Recommendations
FIO01-A. Prefer functions that do not rely on file names for identification
FIO02-A. Canonicalize file names originating from untrusted sources
FIO03-A. Do not make assumptions about fopen() and file creation
FIO04-A. Detect and handle input output errors
FIO05-A. Identify files using multiple file attributes
FIO06-A. Create files with appropriate access permissions
Rules
FIO30-C. Exclude user input from format strings
FIO32-C. Do not assume file names generated with tmpnam() remain unique
FIO33-C. Detect and handle input output errors resulting in undefined behavior
FIO34-C. Use int to capture the return value of character IO functions
FIO35-C. Use feof() and ferror() to detect end-of-file and file errors
FIO36-C. Don't assume a newline character is read
FIO37-C. Don't assume character data has been read
FIO38-C. Do not use a copy of a FILE object for IO
FIO39-C. Create temporary files securely
Risk Assessment Summary
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| FIO01-A | 3 (high) | 2 (likely) | 1 (high) | P6 | L2 | 
| FIO02-A | 3 (high) | 1 (unlikely) | 1 (high) | P3 | L3 | 
| FIO03-A | 3 (high) | 2 (probable) | 1 (high) | P6 | L2 | 
| FIO04-A | 2 (medium) | 2 (probable) | 1 (high) | P4 | L3 | 
| EXP01-A | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 | 
| FIO06-A | 2 (medium) | 1 (unlikely) | 2 (medium) | P4 | L3 | 

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO30-C | 3 (high) | 3 (probable) | 3 (low) | P27 | L1 | 
| FIO32-C | 3 (high) | 2 (probable) | 1 (medium) | P6 | L2 | 
| FIO33-C | 1 (low) | 1 (low) | 3 (medium) | P3 | L3 | 
| FIO34-C | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 | 
| PRE33-C | 1 (low) | 1 (unlikely) | 2 (medium) | P2 | L3 | 
| EXP01-A | 1 (low) | 1 (unlikely) | 3 (low) | P3 | L3 | 
| FIO38-C | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |