[Interest] Klocwork CWE warnings in Qt5
Thiago Macieira
thiago.macieira at intel.com
Sun Jul 19 20:39:30 CEST 2020
On Sunday, 19 July 2020 09:35:20 PDT Ramakanth Kesireddy wrote:
> Hi,
>
> There are 5 different CWEs of the below type thrown by Klocwork as warnings
> in the below mentioned condition in findNext():-
>
> https://code.woboq.org/qt5/include/qt/QtCore/qiterator.h.html#144
> inline bool findNext(const T &t) \
> { while (const_iterator(n = i) != c->constEnd()) if (*i++ == t) return
> true; return false; } \
> CWE-480:Use of Incorrect Operator
> http://cwe.mitre.org/data/definitions/480.html
The use of i++ is intentional and correct.
> CWE-481:Assigning instead of Comparing
> http://cwe.mitre.org/data/definitions/481.html
The assignment of n = i is intentional and correct.
> EXP45-C. Do not perform assignments in selection statements
> https://www.securecoding.cert.org/confluence/x/nYFtAg
Yes, the code quality is poor. That's what happens when you want to write
short code in macros.
> Please let me know if the assignment expression in conditional statements
> in findNext() could be ignored?
You decided to run a code scanning / static analysis tool on Qt. Please get
your own senior engineers to review the results. If your engineers are
uncertain, please post a detailed question (not like this email) on the exact
issue and how the code should be fixed.
And please submit the fixes you've needed to make.
Qt is being scanned by a number of tools, including Coverity's public scanning
of open source tools. Known issues are being fixed as quickly as possible. The
latest releases (5.15) have all the fixes.
--
Thiago Macieira - thiago.macieira (AT) intel.com
Software Architect - Intel System Software Products
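To make concrete why both warnings are false positives here, the following added example (not Qt's code and not part of this thread) models the quoted findNext() on a std::vector and checks that a version with the assignment and the post-increment hoisted out of the condition, which is what EXP45-C asks for, behaves identically. Cursor, findNextCompact, findNextExpanded and formsAgree are names constructed for this example.

```cpp
#include <initializer_list>
#include <vector>

// Stand-alone model of the findNext() pattern quoted from qiterator.h, using
// std::vector instead of a Qt container (constructed for this example). As in
// Qt's mutable iterator macros, `c` is the container, `i` the cursor and `n`
// the position of the most recent match.
template <typename T>
struct Cursor {
    using const_iterator = typename std::vector<T>::const_iterator;
    const std::vector<T> *c;
    const_iterator i;   // cursor: advanced past every element examined
    const_iterator n;   // "last item": position of the most recent match

    explicit Cursor(const std::vector<T> &v) : c(&v), i(v.begin()), n(v.end()) {}

    // Form as written in Qt: assignment inside the loop condition and a
    // post-increment inside the comparison. Both are intentional: n must
    // record the element being tested, and i must end one past a match.
    bool findNextCompact(const T &t) {
        while (const_iterator(n = i) != c->end())
            if (*i++ == t)
                return true;
        return false;
    }

    // Same behaviour with the assignment and increment as separate statements.
    bool findNextExpanded(const T &t) {
        while (i != c->end()) {
            n = i;                    // remember the element about to be tested
            bool matched = (*i == t);
            ++i;                      // cursor moves past it either way
            if (matched)
                return true;
        }
        n = i;                        // not found: n == i == end(), as above
        return false;
    }
};

// Runs both forms over the same constructed input and reports whether they
// agree on the result, the cursor and the last-item position after each call.
inline bool formsAgree() {
    const std::vector<int> data{3, 7, 7, 9};
    Cursor<int> a(data), b(data);
    for (int target : {7, 7, 7, 9}) {
        bool ra = a.findNextCompact(target);
        bool rb = b.findNextExpanded(target);
        if (ra != rb || a.i != b.i || a.n != b.n) return false;
    }
    return true;
}
```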