuilder', 'redirectOutput'),
+            ('java.lang.ProcessBuilder', 'start')
+        ]
+    },
+    'CWE78': {
+        'c-cpp': [],
+        'python': [],
+        'java': []
+    },
+    'CWE787': {
+        'c-cpp': [],
+        'python': [],
+        'java': []
+    },
+    'CWE89': {
+        'c-cpp': [],
+        'python': [],
+        'java': []
+    },
+    'CWE416': {
+        'c-cpp': [],
+        'python': [],
+        'java': []
+    },
+    'CWE20': {
+        'c-cpp': [],
+        'python': [],
+        'java': []
+    },
+    'CWE125': {
+        'c-cpp': [],
+        'python': [],
+        'java': []
+    },
+    'CWE22': {
+        'c-cpp': [],
+        'python': [],
+        'java': []
+    },
+    'CWE352': {
+        'c-cpp': [],
+        'python': [],
+        'java': []
+    },
+    'CWE434': {
+        'c-cpp': [],
+        'python': [],
+        'java': []
+    },
+}

src/fuzz_introspector/analyses/sinks_analyser.py

@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-"""Analysis plugin for introspection sink functions of interest"""
+"""Analysis plugin for introspection sink functions of interest for different CWE"""
 
 import json
 import logging
@@ -23,68 +23,16 @@
 from fuzz_introspector import (analysis, code_coverage, cfg_load, html_helpers,
                                json_report, utils)
 
+from fuzz_introspector.analyses.data import (cwe_data)
+
 from fuzz_introspector.datatypes import (project_profile, fuzzer_profile,
                                          function_profile)
 
 logger = logging.getLogger(name=__name__)
 
-# Common sink functions / methods for different language implementation
-SINK_FUNCTION = {
-    'c-cpp': [
-        ('', 'system'),
-        ('', 'execl'),
-        ('', 'execlp'),
-        ('', 'execle'),
-        ('', 'execv'),
-        ('', 'execvp'),
-        ('', 'execve'),
-        ('', 'wordexp'),
-        ('', 'popen'),
-    ],
-    'python': [('<builtin>', 'exec'), ('<builtin>', 'eval'),
-               ('subprocess', 'call'), ('subprocess', 'run'),
-               ('subprocess', 'Popen'), ('subprocess', 'check_output'),
-               ('os', 'system'), ('os', 'popen'), ('os', 'spawn'),
-               ('os', 'spawnl'), ('os', 'spawnle'), ('os', 'spawnlp'),
-               ('os', 'spawnlpe'), ('os', 'spawnv'), ('os', 'spawnvp'),
-               ('os', 'spawnve'), ('os', 'spawnvpe'), ('os', 'exec'),
-               ('os', 'execl'), ('os', 'execle'), ('os', 'execlp'),
-               ('os', 'execlpe'), ('os', 'execv'), ('os', 'execve'),
-               ('os', 'execvp'), ('os', 'execlpe'),
-               ('asyncio', 'create_subprocess_shell'),
-               ('asyncio', 'create_subprocess_exec'), ('asyncio', 'run'),
-               ('asyncio', 'sleep'), ('logging.config', 'listen'),
-               ('code.InteractiveInterpreter', 'runsource'),
-               ('code.InteractiveInterpreter', 'runcode'),
-               ('code.InteractiveInterpreter', 'write'),
-               ('code.InteractiveConsole', 'push'),
-               ('code.InteractiveConsole', 'interact'),
-               ('code.InteractiveConsole', 'raw_input'), ('code', 'interact'),
-               ('code', 'compile_command')],
-    'jvm': [('java.lang.Runtime', 'exec'),
-            ('javax.xml.xpath.XPath', 'compile'),
-            ('javax.xml.xpath.XPath', 'evaluate'), ('java.lang.Thread', 'run'),
-            ('java.lang.Runnable', 'run'),
-            ('java.util.concurrent.Executor', 'execute'),
-            ('java.util.concurrent.Callable', 'call'),
-            ('java.lang.System', 'console'), ('java.lang.System', 'load'),
-            ('java.lang.System', 'loadLibrary'),
-            ('java.lang.System', 'mapLibraryName'),
-            ('java.lang.System', 'runFinalization'),
-            ('java.lang.System', 'setErr'), ('java.lang.System', 'setIn'),
-            ('java.lang.System', 'setOut'),
-            ('java.lang.System', 'setProperties'),
-            ('java.lang.System', 'setProperty'),
-            ('java.lang.System', 'setSecurityManager'),
-            ('java.lang.ProcessBuilder', 'directory'),
-            ('java.lang.ProcessBuilder', 'inheritIO'),
-            ('java.lang.ProcessBuilder', 'command'),
-            ('java.lang.ProcessBuilder', 'redirectError'),
-            ('java.lang.ProcessBuilder', 'redirectErrorStream'),
-            ('java.lang.ProcessBuilder', 'redirectInput'),
-            ('java.lang.ProcessBuilder', 'redirectOutput'),
-            ('java.lang.ProcessBuilder', 'start')]
-}
+# List of sink functions for different CWE
+SINK_FUNCTION = cwe_data.SINK_FUNCTION
+ALL_CWE = list(SINK_FUNCTION)
 
 
 class SinkCoverageAnalyser(analysis.AnalysisInterface):
@@ -114,7 +62,7 @@ class SinkCoverageAnalyser(analysis.AnalysisInterface):
 
     def __init__(self) -> None:
         self.json_string_result = "[]"
-        #        self.display_html = False
+        self.display_html = False
         self.display_html = True
         self.index = 0
 
@@ -248,7 +196,7 @@ def _map_function_callsite(
 
     def _filter_function_list(
             self, functions: List[function_profile.FunctionProfile],
-            target_lang: str) -> List[function_profile.FunctionProfile]:
+            target_lang: str, target_cwe: str) -> List[function_profile.FunctionProfile]:
         """
         Filter out target list of functions which are considered
         as sinks for separate langauge which is the major
@@ -278,7 +226,7 @@ def _filter_function_list(
                 continue
 
             # Add the function profile to the result list if it matches one of the target
-            if (package, func_name) in SINK_FUNCTION[target_lang]:
+            if (package, func_name) in SINK_FUNCTION[target_cwe][target_lang]:
                 function_list.append(fd)
 
         return function_list
@@ -510,7 +458,7 @@ def _retrieve_content_rows(
         html_string = ""
         json_list = []
 
-        for fd in self._filter_function_list(functions, target_lang):
+        for fd in self._filter_function_list(functions, target_lang, 'CWE79'):
             json_dict: Dict[str, Any] = {}
             parent_list, parent_name_list = proj_profile.get_direct_parent_list(
                 fd)