feat: static checking for common bug patterns

[tomtau]

Summary

It'd be good to add GH Action that would statically check for common bug patterns -- e.g. https://github.com/github/codeql-action

Problem Definition

There are a few bugs that resurfaced a few times in Cosmos SDK -- off the top of my head, I can think of:

1. non-determinism through iterating over Go maps
2. using hardcoded constants instead of values from application configs (e.g. fix bech32 prefix in evidence #8461 fix validator address prefix #9212 )

It would be good to capture these sorts of bug patterns in static analysis tools, so that it's less likely to re-introduce them.

Related:

• fix: upgrade non-determinism #10188
• Create or integrate linter to check time.Now use #10329

Proposal

Add CodeQL Github Action pipeline: https://github.com/github/codeql-action
and write a few custom CodeQL queries to capture common bugs from the past: https://codeql.github.com/docs/codeql-language-guides/codeql-for-go/

---

For Admin Use

• Not duplicate issue
• Appropriate labels applied
• Appropriate contributors tagged
• Contributor assigned/self-assigned

[tomtau]

one simple query to detect iterations over maps:

/**
 * @name Iteration over map 
 * @kind problem
 * @description Iteration over map is non-deterministic and could cause issues in consensus-critical code.
 * @problem.severity warning
 * @tags correctness
 * @precision low
 * @security-severity medium
 * @id go/example/map-iteration
 */

import go

from RangeStmt loop
where loop.getDomain().getType() instanceof MapType
select loop, "Iteration over map"

In Cosmos SDK, there are 59 cases: https://lgtm.com/query/5686749966483880627/ -- FYI @ryanchristo @robert-zaremba -- it may be good to go over them to check they are harmless.

I guess that query could be added to CI as it is, but alternatively, we can also refine it for a higher precision: https://codeql.github.com/docs/codeql-language-guides/modeling-data-flow-in-go-libraries/

The more precise query would be something like: find all iterations over map which are one of these options:

1. they get to be executed on ABCI consensus-related methods (beginblock, DeliverTx, ...)
2. they write to a field or a variable that gets read on ABCI consensus-related methods and they were not sorted
   ...

[tac0turtle]

cc @odeke-em

[tomtau]

besides map iteration, I guess it'd be good to have queries to scan for other sources of non-determinism -- as with https://forum.cosmos.network/t/cosmos-sdk-vulnerability-retrospective-security-advisory-jackfruit-october-12-2021/5349 -- time.Now()

[tomtau]

I tried to exclude test and telemetry usage of time.Now():

/**
 * @name Calling the system time
 * @description Calling the system time is non-deterministic and could cause issues in consensus-critical code.
 * @kind problem
 * @problem.severity warning
 * @id go/system-time
 * @tags correctness
 */

import go

predicate isIrrelevantPackage(string packageName) {
  packageName = "cli" or packageName = "main" or packageName = "testutil"
}

from CallExpr call
where
  call.getTarget().getQualifiedName() = "time.Now" and
  // TODO: uncomment if ignoring string formatting is desired
  // not (
  //   call.getParent().(CallExpr).getTarget().getQualifiedName() =
  //     "github.com/cosmos/cosmos-sdk/types.FormatTimeBytes" or
  //   call.getParent*().(CallExpr).getTarget().getQualifiedName().matches("fmt.Sprintf")
  // ) and
  not call.getEnclosingFunction().getName().matches("Test%") and
  call.getLocation().getFile().getBaseName() != "test_helpers.go" and
  not isIrrelevantPackage(call.getLocation().getFile().getPackageName()) and
  not exists(DataFlow::CallNode telemetryCall |
    telemetryCall
        .getExpr()
        .(CallExpr)
        .getTarget()
        .getQualifiedName()
        .matches("github.com/cosmos/cosmos-sdk/telemetry%")
  |
    DataFlow::localFlow(DataFlow::exprNode(call), telemetryCall.getAnArgument())
  )
select call, "Calling the system time"

There are 5 results in the current master: https://lgtm.com/query/1044813113192157603/ including that problem in authz

[tomtau]

There are no results in the current master:

/**
 * @name Directly using the bech32 constants
 * @description Bech32 constants are hardcoded to Gaia defaults; the external applications would need to use `GetConfig().GetBech32...` functions instead of constants
 * @kind problem
 * @problem.severity warning
 * @id go/bech-32-constant
 * @tags correctness
 */

import go

from ConstantName cn
where
  cn.toString().matches("Bech32%") and
  cn.getLocation().getFile().getPackageName() != "types"
select cn, "Directly using the bech32 constants"

but I verified that running this query locally on a DB built from SDK v0.41.4, it'll have 33 findings.

[tomtau]

In some SDK projects, floating point operations were parts of bugs, so it may be good to flag them too:

/**
 * @name Floating point arithmetic
 * @kind problem
 * @description Floating point operations are not associative and may lead to surprising situations: https://en.wikipedia.org/wiki/Floating-point_arithmetic#Accuracy_problems
 * @problem.severity recommendation
 * @tags correctness
 * @precision low
 * @security-severity low
 * @id go/floating-point-arithmetic
 */

import go

from ArithmeticBinaryExpr e
where
  (
    e.getLeftOperand().getType() instanceof FloatType or
    e.getRightOperand().getType() instanceof FloatType
  ) and
  e.getLocation().getFile().getPackageName() != "simulation"
select e, "Floating point arithmetic"

[tomtau]

I tried to collect all the queries in this repo: https://github.com/crypto-com/cosmos-sdk-codeql

[robert-zaremba]

Thanks for the issue. Anything in client, cli and tests can be ignored. This is definitely needed and please feel free to create a PR. It seams that all / most of them are false positives. As Bez noted in the chat, we will need some statement to ignore that false positives.

PS: this is related to : #10329

[odeke-em]

We've got unreleased code in a private repo (collabo between Informal Systems * Orijtech Inc) that has a static analyzer/pass that'll detect when maps are being iterated over with values and enforce keys must be iterated upon then perhaps sorted. Kindly cc-ing @ebuchman