Warning Categories

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.0p0 Hot Tips

CONFIDENTIAL

CodeSecure Inc

Warning Categories

Categories are associated with warning classes through the Categories property. They provide additional classification information for a warning.

Standard Category Kinds
Category Properties
Close and Broad Mappings
Viewing
Assigning
Searching
Filtering Warnings by Category
More Information

Standard Category Kinds ("Taxonomies")

The following table describes the kinds of categories that are associated with the warning classes shipped with CodeSonar. Users that are implementing custom checks can choose which categories to associate with those warnings, including categories beyond those listed here.

Category Type	Taxonomy Name	Category Naming Scheme
Mnemonics	CodeSonar	string	string is a CodeSonar-assigned identifier that concisely expresses features of the warning class.
CWE IDs	CWE	CWE:num	num is a "Weakness ID" in the Common Weakness Enumeration.
MISRA C rules	MisraC2023	MisraC2023:topic.num	topic.num is a rule number in the MISRA C:2023 Guidelines.
	MisraC2023	MisraC2023:D.topic.num	topic.num is a directive number in the MISRA C:2023 Guidelines.
	Misra2012	Misra2012:topic.num	topic.num is a rule number in the MISRA C:2012 Guidelines.
	Misra2012	Misra2012:D.topic.num	topic.num is a directive number in the MISRA C:2012 Guidelines.
	Misra2004	Misra2004:topic.num	topic.num is a rule number in the MISRA C:2004 Guidelines.
MISRA C++ rules	MisraC++2023	MisraC++2023:topic.num.num	topic.num.num is a rule number in the MISRA C++:2023 Guidelines.
MISRA C++ rules	MisraC++2008	MisraC++2008:topic-num-num	topic-num-num is a rule number in the MISRA C++:2008 Guidelines.
AUTOSAR Rules	AUTOSARC++14	AUTOSARC++14:num	num is a rule number in the AUTOSAR AP Release 18-10 Guidelines.
OWASP Top 10 Lists	OWASP-2021	OWASP-2021:Anum	Anum is an identifier from the OWASP Top 10 2021.
OWASP Top 10 Lists	OWASP-2017	OWASP-2017:Anum	Anum is an identifier from the OWASP Top Ten 2017.
JSF++ guidelines	JSF++	JSF++:num	num is a guideline number in the Joint Strike Fighter Air Vehicle C++ Coding Standards.
Power of Ten Rules	POW10	POW10:num	num is a rule number in the Power of Ten rule set.
JPL Rules	JPL	JPL:num	num is a rule number in the JPL Institutional Coding Standard for the C Programming Language.
ISO/IEC TS 17961 Rules	TS17961	TS17961:num-name	num is a rule number from ISO/IEC TS 17961 "C Secure Coding Rules Technical Specification", and name is the short name of that rule.
CERT Rules and Recommendations	CERT-C	CERT-C:name	name is a rule or recommendation identifier in the SEI CERT C Coding Standard.
	CERT-CPP	CERT-CPP:name	name is a rule or recommendation identifier in the SEI CERT C++ Coding Standard.
	CERT-Java	CERT-Java:name	name is a rule or recommendation identifier in the SEI CERT Oracle Coding Standard for Java.
DISA STIGs	DISA-6r1	DISA-6r1:id	id is a Finding ID from the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) Version 6, release 1 (STIG release date June 5, 2024).
	DISA-5r3	DISA-5r3:id	id is a Finding ID from the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) Version 5, release 3 (STIG release date July 26, 2023).
	DISA-4r3	DISA-4r3:id	id is a Finding ID from the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) Version 4, release 3 (STIG release date April 28, 2017).
	DISA3r10	DISA-3r10:id	id is a Finding ID from the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) Version 3, release 10 (STIG release date January 23, 2015).
Third-party analyzers	Clippy	Clippy:id	[Rust warning classes only] Applied to warnings imported from Clippy-generated SARIF files. A warning class is mapped to Clippy:id if the corresponding SARIF rule has "id":"id".
	detekt	detekt:setname.rulename	[Kotlin warning classes only] Applied to warnings imported from detekt-generated SARIF files. A warning class is mapped to detekt:setname.rulename if the corresponding SARIF rule has "id":"detekt.setname.rulename".
	ESLint	ESLint:id	[JavaScript warning classes only] Applied to warnings imported from ESLint-generated SARIF files when the corresponding SARIF rule is determined to originate from a built-in ESLint rule. A warning class is mapped to ESLint:id if the corresponding SARIF rule has "id":"id".
	Pylint	Pylint:id	[Python warning classes only] Applied to warnings imported from Pylint-generated SARIF files. A warning class is mapped to Pylint:id if the corresponding SARIF rule has "id":"id".
	Staticcheck	Staticcheck:checkid	[Go warning classes only] Applied to warnings imported from Staticcheck-generated SARIF files. A warning class is mapped to Staticcheck:checkid if the corresponding SARIF rule has "id":"checkid".
	typescript-eslint	typescript-eslint:id	[TypeScript warning classes only] Applied to warnings imported from ESLint-generated SARIF files when the corresponding SARIF rule is determined to originate from typescript-eslint. A warning class is mapped to typescript-eslint:id if the corresponding SARIF rule has "id":"id".
BSI Rules	BSI	BSI:name	name is the name of a rule from the Department of Homeland Security Build Security In initiative.

Category Properties

The CodeSonar hub stores the following information about each warning category encountered in analysis results.

The full list of properties is (in alphabetical order): ID | Name | Taxonomy

Property ( Search Language Field Name, if any)	Description
ID ( id )	A unique numerical identifier for the category.
Name ( name )	The name of the category, for example "ALLOC.LEAK" or "MisraC2023:21.25". Naming schemes for built-in warning categories are described in the table above.
Taxonomy ( taxonomy )	The taxonomy that the category belongs to, for example "MisraC2023" or "CERT-C". Taxonomy names for built-in warning categories are listed in the table above.

Close and Broad Mappings

Each CodeSonar warning class has exactly one mnemonic. For the remaining category kinds, we provide both a close mapping and a broad mapping between classes and categories.

close mapping	The close mapping for a given warning class and category kind is the set of categories of that kind that most closely match the class (if any). These are the categories that appear in the Categories field for the class. Unless otherwise specified, category correspondences discussed in this manual are close correspondences: that is, correspondences with respect to close mappings.
broad mapping	The broad mapping for a given warning class and category kind combines categories from four sources: The close mapping for the class. Other categories of that kind that are related to the class in a meaningful way, but not eligible for the close mapping. Usually this indicates a substantial overlap between category and warning class, but overlap that cannot be characterized as a subset or superset relationship. If the category kind is hierarchical (of the current category taxonomies, only CWE has this property): for all categories from sources 1 and 2, all ancestors in the taxonomy hierarchy. In a small number of cases, all descendants of a hierarchical category source 1 or 2 are also applicable to the class. In these cases the descendants are also added to the broad mapping.

close mapping

The close mapping for a given warning class and category kind is the set of categories of that kind that most closely match the class (if any). These are the categories that appear in the Categories field for the class.

Unless otherwise specified, category correspondences discussed in this manual are close correspondences: that is, correspondences with respect to close mappings.

broad mapping

The broad mapping for a given warning class and category kind combines categories from four sources:

The close mapping for the class.
Other categories of that kind that are related to the class in a meaningful way, but not eligible for the close mapping. Usually this indicates a substantial overlap between category and warning class, but overlap that cannot be characterized as a subset or superset relationship.
If the category kind is hierarchical (of the current category taxonomies, only CWE has this property): for all categories from sources 1 and 2, all ancestors in the taxonomy hierarchy.
In a small number of cases, all descendants of a hierarchical category source 1 or 2 are also applicable to the class. In these cases the descendants are also added to the broad mapping.

Viewing A Warning's Categories

There are several ways to view the categories associated with a given warning.

Web GUI	There are several page types that allow you to view warning categories in the web GUI.
Warning class documentation	The manual page for each warning class lists the categories associated with that class.
Tables	You can view tables of warning classes by category in this manual, and in CSV files.

Viewing warning categories in the web GUI

Several GUI pages contain information about warnings and their associated categories. All of these pages offer warning category filtering, so you can display only the categories that you are interested in.

Warning Report	The warning details include a Categories entry. Each category listed for the warning is linked to documentation. Mnemonics link to the warning class documentation in this manual. CWE IDs link to the ID documentation on the CWE website. MISRA C rule numbers link to the Checks for MISRA C Standards page in this manual. MISRA C++ rule numbers link to the Checks for MISRA C++ standards page in this manual. AUTOSAR rule numbers link to the AUTOSAR Checks page in this manual. OWASP-2017 rule numbers link to the OWASP Top 10 Application Security Risks - 2017 summary page on the OWASP website. OWASP-2021 rule numbers link to the OWASP Top 10 2021 summary page on the OWASP website. Power of Ten rule numbers link to the rule documentation on the Power of Ten website. JPL coding rule numbers link to the JPL Checks page in this manual. DISA STIG identifiers link to the DISA STIG Checks page in this manual. ISO/IEC TS 17961 rule names link to the ISO/IEC TS 17961 Checks page in this manual. SEI CERT rule and recommendation identifiers link to the CERT Checks page in this manual. BSI rule names link to the BSI Rules page in this manual.
Analysis Page: Warnings Tab	The table of warnings has an optional Categories column.
Warning Search Results	The table of results has an optional Categories column.

Tables of warning classes by category

We provide tables by category for individual category types, both in this manual and in CSV files.

Table By Category (broad mapping, if applicable)	CSV
Mnemonic Hierarchy	CodeSonar-mapping.csv
CWE (CWE broad)	CWE-mapping.csv (CWE-mapping-broad.csv)
MisraC2023 (MisraC2023 broad)	MisraC2023-mapping.csv (MisraC2023-mapping-broad.csv)
Misra2012 (Misra2012 broad)	Misra2012-mapping.csv (Misra2012-mapping-broad.csv)
Misra2004 (Misra2004 broad)	Misra2004-mapping.csv (Misra2004-mapping-broad.csv)
MisraC++2023 (MisraC++2023 broad)	MisraC++2023-mapping.csv (MisraC++2023-mapping-broad.csv)
MisraC++2008 (MisraC++2008 broad)	MisraC++2008-mapping.csv (MisraC++2008-mapping-broad.csv)
AUTOSARC++14 (AUTOSARC++14 broad )	AUTOSARC++14-mapping.csv (AUTOSARC++14-mapping-broad.csv)
OWASP-2017 (OWASP-2017 broad )	OWASP-2017-mapping.csv (OWASP-2017-mapping-broad.csv)
JSF++ (JSF++ broad )	JSF++-mapping.csv (jsf++-mapping-broad.csv)
POW10 (POW10 broad )	POW10-mapping.csv (POW10-mapping-broad.csv)
JPL (JPL broad )	JPL-mapping.csv (JPL-mapping-broad.csv )
TS17961 (TS17961 broad)	TS17961-mapping.csv (TS17961-mapping-broad.csv )
CERT-C (CERT-C broad )	CERT-C-mapping.csv (CERT-C-mapping-broad.csv )
CERT-CPP (CERT-CPP broad)	CERT-CPP-mapping.csv (CERT-CPP-mapping-broad.csv )
CERT-Java (CERT-Java broad )	CERT-Java-mapping.csv (CERT-Java-mapping-broad.csv )
DISA-5r3 (DISA-5r3 broad )	DISA-5r3-mapping.csv (DISA-5r3-mapping-broad.csv )
DISA-4r3 (DISA-4r3 broad )	DISA-4r3-mapping.csv (DISA-4r3-mapping-broad.csv )
DISA-3r10 (DISA-3r10 broad )	DISA-3r10-mapping.csv (DISA-3r10-mapping-broad.csv )
BSI	BSI-mapping.csv

Assigning Categories for Custom Classes

If you are implementing custom warning checks, it is often useful to associate categories with the warnings that your checks issue. Doing so ensures that searches for specific categories will find the appropriate custom warnings. In addition, the CodeSonar GUI will automatically generate appropriate links to CWE warning ID documentation (for categories of the form CWE:num) and Power of Ten rule documentation (for categories of the form POW10:num).

You are not restricted to the categories listed above. CodeSonar will parse any semicolon-delimited "categories" string you provide. To add your own categories (for example, for in-house coding rules):

Decide on a naming scheme for your categories. For example, you might decide that each in-house coding rule will be associated with a category of the form HouseRule:num.
Include the appropriate category in the categories list for each warning, as described in the table below.

The following table lists the available mechanisms for associating categories with warnings.

Plug-In API	Specify the desired categories when you define a new warning class. The categories will be associated with all warnings of that class.
Extension API	Specify the desired categories when you set a warning trigger, using csonar_trigger_m(). The categories will be associated with all warnings issued by that trigger.
Configuration File	Use BAD_FUNCTION_CATEGORIES to set the categories for a warning check defined with the other BAD_FUNCTION_* configuration file parameters.

Searching by Category

The CodeSonar search functionality includes support for searching by category (with respect to close mappings).

simple search

Perform a full text search for the category name (mnemonic, "CWE:num", or "POW10:num"). This will search all warning fields, not just the categories, so unwanted matches are possible (although rare, given the form of the names).

Examples:

Search string	Finds
CWE:710	All warnings whose categories include CWE:710 (plus any other warnings that happen to contain the string CWE:710).
CWE:710 or CWE:120	All warnings whose categories include CWE:710 or CWE:120 (plus any other warnings that happen to contain either of those strings).
POW10	All warnings associated with a Power of Ten rule (plus any other warnings that happen to contain the string POW10).
-POW10	All warnings not associated with a Power of Ten rule (and not otherwise containing the string POW10).

warning search language

Use the categories field-name to specify conditions.

Examples:

Search string	Finds
categories:"CWE:710"	All warnings whose categories include CWE:710 .
categories:"cwe:710" categories:"cwe:120"	All warnings whose categories include CWE:710 or CWE:120 .
categories:POW10	All warnings associated with a Power of Ten rule.
-categories:POW10	All warnings not associated with a Power of Ten rule.

advanced search

Specify your search conditions in the Category field of the search form.

Filtering Warnings by Category

Use WARNING_FILTER patterns in the project configuration file to specify actions to be carried out on warnings whose categories satisfy some condition. Note that WARNING_FILTER rules involving categories will usually use the ":" (substring) matcher rather than "=" (exact match).

For example:

# discard all warnings whose categories include CWE:710
WARNING_FILTER += discard categories:"CWE:710" 

# set the priority of warnings whose categories include POW10:2 to 4
WARNING_FILTER += priority:=4 categories:"POW10:2" 

# enable all Power of Ten checks
WARNING_FILTER += allow categories:"POW10"

More Information

Warning Category Search Language