Add additional CERT risk assessment tags

Author: lcartey

rule_packages/c/Banned.json

@@ -13,7 +13,12 @@
           "severity": "error",
           "short_name": "DoNotCallSystem",
           "tags": [
-            "security"
+            "security",
+            "external/cert/severity/high",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p12",
+            "external/cert/level/l1"
           ]
         }
       ],

rule_packages/c/Concurrency1.json

@@ -15,7 +15,12 @@
           "shared_implementation_short_name": "GuardAccessToBitFields",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p8",
+            "external/cert/level/l2"
           ]
         }
       ],
@@ -35,7 +40,12 @@
           "short_name": "RaceConditionsWhenUsingLibraryFunctions",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/high",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ]
         }
       ],
@@ -55,7 +65,12 @@
           "short_name": "DoNotCallSignalInMultithreadedProgram",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/low",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/low",
+            "external/cert/priority/p6",
+            "external/cert/level/l2"
           ],
           "implementation_scope": {
             "description": "This implementation does not consider threads created function pointers."

rule_packages/c/Concurrency2.json

@@ -15,7 +15,12 @@
           "shared_implementation_short_name": "PreventDeadlockByLockingInPredefinedOrder",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/low",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ]
         }
       ],
@@ -36,7 +41,12 @@
           "shared_implementation_short_name": "WrapSpuriousFunctionInLoop",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/low",
+            "external/cert/likelihood/unlikely",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p2",
+            "external/cert/level/l3"
           ]
         }
       ],

rule_packages/c/Concurrency3.json

@@ -15,7 +15,12 @@
           "shared_implementation_short_name": "DoNotAllowAMutexToGoOutOfScopeWhileLocked",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/high",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ],
           "implementation_scope": {
             "description": "This implementation does not allow for thread synchronization to be performed in subroutines. All synchronization must be performed within the context of the other thread management functions."
@@ -31,7 +36,12 @@
           "shared_implementation_short_name": "DoNotDestroyAMutexWhileItIsLocked",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/high",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ]
         }
       ],
@@ -52,7 +62,12 @@
           "shared_implementation_short_name": "PreserveSafetyWhenUsingConditionVariables",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/low",
+            "external/cert/likelihood/unlikely",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p2",
+            "external/cert/level/l3"
           ],
           "implementation_scope": {
             "description": "This implementation does not attempt to identify unique condition variables and instead advocates for the usage of `cnd_broadcast`."
@@ -75,7 +90,12 @@
           "short_name": "WrapFunctionsThatCanFailSpuriouslyInLoop",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/low",
+            "external/cert/likelihood/unlikely",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p2",
+            "external/cert/level/l3"
           ],
           "implementation_scope": {
             "description": "This implementation does not attempt to identify a relationship between the condition variable and the atomic operation."

rule_packages/c/Concurrency4.json

@@ -14,7 +14,12 @@
           "short_name": "CleanUpThreadSpecificStorage",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/unlikely",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ],
           "implementation_scope": {
             "description": "This query does not attempt to ensure that the deallocation function in fact deallocates memory and instead assumes the contract is valid. Additionally, this query requires that all `tss_create` calls are bookended by calls to `tss_delete`, even if a thread is not created."
@@ -37,7 +42,13 @@
           "short_name": "AppropriateThreadObjectStorageDurations",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/recommendation/con34-c",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/high",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ],
           "implementation_scope": {
             "description": "This query does not consider Windows implementations or OpenMP implementations. This query is primarily about excluding cases wherein the storage duration of a variable is appropriate. As such, this query is not concerned if the appropriate synchronization mechanisms are used, such as sequencing calls to `thrd_join` and `free`. An audit query is supplied to handle some of those cases."
@@ -53,7 +64,13 @@
           "tags": [
             "external/cert/audit",
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/recommendation/con34-c",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/high",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ]
         }
       ],

rule_packages/c/Concurrency5.json

@@ -15,7 +15,12 @@
           "shared_implementation_short_name": "JoinOrDetachThreadOnlyOnce",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/low",
+            "external/cert/likelihood/likely",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p6",
+            "external/cert/level/l2"
           ],
           "implementation_scope": {
             "description": "This query considers problematic usages of join and detach irrespective of the execution of the program and other synchronization and interprocess communication mechanisms that may be used."
@@ -38,7 +43,12 @@
           "short_name": "AtomicVariableTwiceInExpression",
           "tags": [
             "correctness",
-            "concurrency"
+            "concurrency",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p8",
+            "external/cert/level/l2"
           ]
         }
       ],

rule_packages/c/Contracts.json

@@ -13,7 +13,12 @@
           "severity": "error",
           "short_name": "DoNotViolateInLineLinkageConstraints",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/low",
+            "external/cert/likelihood/unlikely",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p2",
+            "external/cert/level/l3"
           ],
           "implementation_scope": {
             "description": "This query only considers the constraints related to inline extern functions."

rule_packages/c/Contracts1.json

@@ -14,7 +14,12 @@
           "short_name": "DoNotModifyTheReturnValueOfCertainFunctions",
           "shared_implementation_short_name": "ConstLikeReturnValue",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/low",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ]
         }
       ],
@@ -33,7 +38,12 @@
           "severity": "error",
           "short_name": "EnvPointerIsInvalidAfterCertainOperations",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/low",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ],
           "implementation_scope": {
             "description": "The rule is enforced in the context of a single function."

rule_packages/c/Contracts2.json

@@ -13,7 +13,12 @@
           "severity": "error",
           "short_name": "ExitHandlersMustReturnNormally",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/likely",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p12",
+            "external/cert/level/l1"
           ]
         }
       ],
@@ -33,7 +38,12 @@
           "short_name": "DoNotStorePointersReturnedByEnvFunctions",
           "shared_implementation_short_name": "InvalidatedEnvStringPointers",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/low",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ]
         },
         {
@@ -45,7 +55,12 @@
           "short_name": "DoNotStorePointersReturnedByEnvironmentFunWarn",
           "shared_implementation_short_name": "InvalidatedEnvStringPointersWarn",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/low",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p4",
+            "external/cert/level/l3"
           ]
         }
       ],

rule_packages/c/Contracts4.json

@@ -13,7 +13,12 @@
           "severity": "error",
           "short_name": "SetlocaleMightSetErrno",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p8",
+            "external/cert/level/l2"
           ]
         },
         {
@@ -24,7 +29,12 @@
           "severity": "error",
           "short_name": "ErrnoReadBeforeReturn",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p8",
+            "external/cert/level/l2"
           ]
         },
         {
@@ -35,7 +45,12 @@
           "severity": "error",
           "short_name": "FunctionCallBeforeErrnoCheck",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p8",
+            "external/cert/level/l2"
           ]
         },
         {
@@ -46,7 +61,12 @@
           "severity": "error",
           "short_name": "ErrnoNotSetToZero",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/medium",
+            "external/cert/likelihood/probable",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p8",
+            "external/cert/level/l2"
           ]
         }
       ],

rule_packages/c/Contracts5.json

@@ -13,7 +13,12 @@
           "severity": "error",
           "short_name": "DoNotRelyOnIndeterminateValuesOfErrno",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/low",
+            "external/cert/likelihood/unlikely",
+            "external/cert/remediation-cost/low",
+            "external/cert/priority/p3",
+            "external/cert/level/l3"
           ],
           "implementation_scope": {
             "description": "The rule is enforced in the context of a single function."
@@ -35,7 +40,12 @@
           "severity": "error",
           "short_name": "DetectAndHandleStandardLibraryErrors",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/high",
+            "external/cert/likelihood/likely",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p18",
+            "external/cert/level/l1"
           ],
           "implementation_scope": {
             "description": "The rule is enforced in the context of a single function."

rule_packages/c/Contracts6.json

@@ -13,7 +13,12 @@
           "severity": "error",
           "short_name": "DoNotModifyConstantObjects",
           "tags": [
-            "correctness"
+            "correctness",
+            "external/cert/severity/low",
+            "external/cert/likelihood/unlikely",
+            "external/cert/remediation-cost/medium",
+            "external/cert/priority/p2",
+            "external/cert/level/l3"
           ],
           "implementation_scope": {
             "description": "The implementation does not consider pointer aliasing via multiple indirection."