We are using SonarQube 10.4.
We are getting a finding from SonarQube that seems to me to be a false positive:
Sonar gives a finding on the line `password[strcspn(password, "\n")] = '\0';`
"out of bound memory access (index is tainted)"
I can't understand why: for me this code can't cause a buffer overflow.
Thank you for this report. I confirm that it is indeed a false positive, and I created a ticket to work on it: CPP-5829, which you can use to track our progress.
Here is what is going wrong with our analyzer in this case:
As you can see in the bug report, the analyzer assumes that a malicious user can control "myFile" (taint origin) and, through that, the value stored in password and the return value of strcspn (taint propagation). This attacker-controlled value is then used as an index into the memory buffer password, which theoretically could cause an out-of-bound memory access.
However, in this particular case, fgets guarantees a null terminator somewhere within password, so the return value of strcspn(password, ...) is bounded by sizeof(password) and cannot cause an out-of-bound memory access.
Our analyzer does not model fgets and strcspn accurately enough to recover the condition above and loses the upper bound on the accessed index.
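The reasoning in the answer above, as an added example that is not part of this thread: a small C program that reads a line with fgets into a fixed-size buffer and strips the newline with strcspn, then feeds it the edge cases that matter (a line with no newline, an empty line, a line longer than the buffer, and a stream that is already exhausted). The buffer size PW_MAX, the function names and the sample inputs are all assumptions made for the demonstration; fmemopen (POSIX) is used only to turn the constructed strings into streams. It shows that the strcspn index never exceeds PW_MAX-1 when fgets succeeds, and it adds the one check a reviewer would still ask for, testing the fgets return value, because on failure fgets writes nothing and an uninitialised buffer would then have no terminator for strcspn to stop at.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size; kept small so the truncation case is easy to hit. */
#define PW_MAX 16

/* Read one line of `in` into `password`, strip a trailing newline, and
 * return the index strcspn produced (the value the analyzer flagged as a
 * tainted index), or -1 if fgets read nothing. */
long read_password_line(FILE *in, char password[PW_MAX])
{
    if (fgets(password, PW_MAX, in) == NULL) {
        /* On EOF with nothing read fgets leaves the array untouched, so an
         * uninitialised buffer would have no '\0' and strcspn could scan
         * past it. Checking the return value closes that gap. */
        password[0] = '\0';
        return -1;
    }
    /* fgets stored at most PW_MAX-1 bytes followed by '\0', so the scan
     * stops inside the buffer: 0 <= idx <= PW_MAX-1, always in bounds. */
    size_t idx = strcspn(password, "\n");
    password[idx] = '\0';
    return (long)idx;
}

/* Demo helper: open the constructed input as a stream (fmemopen, POSIX),
 * call read_password_line `n` times and report the last call's index.
 * Calling twice on a one-line input exercises the fgets == NULL path;
 * calling twice on an over-long line shows the leftover bytes being read
 * as the "next" password, which is a separate pitfall of truncation. */
long nth_line_index(const char *input, int n, char out[PW_MAX])
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return -2;
    long idx = -1;
    for (int i = 0; i < n; i++)
        idx = read_password_line(f, out);
    fclose(f);
    return idx;
}

/* Convenience wrappers that return plain values for checking. */
long idx_of(const char *input, int n)
{
    char buf[PW_MAX];
    return nth_line_index(input, n, buf);
}

int output_is(const char *input, int n, const char *expected)
{
    char buf[PW_MAX];
    nth_line_index(input, n, buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs covering the cases discussed above. */
    const char *cases[] = {
        "hunter2\n",                      /* normal line: newline stripped   */
        "hunter2",                        /* EOF without newline              */
        "\n",                             /* empty line                       */
        "averyveryverylongpassphrase\n",  /* longer than PW_MAX: truncated    */
    };
    char buf[PW_MAX];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long idx = nth_line_index(cases[i], 1, buf);
        printf("idx %2ld (max %d) -> \"%s\"\n", idx, PW_MAX - 1, buf);
    }
    /* Second read on a single-line input: fgets returns NULL, idx -1. */
    printf("idx %2ld -> \"%s\"\n", nth_line_index("hunter2\n", 2, buf), buf);
    /* Second read on the over-long input: the tail of the same line. */
    printf("idx %2ld -> \"%s\"\n",
           nth_line_index("averyveryverylongpassphrase\n", 2, buf), buf);
    return 0;
}
```

The over-long case is the one that pins the bound: fgets stops after PW_MAX-1 bytes, no newline is ever seen, and strcspn returns exactly PW_MAX-1, which is still a valid index. What it also shows is that the rest of the line is left in the stream, so a caller that loops on this function will treat the remainder as a second password unless it drains the line.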