New Rule to detect String Format Vulnerabilities

c/lang/security/string-format.c

@@ -0,0 +1,33 @@
+#include  <stdio.h>
+#include <stdlib.h>
+
+void f0(char *var)
+{
+	// ok: string-format
+	printf("%s\n", argv[1]);
+
+	// ruleid: string-format
+	printf(argv[1]);
+}
+
+void f1(FILE *fd, char *var) {
+  // ok: string-format
+  fprintf(fd, "%s\n", var);
+
+  // ruleid: string-format
+  fprintf(fd, var);
+}
+
+void f2(char *var) {
+  char *buf = (char *)malloc(100);
+
+  // ok: string-format
+  sprintf(buf, "%s\n", var);
+  // ok: string-format
+  snprintf(buf, 100, "%s\n", var);
+
+  // ruleid: string-format
+  sprintf(buf, var);
+  // ruleid: string-format
+  snprintf(buf, 100, var);
+}

c/lang/security/string-format.yaml

@@ -0,0 +1,39 @@
+rules:
+- id: string-format
+  message: >-
+    Usage of `printf` function family without providing a format string can lead to format string vulnerabilities.
+    Prefer the usage of `puts` family of functions or provide a format string to mitigate this issue. 
+  metadata:
+    cwe:
+    - 'CWE-134: Use of Externally-Controlled Format String'
+    references:
+    - https://owasp.org/www-community/attacks/Format_string_attack
+    category: security
+    technology:
+    - c
+    confidence: MEDIUM
+    subcategory:
+    - vuln
+    likelihood: MEDIUM
+    impact: HIGH
+  languages: [c]
+  severity: ERROR
+  patterns:
+  - pattern-either:
+      - patterns:
+        - pattern: printf(...)
+        - pattern-not: printf("$FMT", ...)
+      - patterns:
+        - pattern: $FUN($FD, ...)
+        - pattern-not: $FUN($FD, "$FMT", ...)
+        - metavariable-pattern:
+            metavariable: $FUN
+            pattern-either:
+              - pattern: fprintf
+              - pattern: dprintf
+      - patterns:
+        - pattern: sprintf($BUF, ...)
+        - pattern-not: sprintf($BUF, "$FMT", ...) 
+      - patterns:
+        - pattern: snprintf($BUF, $SIZE, ...)
+        - pattern-not: snprintf($BUF, $SIZE, "$FMT", ...)