Skip to content

OpenSSF Best Practices Badge: 4 Analysis criteria incorrectly self-reported as "Met" #49

Description

@hbgit

Summary

An audit of the current CI/CD static and dynamic analysis setup found that 4 criteria in the OpenSSF Best Practices Badge "Analysis" section are not actually satisfied, despite docs/migration/1.5-openssf-badge.md claiming the section is 8/8 (100%). Full evidence trail is in TODO.md. This issue tracks fixing the underlying problems (and, once fixed, correcting the badge profile at bestpractices.dev).

Two of the four are MUST-level criteria — meaning the project cannot honestly claim a "Passing" badge until they're addressed.


1. static_analysis_fixed (MUST) — Not Met

All medium and higher severity exploitable vulnerabilities discovered with static code analysis MUST be fixed in a timely way after they are confirmed.

Findings from cppcheck/clang-tidy, confirmed in docs/migration-schedule.md since 2026-06-14 (~3 weeks), still present in code today:

  • CWE-119 buffer overflow (strcpy)modules/frontend/map2check.cpp:93,102,111
  • Off-by-one / OOB writemodules/backend/library/lib/BTree.c:274-276
  • Dangling pointer to local VLAmodules/backend/library/lib/NonDetGeneratorKlee.c:41,47
  • Shift UB / uninitialized variablesNonDetGeneratorLibFuzzy.c:103, AllocationLog.c:56, NonDetLog.c:70, ContainerBTree.c:23

All 12 items in docs/migration-schedule.md Phase 2.0 remain unchecked (☐), including the 5 flagged by the project itself as priority.

2. dynamic_analysis_fixed (MUST) — Not Met

All medium and higher severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed.

  • UBSan confirms the BTree.c:276 off-by-one at runtime in BTreeTest/ContainerBTreeTest — a real out-of-bounds write, not theoretical.
  • ASan confirms memory leaks in AllocationLogTest (lines 75, 87) and AllocationLog.c:89.
  • CI is deliberately tuned to hide both (UBSAN_OPTIONS=halt_on_error=0, ASAN_OPTIONS=detect_leaks=0 in .github/workflows/ci.yml, sanitizer-tests job) instead of fixing them.

(Tracked in detail, with a suggested code fix, in a dedicated issue: "Fix confirmed out-of-bounds write in BTree.c:276 (UBSan) and unfreed test allocations in AllocationLogTest".)

3. dynamic_analysis_unsafe (SUGGESTED) — Not Met

If the software includes a memory-unsafe language, at least one dynamic tool (e.g., a fuzzer) MUST be routinely used in combination with a mechanism to detect memory safety problems.

  • LibFuzzer is explicitly disabled (-DSKIP_LIB_FUZZER=ON) in all 3 CI jobs, including sanitizer-tests — ASan only runs against the 7 fixed unit tests, never against fuzzer-generated input.
  • NonDetGeneratorLibFuzzy.c is Map2Check's own product feature (fuzzing the user's analyzed C programs) — not self-fuzzing of Map2Check's own codebase.
  • No fuzz harness, corpus, or OSS-Fuzz integration exists for Map2Check's own source.
  • The planned self-fuzzing effort (AFL++, docs/migration-schedule.md Phase 3, items 3.1.1–3.1.4) hasn't started.

4. dynamic_analysis_enable_assertions (SUGGESTED) — Met in form only

Use a dynamic-analysis configuration that enables many assertions.

  • CI never sets CMAKE_BUILD_TYPE=Release/MinSizeRel, so -DNDEBUG is never injected — assertions would fire if present.
  • But assert() / BOOST_ASSERT() occur 0 times anywhere in modules/ — there's nothing to actually enable. .clang-tidy is pre-configured to recognize these macros, but the project doesn't use them.

Action items

  • Fix the 4 code-level findings under static_analysis_fixed (see also Phase 2.0 in docs/migration-schedule.md).
  • Fix the BTree.c off-by-one and AllocationLogTest leaks (dedicated issue), then flip halt_on_error=1 / detect_leaks=1 in ci.yml.
  • Decide on and schedule a self-fuzzing approach for Map2Check's own codebase (LibFuzzer harness re-enabled in sanitizer-tests, or bring forward the AFL++ Phase 3 work) to close dynamic_analysis_unsafe.
  • Either introduce real assert()/BOOST_ASSERT() usage where it adds defensive value, or stop counting dynamic_analysis_enable_assertions as meaningfully satisfied.
  • Once the above land, correct the bestpractices.dev badge profile (currently claims Analysis 8/8 — should reflect actual state until fixed).

References

  • TODO.md — full evidence for each finding
  • docs/migration-schedule.md (Phase 2.0 — Code Health; Phase 3 — AFL++)
  • docs/migration/1.5-openssf-badge.md (self-reported badge status)
  • .github/workflows/ci.yml (static-analysis, sanitizer-tests jobs)

Metadata

Metadata

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions