Rails Backend: Vulnerability fingerprints are compared across different fingerprint types effectively leading to FNs
Summary
In the tracking calculator we support adding new algorithms for the purpose of Vulnerability Tracking. The generated fingerprints should only be compared when they belong to the same type; fingerprints of different types cannot be compared in a meaningful way and should not be compared at all. At the moment we compare vulnerability fingerprints across different types.
This comparison can lead to a situation where new vulnerabilities are falsely ignored (false negatives), because their fingerprint value happens to match the fingerprint of an existing vulnerability even though the two fingerprints were produced by different algorithms.
Steps to reproduce
Add the sample below as a file test.cpp to a GitLab project with SAST enabled.
```cpp
#include <iostream>
#include <cstring>

int test() {
    char x[20];
    char y[20];
    int i = 10;
    // test
    memcpy(x, y, i);        // detected
    memcpy(y, "2100{", 2);  // detected
    //memcpy(x, "2100{", 2);
    //memcpy(y, "2100{", 2);
    memcpy(x, "2100{", 2);  // not detected
    memcpy(y, "2100{", 2);  // not detected
    memcpy(y, "2100{", 2);  // detected
    if (true) {
        memcpy(y, "2100{", 2);  // detected
    }
    memcpy(y, "2100{", 2);  // not detected
    memcpy(y, "2100{", 2);  // detected
    return 0;
}
```
Looking at gl-sast-report.json, the scope_offset fingerprint of test.cpp:14 clashes with the scope_offset_compressed fingerprint of test.cpp:20, and the scope_offset fingerprint of test.cpp:15 clashes with the scope_offset_compressed fingerprint of test.cpp:21 (relevant excerpts below):
```json
{
  "location": {
    "file": "test.cpp",
    "start_line": 14
  },
  "signatures": [
    {
      "algorithm": "scope_offset",
      "value": "test.cpp|test()[0]:10"
    }
  ]
}
{
  "location": {
    "file": "test.cpp",
    "start_line": 15
  },
  "signatures": [
    {
      "algorithm": "scope_offset",
      "value": "test.cpp|test()[0]:11"
    }
  ]
}
{
  "location": {
    "file": "test.cpp",
    "start_line": 20
  },
  "signatures": [
    {
      "algorithm": "scope_offset_compressed",
      "value": "test.cpp|test()[0]:10"
    }
  ]
}
{
  "location": {
    "file": "test.cpp",
    "start_line": 21
  },
  "signatures": [
    {
      "algorithm": "scope_offset_compressed",
      "value": "test.cpp|test()[0]:11"
    }
  ]
}
```
Example Project
https://gitlab.com/julianthome/cpptest4
What is the current bug behavior?
New vulnerabilities are falsely ignored (false negatives) when their fingerprint value collides with an existing fingerprint of a different type.
What is the expected correct behavior?
All newly added vulnerabilities should be correctly reported.
Possible fixes
Change the backend logic to only compare fingerprints when they belong to the same type.
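As an added illustration of that fix (example code written for this report, not GitLab's Rails implementation; the `matches_buggy?`, `matches_fixed?` and `unmatched_locations` helpers and the finding hashes are constructed from the report excerpts above):

```ruby
# Added example, not GitLab's code: models the fingerprint comparison described in this issue.
# Each finding carries a list of signatures {algorithm:, value:} as in gl-sast-report.json.

# Constructed from the excerpts above: findings already stored in the backend.
EXISTING = [
  { location: 'test.cpp:14', signatures: [{ algorithm: 'scope_offset', value: 'test.cpp|test()[0]:10' }] },
  { location: 'test.cpp:15', signatures: [{ algorithm: 'scope_offset', value: 'test.cpp|test()[0]:11' }] }
].freeze

# Constructed: findings from the new report. 20/21 share values with 14/15 under a
# different algorithm; the last one is a genuine same-algorithm match (e.g. line moved).
NEW = [
  { location: 'test.cpp:20', signatures: [{ algorithm: 'scope_offset_compressed', value: 'test.cpp|test()[0]:10' }] },
  { location: 'test.cpp:21', signatures: [{ algorithm: 'scope_offset_compressed', value: 'test.cpp|test()[0]:11' }] },
  { location: 'test.cpp:16', signatures: [{ algorithm: 'scope_offset', value: 'test.cpp|test()[0]:10' }] }
].freeze

# Buggy behaviour: a match is decided on the fingerprint value alone, ignoring the algorithm.
def matches_buggy?(a, b)
  a[:signatures].any? { |sa| b[:signatures].any? { |sb| sa[:value] == sb[:value] } }
end

# Fixed behaviour: a match requires the same algorithm AND the same value.
def matches_fixed?(a, b)
  a[:signatures].any? do |sa|
    b[:signatures].any? { |sb| sa[:algorithm] == sb[:algorithm] && sa[:value] == sb[:value] }
  end
end

# Locations of new findings that no existing finding matches, i.e. what gets reported as new.
def unmatched_locations(existing, new_findings, matcher)
  new_findings.reject { |n| existing.any? { |e| send(matcher, e, n) } }.map { |n| n[:location] }
end

puts "buggy reports as new: #{unmatched_locations(EXISTING, NEW, :matches_buggy?).inspect}"
puts "fixed reports as new: #{unmatched_locations(EXISTING, NEW, :matches_fixed?).inspect}"
```

With the buggy comparison nothing is reported as new; with the fixed one test.cpp:20 and test.cpp:21 surface, while the genuine scope_offset match at test.cpp:16 is still deduplicated.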