Re: [sqlite] Coding standard

2019-12-12 Thread Scott Robison 
On Thu, Dec 12, 2019, 11:04 PM Valentin Davydov 
wrote:

> On Thu, Dec 12, 2019 at 11:19:44AM -0500, Richard Hipp wrote:
> >
> > #define sqlite3Strlen30NN(C) (strlen(C)&0x3fff)
> >
> > The tool does not provide any details beyond "Use of strlen".
>
> So why not just #define sqlite3Strlen30NN(C) (strnlen(C,0x3fff))
>

strnlen is not in the standard library. It is available on many platforms
but is not standard.
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Coding standard

2019-12-12 Thread Valentin Davydov 
On Thu, Dec 12, 2019 at 11:19:44AM -0500, Richard Hipp wrote:
> 
> #define sqlite3Strlen30NN(C) (strlen(C)&0x3fff)
> 
> The tool does not provide any details beyond "Use of strlen".

So why not just #define sqlite3Strlen30NN(C) (strnlen(C,0x3fff)) ?
From the point of view of program logic it looks similar (at least for 
me), but shifts security burden from you to authors of libc. And of course
this should calm static analyzers anxious about strlen(), sprintf() etc.

Valentin Davydov.

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Mike King 
Now, just for giggles here's the regex. It's for a simple SQL like Where
clause query language. Hopefully it makes sense :) According to my work
colleagues I am considered weird for enjoying writing a regex and they're
certainly more fun than waiting for the election result ;) (This was for a
personal project)

Cheers,

Mike

// setup the regex for tokenising the query.
//
// i.   \G means match at the start of where the previous match finished
//
// ii.  We used named groups (?<> with names that match the TokenTypes
enum so we can tell which command has been matched
//  (except for Whitespace which when we find it we move onto the next
token)
//
// iii. The token this returns removes any separators e.g. [] for fields,
"" for string, ## for datetime. (also in a string "" indicates a double
quote)
//
// iv.  The keywords below are in descending size order so that tokens such
as NotIn don't get confused with Not or In etc. (EndOfString is the shortest
//  as it is the end of string so it's empty).
//
// v.   As well as supporting the operators <, >, >=, <=, =, <> we also
support the alternatives GT, LT, GE, LE, EQ, NE, == and !=
string pattern = $@"\G(
(?$)|
(?\s+)|
(\#(?[^\#]*)\#)|
(\[(?[^\]]*)\])|

(?({Regex.Escape(CultureInfo.CurrentCulture.NumberFormat.PositiveSign)}|{Regex.Escape(CultureInfo.CurrentCulture.NumberFormat.NegativeSign)})?\d*{Regex.Escape(CultureInfo.CurrentCulture.NumberFormat.NumberDecimalSeparator)}?\d+)|
(""(?([^""]|)*)"")|
(?Not\s*Like)|
(?Between)|
(?Not\s*In)|
(?Empty)|
(?{Regex.Escape(bool.FalseString)})|
(?Like)|
(?{Regex.Escape(bool.TrueString)})|
(?And)|
(?Not)|
(?Yes)|
(?EQ)|
(?==)|
(?GT)|
(?\>=)|
(?GE)|
(?In)|
(?LT)|
(?\<=)|
(?LE)|
(?\<\>)|
(?NE)|
(?!=)|
(?No)|
(?Or)|
(?Y)|
(?N)|
(?{Regex.Escape(bool.TrueString.Substring(0,
1))})|
(?{Regex.Escape(bool.FalseString.Substring(0,
1))})|
(?\))|
(?,)|
(?=)|
(?\>)|
(?\<)|
(?\())";


On Thu, 12 Dec 2019 at 20:06, Mike King  wrote:

> It was a very simple cutdown SQL (think just a where clause) and the regex
> was a multiline affair which picked out tokens using named groups. I then
> had a function that skipped whitespace tokens and returned the next token
> (group name) and the value (parsed and validated for dates and numeric
> values, strings were escaped).
>
> Secondly, my code is designed to run on many databases not just SQLite and
> I don’t have access at the level you describe from a .Net driver. So using
> something specific to one manufacturer is not a good idea nor is writing
> custom code for each database.
>
> All this was possible and I just added my experiences to show it is
> possible with a little thought.
>
> Cheers
>
>
>
> On Thu, 12 Dec 2019 at 19:29, Warren Young  wrote:
>
>> On Dec 12, 2019, at 6:08 AM, Mike King  wrote:
>> >
>> > ...I decided on a simple subset of
>> > SQL and then wrote a parser using a regex as the tokeniser.
>>
>> First, [SQL is not a regular language][1], so it probably cannot be
>> completely parsed by regexes.  Not by a single regex without surrounding
>> logic, anyway.  There’s probably valid SQL that will pass your regex but
>> give unwanted behavior.
>>
>> Second, you’re reinventing SQLite’s own authorizer, which runs based on
>> the output of SQLite’s own well-tested SQL parsing engine.  (Which uses a
>> proper parser, not a regex.)
>>
>> Security is not an area where you want to roll your own logic.  Use
>> someone else’s well-tested solution whenever you can.
>>
>>
>> [1]: https://stackoverflow.com/a/33415289/142454
>> ___
>> sqlite-users mailing list
>> sqlite-users@mailinglists.sqlite.org
>> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>>
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Mike King 
It was a very simple cutdown SQL (think just a where clause) and the regex
was a multiline affair which picked out tokens using named groups. I then
had a function that skipped whitespace tokens and returned the next token
(group name) and the value (parsed and validated for dates and numeric
values, strings were escaped).

Secondly, my code is designed to run on many databases not just SQLite and
I don’t have access at the level you describe from a .Net driver. So using
something specific to one manufacturer is not a good idea nor is writing
custom code for each database.

All this was possible and I just added my experiences to show it is
possible with a little thought.

Cheers



On Thu, 12 Dec 2019 at 19:29, Warren Young  wrote:

> On Dec 12, 2019, at 6:08 AM, Mike King  wrote:
> >
> > ...I decided on a simple subset of
> > SQL and then wrote a parser using a regex as the tokeniser.
>
> First, [SQL is not a regular language][1], so it probably cannot be
> completely parsed by regexes.  Not by a single regex without surrounding
> logic, anyway.  There’s probably valid SQL that will pass your regex but
> give unwanted behavior.
>
> Second, you’re reinventing SQLite’s own authorizer, which runs based on
> the output of SQLite’s own well-tested SQL parsing engine.  (Which uses a
> proper parser, not a regex.)
>
> Security is not an area where you want to roll your own logic.  Use
> someone else’s well-tested solution whenever you can.
>
>
> [1]: https://stackoverflow.com/a/33415289/142454
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Richard Hipp 
On 12/12/19, Warren Young  wrote:
> On Dec 12, 2019, at 6:08 AM, Mike King  wrote:
>>
>> ...I decided on a simple subset of
>> SQL and then wrote a parser using a regex as the tokeniser.
>
> First, [SQL is not a regular language][1], so it probably cannot be
> completely parsed by regexes.  Not by a single regex without surrounding
> logic, anyway.  There’s probably valid SQL that will pass your regex but
> give unwanted behavior.
>
> Second, you’re reinventing SQLite’s own authorizer, which runs based on the
> output of SQLite’s own well-tested SQL parsing engine.  (Which uses a proper
> parser, not a regex.)

Excellent points.  Nevertheless, I think you can make the case for
using a home-grown regexp-based language restrictor *in addition to*
the built-in SQLite authorizer.  Layers of defense.

So my advice to the Mr. King is not to take out his regexp-based
language restrictor but rather to add in an additional layer based on
the SQLite authorizer, for redundancy.  During development and
testing, there should be some means of turning each mechanism off
separately so that the other can be tested, but in deployment both
should be hard-wired on.

-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Warren Young 
On Dec 12, 2019, at 6:08 AM, Mike King  wrote:
> 
> ...I decided on a simple subset of
> SQL and then wrote a parser using a regex as the tokeniser.

First, [SQL is not a regular language][1], so it probably cannot be completely 
parsed by regexes.  Not by a single regex without surrounding logic, anyway.  
There’s probably valid SQL that will pass your regex but give unwanted behavior.

Second, you’re reinventing SQLite’s own authorizer, which runs based on the 
output of SQLite’s own well-tested SQL parsing engine.  (Which uses a proper 
parser, not a regex.)

Security is not an area where you want to roll your own logic.  Use someone 
else’s well-tested solution whenever you can.


[1]: https://stackoverflow.com/a/33415289/142454
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Coding standard

2019-12-12 Thread Richard Hipp 
On 12/12/19, Warren Young  wrote:
>
>> AND only if the struct is then copied to a separate trust domain.
>
> You mean like in copying from kernel space to user space?  Or old-style RPC?
>  Or mmap() based IPC APIs?  Or…?
>
> I wouldn’t dismiss this warning.

Copying from kernel-space to user-space is one example.  Another would
be copying an internal SQLite struct out into a file, such as a
database file, accessible to other processes.  SQLite never does
either of these things.  Database files are written byte-by-byte, and
never by copying structures.  We know this is the case because there
is no other way to make the database endian-agnostic.  So the whole
issue is moot and you can ignore all of those warnings.


-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Coding standard

2019-12-12 Thread Warren Young 
On Dec 12, 2019, at 12:12 PM, Jens Alfke  wrote:
> 
> On Dec 12, 2019, at 10:36 AM, Simon Slavin  wrote:
>> 
>> For instance CodeSonar reports every use of memset() because you /can/ leak 
>> uninitialised bits of memory using memset() 
> 
> ...by writing to a field of a struct AFTER zeroing the struct with memset

A very common practice, particularly in C, which lacks constructors.

> AND only if the struct field has padding

As a great many structs do, since it’s become passé to optimize struct layout 
for optimal byte packing.

> AND only if the compiler optimizes the write in a particular way

There must be compilers that do this, else no one would be worried about it.  
Bet on it: this rule was written after damage had occurred somewhere, probably 
multiple places, not in anticipation of future damage.

> AND only if the struct is then copied to a separate trust domain.

You mean like in copying from kernel space to user space?  Or old-style RPC?  
Or mmap() based IPC APIs?  Or…?

I wouldn’t dismiss this warning.
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Coding standard

2019-12-12 Thread Jens Alfke 


> On Dec 12, 2019, at 10:36 AM, Simon Slavin  wrote:
> 
> For instance CodeSonar reports every use of memset() because you /can/ leak 
> uninitialised bits of memory using memset() (CERT C Section 3.6 DCL39-C).
> But it has no way to check whether what you're doing with memset() does 
> initialise all bits.

That seems like a silly warning to produce. Reading the CERT section in 
question*, the real  issue is caused not by memset but by writing to a field of 
a struct AFTER zeroing the struct with memset, AND only if the struct field has 
padding, AND only if the compiler optimizes the write in a particular way, AND 
only if the struct is then copied to a separate trust domain.

I don't know anything about CodeSonar, but this particular warning sounds like 
it was added only because it's easy to implement with 'grep'; whereas a useful 
warning that detects the actual situation described by CERT requires something 
on the order of valgrind or the Clang Address Sanitizer, to detect which bytes 
within the struct actually are garbage.

—Jens

* 
https://resources.sei.cmu.edu/downloads/secure-coding/assets/sei-cert-c-coding-standard-2016-v01.pdf

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] sqlite sync over network

2019-12-12 Thread Jens Alfke 


> On Dec 9, 2019, at 7:43 AM, George  wrote:
> 
> (litesync - SQLite Replication and Synchronization) 
> litesync seems to be a version of sqlite made by Ramos Bernardo from Brazil.

Interesting, but I don't see how they can make those kinds of claims without 
running into conflicts on primary keys. They say you can't use AUTOINCREMENT, 
for obvious reasons, but don't describe how else primary keys would be assigned.

The whole thing appears to be closed-source only, and from a developer I've 
never heard of, so I'd be cautious and build some software to try to evaluate 
it before you plunk down money.

—Jens
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Coding standard

2019-12-12 Thread Simon Slavin 
Thanks for the details.  Now we know what you're doing.

CodeSonar checks code for many possible faults.  This includes many things 
which are not related to the CERT C Coding Standard guidelines.  So not 
everything on the report is a violation of the standard.  You're really asking 
something about CodeSonar, not CERT.

For instance CodeSonar reports every use of memset() because you /can/ leak 
uninitialised bits of memory using memset() (CERT C Section 3.6 DCL39-C).
But it has no way to check whether what you're doing with memset() does 
initialise all bits.  And the solution CERT suggests – a substitute for 
memset() – is specific to the architecture of one class of CPUs.  Not useful 
for SQLite which has to run on pretty-much everything.

CodeSonar also assumes an insecure memory model, one where every piece of 
memory is leaked.  For instance, it assumes you're writing kernal code running 
in memory which might be leaked to a user.

I'm a poor C programmer.  (I use C only on tiny embedded devices and have never 
had a job which required me to write C code.).  I might try a tool like 
CodeSonar to catch my poor assumptions and poor techniques.  But it's not up to 
the professionalism of the SQLite devs.

If your bosses require CERT compliance, that's fine.  They're welcome to call 
in a human to check SQLite for violations, and I'm sure the SQLite devs would 
love to know anything found.  But we don't have software that good yet.
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Coding standard

2019-12-12 Thread Richard Hipp 
On 12/12/19, Arthur Blondel  wrote:
> I'm using amalgamation version 3.30.1. and check with CodeSonar

I've never heard of CodeSonar before. It appears to be some kind of
static analysis tool that reads the source code and tries to infer
potential problems.  These tools are usually pretty weak, giving lots
of false-positives.  CodeSonar seems to fall into the general pattern.

Authur sent me a spreadsheet with 432 warnings (not 32000 as
originally mentioned).  Let's take the last one as an example.  The
information I have is:

"Use of strlen"  sqlite3.c:117554

The line of code it is concerned about is here:
https://www.sqlite.org/src/artifact/40557ebd69f4115e?ln=152

Note:  sqlite3Strlen30NN() used to be a real function, but we later
changed it into a macro for performance reasons.  The definition is:

#define sqlite3Strlen30NN(C) (strlen(C)&0x3fff)

The tool does not provide any details beyond "Use of strlen".  Perhaps
it is concerned that the input pointer zColAff is NULL.  The assert()
on the previous line show that concern to be misplaced.  But even
without the assert(), if you trace the logic in this one function, you
clearly see that there is no possible way for zColAff to be NULL.  Of
course, reasoning that through is probably beyond the limited
capabilities of CodeSonar, and so it raised the warning.

Perhaps the concern is that the zColAff string is not zero-terminated.
That case is more difficult to reason about.  If the code between
lines 135 to 149 runs, then zColAff will clearly be zero-terminated,
but what if that logic is skipped?  Who is to say that the string
initially in pTab->zColAff is zero-terminated?  Answering that
question requires a global analysis.  If you examine the rest of the
source code, you find that the *only* place where pTab->zColAff is
ever set is in this one function, and hence pTab->zColAff must always
be zero-terminated.

So any way you look at it, this is a false-positive warning.

And false-positive warnings like this are typical of static analysis
tools.  Indeed, static analysis tools have never proven helpful in
finding problems in SQLite.  SQLite uses more advanced techniques such
as 100% MC/DC testing, run-time analysis, and the latest
profile-guided fuzzing methods.  This is not to say that SQLite is
100% bug-free.  (It isn't.)  But I do claim that the kinds of bugs
that remain in SQLite are way, way beyond the ability of CodeSonar to
detect.

I have not looked at any of the other 441 warnings that Arthur sent,
as my prior experience with these things tells me that they are likely
to all be false-positives.  Time spent analyzing the other 441
warnings is time that I am not using more advanced methods that have a
much higher probability of finding real errors.  So I'm going to
ignore the rest of the CodeSonar warnings and focus on more productive
pursuits.

If anybody else wants to have a look, the list of warnings can be seen
at https://sqlite.org/tmp/codesonar_warnings.csv
-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Coding standard

2019-12-12 Thread Richard Hipp 
Also, please send the specific version number (the HASH) of the SQLite
you are testing, so that the line numbers in the report will align
with the code that I will be looking at.

On 12/12/19, Arthur Blondel  wrote:
> -- Forwarded message -
> From: Arthur Blondel 
> Date: Thu, Dec 12, 2019 at 12:19 PM
> Subject: Re: [sqlite] Coding standard
> To: SQLite mailing list 
>
>
> I'm using amalgamation version 3.30.1. and check with CodeSonar
> Attached the Security issues.
>
>
> On Wed, Dec 11, 2019 at 4:57 PM Richard Hipp  wrote:
>
>> On 12/11/19, Arthur Blondel  wrote:
>> > Hello,
>> > Running the CERT coding standard
>> >  on the sqlite
>> code I
>> > get up to 32000 warnings, most of them are security issues.
>>
>> These are all likely to be false-positives.  But if you will send me
>> the list, I will have a look.
>>
>>
>> > Does anyone had this problem? The CERT standard is a must for my
>> > project
>> > and I wonder if there is a solution.
>> > Thanks
>> > ___
>> > sqlite-users mailing list
>> > sqlite-users@mailinglists.sqlite.org
>> > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>> >
>>
>>
>> --
>> D. Richard Hipp
>> d...@sqlite.org
>>
>


-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Mike King 
I had to do something similar. I’m the end I decided on a simple subset of
SQL and then wrote a parser using a regex as the tokeniser. The output was
SQL. By doing it this way I could validate field names and make sure all
values were correctly formatted and escaped.

Cheers

On Thu, 12 Dec 2019 at 13:01, Richard Hipp  wrote:

> On 12/12/19, test user  wrote:
> > Hello,
> >
> > How can I secure user supplied SQL statements in a single process?
>
> See https://www.sqlite.org/security.html for an introduction.
>
> Other suggestions:
>
> (1) Run the process that is evaluating user-supplied SQL in a sandbox,
> where it can do no harm if it does malfunction.
>
> (2) Limit the SQL to verified users.  Do not allow SQL from anonymous
> robots on the internet.
>
> (3) Restrict the scope of SQL using the authorizer, if possible.
>
> (4) Always use the latest available version of SQLite with all the
> latest patches.
>
> --
> D. Richard Hipp
> d...@sqlite.org
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Richard Hipp 
On 12/12/19, test user  wrote:
> Hello,
>
> How can I secure user supplied SQL statements in a single process?

See https://www.sqlite.org/security.html for an introduction.

Other suggestions:

(1) Run the process that is evaluating user-supplied SQL in a sandbox,
where it can do no harm if it does malfunction.

(2) Limit the SQL to verified users.  Do not allow SQL from anonymous
robots on the internet.

(3) Restrict the scope of SQL using the authorizer, if possible.

(4) Always use the latest available version of SQLite with all the
latest patches.

-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread Dominique Devienne 
On Thu, Dec 12, 2019 at 1:47 PM test user 
wrote:

> How can I secure user supplied SQL statements in a single process?
>

The one mechanism SQLite has is the authorizer [1].
Whether that's good enough for you, that's for you to determine. --DD

[1] https://www.sqlite.org/c3ref/set_authorizer.html
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] Securing user supplied SQL statements in a single process

2019-12-12 Thread test user 
Hello,

How can I secure user supplied SQL statements in a single process?

For example, if I had a public web service that allows users to create
their own SQL strings that I then run in a single server process, what are
the chances that they would be able to obtain general remote code execution?


I saw a security flaw a while back, and most people mentioned that “you
should not run user supplied SQL statements”.

Is there a way to do this using only SQLite (without spawning many
processes or using OS level isolation)?

Thanks
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Coding standard

2019-12-12 Thread Richard Hipp 
On 12/12/19, Arthur Blondel  wrote:
> I'm using amalgamation version 3.30.1. and check with CodeSonar
> Attached the Security issues.

This mailing list strips attachments.  Please send via private email.

-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Coding standard

2019-12-12 Thread Arthur Blondel 
I'm using amalgamation version 3.30.1. and check with CodeSonar
Attached the Security issues.


On Wed, Dec 11, 2019 at 4:57 PM Richard Hipp  wrote:

> On 12/11/19, Arthur Blondel  wrote:
> > Hello,
> > Running the CERT coding standard
> >  on the sqlite
> code I
> > get up to 32000 warnings, most of them are security issues.
>
> These are all likely to be false-positives.  But if you will send me
> the list, I will have a look.
>
>
> > Does anyone had this problem? The CERT standard is a must for my project
> > and I wonder if there is a solution.
> > Thanks
> > ___
> > sqlite-users mailing list
> > sqlite-users@mailinglists.sqlite.org
> > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
> >
>
>
> --
> D. Richard Hipp
> d...@sqlite.org
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users