Only output CSV when using CSV option
myersg86 opened this issue
Problem
Flawfinder includes plaintext error messages in CSV output, which prevents one from parsing it as CSV.
Flawfinder manpage says the --csv option will:
Generate output in comma-separated-value (CSV) format. This is the recommended format for sending to other tools for processing. It will always generate a header row, followed by 0 or more data rows (one data row for each hit). Selecting this option automatically enables --quiet and --dataonly.
However, if there's a "Parsing failed to find..." error during the flawfinder scan, this error message is included in the output between the header row and the data rows.
When sending this CSV to other tools for processing, they fail to parse just after the header because of the error message.
Steps to reproduce
docker run -it python:3 bash
pip install flawfinder
echo $'# define SOAP_SNPRINTF_SAFE(buf, len) void)sprintf((buf)\n;' > test.h
flawfinder --csv test.h
Output:
root@python3:/# flawfinder --csv test.h
File,Line,Column,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint
Parsing failed to find end of parameter list; semicolon terminated it in ((buf)
;
test.h,1,45,4,buffer,sprintf,Does not check for buffer overflows (CWE-120),"Use sprintf_s, snprintf, or vsnprintf",,CWE-120,"# define SOAP_SNPRINTF_SAFE(buf, len) void)sprintf((buf)",5bc94035b35d1ac8aec5dacd2cbde0fee2867a6d9610b3c0aed514824bd0eb1c
Proposal
Flawfinder's --csv option should only output CSV to STDOUT.
Basically flawfinder --csv . | grep ','
but native and in Python. 😅 🐍
Context
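Added example (not part of the original issue and not flawfinder's own code): a consumer-side parser for `--csv` output that tolerates the interleaved diagnostics this issue describes, beside the naive `csv.DictReader` a downstream tool uses today and the `grep ','` workaround from the proposal. The sample text is the flawfinder 2.0.18 output quoted later in this thread, embedded here as a string; the function names are mine, and `run_flawfinder_csv` assumes a `flawfinder` binary on PATH and is not exercised by the embedded sample.

```python
import csv
import io
import subprocess
from typing import List, Tuple

# Sample lifted from the flawfinder 2.0.18 output quoted in this issue:
# a CSV header, a multi-line "Parsing failed ..." diagnostic that leaked
# onto stdout, then one genuine data row.
SAMPLE_OUTPUT = """File,Line,Column,DefaultLevel,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint,ToolVersion,RuleId,HelpUri
Parsing failed to find end of parameter list; semicolon terminated it in ((buf)
# endif
/* copy string (truncating the result, strings must not be NULL) */
#if _MSC_VER >= 1400
# define soap_strcpy(buf, len, src) (void)strncpy_s((buf), (len), (src), _TRUNCATE)
#elif defin
./claims/tools/src/tools.c,4232,9,5,5,buffer,gets,"Does not check for buffer overflows (CWE-120, CWE-20).",Use fgets() instead.,,"CWE-120, CWE-20", gets(buffer);,8574681bcf016b459efe0a123d75643927688f096b753ca762978b7c7aa81c29,2.0.18,FF1014,https://cwe.mitre.org/data/definitions/120.html
"""


def naive_rows(text: str) -> List[dict]:
    """What a downstream tool does today: trust stdout to be pure CSV.

    The leaked diagnostic becomes a bogus first record whose only populated
    column is File; every other column is None.
    """
    return list(csv.DictReader(io.StringIO(text)))


def grep_comma_filter(text: str) -> List[str]:
    """The `flawfinder --csv . | grep ','` workaround from the proposal.

    It keeps any diagnostic line that happens to contain a comma, such as a
    C macro definition with several parameters, so it is not a reliable filter.
    """
    return [line for line in text.splitlines() if "," in line]


def split_csv_and_diagnostics(text: str) -> Tuple[List[dict], List[str]]:
    """Separate real hit rows from diagnostics mixed into --csv output.

    The manpage guarantees the first line is the header.  Each later physical
    line is parsed on its own: a line yielding exactly as many fields as the
    header is a data row, anything else is treated as a diagnostic.  Per-line
    parsing is safe because flawfinder writes one physical line per hit, and
    it stops a stray quote character inside a diagnostic from swallowing the
    rows that follow it.
    """
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty output: expected at least a CSV header row")
    header = next(csv.reader([lines[0]]))
    rows: List[dict] = []
    diagnostics: List[str] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        fields = next(csv.reader([line]), [])
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
        else:
            diagnostics.append(line)
    return rows, diagnostics


def run_flawfinder_csv(paths: List[str]) -> Tuple[List[dict], List[str]]:
    """Invoke flawfinder with stdout and stderr captured separately.

    Once diagnostics go to stderr (the change proposed in this thread), stdout
    is clean CSV; for versions that still mix them, split_csv_and_diagnostics()
    salvages it.  Assumes a flawfinder binary on PATH (hypothetical here).
    """
    proc = subprocess.run(
        ["flawfinder", "--csv", *paths],
        capture_output=True, text=True, check=False,
    )
    rows, leaked = split_csv_and_diagnostics(proc.stdout)
    diagnostics = leaked + [l for l in proc.stderr.splitlines() if l.strip()]
    return rows, diagnostics


if __name__ == "__main__":
    hits, diags = split_csv_and_diagnostics(SAMPLE_OUTPUT)
    print(f"{len(hits)} hit(s), {len(diags)} leaked diagnostic line(s)")
    for hit in hits:
        print(hit["File"], hit["Line"], hit["Name"], hit["RuleId"])
```

On the quoted sample, `grep ','` keeps the `soap_strcpy` macro line because its parameter list contains commas, while the field-count check rejects every diagnostic line and returns only the `gets` hit.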
I think this has been resolved now, correct?
Version 2.0.16 has been released, and I believe that problem is now fixed, so closing. If it's NOT fixed, please reopen.
In flawfinder 2.0.18 the error messages are still mixed with the CSV output.
Could this small change fix the problem?
(in lib/python3.6/site-packages/)
diff -cw flawfinder.py.orig flawfinder.py
*** flawfinder.py.orig 2021-07-21 14:47:55.037477771 -0400
--- flawfinder.py 2021-08-18 09:30:34.945143483 -0400
***************
*** 675,681 ****
def internal_warn(message):
! print(h(message))
# C Language Specific
--- 675,682 ----
def internal_warn(message):
! # print(h(message))
! print(h(message), file=sys.stderr)
# C Language Specific
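Review bot: the hunk leaves the old call behind as dead code in `# print(h(message))`; delete that line rather than commenting it out, since `print(h(message), file=sys.stderr)` replaces it outright. The hunk also does not add an `import sys`, so confirm flawfinder.py already imports it before applying the patch. Finally, this only redirects `internal_warn`; verify the effect by re-running the reproduction at the top of this issue with stderr discarded (`flawfinder --csv test.h 2>/dev/null`) and feeding stdout to a CSV parser, which will also show whether any other diagnostic path still prints to stdout and needs the same treatment.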
This is the CSV output showing the problem:
File,Line,Column,DefaultLevel,Level,Category,Name,Warning,Suggestion,Note,CWEs,Context,Fingerprint,ToolVersion,RuleId,HelpUri
Parsing failed to find end of parameter list; semicolon terminated it in ((buf)
# endif
/* copy string (truncating the result, strings must not be NULL) */
#if _MSC_VER >= 1400
# define soap_strcpy(buf, len, src) (void)strncpy_s((buf), (len), (src), _TRUNCATE)
#elif defin
./claims/tools/src/tools.c,4232,9,5,5,buffer,gets,"Does not check for buffer overflows (CWE-120, CWE-20).",Use fgets() instead.,,"CWE-120, CWE-20", gets(buffer);,8574681bcf016b459efe0a123d75643927688f096b753ca762978b7c7aa81c29,2.0.18,FF1014,https://cwe.mitre.org/data/definitions/120.html