
Re: Coverity false positives triggered by gnulib's implementation of bas


From: Kamil Dudka
Subject: Re: Coverity false positives triggered by gnulib's implementation of base64
Date: Fri, 10 May 2019 13:51:07 +0200

On Friday, May 10, 2019 1:34:55 PM CEST Florian Weimer wrote:
> * Kamil Dudka:
> >> For example, how do you know that the reports are false positives and not
> >> true positives?
> > 
> > I think it was obvious from my previous explanation:
> > 
> > (1) You need to check (by manual review) that the source of data is really
> > untrusted.
> > 
> > (2) You need to check (by manual review) that there is no sufficient check
> > on the data.
> > 
> > (3) You need to check (by manual review) that the sink function is really
> > vulnerable to data from untrusted source.
> > 
> > When doing step (3), I verified that Gnulib's base64_encode() can safely
> > process data from untrusted source.  Then I wanted to record this
> > information into the source code so that other users of Gnulib do not
> > need to verify this each time they run Coverity on a project that bundles
> > Gnulib's implementation of base64_encode().
> 
> Does the annotation make the base64 functions trusted in the sense that
> they now turn untrusted data into trusted data?  That would be
> undesirable in my opinion.

Nope.  The following annotation:

    /* coverity[-tainted_data_sink: arg-0] */

... does not affect data sanitization at all, as I understand it.  It only
tells Coverity that the `in` parameter of base64_encode() is not a taint sink.

On the other hand, I do not think that Coverity tracks propagation of tainted
data across non-trivial operations on the data (implementation of the base64
algorithm is IMO definitely out of scope).

Kamil

> Thanks,
> Florian

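As an added illustration of the review step (3) above, the following is example code written for this page, not Gnulib's base64.c (the function names example_base64_encode and example_base64_check are made up). It shows the property that lets the `in` parameter be annotated as not being a taint sink: the only data-dependent memory access is a lookup in a 64-entry table whose index is always built from at most six bits of input, and the amount written is bounded by `outlen`, never by the content of `in`.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example for this thread, not Gnulib's base64.c.  Every
   table index is derived from at most six bits of the input, so
   untrusted bytes in 'in' cannot steer the lookup out of bounds; that
   is what the annotation below records for Coverity. */
static const char b64[64] =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* coverity[-tainted_data_sink: arg-0] */
void
example_base64_encode (const char *in, size_t inlen, char *out, size_t outlen)
{
  const unsigned char *p = (const unsigned char *) in;

  while (inlen != 0 && outlen != 0)
    {
      /* p[k] is 0..255, so each index below is 0..63 whatever the data. */
      *out++ = b64[p[0] >> 2];
      if (--outlen == 0) break;
      *out++ = b64[((p[0] & 0x03) << 4) | (inlen > 1 ? p[1] >> 4 : 0)];
      if (--outlen == 0) break;
      *out++ = inlen > 1 ? b64[((p[1] & 0x0f) << 2) | (inlen > 2 ? p[2] >> 6 : 0)] : '=';
      if (--outlen == 0) break;
      *out++ = inlen > 2 ? b64[p[2] & 0x3f] : '=';
      if (--outlen == 0) break;
      if (inlen < 3) break;
      inlen -= 3;
      p += 3;
    }
  /* NUL-terminate only if room remains: the output length is bounded by
     'outlen', never by the (untrusted) content of 'in'. */
  if (outlen != 0)
    *out = '\0';
}

/* Helper (made up for this example): encode into a zeroed buffer with
   'outlen' usable bytes and compare the result with 'expected'. */
int
example_base64_check (const char *in, size_t inlen, size_t outlen,
                      const char *expected)
{
  char buf[64] = { 0 };
  if (outlen > sizeof buf)
    return 0;
  example_base64_encode (in, inlen, buf, outlen);
  return strcmp (buf, expected) == 0;
}
```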