CWE-561 Dead Code
Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: Unknown
Description
The software contains dead code, which can never be executed.
Extended Description
Dead code is source code that can never be executed in a running program: the surrounding code makes it impossible for that section of code ever to be reached.
Related Weaknesses
- ChildOf CWE-1164 (View 1000: Research Concepts), Primary
- ChildOf CWE-1164 (View 699: Software Development), Primary
Common Consequences
Scope | Impact | Notes |
---|---|---|
Other | Quality Degradation | Dead code is a sign of problems in the source code that need to be fixed, and therefore of poor code quality. |
Other | Reduce Maintainability | |
Detection Methods
Architecture or Design Review
According to SOAR, the following detection techniques may be useful:
- Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
- Formal Methods / Correct-By-Construction
- Attack Modeling
Automated Static Analysis - Binary or Bytecode
According to SOAR, the following detection techniques may be useful:
- Binary / Bytecode Quality Analysis
- Compare binary / bytecode to application permission manifest
Dynamic Analysis with Manual Results Interpretation
According to SOAR, the following detection techniques may be useful:
- Automated Monitored Execution
Automated Static Analysis
According to SOAR, the following detection techniques may be useful:
- Permission Manifest Analysis
Automated Static Analysis - Source Code
According to SOAR, the following detection techniques may be useful:
- Source Code Quality Analyzer
- Warning Flags
- Source Code Weakness Analyzer
- Context-configured Source Code Weakness Analyzer
Dynamic Analysis with Automated Results Interpretation
According to SOAR, the following detection techniques may be useful:
- Web Application Scanner
- Web Services Scanner
- Database Scanners
Manual Static Analysis - Source Code
According to SOAR, the following detection techniques may be useful:
- Manual Source Code Review (not inspections)
- Focused Manual Spotcheck - Focused manual analysis of source
Potential Mitigations
Phase: Implementation
Remove dead code before deploying the application.
Phase: Testing
Use a static analysis tool to spot dead code.
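An added example, not part of the CWE entry or of the scap中文网 page: a small AST-based dead-code finder for Python that stands in for the "static analysis tool" the Testing mitigation recommends. It reports the two syntactic patterns that this page's demonstrative examples illustrate: statements placed after an unconditional exit or under a constant condition, and private helper functions that no public entry point can reach, even when they keep each other alive by calling one another. The sample module it scans is constructed for this example, and the function names in it are hypothetical.

```python
"""Added example (not from the CWE entry): a minimal dead-code finder for
Python built on the standard `ast` module. The SAMPLE module below is
constructed for this example; its function names are hypothetical."""
import ast
from typing import Dict, List, Set, Tuple

Finding = Tuple[int, str]          # (line number, message)
TERMINATORS = (ast.Return, ast.Raise, ast.Break, ast.Continue)


def _after_terminator(block: List[ast.stmt], out: List[Finding]) -> None:
    """Anything after an unconditional exit in the same block is dead."""
    for i, stmt in enumerate(block):
        if isinstance(stmt, TERMINATORS) and i + 1 < len(block):
            kind = type(stmt).__name__.lower()
            out.append((block[i + 1].lineno,
                        f"unreachable statement after {kind} on line {stmt.lineno}"))
            break                                   # one report per block is enough


def find_unreachable(tree: ast.AST) -> List[Finding]:
    """Pattern 1: code that no path can reach. Syntactic cases only:
    statements after return/raise/break/continue and branches guarded by a
    literal condition. A check that is dead only because of a variable's
    value (as in the C++ example on this page) needs a data-flow pass."""
    out: List[Finding] = []
    for node in ast.walk(tree):
        for field in ("body", "orelse", "finalbody"):  # every statement list
            block = getattr(node, field, None)
            if isinstance(block, list) and block and isinstance(block[0], ast.stmt):
                _after_terminator(block, out)
        if isinstance(node, (ast.If, ast.While)) and isinstance(node.test, ast.Constant):
            dead = node.orelse if node.test.value else node.body
            if dead:
                out.append((dead[0].lineno,
                            f"branch guarded by constant {node.test.value!r} can never execute"))
    return sorted(out)


def _callees(node: ast.AST, known: Set[str]) -> Set[str]:
    """Names of module-level functions called anywhere inside `node`."""
    return {c.func.id for c in ast.walk(node)
            if isinstance(c, ast.Call) and isinstance(c.func, ast.Name)
            and c.func.id in known}


def find_dead_functions(tree: ast.Module) -> List[str]:
    """Pattern 2: underscore-private functions that no public function or
    module-level statement reaches. Two helpers that only call each other stay
    dead because the walk starts from the entry points, not from the helpers."""
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    names = set(funcs)
    graph: Dict[str, Set[str]] = {f: _callees(fn, names) for f, fn in funcs.items()}
    roots = {f for f in names if not f.startswith("_")}
    for stmt in tree.body:                      # e.g. calls under a __main__ guard
        if not isinstance(stmt, ast.FunctionDef):
            roots |= _callees(stmt, names)
    reachable: Set[str] = set()
    todo = list(roots)
    while todo:
        f = todo.pop()
        if f not in reachable:
            reachable.add(f)
            todo.extend(graph[f] - reachable)
    return sorted(names - reachable)


def analyze(source: str) -> Dict[str, list]:
    """Run both passes over one module's source text."""
    tree = ast.parse(source)
    return {"unreachable": find_unreachable(tree),
            "dead_functions": find_dead_functions(tree)}


# Constructed sample module (hypothetical names), 23 lines long.
SAMPLE = """\
def lookup(flag, table):
    s = None
    if flag:
        s = "Yes"
        return s
    if s is not None:          # always False here, but only data flow can tell
        return table[s]
    return None

def _tweedledee():
    _tweedledumb()

def _tweedledumb():
    _tweedledee()

def _helper():
    return 1

def main():
    if False:
        print("never runs")
    return _helper()
    print("never runs either")
"""

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run stand-alone, it lists the constant-False branch on line 21 and the statement after the return on line 23 as unreachable, and names _tweedledee and _tweedledumb as dead functions. The caveat worth knowing: the null-check in lookup (line 6) is dead only because of the value of s, and catching that takes a data-flow pass; compilers with warning flags enabled and real source-code quality analyzers do that work, this script does not.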
Demonstrative Examples
Example 1
The condition for the second if statement can never be satisfied. It requires that s be non-null, but on the only path where s is assigned a non-null value there is a return statement, so the second if is never reached with a non-null s.
bad C++
void f(bool b) {
    const char *s = nullptr;
    if (b) {
        s = "Yes";       // only non-null assignment to s; this path returns
        return;
    }
    if (s != nullptr) {  // dead: s is always nullptr here
    }
}
Example 2
In the following class, two private methods call each other, but since neither one is ever invoked from anywhere else, they are both dead code.
bad Java
public class DoubleDead {
    private void doTweedledee() {
        doTweedledumb();
    }
    private void doTweedledumb() {
        doTweedledee();
    }
    public static void main(String[] args) {
        // neither private method is reachable from here
    }
}
(In this case it is a good thing that the methods are dead: invoking either one would cause an infinite loop.)
Example 3
The field named glue is not used in the following class. The author of the class accidentally put quotes around the field name, turning it into a string constant.
bad Java
public class Dead {
    private String glue;
    public String getGlue() {
        return "glue";   // string literal, not the field: glue is never read
    }
}
Observed Examples
ID | Description | Link |
---|---|---|
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
CERT C Secure Coding | MSC07-C | | Detect and remove dead code |
SEI CERT Perl Coding Standard | MSC00-PL | Exact | Detect and remove dead code |
Software Fault Patterns | SFP2 | | Unused Entities |
OMG ASCMM | ASCMM-MNT-20 | | |
References
Article source: scap中文网