Troubleshooting Scans with Complex Functions

 
0 Likes

During a Fortify Static Code Analyzer scan, the Dataflow Analyzer might encounter a function for which it cannot complete the analysis and reports the following message:

Function <name> is too complex for <analyzer> analysis and will be skipped (<identifier>)
where:

  • <name> is the name of the source code function
  • <analyzer> is the name of the analyzer
  • <identifier> is the type of complexity, which is one of the following:
  • l: Too many distinct locations
  • m: Out of memory
  • s: Stack size too small
  • t: Analysis taking too much time
  • v: Function visits exceed the limit
    .

The depth of analysis Fortify Static Code Analyzer performs sometimes depends on the available resources. Fortify Static Code Analyzer uses a complexity metric to trade off these resources against the number of vulnerabilities that it can find. Sometimes, this means giving up on a particular function when Fortify Static Code Analyzer does not have enough resources available. This is normally when you see the "Function too complex" messages

When you see this message, it does not necessarily mean that Fortify Static Code Analyzer completely ignored the function in the program. For example, the Dataflow Analyzer typically visits a function many times before completing the analysis, and might not have run into this complexity limit in the previous visits. In this case, the results include everything learned from the previous visits.

You can control the "give up" point using Fortify Static Code Analyzer properties called limiters. Different analyzers have different limiters.

This section contains the following topics:

  • Dataflow Analyzer Limiters
  • Control Flow and Null Pointer Analyzer Limiters

Dataflow Analyzer Limiters

There are three types of complexity identifiers for the Dataflow Analyzer:

  1. l: Too many distinct locations
  2. m: Out of memory
  3. s: Stack size too small
  4. v: Function visits exceed the limit


To resolve the issue identified by s, increase the stack size for by setting -Xss to a value greater than 16 MB.

To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.

To resolve the complexity identifier of l, you can adjust the following limiters in the Fortify Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on the command line.

Property Name Default Value

com.fortify.sca.
limiters.MaxTaintDefForVar

1000

com.fortify.sca.
limiters.MaxTaintDefForVarAbort

4000

com.fortify.sca.
limiters.MaxFieldDepth

4


The MaxTaintDefForVar limiter is a dimensionless value expressing the complexity of a function, while MaxTaintDefForVarAbort is the upper bound for it. Use the MaxFieldDepth limiter to measure the precision when the Dataflow Analyzer analyzes any given object. Fortify Static Code Analyzer always tries to analyze objects at the highest precision possible.

If a given function exceeds the MaxTaintDefForVar limit at a given precision, the Dataflow Analyzer analyzes that function with lower precision (by reducing the MaxFieldDepth limiter). When you reduce the precision, it reduces the complexity of the analysis. When the precision cannot be reduced any further, Fortify Static Code Analyzer then proceeds with analysis at the lowest precision until either it finishes, or the complexity exceeds the MaxTaintDefForVarAbort limiter. In other words, Fortify Static Code Analyzer tries harder at the lowest precision to get at least some results from the function. If Fortify Static Code Analyzer reaches the MaxTaintDefForVarAbort limiter, it gives up on the function entirely and you get the "Function too complex" warning.

To resolve the complexity identifier of v, you can adjust the property com.fortify.sca.limiters.MaxFunctionVisits. This property sets the maximum number of times the taint propagation analyzer visits functions. The default is 50.

Control Flow and Null Pointer Analyzer Limiters


There are two types of complexity identifiers for both Control Flow and Null Pointer analyzers:

  1. m: Out of memory
  2. t: Analysis taking too much time


Due to the way that the Dataflow Analyzer handles function complexity, it does not take an indefinite amount of time. Control Flow and Null Pointer analyzers, however, can take an exceptionally long time when analyzing complex functions. Therefore, Fortify Static Code Analyzer provides a way to abort the analysis when this happens, and then you get the "Function too complex" message with a complexity identifier of t.

To change the maximum amount of time these analyzers spend to analyze functions, you can adjust the following property values in the Fortify Static Code Analyzer property file <sca_install_dir>/Core/config/fortify-sca.properties or on the command line.

Property Name

Description

Default Value

com.fortify.sca.

CtrlflowMaxFunctionTime

Sets the time limit (in milliseconds) for Control Flow analysis on a single function. 600000 (10 minutes)

com.fortify.sca.

NullPtrMaxFunctionTime

Sets the time limit (in milliseconds) for Null Pointer analysis on a single function. 300000 (5 minutes)


To resolve the complexity identifier of m, increase the physical memory for Fortify Static Code Analyzer.

Note: If you increase these limiters or time settings, it makes the analysis of complex functions take longer. It is difficult to characterize the exact performance implications of a particular value for the limiters/time, because it depends on the specific function in question. If you never want to see the "Function too complex" warning, you can set the limiters/time to an extremely high value, however it can cause unacceptable scan time.

Labels:

Support Tip
Comment List
Related
Recommended