Custom rules and Microsoft banned functions

The documentation includes general guidance on adding coding rules, including which languages support adding custom rules, and general guidance on how to go about it.
If the docs don’t answer your question, please tell us:

  • What language are you writing rules for? C/C++
  • What have you tried, and what’s your challenge / stumbling block

Please share the relevant code snippet, along with any error messages you’re encountering:

The goal we want to achieve is to make sure that Microsoft banned functions are not used or at least alerted when being in use.
Reference from Microsoft and other sources:

Looking at the specific functions individually, I can extract different rules in SonarQube that are able to detect their usage.
However, I am thinking of a friendlier way of looking at that.
Would it be better to create custom rules? Is there a way to track all of them at the same time and make sure the ruleset detects that?

Here is what I found looking at the most critical functions.
SonarQube has built-in rules for detecting usage of banned functions, as you can see below:
  • strcpy: Using “strcpy” or “wcscpy” is security-sensitive
  • strcat: Using “strcat” or “wcscat” is security-sensitive
  • strncpy: Using “strncpy” or “wcsncpy” is security-sensitive
  • strncat: Using “strncat” or “wcsncat” is security-sensitive
  • strtok: Non reentrant function ‘strtok’ called. For threadsafe applications it is recommended to use the reentrant replacement function ‘strtok_r’
  • sprintf: “sprintf” should not be used
  • vsprintf
  • gmtime: Non reentrant function ‘gmtime’ called. For threadsafe applications it is recommended to use the reentrant replacement function ‘gmtime_r’
  • localtime: Non reentrant function ‘localtime’ called. For threadsafe applications it is recommended to use the reentrant replacement function ‘localtime_r’
  • ctime: “” should not be used
  • ctime_r: Obsolete function ‘ctime_r’ called. It is recommended to use the function ‘strftime’ instead
  • asctime: Obsolete POSIX functions should not be used
  • asctime_r: Obsolete function ‘asctime_r’ called. It is recommended to use the function ‘strftime’ instead

Hi @gabriel.linero,

Thank you for sharing those links with us. As you said, we don’t have direct coverage for those banned functions, even if the most common ones are banned by one rule or another.

We’ll consider the list of functions you mentioned, and will probably come up with one of two solutions:

  • A dedicated rule to cover those functions,
  • A generic rule that you could customize to define any set of banned functions.

Would you have a preference for one of those options?

Either way, since we don’t provide custom rules for C or C++, both solutions will require a new version of the analyzer. You could use generic issue reports, but it is not a lightweight task.

Hope this helps!

Hi Loic. Thanks for the reply!
We have considered the external issue import, but yeah, it is not a simple task.

Regarding a possible future solution for this kind of detection, either a dedicated rule or a customisable one could do, but I guess that something more maintainable and ad hoc for specific cases would be a generic rule that can be customised.
I understand that it will need to be considered for inclusion in a future release, but it is great that it will be considered.
For now, we can live with the “scattered” detection and otherwise look at the generic issue reports.
Thanks!
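As an added example for this thread (not code from the thread, from SonarSource, or from the analyzer), here is a small Python script that does what the generic issue report workaround discussed above amounts to: it scans C/C++ source for calls to a list of Microsoft-banned functions and writes the hits in the SonarQube Generic Issue Import JSON layout that the external issue import reads. The banned-function table is a constructed subset of the Microsoft list with replacement suggestions of my own, the file path, engine id and rule ids are assumptions, and the report uses the older "issues" schema with severity and type fields, which assumes the SonarQube version in use still accepts it.

```python
"""Scan C/C++ source for Microsoft-banned function calls and emit a
SonarQube Generic Issue Import report.

Added example for this thread; it is not SonarSource code. The BANNED table
is a constructed subset of the Microsoft banned list, and the JSON layout
assumes the legacy "issues" schema read via sonar.externalIssuesReportPaths.
"""
import json
import re
from typing import Dict, List

# Banned function -> suggested safer replacement (constructed subset).
BANNED: Dict[str, str] = {
    "strcpy": "strcpy_s / strlcpy",
    "wcscpy": "wcscpy_s",
    "strcat": "strcat_s / strlcat",
    "wcscat": "wcscat_s",
    "strncpy": "strncpy_s",
    "strncat": "strncat_s",
    "sprintf": "snprintf / sprintf_s",
    "vsprintf": "vsnprintf / vsprintf_s",
    "gets": "fgets / gets_s",
    "strtok": "strtok_s / strtok_r",
}

# A listed identifier followed by '('. The \b keeps strcpy_s or my_strcat
# from matching. This is token-level, not a parser: a call inside a comment
# or string literal is flagged too, which is acceptable for a triage tool.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def find_banned_calls(source: str) -> List[dict]:
    """Return one record per banned call with its 1-based line and 0-based columns."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            hits.append({
                "function": name,
                "line": lineno,
                "start_col": m.start(1),
                "end_col": m.end(1),
                "replacement": BANNED[name],
            })
    return hits


def to_sonar_report(file_path: str, hits: List[dict]) -> dict:
    """Wrap the hits in the Generic Issue Import 'issues' structure."""
    issues = []
    for h in hits:
        issues.append({
            "engineId": "banned-functions",            # assumed engine name
            "ruleId": f"ms-banned-{h['function']}",     # assumed rule id scheme
            "severity": "MAJOR",
            "type": "VULNERABILITY",
            "primaryLocation": {
                "message": f"Banned function '{h['function']}' called; "
                           f"consider {h['replacement']}.",
                "filePath": file_path,
                "textRange": {
                    "startLine": h["line"],
                    "endLine": h["line"],
                    "startColumn": h["start_col"],
                    "endColumn": h["end_col"],
                },
            },
            "effortMinutes": 10,
        })
    return {"issues": issues}


# Constructed sample input, not taken from the thread.
SAMPLE_C = """#include <string.h>
#include <stdio.h>
void copy(char *dst, const char *src) {
    strcpy(dst, src);          /* banned */
    strcpy_s(dst, 64, src);    /* not flagged: suffix blocks the match */
    my_strcat(dst, src);       /* not flagged: prefix blocks the match */
    sprintf (dst, "%s", src);  /* banned, whitespace before '(' */
}
"""

if __name__ == "__main__":
    report = to_sonar_report("src/copy.c", find_banned_calls(SAMPLE_C))
    print(json.dumps(report, indent=2))
```

Running the script prints two issues for the sample, strcpy on line 4 and sprintf on line 7; redirect that output to a file and point sonar.externalIssuesReportPaths at it in the scanner properties to have the issues appear alongside the analyzer's own. Because the match is regex-based, it will also report a banned name inside a comment or string literal, so treat the output as a starting point for review rather than as a replacement for a real rule in the analyzer.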