PerlMonks  

Uncontrolled Format String - Checkmarx issue

by Rishi2Monk (Novice)
on Dec 27, 2022 at 11:37 UTC [id://11149115]

Rishi2Monk has asked for the wisdom of the Perl Monks concerning the following question:

Why does Checkmarx throw an uncontrolled format string error with the code below? Can someone please explain and share the solution?

    open (STAT, "<", "$file")
    while ( $content = <STAT> ) {
        :
        $errcnt = $total - $content;
    }
    :
    printf RPT " Number of Rejected Records : $errcnt\n";

Re: Uncontrolled Format String - Checkmarx issue
by haukex (Archbishop) on Dec 27, 2022 at 11:41 UTC

    I don't know about checkmarx, but I suspect the line should either be:

    print RPT " Number of Rejected Records : $errcnt\n";
    # - or -
    printf RPT " Number of Rejected Records : %s\n", $errcnt;

    By the way, you should check your opens for errors, see "open" Best Practices, and also I suggest you chomp $content before using it as a number, as that's cleaner.

      Thanks for your reply. After changing the print/printf it worked for some cases. But the code is still throwing an Uncontrolled Format String error. I tried multiple ways but none are helpful. Kindly help me to understand what might be wrong in the formatting.

      printf RPT "  Error rate                   : %3.2f%%\n\n", $err_rate;

        Maybe now is a good time to take a step back and look at what you are trying to do here.

        You are asking us about errors that a tool by some other vendor raises. We are not that vendor nor do we have more access than you to the vendor.

        Maybe you can talk to the vendor about the documentation of their error message and the description what code causes the error to be raised.

        Once you understand what in the code causes the Checkmarx error to be raised with your code, you can ask how to best rewrite your code so it avoids the issue.

        I agree with everything that Corion and marto have written. Checkmarx is giving you the error, so Checkmarx also needs to tell you how to fix it.

        As I indicated above, I was only guessing what the problem might be, and in this case I can also only guess that maybe Checkmarx wants you to confirm that $err_rate really does contain a float. But Perl is notoriously hard to parse, so I have no idea what code the tool would accept for that check, so again, you'd have to look at the Checkmarx documentation or ask them. And if Corion is right that %% is the problem, then the tool is giving you a false positive (which proves my point), and you need to talk to Checkmarx support.
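The pattern haukex recommends (a constant format string, with the data passed only as arguments) placed next to the risky form from the question, as an added example that is not code from the thread. The sub names count_rejected, report_risky and report_safe, the in-memory STAT/RPT filehandles and the sample input are constructed for the demo.

```perl
use strict;
use warnings;

# Added demo, not code from the thread. The sub names and the in-memory
# STAT/RPT filehandles are constructed so it runs without real files.
my $stat_data = "3\n";   # constructed STAT content: one count per line
my $total     = 10;

# The loop from the question, with the open checked and $content chomped
# before it is used as a number (both suggested by haukex above).
sub count_rejected {
    my ($src, $total) = @_;
    open my $stat, '<', $src or die "Can't open STAT: $!";
    my $errcnt;
    while (my $content = <$stat>) {
        chomp $content;              # strip "\n" before the subtraction
        $errcnt = $total - $content;
    }
    close $stat;
    return $errcnt;
}

# Risky: $errcnt is interpolated into the format string, so whatever it
# holds (e.g. a stray "%s" from a corrupt input line) becomes a directive.
sub report_risky {
    my ($errcnt) = @_;
    open my $rpt, '>', \my $out or die "Can't open RPT: $!";
    printf $rpt " Number of Rejected Records : $errcnt\n";
    close $rpt;
    return $out;
}

# Safe: the format is a constant, data only travels as arguments, and a
# literal percent sign is spelled "%%" inside that constant.
sub report_safe {
    my ($errcnt, $err_rate) = @_;
    open my $rpt, '>', \my $out or die "Can't open RPT: $!";
    printf $rpt " Number of Rejected Records : %s\n", $errcnt;
    printf $rpt " Error rate : %3.2f%%\n", $err_rate;
    close $rpt;
    return $out;
}

my $errcnt = count_rejected(\$stat_data, $total);
print report_safe($errcnt, 100 * $errcnt / $total);

# With untrusted content the two differ: the risky form raises a
# "Missing argument in printf" warning and swallows the "%s"; the safe
# form prints the value verbatim.
my $bad = "7 %s";
print report_risky($bad);
print report_safe($bad, 0);
```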

Re: Uncontrolled Format String - Checkmarx issue
by hippo (Bishop) on Dec 27, 2022 at 11:54 UTC

    Your code doesn't compile. Try terminating your open statement with a semi-colon. If this isn't your actual code then there's little point in us analysing the rest of it.


    🦛

      hippo Sorry, I missed adding the semicolon while copying the original code.

        Even if we add in that semi-colon, your code still doesn't compile.

        $ cat 11149115.pl
        open (STAT, "<", "$file");
        while ( $content = <STAT> ) {
            :
            $errcnt = $total - $content;
        }
        :
        printf RPT " Number of Rejected Records : $errcnt\n";
        $ perl -cw 11149115.pl
        syntax error at 11149115.pl line 3, near ":"
        syntax error at 11149115.pl line 7, near ":"
        11149115.pl had compilation errors.
        $

        Just paste your actual code into the node so our time isn't wasted fixing things you've broken in the copy only. And when you've done that, download the code from the node and try to compile and run it yourself just to be sure.


        🦛

Re: Uncontrolled Format String - Checkmarx issue
by karlgoethebier (Abbot) on Dec 28, 2022 at 12:34 UTC
    «…the checkmarx…»

    Which Checkmarx product are you actually using? And by the way: Here is their documentation for everything - just in case you didn't know that yet. It actually looks pretty good. Unlike their intrusive website.

    «The Crux of the Biscuit is the Apostrophe»
