Ruby is one of the most popular programming languages in production use for a variety of systems and applications; most notably, it is widely adopted for web application development with the Ruby on Rails framework and for DevOps tooling such as Puppet and Chef.
Compared with other languages used to build and deliver web applications, Ruby has a comparatively short list of vulnerabilities disclosed on the CVE (Common Vulnerabilities and Exposures) list.
For reference, here is a list of historical CVE disclosures to date for a handful of languages/platforms used to develop web applications:
Here is the result of running Flawfinder 1.31, with the default rules in the Homebrew distribution, against the master branch of the current Ruby 2.2.x source code:
ANALYSIS SUMMARY:
Hits = 636
Lines analyzed = 197285 in approximately 3.93 seconds (50139 lines/second)
Physical Source Lines of Code (SLOC) = 141537
Hits@level = [0] 0 [1] 246 [2] 288 [3] 35 [4] 52 [5] 15
Hits@level+ = [0+] 636 [1+] 636 [2+] 390 [3+] 102 [4+] 67 [5+] 15
Hits/KSLOC@level+ = [0+] 4.49352 [1+] 4.49352 [2+] 2.75546 [3+] 0.72066 [4+] 0.473374 [5+] 0.105979
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming for Linux and Unix HOWTO'
(http://www.dwheeler.com/secure-programs) for more information.
Some of the highest-ranked hits are worth a closer look; for example, the level-4 strcpy hits in addr2line.c:
./addr2line.c:449: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
misused).
./addr2line.c:450: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
misused).
./addr2line.c:723: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
misused).
For the complete test results, see this Paste.
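To make the flagged pattern concrete, here is an added example (not code from the Ruby source or from addr2line.c) showing the CWE-120 shape Flawfinder reports, an unbounded strcpy into a fixed-size buffer, next to a bounded replacement that refuses input it cannot hold instead of silently truncating. The function names, the 16-byte buffer and the inputs are assumptions constructed for illustration.

```c
/* Added example, not the Ruby project's code. It contrasts the strcpy
 * pattern Flawfinder flags as CWE-120 with a bounded copy that checks the
 * source length before writing. Names, buffer size and inputs are assumed. */
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

#define NAME_SZ 16

/* Vulnerable pattern: strcpy copies until the NUL in src and never looks at
 * the size of dst. Any src longer than NAME_SZ - 1 bytes overruns dst. */
void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened replacement: measure src (without reading past dstsz bytes of it),
 * and if it does not fit including the terminating NUL, leave dst as an
 * empty string and report failure (-1). Success returns 0. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dstsz == 0)
        return -1;
    n = strnlen(src, dstsz);        /* bounded scan of src */
    if (n >= dstsz) {               /* no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* n bytes plus the NUL */
    return 0;
}

int main(void)
{
    char name[NAME_SZ];
    /* constructed inputs */
    const char *fits = "addr2line";
    const char *too_long = "this string is longer than sixteen bytes";

    if (copy_bounded(name, sizeof name, fits) == 0)
        printf("copied: %s\n", name);
    if (copy_bounded(name, sizeof name, too_long) != 0)
        printf("rejected: %zu bytes do not fit in a %zu-byte buffer\n",
               strlen(too_long), sizeof name);
    /* copy_unbounded(name, too_long) would write past the end of name;
     * it is defined above only to show the flagged pattern, not called. */
    return 0;
}
```

The point of returning an error rather than truncating is that the hardened code makes the oversize case explicit for the caller; strncpy-style truncation removes the overflow but can leave an unterminated or semantically wrong string, which is why Flawfinder's own message warns that strncpy is easily misused.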
Running a single static analysis tool against the C source of one Ruby implementation (MRI) should be treated as a preliminary exercise rather than a finding: Flawfinder matches on dangerous function names, so each hit, including the level-4 strcpy calls above, has to be reviewed in context to determine whether attacker-controlled data of unbounded length can actually reach it before it is counted as a vulnerability.