commit: cf0023b814c2f0103086a179d5090658e83525d6
parent cdd45814275b14cbf537947dc0531518ef06d22d
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Thu, 2 May 2024 12:48:37 +0200
Drop flawfinder
Way too many false positives due to its apparent design of simply
checking function names and the basic kind of argument rather than
control flow like scan-build(1) does.
See the removed comments about access(3) and getenv(3) for examples.
Plus it also tends to spit out warnings about broken systems,
like ones with a broken implementation of getopt.
Diffstat:
14 files changed, 0 insertions(+), 31 deletions(-)
diff --git a/Makefile b/Makefile
@@ -37,7 +37,6 @@ lint: $(MAN1SO)
$(SHELLCHECK) ./configure ./test_functions.sh $(SCRIPTS)
$(MANDOC) -Tlint -Wunsupp,error,warning $(MAN1)
$(REUSE) lint --quiet
- ${FLAWFINDER} --minlevel=3 --error-level=4 .
.PHONY: clean
clean:
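Review bot: After this removal the `lint` recipe shown here runs only shellcheck, mandoc and reuse, so nothing in it analyses the C sources any more. The commit message names scan-build(1) as the better tool; if it is not already wired into another target, consider adding it to `lint` so the dropped check is replaced rather than just removed. The rest of the Makefile is outside this hunk, so this may already be covered elsewhere.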
diff --git a/cmd/chroot.c b/cmd/chroot.c
@@ -23,7 +23,6 @@ main(int argc, char *argv[])
return 125;
}
- /* flawfinder: ignore. chdir(/) done, can't close more fds, shouldn't drop root */
if(chroot(argv[1]) < 0)
{
perror("chroot");
@@ -40,7 +39,6 @@ main(int argc, char *argv[])
errno = 0;
if(argc == 2)
{
- /* flawfinder: ignore. NULL and length are checked */
char *shell = getenv("SHELL");
if(shell == NULL) shell = "/bin/sh";
if(strnlen(shell, PATH_MAX) >= PATH_MAX)
@@ -51,13 +49,11 @@ main(int argc, char *argv[])
shell = "/bin/sh";
}
- /* flawfinder: ignore. No restrictions on commands is intended */
ret = execlp(shell, shell, "-i", NULL);
}
else
{
argv += 2;
- /* flawfinder: ignore. No restrictions on commands is intended */
ret = execvp(argv[0], argv);
}
diff --git a/cmd/env.c b/cmd/env.c
@@ -44,7 +44,6 @@ main(int argc, char *argv[])
bool flag_i = false;
char *val;
- /* flawfinder: ignore. Old implementations of getopt should fix themselves */
while((c = getopt(argc, argv, ":iu:-:")) != -1)
{
switch(c)
@@ -121,7 +120,6 @@ main(int argc, char *argv[])
assert(argv[0]);
errno = 0;
- /* flawfinder: ignore. No restrictions on commands is intended */
if(execvp(argv[0], argv) < 0)
{
fprintf(stderr, "env: execvp(\"%s\", ...): %s\n", argv[0], strerror(errno));
diff --git a/cmd/id.c b/cmd/id.c
@@ -160,7 +160,6 @@ main(int argc, char *argv[])
struct passwd pw = {.pw_uid = uid, .pw_gid = gid};
struct passwd epw = {.pw_uid = euid, .pw_gid = egid};
- /* flawfinder: ignore. Old implementations of getopt should fix themselves */
while((c = getopt(argc, argv, ":Ggunr")) != EOF)
{
switch(c)
diff --git a/cmd/nice.c b/cmd/nice.c
@@ -79,7 +79,6 @@ main(int argc, char *argv[])
assert(argv[0]);
assert(errno == 0);
- /* flawfinder: ignore. No restrictions on commands is intended */
if(execvp(argv[0], argv) < 0)
{
fprintf(stderr, "nice: execvp(\"%s\", ...): %s\n", argv[0], strerror(errno));
diff --git a/cmd/nohup.c b/cmd/nohup.c
@@ -102,7 +102,6 @@ main(int argc, char *argv[])
assert(argv[0]);
assert(errno == 0);
- /* flawfinder: ignore. No restrictions on commands is intended */
if(execvp(argv[0], argv) < 0)
{
fprintf(stderr, "nohup: execvp(\"%s\", ...): %s\n", argv[0], strerror(errno));
diff --git a/cmd/pathchk.c b/cmd/pathchk.c
@@ -123,7 +123,6 @@ main(int argc, char *argv[])
if(!opt_p)
{
assert(errno == 0);
- /* flawfinder: ignore, doesn't do any other filesystem interaction afterwards */
if(access(path, F_OK) < 0 && errno != ENOENT)
{
fprintf(stderr,
diff --git a/cmd/realpath.c b/cmd/realpath.c
@@ -23,7 +23,6 @@ static char sep = '\n';
static int
print_realpath(char *path)
{
- /* flawfinder: ignore, NULL given */
char *file = realpath(path, NULL);
if(file)
{
@@ -56,7 +55,6 @@ print_realpath(char *path)
errno = 0;
- /* flawfinder: ignore, NULL given */
char *parent = realpath(path, NULL);
if(!parent)
{
diff --git a/cmd/seq.c b/cmd/seq.c
@@ -80,7 +80,6 @@ main(int argc, char *argv[])
{
int c;
- /* flawfinder: ignore. Old implementations of getopt should fix themselves */
while((c = getopt(argc, argv, ":ws:t:")) != -1)
{
switch(c)
diff --git a/cmd/strings.c b/cmd/strings.c
@@ -27,7 +27,6 @@ print_string(char *buffer, size_t offset)
}
else
{
- /* flawfinder: ignore. opt_offset_format isn't user-provided */
ret = printf(opt_offset_format, offset, buffer);
}
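Review bot: The call `printf(opt_offset_format, offset, buffer)` still takes a non-literal format string, and with the annotation removed nothing at the call site records why that is safe. The compiler cannot check the arguments against a format it cannot see, so the invariant is worth keeping as an ordinary comment, for example `/* opt_offset_format is always one of our own literals, never user input */`. That wording assumes the removed claim still holds where the variable is assigned, which is not visible here. print_string's body starts and ends outside the hunk.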
@@ -107,7 +106,6 @@ int
main(int argc, char *argv[])
{
int c;
- /* flawfinder: ignore. Old implementations of getopt should fix themselves */
while((c = getopt(argc, argv, ":an:t:")) != -1)
{
switch(c)
diff --git a/cmd/test.c b/cmd/test.c
@@ -366,16 +366,12 @@ filstat(char *nm, enum token mode)
switch(mode)
{
case FILRD:
- /* flawfinder: ignore, not for using later */
return (access(nm, R_OK) == 0);
case FILWR:
- /* flawfinder: ignore, not for using later */
return (access(nm, W_OK) == 0);
case FILEX:
- /* flawfinder: ignore, not for using later */
return (access(nm, X_OK) == 0);
case FILEXIST:
- /* flawfinder: ignore, not for using later */
return (access(nm, F_OK) == 0);
case FILREG:
return S_ISREG(s.st_mode);
diff --git a/cmd/time.c b/cmd/time.c
@@ -72,7 +72,6 @@ main(int argc, char *argv[])
perror("time: fork");
return 1;
case 0:
- /* flawfinder: ignore. No restrictions on commands is intended */
execvp(argv[0], argv);
ret = 126 + (errno == ENOENT);
perror("time: execvp");
diff --git a/configure b/configure
@@ -23,7 +23,6 @@ Variables:
M4=BIN
MANDOC=BIN
SHELLCHECK=BIN
- FLAWFINDER=BIN
GCOV=BIN
CRAM=BIN
REUSE=BIN
@@ -130,7 +129,6 @@ CFLAGS="${CFLAGS:--g -O2 -DDEBUG}"
M4="${M4:-m4}"
MANDOC="${MANDOC:-mandoc}"
SHELLCHECK="${SHELLCHECK:-shellcheck}"
-FLAWFINDER="${FLAWFINDER:-flawfinder}"
CRAM="${CRAM:-cram}"
REUSE="${REUSE:-reuse}"
@@ -202,12 +200,6 @@ then
SHELLCHECK="true"
fi
-if ! check_cmd FLAWFINDER "$FLAWFINDER"
-then
- echo 'Notice: Linting depending on flawfinder disabled'
- FLAWFINDER="true"
-fi
-
if ! check_cmd CRAM "$CRAM"
then
echo "Notice: cram not found, trying prysk"
@@ -274,7 +266,6 @@ MAKE = ${MAKE}
M4 = ${M4}
MANDOC = ${MANDOC}
SHELLCHECK = ${SHELLCHECK}
-FLAWFINDER = ${FLAWFINDER}
MSGFMT = ${MSGFMT}
DBG = ${DBG}
GCOV = ${GCOV}
diff --git a/lib/consent.c b/lib/consent.c
@@ -74,7 +74,6 @@ consentf(const char *restrict fmt, ...)
assert(errno == 0);
va_start(ap, fmt);
- /* flawfinder: ignore */
int ret = vfprintf(stderr, fmt, ap);
va_end(ap);
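Review bot: consentf passes its caller-supplied `fmt` straight to `vfprintf`, and once the bare ignore marker is gone nothing visible here checks callers' format strings. If the prototype does not already carry it, adding `__attribute__((format(printf, 1, 2)))` to the consentf declaration lets GCC and Clang verify every caller's arguments under `-Wformat`. The declaration is outside this hunk, so the attribute may already be present.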