Hello,
Using the open source tool flawfinder (https://dwheeler.com/flawfinder/)
against the snap7 library, there are a few CWEs reported.
(See Snap7Report.txt for the signaled weaknesses.)
Most worrisome of them are CWE-120
(https://cwe.mitre.org/data/definitions/120.html): Buffer Overflow (as they
are the most predominant ones and can lead to a compromise of
confidentiality, integrity and availability in the system). I would just
like to bring attention to this issue, as it can pose a threat to the users
of it. --Marius
Hi Marius,
At the moment, there is a code contribution in progress to tackle (hopefully) most of these issues.
I informed Davide about it today and guess there will be an update in the near future. :)
I'm working on a new Open Source communication suite ;-) (stay tuned.....)
Afterwards, I will manage that.
Just made the test and compared the contribution with the tool you recommended: It seems that these issues haven't been reduced, but other vulnerabilities and issues have been fixed (which seem to be unseen by flawfinder).
Many lines of the issues are warnings about functions that are easily handled wrongly, which isn't always a vulnerability.
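Why a fix can leave the flawfinder count unchanged, as an added example that is not part of the thread or of the snap7 sources: flawfinder matches risky function names lexically, so it reports the `memcpy` call under CWE-120 in both functions below, although only the first one is missing the length check. `payload_t`, `PAYLOAD_MAX` and both function names are hypothetical.

```c
/* Added example: constructed code, not taken from snap7. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16   /* hypothetical fixed receive buffer size */

typedef struct {
    uint8_t data[PAYLOAD_MAX];
    size_t  len;
} payload_t;

/* CWE-120 pattern: len comes from the peer and is never compared with
 * the destination size. Shown for contrast only, never called here. */
void store_unchecked(payload_t *dst, const uint8_t *src, size_t len)
{
    memcpy(dst->data, src, len);
    dst->len = len;
}

/* Same memcpy call, but len is validated first. A name-matching scanner
 * still reports this line, although it cannot overflow. */
int store_checked(payload_t *dst, const uint8_t *src, size_t len)
{
    if (dst == NULL || src == NULL || len > sizeof dst->data)
        return -1;               /* reject instead of truncating */
    memcpy(dst->data, src, len);
    dst->len = len;
    return 0;
}

int main(void)
{
    payload_t p = { {0}, 0 };
    uint8_t small[8]  = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed input */
    uint8_t large[64] = { 0 };               /* constructed oversize input */

    printf("small: %d\n", store_checked(&p, small, sizeof small));
    printf("large: %d\n", store_checked(&p, large, sizeof large));
    return 0;
}
```

When triaging a report such as Snap7Report.txt, each flagged copy therefore has to be read for a bounds check like the one in `store_checked` before it is counted as a real overflow.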
Thanks for the updates, I'm tuned and enthusiastic!