CVE-2022-35026 The commit 617837b contained a segmentation violation.

When cloning the project and performing a code analysis, the team found a code block that was not fully typechecked: If the cloned project was opened in Visual Studio, the team found that the code analysis would not be executed by default. The team did some digging and discovered that the reason for this was because Visual Studio was set to not “blame” the team for this issue. To fix this, the team simply needed to change the setting in the Visual Studio Code settings.

Detecting and preventing style issues with tools

Style issues are an inevitability of software development. Even with a team of experienced developers, there will be differences in coding style and complexity. To prevent these issues from arising, some teams use tools to help detect these problems and provide solutions for them.
One tool the team uses is Microsoft Visual Studio Code. VS Code has built-in code analysis that helps developers identify potential style issues in their codebase so they can fix them before committing the code to a repository. This is done by adding “blame” comments on select lines throughout the project, which reference the offending line number in order to show where the problem lies.
The team also uses multiple other tools such as Stylecop and Prettier. These tools both help enforce formatting guidelines in order to make it easier for developers to maintain consistent styles within their codebase and avoid any potential style clash after merging different repositories together into one application. In this case, VS Code was being used to detect violations of style guidelines and then produce specific “blame” comments on selected lines of a cloned project that would contain information about the line number of the violation and how it could be fixed with a simple "blame" comment or reformat operation.

Check functionality of your CI environment

It's easy to be tired of this whole testing and automating process, but let's not forget that it actually helps us! This is especially true if you have a continuous integration environment. A continuous integration environment allows you to test your code continuously and provide feedback to the developers so they can fix bugs before your code gets released. It also provides a much safer place for checking for security vulnerabilities as well as potential issues your team may not know about.
To ensure that the CI environment is running smoothly, it's important to make sure everything is working properly. One helpful tool the team utilizes is a code analyzer like SonarQube. SonarQube allows the team to see what types of errors are occurring in their codebase as well as any potential vulnerabilities that might be present in their project.

Finding New Issues with Find-A-Vulnerability

In the traditional life cycle of a project, vulnerabilities are found, made public, and then fixed. But in the world of open source software, this method doesn’t work. Open source software is constantly being updated and changed by multiple people. In order to keep up with the changes that occur in open source software, additional code analysis must be performed on every project. If a team is not performing additional code analysis when it finds a vulnerability, then it could be missed and left as an unnoticed vulnerability for future users of the project.

Configure Code Analysis for your Code Annotation Process

When your team starts to use code annotation and you want to start analyzing your code, teams need to be careful that they configure the right code analysis settings. When you are setting up a new project, Code Analysis is not enabled by default. You can configure this setting in the Team Settings inside the Visual Studio Code settings. To change this setting, you would simply go into team settings and set the value for "Enable Code Analysis" to true.
This configuration will allow Visual Studio Code to take advantage of its understanding of your project’s source code and apply the proper analysis routines when it opens your project. This helps with overall analysis quality as well.
** Pick Your Project **
To help make this easier, we have created a quick tip on how to configure your specific projects for customizing their Code Analysis settings: https://docs.microsoft.com/en-us/visualstudio/ide/code-analysis-configuration#team-settings

When only the best will do: Always use the highest quality automation software

The team found that this issue was caused by the interpreter not being able to load the project correctly. The team also discovered that it would be more efficient to use a higher quality language such as Python or JavaScript instead of C++.
As a result, the team decided that it would be in their best interest to create a Python version of this project.

Timeline

Published on: 09/22/2022 17:15:00 UTC
Last modified on: 09/23/2022 03:03:00 UTC

References

• https://drive.google.com/file/d/13A5FLmr3NiQZMNUpd9ir3owrnbn5lZbO/view?usp=sharing
• https://github.com/Cvjark/Poc/blob/main/otfcc/CVE-2022-35026.md
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-35026