How to figure out if defects are in your code or third-party code

Welcome to the Mayhem Tips and Tricks series! Our goal is to help you learn about the best features of Mayhem in small, bite-size chunks. Today, we will explain how to tell whether a defect found by Mayhem is in your code or in third-party code.

Modern software applications have many dependencies; those dependencies may have other dependencies. Given that your application may use significant amounts of third-party code, you might be wondering how to determine if a defect discovered by Mayhem exists in your codebase or a third-party’s codebase that your application merely uses. Fortunately, when Mayhem finds a fault, it produces a “Backtrace” that can provide clues about where the defect is.

For example, imagine that you’re analyzing an application that depends on the ntfs-3g package (tuxera/ntfs-3g on GitHub, the NTFS-3G Safe Read/Write NTFS Driver). You want to know if the defects you find are in your application or in ntfs-3g. Where should you look?

In Mayhem’s web interface, you can view the details of a defect by clicking on the defect listed in the “Target Defect ID” column on the run page.

The defect details page includes a short description of the defect, including its Common Weakness Enumeration (CWE) ID, example test cases that trigger the defect, and of course, an example backtrace.

The backtrace provides contextual details about the defect, such as the function name and the source code location, if available, of each frame on the stack. By examining the backtrace, you can determine where the fault lies. In this example, the backtrace shows an out-of-bounds read occurring in the libntfs-3g library, which indicates a bug in this version of the ntfs-3g package! Here all of the software analyzed was open source, but imagine a scenario where your own application uses the libntfs-3g library: your application could be vulnerable to that out-of-bounds read even if your code were perfect.
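As an added example that is not part of the original article or of Mayhem's own tooling, the following script shows how this triage can be automated: parse the frames of a backtrace, classify each frame as first-party or third-party from its source path or shared object, and report both the crashing frame and the first frame of your own code on the stack (the point at which your application reached the faulty routine). The backtrace, function names, paths, addresses and the `src/` first-party prefix are all constructed for the illustration; the frames use a gdb-style layout, and the exact layout of a Mayhem backtrace may differ.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed sample backtrace in gdb-style frame layout. Function names,
# paths and addresses are made up for this example; this is not output
# copied from Mayhem.
SAMPLE_BACKTRACE = """\
#0  0x00007f3c1a2b4d10 in ntfs_attr_pread (na=0x5581f0a1c2e0, pos=4096, count=512, b=0x7ffd4a3e0b40) at attrib.c:1127
#1  0x00007f3c1a2c8e55 in ntfs_mft_record_read () from /usr/lib/x86_64-linux-gnu/libntfs-3g.so.89
#2  0x00007f3c1a2d1a02 in ntfs_inode_open (vol=0x5581f0a19c50, mref=5) at inode.c:212
#3  0x00005581ef9b3c4f in load_volume (path=0x7ffd4a3e1a10 "/tmp/in.img") at src/volume.c:88
#4  0x00005581ef9b2e21 in main (argc=2, argv=0x7ffd4a3e1b58) at src/main.c:42
#5  0x00007f3c19e4bd90 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#6  0x00005581ef9b2b2e in _start ()
"""

# One frame: "#N  0xADDR in func (args)" followed by "at file:line" (debug
# info present), "from /path/lib.so" (symbols only), or nothing (stripped).
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>[^\s(]+)\s*\(.*\)"
    r"(?:\s+at\s+(?P<file>\S+):(?P<line>\d+)|\s+from\s+(?P<lib>\S+))?\s*$"
)


@dataclass
class Frame:
    index: int
    func: str
    file: Optional[str] = None
    line: Optional[int] = None
    lib: Optional[str] = None

    def location(self) -> str:
        if self.file:
            return f"{self.file}:{self.line}"
        return self.lib or "?"

    def origin(self, first_party_prefixes: Sequence[str]) -> str:
        """first-party if the source path is under one of your own tree's
        prefixes (assumed here to be "src/"); third-party if it has a source
        file elsewhere or resolves only to a shared object; unknown if
        neither (e.g. stripped startup code)."""
        if self.file:
            if any(self.file.startswith(p) for p in first_party_prefixes):
                return "first-party"
            return "third-party"
        if self.lib:
            return "third-party"
        return "unknown"


def parse_backtrace(text: str) -> List[Frame]:
    """Extract recognisable frames; non-frame lines are skipped."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append(Frame(index=int(m["idx"]), func=m["func"], file=m["file"],
                            line=int(m["line"]) if m["line"] else None, lib=m["lib"]))
    frames.sort(key=lambda f: f.index)
    return frames


def triage(text: str, first_party_prefixes: Sequence[str] = ("src/",)) -> Dict[str, Optional[str]]:
    """Frame #0 is where the fault was raised. Walking outward from it, the
    first frame in your own tree is the entry point through which your code
    reached the faulty routine, which tells you whether you are exposed."""
    frames = parse_backtrace(text)
    if not frames:
        raise ValueError("no frames recognised in backtrace")
    crash = frames[0]
    crash_origin = crash.origin(first_party_prefixes)
    entry = next((f for f in frames if f.origin(first_party_prefixes) == "first-party"), None)
    if crash_origin == "first-party":
        verdict = "defect is in your code"
    elif entry is None:
        verdict = "defect is in third-party code and no frame of your code is on the stack"
    else:
        verdict = (f"defect is in third-party code ({crash.location()}), reached from your "
                   f"{entry.func} at {entry.location()}: your application is exposed")
    return {
        "crash_function": crash.func,
        "crash_location": crash.location(),
        "crash_origin": crash_origin,
        "entry_function": entry.func if entry else None,
        "entry_location": entry.location() if entry else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BACKTRACE).items():
        print(f"{key:16} {value}")
```

For the constructed backtrace this reports the crash in `ntfs_attr_pread` at `attrib.c:1127` (third-party) with `load_volume` at `src/volume.c:88` as the first frame of your own code, which is the call site to review even though the fix belongs upstream. Frames that resolve only to a shared object (here `libntfs-3g.so.89`) are still classified correctly, so the check works on release builds of dependencies that ship without debug info.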

In conclusion, Mayhem provides backtraces for the defects it discovers, which can help you determine whether the issue is in your code or in a dependency.

We hope that you found this Tips and Tricks article helpful.