# This file was generated from template 'codesonar\presets\disa_3r10.conf.in' # # enables warning classes related to the DISA Application Security and # Development STIG Version 3, Release 10 (January 23, 2015) # # This part of this file was generated from 'cso_wcmanifest.py' # # At least one of the classes enabled by this preset requires unnormalized C ASTs RETAIN_UNNORMALIZED_C_AST = Yes # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. WARNING_FILTER += allow class="Addition Overflow of Allocation Size" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. WARNING_FILTER += allow class="Addition Overflow of Size" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Buffer Overrun" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Buffer Underrun" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. # This check is enabled by default for the language(s) C, C++ # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Cast Alters Value" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. # This check is enabled by default for the language(s) C, C++ # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Coercion Alters Value" # DISA-3r10:V-16810: The designer will ensure the application does not allow command injection. # DISA-3r10:V-6164: The designer will ensure the application validates all input. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Command Injection" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Dangerous Include File Name" # DISA-3r10:V-16815: The designer will ensure the application is not vulnerable to race conditions. WARNING_FILTER += allow class="Data Race" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Division By Zero" # DISA-3r10:V-6135: The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner. # DISA-3r10:V-6136: The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Encryption without Padding" # DISA-3r10:V-16804: The designer will ensure the application does not rely solely on a resource name to control access to a resource. # DISA-3r10:V-16815: The designer will ensure the application is not vulnerable to race conditions. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="File System Race Condition" # DISA-3r10:V-16809: The designer will ensure the application does not contain format string vulnerabilities. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Format String" # DISA-3r10:V-16809: The designer will ensure the application does not contain format string vulnerabilities. # DISA-3r10:V-6164: The designer will ensure the application validates all input. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Format String Injection" # DISA-3r10:V-6156: The designer will ensure the application does not contain embedded authentication data. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Hardcoded Authentication" # DISA-3r10:V-16804: The designer will ensure the application does not rely solely on a resource name to control access to a resource. WARNING_FILTER += allow class="Hardcoded DNS Name" # DISA-3r10:V-6166: The designer will ensure the application is not subject to error handling vulnerabilities. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Ignored Return Value" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. WARNING_FILTER += allow class="Inappropriate Character Arithmetic" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Integer Overflow of Allocation Size" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. # DISA-3r10:V-6164: The designer will ensure the application validates all input. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="LDAP Injection" # DISA-3r10:V-16810: The designer will ensure the application does not allow command injection. # DISA-3r10:V-6164: The designer will ensure the application validates all input. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Library Injection" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. WARNING_FILTER += allow class="Multiplication Overflow of Allocation Size" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. WARNING_FILTER += allow class="Multiplication Overflow of Size" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Negative Shift Amount" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="No Space For Null Terminator" # DISA-3r10:V-16796: The designer will ensure the application transmits account passwords in an approved encrypted format. # DISA-3r10:V-16797: The designer will ensure the application stores account passwords in an approved encrypted format. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Plaintext Storage of Password" # DISA-3r10:V-16796: The designer will ensure the application transmits account passwords in an approved encrypted format. # DISA-3r10:V-16797: The designer will ensure the application stores account passwords in an approved encrypted format. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Plaintext Transmission of Password" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. WARNING_FILTER += allow class="Risky Integer Promotion" # DISA-3r10:V-16807: The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database. # DISA-3r10:V-6164: The designer will ensure the application validates all input. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="SQL Injection" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. WARNING_FILTER += allow class="Subtraction Underflow of Allocation Size" # DISA-3r10:V-16808: The designer will ensure the application is not vulnerable to integer arithmetic issues. WARNING_FILTER += allow class="Subtraction Underflow of Size" # DISA-3r10:V-6164: The designer will ensure the application validates all input. WARNING_FILTER += allow class="Tainted Allocation Size" # DISA-3r10:V-6164: The designer will ensure the application validates all input. # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. # This check is enabled by default for the language(s) C, C++ # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Tainted Buffer Access" # DISA-3r10:V-6164: The designer will ensure the application validates all input. WARNING_FILTER += allow class="Tainted Configuration Setting" # DISA-3r10:V-16804: The designer will ensure the application does not rely solely on a resource name to control access to a resource. # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Tainted Filename" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. # DISA-3r10:V-6164: The designer will ensure the application validates all input. WARNING_FILTER += allow class="Tainted Network Address" # DISA-3r10:V-6164: The designer will ensure the application validates all input. WARNING_FILTER += allow class="Tainted Write" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. # This check is enabled by default for the language(s) C, C++ # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Unreachable Call" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. # This check is enabled by default for the language(s) C, C++ # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Unreachable Computation" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. # This check is enabled by default for the language(s) C, C++ # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Unreachable Conditional" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. WARNING_FILTER += allow class="Unreachable Control Flow" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. # This check is enabled by default for the language(s) C, C++ # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Unreachable Data Flow" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Unreasonable Size Argument" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. WARNING_FILTER += allow class="Unused Label" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. WARNING_FILTER += allow class="Unused Macro" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. WARNING_FILTER += allow class="Unused Parameter" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. WARNING_FILTER += allow class="Unused Tag" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. WARNING_FILTER += allow class="Unused Type" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Unused Value" # DISA-3r10:V-6149: The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products. WARNING_FILTER += allow class="Unused Variable" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of AfxLoadLibrary" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of CoLoadLibrary" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of CreateProcess" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of LoadLibrary" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of LoadModule" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of MoveFile" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of OemToAnsi" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of OemToChar" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of SHCreateProcessAsUserW" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of ShellExecute" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of StrCatChainW" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of WinExec" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of _exec" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of _spawn" # DISA-3r10:V-6135: The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner. # DISA-3r10:V-6137: The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Use of crypt" # DISA-3r10:V-16810: The designer will ensure the application does not allow command injection. # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of execlp" # DISA-3r10:V-16810: The designer will ensure the application does not allow command injection. # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of execvp" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of getopt" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of getpass" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. # This check is enabled by default for the language(s) C, C++, x86, x86_64 # It may remain in effect even if the following line is commented out. WARNING_FILTER += allow class="Use of gets" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of getwd" # DISA-3r10:V-16793: The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data. WARNING_FILTER += allow class="Use of memset" # DISA-3r10:V-16810: The designer will ensure the application does not allow command injection. # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of popen" # DISA-3r10:V-6137: The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. WARNING_FILTER += allow class="Use of rand" # DISA-3r10:V-6137: The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. WARNING_FILTER += allow class="Use of rand48 Function" # DISA-3r10:V-6137: The designer will ensure the application uses the Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. WARNING_FILTER += allow class="Use of random" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of realpath" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of recvmsg" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strcat" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strchr" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strcmp" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strcoll" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strcpy" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strcspn" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strlen" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strpbrk" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strrchr" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strspn" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strstr" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strtok" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of strtrns" # DISA-3r10:V-6165: The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language. WARNING_FILTER += allow class="Use of syslog" # DISA-3r10:V-16810: The designer will ensure the application does not allow command injection. # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of system" # DISA-3r10:V-6157: The designer will ensure the application does not contain invalid URL or path references. WARNING_FILTER += allow class="Use of t_open"