On Friday, May 10, 2019 1:34:55 PM CEST Florian Weimer wrote:
> * Kamil Dudka:
> >> For example, how do you know that the reports are false positives and not
> >> true positives?
> >
> > I think it was obvious from my previous explanation:
> >
> > (1) You need to check (by manual review) that the source of data is really
> > untrusted.
> >
> > (2) You need to check (by manual review) that there is no sufficient check
> > on the data.
> >
> > (3) You need to check (by manual review) that the sink function is really
> > vulnerable to data from an untrusted source.
> >
> > When doing step (3), I verified that Gnulib's base64_encode() can safely
> > process data from an untrusted source. Then I wanted to record this
> > information in the source code so that other users of Gnulib do not
> > need to verify this each time they run Coverity on a project that bundles
> > Gnulib's implementation of base64_encode().
>
> Does the annotation make the base64 functions trusted in the sense that
> they now turn untrusted data into trusted data? That would be
> undesirable in my opinion.
Nope. The following annotation:

/* coverity[-tainted_data_sink: arg-0] */

... does not affect data sanitization at all, as I understand it. It only tells
Coverity that the `in` parameter of base64_encode() is not a taint sink.

On the other hand, I do not think that Coverity tracks propagation of tainted
data across non-trivial operations on the data (implementation of the base64
algorithm is IMO definitely out of scope).

Kamil

> Thanks,
> Florian