OWASP: how to use Cppcheck output 如何閱讀cppcheck output 以改進代碼安全性

本文主要是介绍OWASP: how to use Cppcheck output 如何閱讀cppcheck output 以改進代碼安全性，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

How to install cppcheck

1. Download Windows 64-bit (No XP support) Installer, and install

2. new project
   The project file requires a larger storage space; it is recommended not to save it on the C drive.
   File -> Open Project File…

3. save outupt to xml

How to read output xml

as .XML

https://codebeautify.org/xmlviewer

open in excel

I recommend using this method, and the results can be arranged by column."

Description

column name	info	example
version version2	cppcheck version	2.14.1
id	type of error	invalidscanf
severity	as name	warning, error, performance, style…
msg	the error log	fscanf() without field width limits can crash with huge input data.
verbose	revise sugestion	fscanf() without field width limits can crash with huge input data. Add a field width specifier to fix this problem.
sincedate	date to scan by cpppcheck	2024/08/28
file0	on which file	xxx.c xxx.cpp
cwe	The CWE entry that this error violates	119
file	same as file0	N/A
line	the source code line	408
info	other advise	Parameter ‘args’ can be declared as pointer to const

Using cppcheck, a static analysis tool for C/C++ code, can help identify issues that may align with some of the vulnerabilities highlighted in the OWASP Top 10. However, cppcheck alone cannot guarantee that your code will fully comply with OWASP standards, as OWASP covers a broad range of web application security concerns that might require additional tools or manual code review.

Relationship between CWE and OWASP

The CWE (Common Weakness Enumeration) and OWASP Top 10 are both critical resources in the field of cybersecurity, but they do not have a strict one-to-one correspondence.

Instead, the OWASP Top 10 represents a list of the most critical security risks to web applications, while CWE is a broader catalog of software weaknesses. Each OWASP Top 10 entry may map to multiple CWEs, and vice versa.

Here’s a general idea of how some of the OWASP Top 10 categories might map to CWEs:

Injection (OWASP A1)

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-89: SQL Injection

Broken Authentication (OWASP A2)

CWE-287: Improper Authentication
CWE-384: Session Fixation

Sensitive Data Exposure (OWASP A3)

CWE-311: Missing Encryption of Sensitive Data
CWE-319: Cleartext Transmission of Sensitive Information

XML External Entities (XXE) (OWASP A4)

CWE-611: Improper Restriction of XML External Entity Reference

Broken Access Control (OWASP A5)

CWE-284: Improper Access Control
CWE-285: Improper Authorization

Security Misconfiguration (OWASP A6)

CWE-16: Configuration
CWE-220: Sensitive Data Under Protected

Cross-Site Scripting (XSS) (OWASP A7)

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Insecure Deserialization (OWASP A8)

CWE-502: Deserialization of Untrusted Data

Using Components with Known Vulnerabilities (OWASP A9)

CWE-1104: Use of Unmaintained Third-Party Components
CWE-494: Download of Code Without Integrity Check

Insufficient Logging & Monitoring (OWASP A10)

CWE-778: Insufficient Logging
CWE-223: Omission of Security-relevant Information

While there is some overlap, each OWASP Top 10 category could relate to multiple CWEs, and each CWE could apply to different aspects of multiple OWASP Top 10 categories. Therefore, it’s more accurate to say that there are many-to-many relationships between these two resources.

这篇关于OWASP: how to use Cppcheck output 如何閱讀cppcheck output 以改進代碼安全性的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---