CWE-477: Use of Obsolete Function
Structure: Simple
Abstraction: Base
Status: Draft
Likelihood of Exploit: Unknown
Description
The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.
Extended Description
As programming languages evolve, functions occasionally become obsolete due to:
- Advances in the language
- Improved understanding of how operations should be performed effectively and securely
- Changes in the conventions that govern certain operations
Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way.
Related Weaknesses
- ChildOf: CWE-710 Improper Adherence to Coding Standards (View 1000, Primary)
Applicable Platforms
Language: Language-Independent (Prevalence: Undetermined)
Common Consequences
Scope | Impact | Notes |
---|---|---|
Other | Quality Degradation | |
Detection Methods
Automated Static Analysis - Binary or Bytecode
According to SOAR, the following detection techniques may be useful:
- Binary / Bytecode Quality Analysis
- Bytecode Weakness Analysis - including disassembler + source code weakness analysis
Manual Static Analysis - Binary or Bytecode
According to SOAR, the following detection techniques may be useful:
- Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
Dynamic Analysis with Manual Results Interpretation
According to SOAR, the following detection techniques may be useful:
- Debugger
Manual Static Analysis - Source Code
According to SOAR, the following detection techniques may be useful:
- Manual Source Code Review (not inspections)
- Focused Manual Spotcheck - Focused manual analysis of source
Automated Static Analysis - Source Code
According to SOAR, the following detection techniques may be useful:
- Source Code Quality Analyzer
- Source code Weakness Analyzer
- Context-configured Source Code Weakness Analyzer
Automated Static Analysis
According to SOAR, the following detection techniques may be useful:
- Origin Analysis
Architecture or Design Review
According to SOAR, the following detection techniques may be useful:
- Formal Methods / Correct-By-Construction
- Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Potential Mitigations
Phase: Implementation
Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality.
Phase: Requirements
Consider seriously the security implications of using an obsolete function. Consider using alternate functions.
Demonstrative Examples
Example
The following code uses the obsolete function getpw() to verify that a plaintext password matches the user's stored (crypt(3)-hashed) password. If the password is valid, result is set to 1; otherwise it is set to 0.
Example language: C (bad code)
```c
...
getpw(uid, pwdline);                 /* obsolete: may overflow pwdline */
for (i = 0; i < 2; i++) {            /* second ':'-separated field is the hash */
    cryptpw = strtok(pwdline, ":");
    pwdline = 0;                     /* NULL so strtok() continues the same line */
}
result = strcmp(crypt(plainpw, cryptpw), cryptpw) == 0;
...
```
getpw() is obsolete because it copies the whole passwd line into a buffer whose size it is never told, so it can overflow that buffer; getpwuid() (or the reentrant getpwuid_r()) returns the fields in a struct passwd instead. The hash is also reached only by counting ':'-separated tokens, so the code silently compares against the wrong field if the line layout ever differs.
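The same check rewritten around the modern counterpart, added here as an illustration and not part of the CWE entry or of the scap中文网 page: getpw() and the hand-rolled strtok() loop are replaced by getpwuid_r(), which writes only into a buffer whose size the caller passes (reporting ERANGE instead of overflowing) and exposes the password field by name. It also applies the mitigation as a build-time check: the `#pragma GCC poison getpw` line makes any reintroduced call to the obsolete function a compile error under gcc and clang. crypt(3) is taken as a function pointer so the file links without libcrypt; toy_hash, the sample entry "$toy$s4lt$hunter2", the 4096-byte lookup buffer and the uid values are constructed for this example.

```c
/* Added example: the getpw()/strtok() snippet above rewritten around
   getpwuid_r(). Not from the CWE entry; toy_hash and the sample data are
   constructed for the illustration. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Build-time guard: once the obsolete function is gone, make sure it cannot
   come back. Any later use of the identifier getpw is a compile error
   (gcc and clang). Must follow the #includes that may declare it. */
#pragma GCC poison getpw

/* Same shape as crypt(3): hash plainpw under the salt/parameters carried in
   setting and return the hash string. Passed in so this file links without
   -lcrypt; in real code pass crypt (or wrap crypt_r). */
typedef const char *(*hash_fn_t)(const char *plainpw, const char *setting);

/* Replaces getpw(uid, pwdline) + the strtok() loop. The lookup writes only
   into buf, whose size it is told, and reports ERANGE instead of overflowing;
   the hash is read from pw.pw_passwd rather than counted off by colons.
   Returns 0, ENOENT (no such uid), ERANGE (buffer too small) or another errno. */
int stored_hash_for_uid(uid_t uid, char *hash_out, size_t hash_sz)
{
    struct passwd pw;
    struct passwd *found = NULL;
    char buf[4096];                        /* assumed large enough for any local entry */
    int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &found);
    if (rc != 0)
        return rc;
    if (found == NULL)
        return ENOENT;
    size_t n = strlen(pw.pw_passwd);
    if (n + 1 > hash_sz)
        return ERANGE;
    memcpy(hash_out, pw.pw_passwd, n + 1);
    return 0;
}

/* 1 if plainpw hashes to stored_hash, else 0. Fields "x", "*", "!" or ""
   mean the hash lives in /etc/shadow or the account is locked: never a match. */
int password_matches(const char *stored_hash, const char *plainpw,
                     hash_fn_t hash_fn)
{
    if (stored_hash == NULL || stored_hash[0] == '\0' ||
        stored_hash[0] == '*' || stored_hash[0] == '!' ||
        strcmp(stored_hash, "x") == 0)
        return 0;
    const char *computed = hash_fn(plainpw, stored_hash);
    if (computed == NULL)                  /* crypt() returns NULL on a bad setting */
        return 0;
    return strcmp(computed, stored_hash) == 0;
}

/* The page's `result`: 1 on match, 0 on mismatch, -errno if the lookup failed
   (the original snippet had no way to report that case). */
int verify_user_password(uid_t uid, const char *plainpw, hash_fn_t hash_fn)
{
    char stored[256];
    int rc = stored_hash_for_uid(uid, stored, sizeof stored);
    if (rc != 0)
        return -rc;
    return password_matches(stored, plainpw, hash_fn);
}

/* Constructed stand-in for crypt(3) so the example runs without libcrypt.
   Output format "$toy$<salt>$<plaintext>": it is NOT a hash; only the calling
   convention (setting in, setting-prefixed string out) matches crypt(). */
static char toy_out[256];
const char *toy_hash(const char *plainpw, const char *setting)
{
    if (strncmp(setting, "$toy$", 5) != 0)
        return NULL;                       /* unsupported setting, as crypt() does */
    const char *salt_end = strchr(setting + 5, '$');
    if (salt_end == NULL)
        return NULL;
    size_t prefix_len = (size_t)(salt_end - setting) + 1;   /* "$toy$<salt>$" */
    if (prefix_len + strlen(plainpw) + 1 > sizeof toy_out)
        return NULL;
    memcpy(toy_out, setting, prefix_len);
    strcpy(toy_out + prefix_len, plainpw);
    return toy_out;
}

int main(void)
{
    const char *stored = "$toy$s4lt$hunter2";                 /* constructed entry */
    printf("right password: %d\n", password_matches(stored, "hunter2", toy_hash));
    printf("wrong password: %d\n", password_matches(stored, "hunter3", toy_hash));
    printf("uid 0 via getpwuid_r: %d\n", verify_user_password(0, "hunter2", toy_hash));
    return 0;
}
```

In production pass crypt (linking with -lcrypt) as hash_fn; on systems that keep hashes in /etc/shadow the password field is "x" and the lookup must go through getspnam_r() instead, which the "x"/"*"/"!" check above refuses rather than silently comparing against a placeholder.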
Source: scap中文网