sqc 0.4.13

Software Code Quality - CERT C compliance checker
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

//! API10-C: APIs should have security options enabled by default
//!
//! APIs with security-related options should be secure by default. This prevents
//! developers from unknowingly using insecure configurations. This rule detects
//! APIs that require explicit opt-in for security features (insecure by default)
//! rather than requiring explicit opt-out (secure by default).
//!
//! Noncompliant pattern:
//!   - TLS_VALIDATE_HOST     (must enable validation)
//!   - TLS_DISABLE_V1_0      (must disable old protocol)
//!
//! Compliant pattern:
//!   - TLS_DISABLE_HOST_VALIDATION  (must disable validation, secure by default)
//!   - TLS_ENABLE_V1_0              (must enable old protocol, secure by default)

use crate::manifest::{RuleCategory, Severity};
use crate::rules::{CertRule, RuleViolation};
use crate::utility::cert_c::ast_utils::get_node_text;
use tree_sitter::Node;

pub struct Api10C;

impl CertRule for Api10C {
    fn rule_id(&self) -> &'static str {
        "API10-C"
    }

    fn description(&self) -> &'static str {
        "APIs should have security options enabled by default"
    }

    fn severity(&self) -> Severity {
        Severity::Medium
    }

    fn category(&self) -> RuleCategory {
        RuleCategory::Recommendation
    }

    fn cert_id(&self) -> &'static str {
        "API10-C"
    }

    fn check(&self, node: &Node, source: &str) -> Vec<RuleViolation> {
        let mut violations = Vec::new();
        self.check_node(node, source, &mut violations);
        violations
    }
}

impl Api10C {
    fn check_node(&self, node: &Node, source: &str, violations: &mut Vec<RuleViolation>) {
        // Check for insecure-by-default #define patterns
        if node.kind() == "preproc_def" {
            self.check_define(node, source, violations);
        }

        // Recurse through children
        for i in 0..node.child_count() {
            if let Some(child) = node.child(i) {
                self.check_node(&child, source, violations);
            }
        }
    }

    fn check_define(&self, node: &Node, source: &str, violations: &mut Vec<RuleViolation>) {
        // Get the macro name
        if let Some(name_node) = node.child_by_field_name("name") {
            let macro_name = get_node_text(&name_node, source);

            // Check for insecure-by-default patterns (security requires opt-in)
            let insecure_patterns = [
                "TLS_VALIDATE_HOST", // Must enable validation (insecure by default)
                "TLS_DISABLE_V1_0",  // Must disable old TLS (insecure by default)
                "TLS_DISABLE_V1_1",  // Must disable old TLS (insecure by default)
                "VALIDATE_",         // Generic validation opt-in pattern
                "ENABLE_SECURITY",   // Generic security opt-in pattern
                "DISABLE_INSECURE",  // Generic insecure opt-out pattern
            ];

            for pattern in &insecure_patterns {
                if macro_name.contains(pattern) {
                    let start_point = node.start_position();
                    let _define_text = get_node_text(node, source);

                    violations.push(RuleViolation {
                        rule_id: self.rule_id().to_string(),
                        severity: Severity::Medium,
                        message: format!(
                            "API option '{}' requires explicit opt-in for security (insecure by default). \
                             Security features should be enabled by default, requiring explicit opt-out.",
                            macro_name
                        ),
                        file_path: String::new(),
                        line: start_point.row + 1,
                        column: start_point.column + 1,
                        suggestion: Some(
                            "Rename to require explicit opt-out of security (e.g., 'DISABLE_HOST_VALIDATION' \
                             instead of 'VALIDATE_HOST', 'ENABLE_V1_0' instead of 'DISABLE_V1_0')"
                                .to_string(),
                        ),
                        ..Default::default()
                    });

                    break; // Only report once per define
                }
            }
        }
    }
}