1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
|
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2013 David Malcolm <dmalcolm@redhat.com>
Copyright 2013 Red Hat, Inc.
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
USA
-->
<grammar xmlns="http://relaxng.org/ns/structure/1.0"
datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
<start>
<!-- Results from the invocation of an analysis tool -->
<element name="analysis">
<ref name="metadata-element"/>
<element name="results">
<zeroOrMore>
<choice>
<ref name="issue-element"/>
<ref name="failure-element"/>
<ref name="info-element"/>
</choice>
</zeroOrMore>
</element>
<optional>
<ref name="custom-fields-element"/>
</optional>
</element>
</start>
<define name="metadata-element">
<element name="metadata">
<element name="generator">
<attribute name="name"/>
<optional>
<attribute name="version"/>
</optional>
</element>
<!-- "sut" = "Software Under Test" -->
<optional>
<element name="sut">
<choice>
<element name="source-rpm">
<attribute name="name"/>
<attribute name="version"/>
<attribute name="release"/>
<attribute name="build-arch"/>
</element>
<!-- Debian SUT entries -->
<element name="debian-source">
<!-- Report for a Debian source package -->
<attribute name="name"/>
<attribute name="version"/>
<optional>
<!-- This entry is optional because Debian packages may be
`native' (e.g. no local version, since local and
upstream are the same). -->
<attribute name="release"/>
</optional>
<!-- No build arch; source is arch indep. -->
</element>
<element name="debian-binary">
<!-- Report for a Debian .deb package -->
<attribute name="name"/>
<attribute name="version"/>
<optional>
<attribute name="release"/>
</optional>
<attribute name="build-arch"/>
<!-- Valid entries include `amd64', `kfreebsd-amd64', `armhf',
`hurd-i386', among others for Debian. -->
</element>
<!-- What other options should we have? -->
</choice>
</element>
</optional>
<optional>
<ref name="file-element"/>
</optional>
<optional>
<element name="stats">
<!-- actual time taken to run the analysis, in seconds -->
<attribute name="wall-clock-time">
<data type="float"/>
</attribute>
</element>
</optional>
</element>
</define>
<!--
Definitions of the various kinds of result follow:
<issue>
<failure>
<info>
-->
<!-- A report about a possible problem -->
<define name="issue-element">
<element name="issue">
<optional>
<!-- The Common Weakness Enumeration ID
(see http://cwe.mitre.org/index.html )
e.g. "131" representing CWE-131
aka "Incorrect Calculation of Buffer Size"
http://cwe.mitre.org/data/definitions/131.html
-->
<attribute name="cwe">
<data type="integer"/>
</attribute>
</optional>
<optional>
<!--
Each static analysis tool potentially has multiple tests,
with its own IDs for its own tests.
Capture those that do here, as free-form strings:
-->
<attribute name="test-id"/>
</optional>
<optional>
<!--
Each static analysis tool potentially can report a "severity",
which may be of use for filtering.
The precise strings are likely to vary from tool to tool.
To avoid data-transfer issues, support storing it as an optional
freeform string here.
See:
http://lists.fedoraproject.org/pipermail/firehose-devel/2013-February/000001.html
-->
<attribute name="severity"/>
</optional>
<!-- A message summarizing the problem -->
<ref name="message-element"/>
<!-- Additional descriptive details
This might support some simple markup at some point
(as might <message>) -->
<optional>
<element name="notes"><text/></element>
</optional>
<!-- Where is the problem? -->
<ref name="location-element"/>
<optional>
<!-- How can the problem occur? -->
<element name="trace">
<oneOrMore>
<element name="state">
<ref name="location-element"/>
<optional>
<element name="notes"><text/></element>
</optional>
<!-- optionally we can supply key-value pairs -->
<zeroOrMore>
<element name="annotation">
<element name="key"><text/></element>
<element name="value"><text/></element>
</element>
</zeroOrMore>
</element>
</oneOrMore>
</element>
</optional>
<!--
A given tool/testid may have additional key/value pairs that it
may be useful to capture:
-->
<optional>
<ref name="custom-fields-element"/>
</optional>
</element>
</define>
<!--
A report about a failed analysis.
If any of these are present then we don't have full coverage.
For some analyzers this is an all-or-nothing affair: we either
get issues reported, or a failure happens (e.g. a segfault of the
analysis tool).
Other analyzers may be more fine-grained: able to report some issues,
but choke on some subset of the code under analysis. For example
cpychecker runs once per function, and any unhandled Python exceptions
only affect one function.
-->
<define name="failure-element">
<element name="failure">
<optional>
<!--
Each static analysis tool potentially can identify types of way
that it can fail.
Capture those that do here, as (optional) free-form strings:
-->
<attribute name="failure-id"/>
</optional>
<optional>
<!--
Some analysis tools may be able to annotate a failure report by
providing the location *within the software-under-test* that
broke them.
For example, gcc-python-plugin has a gcc.set_location() method
which can be used by a code analysis script to record what
location is being analyzed, so that if unhandled Python exception
happens, it is reported at that location. This is invaluable
when debugging analysis failures.
-->
<ref name="location-element"/>
</optional>
<optional>
<!-- summary of the failure -->
<ref name="message-element"/>
</optional>
<!--
Every type of failure seems to have its own kinds of data that
are worth capturing:
* stdout/stderr/returncode for a failed subprocess
* traceback for an unhandled Python exception
* verbose extra information about a cppcheck failure
etc.
Hence allow a <failure> to optionally contain extra key/value
pairs, based on the failure-id.
-->
<optional>
<ref name="custom-fields-element"/>
</optional>
</element>
</define>
<!--
Sometimes you may want a tool to report other kinds of information
about the software-under-test that isn't a problem as such, e.g.
code metrics, copyright/license info, cross-referencing information
etc, hence the <info> element:
-->
<define name="info-element">
<element name="info">
<optional>
<!--
An optional free-form string identifying the kind of information
being reported:
-->
<attribute name="info-id"/>
</optional>
<optional>
<ref name="location-element"/>
</optional>
<optional>
<ref name="message-element"/>
</optional>
<optional>
<ref name="custom-fields-element"/>
</optional>
</element>
</define>
<!-- ...end of result definitions. Various supporting elements follow: -->
<!--
Summary text aimed at a developer. This is required for an <issue>,
but is also can (optionally) be provided by a <failure> or <info>
-->
<define name="message-element">
<element name="message"><text/></element>
</define>
<define name="location-element">
<!-- A particular source code location -->
<element name="location">
<ref name="file-element"/>
<!--
Ideally, every analyzer would tell us in which function each
problem was discovered, given that function names are less
likely to change than line numbers.
Unfortunately many don't - and we should patch these in each
upstream analyzer as we go.
Also, a problem can occur in global scope (e.g. lack of NULL
termination in an array-initializer for a global, such as in
this checker:
http://gcc-python-plugin.readthedocs.org/en/latest/cpychecker.html#verification-of-pymethoddef-tables
(although arguably there *is* a relevant function there: the
location of the code that uses that data)
-->
<optional>
<element name="function">
<attribute name="name"/>
</element>
</optional>
<!-- We can refer to either a location, or a range of locations
within the file: -->
<choice>
<ref name="point-element"/>
<element name="range">
<!-- start of range: -->
<ref name="point-element"/>
<!-- end of range: -->
<ref name="point-element"/>
</element>
</choice>
</element>
</define>
<define name="file-element">
<element name="file">
<!--
What filename was given by the analyzer?
This is typically the one supplied to it on the command line,
which might be absolute or relative.
Examples:
- "foo.c"
- "./src/foo.c"
- "/home/david/libfoo-1.0/src/foo.c"
-->
<attribute name="given-path"/>
<!--
Optionally, record the absolute path of the file,
to help deal with collating results from a build that changes
working directory (e.g. recursive make)
-->
<optional>
<attribute name="absolute-path"/>
</optional>
<optional>
<element name="hash">
<attribute name="alg"/>
<attribute name="hexdigest"/>
</element>
</optional>
</element>
</define>
<define name="point-element">
<element name="point">
<attribute name="line"/>
<attribute name="column"/>
</element>
</define>
<!--
A big escape-hatch in the schema: support for arbitrary, ordered
key/value pairs for roundtripping data specific to a particular
situation. e.g. debugging attributes for a particular failure
-->
<define name="custom-fields-element">
<element name="custom-fields">
<zeroOrMore>
<choice>
<element name="str-field">
<attribute name="name"/>
<text/>
</element>
<element name="int-field">
<attribute name="name"/>
<data type="integer"/>
</element>
</choice>
</zeroOrMore>
</element>
</define>
</grammar>
|
