[Interest] Klocwork CWE warnings in Qt5

Ramakanth Kesireddy rama.kesi at gmail.com
Mon Jul 20 09:20:54 CEST 2020


Thanks for your email.
We did review the Klocwork warnings and found they could be ignored.

However, if we need to submit any fixes in future, can we submit as part of
Qt bug report for the findings through Klocwork?

Best Regards,
Ramakanth

On Mon, 20 Jul, 2020, 00:18 Thiago Macieira, <thiago.macieira at intel.com>
wrote:

> On Sunday, 19 July 2020 09:35:20 PDT Ramakanth Kesireddy wrote:
> > Hi,
> >
> > There are 5 different CWEs of the below type thrown by Klocwork as warnings
> > in the below mentioned condition in findNext():-
> >
> >  https://code.woboq.org/qt5/include/qt/QtCore/qiterator.h.html#144
> >   inline bool findNext(const T &t) \
> >     { while (const_iterator(n = i) != c->constEnd()) if (*i++ == t) return true; return false; } \
>
> > CWE-480:Use of Incorrect Operator
> > http://cwe.mitre.org/data/definitions/480.html
>
> The use of i++ is intentional and correct.
>
> > CWE-481:Assigning instead of Comparing
> > http://cwe.mitre.org/data/definitions/481.html
>
> The assignment of n = i is intentional and correct.
>
> > EXP45-C. Do not perform assignments in selection statements
> > https://www.securecoding.cert.org/confluence/x/nYFtAg
>
> Yes, the code quality is poor. That's what happens when you want to write
> short code in macros.
>
> > Please let me know if the assignment expression in conditional statements
> > in findNext() could be ignored?
>
> You decided to run a code scanning / static analysis tool on Qt. Please get
> your own senior engineers to review the results. If your engineers are
> uncertain, please post a detailed question (not like this email) on the exact
> issue and how the code should be fixed.
>
> And please submit the fixes you've needed to make.
>
> Qt is being scanned by a number of tools, including Coverity's public scanning
> of open source tools. Known issues are being fixed as quickly as possible. The
> latest releases (5.15) have all the fixes.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel System Software Products
>
>
>
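The exchange above is about whether the assignment and post-increment inside findNext()'s conditions are a defect or a deliberate idiom. The following is an added example, not Qt's code: a hypothetical ForwardIter class that carries the same three members (c, i, n) and implements the flagged compact form beside an EXP45-C-style rewrite with no assignment in a condition, so a reviewer triaging the Klocwork finding can confirm the two are observably identical on a constructed input.

```cpp
#include <vector>

// Hypothetical stand-in for the Java-style iterator in Qt's qiterator.h (not Qt code):
// `c` is the container, `i` the cursor, `n` the item most recently examined.
template <typename T>
class ForwardIter {
    const std::vector<T> *c;
    typename std::vector<T>::const_iterator i, n;
public:
    explicit ForwardIter(const std::vector<T> &v) : c(&v), i(c->begin()), n(c->end()) {}

    // Same shape as the macro Klocwork flagged: an assignment (n = i) inside the loop
    // condition and a post-increment (i++) inside the if condition.
    bool findNextCompact(const T &t) {
        while ((n = i) != c->end()) if (*i++ == t) return true;
        return false;
    }

    // Behaviourally identical rewrite with no assignment inside a selection or
    // iteration statement, the form EXP45-C asks for.
    bool findNextExplicit(const T &t) {
        while (i != c->end()) {
            n = i;          // remember the item about to be examined
            ++i;            // the cursor always moves past it, match or not
            if (*n == t) return true;
        }
        n = i;              // the compact form also leaves n == end() when nothing matches
        return false;
    }

    const T &peekNext() const { return *i; }  // item the next call will examine first
    const T &lastItem() const { return *n; }  // item the last successful call matched
};

// Observable state after a fixed call sequence, so both variants can be compared.
struct Probe { bool first; int matched; int next; bool second; bool missing; };

Probe probe(bool compact) {
    const std::vector<int> data = {3, 7, 7, 9};   // constructed sample input
    ForwardIter<int> it(data);
    auto find = [&](int v) { return compact ? it.findNextCompact(v) : it.findNextExplicit(v); };
    Probe p{};
    p.first   = find(7);          // true: stops at index 1
    p.matched = it.lastItem();    // 7: n points at the match ...
    p.next    = it.peekNext();    // 7: ... while i has already moved to index 2
    p.second  = find(7);          // true: the second 7 is found, not skipped
    p.missing = !find(42);        // true: loop runs to end() and reports no match
    return p;
}
```

Running probe(true) and probe(false) yields the same Probe, which is the evidence a reviewer needs to mark the CWE-480/481 hits as intentional while still optionally adopting the explicit form for readability.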