Defensive Reporting
In this final assignment, you find and report issues in an existing code base implementing Trudel – the convenient task manager. Trudel is a web server written in C. You might wonder what could possibly go wrong? Well, let's figure it out.
Submission tag: no tag necessary, as the assignment is done inside gitlab
Deadline: Fr 8.1.2021 23:59
Organizational
- You can achieve 48 regular points, which equals 15% of the overall grade.
- You can earn 12 additional bonus points (only if your grade is already positive, i.e. passing), which equals 5% of the overall grade.
Specification
Note: You do not need to fully understand the specification in order to find and report issues.
Trudel allows clients to connect over HTTP and communicate with it by sending JSON requests. Trudel allows clients to store, edit and delete tasks. Furthermore, tags can be associated with tasks. Trudel stores the data in a specified sqlite3 database file.
You can find the specification in the form of a Python server implementation of Trudel in the upstream repository, in the folder spec. By running the script ./run.sh inside Docker you should be able to access Trudel from your host system in the browser:
- Trudel: http://127.0.0.1:5000/
- Specification: http://127.0.0.1:5000/swaggerui
- Specification: http://127.0.0.1:5000/redoc
Reporting Issues
You shall report issues that violate defensive coding principles via the Gitlab issue tracker. To do so, log into your Git repository in the browser: https://git.teaching.iaik.tugraz.at/
Here is a non-exhaustive list of issues you can report:
- Bugs & Vulnerabilities: Memory corruptions and leaks, use after free, double free, use of uninitialized memory, format string vulnerability, integer overflow …
- Violations of defensive coding principles: Hard-to-read and dangerous code, obviously bad naming, wrong use of asserts, implicit assumptions (undefined behavior, implementation-defined behavior)
- Other issues: all sorts of programming mistakes leading to
  - Functional issues
  - Program crashes (segfault)
  - Information leakage
  - Errors/warnings triggered by valgrind, ASan, -Wall
- Missing documentation is not an issue you get points for
One issue can bring you up to 4 points. In order to get full points, the issue shall fulfill the following criteria:
- Be valid and unique: We won't count duplicates. E.g., the very same issue in five different locations only counts once. In this case, enumerate all five locations in one issue.
- Impact: What is the nature of this issue, and what are the potential consequences? E.g., memory leak, integer overflow that leads to a potential program crash, format string vulnerability that leads to arbitrary code execution ...
- Be concise: Accurate issue descriptions no longer than 100 words in the Markdown preview, with direct links to the relevant source code lines. E.g., if you hide a URL behind one word, it counts as one word.
  - More information about Markdown is available here.
  - Gitlab follow-up comments and attachments are not needed
- Propose a fix: Small fixes can be proposed in the issue description. For more complex fixes, we recommend creating a new branch per issue, committing the fix there, and linking the commit in the issue description.
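To make the categories above and the "propose a fix" criterion concrete, here is an added, constructed example; it is not code from the Trudel repository and the function names and buffer sizes are invented for illustration. Each function documents the "before" pattern a report would flag (integer overflow in a size computation, unbounded copy of a request field, untrusted data used as a format string) and implements the hardened "after" form the report could propose, returning results so the behaviour can be checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, NOT code from the Trudel repository. Each function
 * documents a "before" that a report would flag and implements the "after"
 * a report could propose. */

/* 1. Integer overflow: bytes needed for `count` records of `elem` bytes each.
 * Before: count * elem silently wraps for large client-controlled counts, so
 * a later malloc() gets a tiny size and the fill loop writes past it. This
 * function keeps the wrapping form only to make the wrap observable. */
size_t record_bytes_wrapping(size_t count, size_t elem)
{
    return count * elem;
}

/* After: refuse the request instead of wrapping. Returns 1 and sets *out on
 * success, 0 if count * elem would exceed SIZE_MAX. */
int record_bytes_checked(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return 0;
    *out = count * elem;
    return 1;
}

/* 2. Bounded copy of a request field into a fixed-size buffer.
 * Before would be strcpy(dst, src): a title longer than the buffer overflows
 * it. After: check the length first, keep dst NUL-terminated, and report
 * failure so the caller can answer with an error instead of corrupting
 * memory. Returns the number of bytes copied, or -1 if src does not fit. */
int copy_field_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen) {
        if (dstlen)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* 3. Format string: before would be snprintf(dst, dstlen, msg) with msg taken
 * from the request, so conversion specifiers inside a task title would be
 * interpreted. After: the format is a constant and the untrusted text is an
 * argument, so it is copied verbatim. Returns what snprintf reports. */
int format_message_fixed(char *dst, size_t dstlen, const char *msg)
{
    return snprintf(dst, dstlen, "%s", msg);
}

int main(void)
{
    size_t bytes = 0;
    char buf[16];

    printf("wrapping size: %zu\n", record_bytes_wrapping(SIZE_MAX, 2));
    printf("checked size ok: %d\n", record_bytes_checked(SIZE_MAX, 2, &bytes));
    printf("copy result: %d\n",
           copy_field_checked(buf, sizeof buf, "a title that is far too long"));
    format_message_fixed(buf, sizeof buf, "100%d done");
    printf("formatted: %s\n", buf);
    return 0;
}
```

A report built on such a finding would link the affected lines, name the category (integer overflow, memory corruption, format string), state the consequence, and either paste the few-line fix or link a commit on a per-issue branch. Compiling with -Wall -fsanitize=address and running under valgrind, as the issue list above suggests, is a good way to confirm both the problem and the fix.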
Defensive Reporting: Oral Exam
- You have to defend your points during the oral exam at the end of the semester, which is mandatory.
- During the oral exam, we ask you questions like the following:
- What is the issue?
- What is the impact and the consequences?
- What is a potential fix?
- How did you find the issue?
- …