@@ -1046,21 +1046,30 @@ The product does not need to protect against unauthorized access by elements of
#### 5.2.X.x **MI-SSCA**: Static source code analysis for memory errors
The manufacturer shall check all security-relevant parts of the product for memory errors using a source code analysis tool that detects at least the following types of memory errors, subject to whether each error is possible in the source code language:
All security-relevant parts of the product shall be checked for memory errors using a source code analysis tool that detects code that may produce common memory errors, such as:
* buffer overflow
* out-of-bounds
* use after free
* double free
* uninitialized variables
* dereference invalid pointer
* TBD others?
* use of uninitialized variables
* dereference of invalid pointer
All warnings, annotations, or other method of suppressing warnings from the analysis tool shall be accompanied by an explanation of why the code in question will not produce an error under reasonably foreseeable use or misuse.
The sufficiency of the source code analysis tool and the selected manner of running it shall be documented.
* Test: run a source code analysis tool on all security-relevant parts of the product
* Result: no warnings or suppression of warnings that do not have documentation showing why they are memory safe
* Output: the output of the source code analysis checker
* False negative test: for each kind of memory error in the above list, write a test program with the error, run the analysis tool on it, and show that it produces a warning for each error
All warnings, annotations, or other method of suppressing warnings from the analysis tool shall be documented with a rationale for why it does not constitute an unacceptable risk.
* Reference: TR-MISO, FIXME others
* Objective: Prevent or mitigate unauthorize memory access
* Preparation: None
* Activities: Review the documentation on why the source code analysis tool is sufficient, how it is run, the source code for the product, the output of the source code analysis tool, and the documentation for any warnings or suppression of warnings
* Verdict: Sufficiency documentation is acceptable, the method of running the tool is consistent with rationale, the output of source code analysis tool is consistent with the source code, all warnings or suppression of warnings have convincing documentation for why they are an acceptable risk => PASS, otherwise FAIL
* Evidence: The documentation on why the source code analysis tool is sufficient, how it is run, the source code for the product, the output of the source code analysis tool, and the documentation for any warnings or suppression of warnings
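Review bot: the requirement text and the verification criteria state two different standards for accepting a suppressed warning, and the hunk should settle on one. The sentence "All warnings, annotations, or other method of suppressing warnings ... shall be accompanied by an explanation of why the code in question will not produce an error under reasonably foreseeable use or misuse" demands a correctness argument, while the later "shall be documented with a rationale for why it does not constitute an unacceptable risk" and the Verdict line ("convincing documentation for why they are an acceptable risk") accept a risk argument; an assessor cannot apply the PASS/FAIL rule consistently unless one of the two is removed. In the same vein, the memory-error list carries both "uninitialized variables" and "use of uninitialized variables", and both "dereference invalid pointer" and "dereference of invalid pointer", plus the placeholder "TBD others?"; keep one wording per error type, drop the placeholder (or replace it with a concrete entry such as an out-of-bounds read/write split, since "out-of-bounds" alone does not say what is out of bounds), and resolve "FIXME others" in the Reference line before merge. Minor: "other method of suppressing warnings" should read "other methods", and "unauthorize memory access" in the Objective should be "unauthorized memory access". The "False negative test" bullet is a good addition; consider stating that the test programs must cover each error type in the language(s) actually used by the security-relevant parts, since the list is already qualified by "subject to whether each error is possible in the source code language".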