david-a-wheeler / flawfinder

a static analysis tool for finding vulnerabilities in C/C++ source code


Only output CSV when using CSV option

myersg86 opened this issue · comments

Problem

Flawfinder includes plaintext error messages in CSV output, which prevents one from parsing it as CSV.

Flawfinder manpage says the --csv option will:

Generate output in comma-separated-value (CSV) format. This is the recommended format for sending to other tools for processing. It will always generate a header row, followed by 0 or more data rows (one data row for each hit). Selecting this option automatically enables --quiet and --dataonly.

However, if there's a "Parsing failed to find..." error during the flawfinder scan, this error message is included in the output between the header row and the data rows.

When sending this CSV to other tools for processing, they fail to parse just after the header because of the error message.

Steps to reproduce

  1. docker run -it python:3 bash
  2. pip install flawfinder
  3. echo $'# define SOAP_SNPRINTF_SAFE(buf, len) void)sprintf((buf)\n;' > test.h
  4. flawfinder --csv test.h

Output:

root@python3:/# flawfinder --csv test.h
File,Line,Column,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint
Parsing failed to find end of parameter list; semicolon terminated it in ((buf)
;

test.h,1,45,4,buffer,sprintf,Does not check for buffer overflows (CWE-120),"Use sprintf_s, snprintf, or vsnprintf",,CWE-120,"#  define SOAP_SNPRINTF_SAFE(buf, len) void)sprintf((buf)",5bc94035b35d1ac8aec5dacd2cbde0fee2867a6d9610b3c0aed514824bd0eb1c

Proposal

Flawfinder's --csv option should only output CSV to STDOUT.

Basically flawfinder --csv . | grep ',' but native and in Python. 😅 🐍

Context

I think this has been resolved now, correct?

Version 2.0.16 has been released, and I believe that problem is now fixed, so closing. If it's NOT fixed, please reopen.

In flawfinder 2.0.18 the error messages are still mixed with the CSV output.
Could this small change fix the problem?
(in lib/python3.6/site-packages/)
diff -cw flawfinder.py.orig flawfinder.py
*** flawfinder.py.orig 2021-07-21 14:47:55.037477771 -0400
--- flawfinder.py 2021-08-18 09:30:34.945143483 -0400
***************
*** 675,681 ****

def internal_warn(message):
! print(h(message))

# C Language Specific
--- 675,682 ----

def internal_warn(message):
! # print(h(message))
! print(h(message), file=sys.stderr)

# C Language Specific
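Review bot: the commented-out `! # print(h(message))` line should be deleted rather than left as dead code, and the replacement `print(h(message), file=sys.stderr)` relies on `sys` being imported in flawfinder.py, which this hunk does not show; since the diff was taken against the installed copy under site-packages rather than the repository's flawfinder.py, it should also be re-based on the repository source before being submitted.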

This is the CSV output showing the problem:

File,Line,Column,DefaultLevel,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint,ToolVersion,RuleId,HelpUri
Parsing failed to find end of parameter list; semicolon terminated it in ((buf)
# endif

/* copy string (truncating the result, strings must not be NULL) */
#if _MSC_VER >= 1400
# define soap_strcpy(buf, len, src) (void)strncpy_s((buf), (len), (src), _TRUNCATE)
#elif defin
./claims/tools/src/tools.c,4232,9,5,5,buffer,gets,"Does not check for buffer overflows (CWE-120, CWE-20).",Use fgets() instead.,,"CWE-120, CWE-20", gets(buffer);,8574681bcf016b459efe0a123d75643927688f096b753ca762978b7c7aa81c29,2.0.18,FF1014,https://cwe.mitre.org/data/definitions/120.html
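The opening post's `flawfinder --csv . | grep ','` workaround and the output in this comment describe the same failure mode: diagnostic lines landing between the header and the data rows. As an added illustration (not code from flawfinder or from anyone in this thread), the Python script below parses a constructed copy of the output above, shows the ragged row widths a naive CSV consumer sees, and filters the stream down to the rows whose column count matches the header. It assumes flawfinder emits exactly one data row per physical line; the script name clean_flawfinder_csv.py in the usage comment is a placeholder.

```python
import csv
import io
import sys

# Constructed sample modelled on the output pasted in this comment: a flawfinder
# --csv header row, a multi-line "Parsing failed ..." diagnostic that leaked
# into stdout, and one genuine data row (hit and fingerprint copied from above).
SAMPLE_OUTPUT = (
    "File,Line,Column,DefaultLevel,Level,Category,Name,Warning,Suggestion,"
    "Note,CWEs,Context,Fingerprint,ToolVersion,RuleId,HelpUri\n"
    "Parsing failed to find end of parameter list; semicolon terminated it in ((buf)\n"
    "# endif\n"
    "\n"
    "/* copy string (truncating the result, strings must not be NULL) */\n"
    "#if _MSC_VER >= 1400\n"
    "# define soap_strcpy(buf, len, src) (void)strncpy_s((buf), (len), (src), _TRUNCATE)\n"
    "#elif defin\n"
    "./claims/tools/src/tools.c,4232,9,5,5,buffer,gets,"
    '"Does not check for buffer overflows (CWE-120, CWE-20).",Use fgets() instead.,,'
    '"CWE-120, CWE-20", gets(buffer);,'
    "8574681bcf016b459efe0a123d75643927688f096b753ca762978b7c7aa81c29,"
    "2.0.18,FF1014,https://cwe.mitre.org/data/definitions/120.html\n"
)


def field_counts(text):
    """Parse the stream as one CSV document, the way a consumer would.

    The leaked diagnostic lines come back as rows of the wrong width, which is
    what makes downstream tools choke right after the header."""
    return [len(row) for row in csv.reader(io.StringIO(text))]


def clean_hits(text):
    """Keep only the physical lines that parse to the header's column count.

    Each line is parsed on its own, so a stray double quote inside a leaked
    diagnostic cannot open a quoted field that swallows the rows after it.
    Assumes one data row per physical line (true for flawfinder's CSV output).
    Returns (header, hits as dicts keyed by header name, dropped lines)."""
    lines = text.splitlines()
    if not lines:
        return [], [], []
    header = next(csv.reader([lines[0]]))
    hits, dropped = [], []
    for line in lines[1:]:
        fields = next(csv.reader([line]), [])
        if len(fields) == len(header):
            hits.append(dict(zip(header, fields)))
        else:
            dropped.append(line)
    return header, hits, dropped


def clean_csv_text(text):
    """Re-emit the header plus surviving hits as well-formed CSV text."""
    header, hits, _ = clean_hits(text)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    for hit in hits:
        writer.writerow(hit[name] for name in header)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: flawfinder --csv . | python3 clean_flawfinder_csv.py > hits.csv
    # With nothing piped in, the constructed sample is used instead.
    source = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    _, kept, dropped = clean_hits(source)
    sys.stdout.write(clean_csv_text(source))
    print(f"kept {len(kept)} hit(s), dropped {len(dropped)} non-CSV line(s)",
          file=sys.stderr)
```

Filtering by column count is a consumer-side mitigation only: a leaked diagnostic line that happens to contain the right number of commas would still pass, and any line with fewer would silently disappear. The real fix is the one the patch above proposes, routing diagnostics to stderr so that stdout carries nothing but the CSV.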