Codacy/Flawfinder: Document a false positive finding #1084
In comments like this, it's a good idea to say which warning it's safe to ignore, just in case the tools detect a different problem here in the future.
91027fc to 3f5b198
I thought my comment was already rather elaborate and
3f5b198 to f429148
The read() from the signal handler socket triggers a Codacy/flawfinder finding: "Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20)"

Investigation has shown that this is a false positive as the proper buffer size is enforced and because the input is within the same security boundary.

This adds an explaining comment and a special hint at Codacy/Flawfinder to ignore the (non-)problematic line.

Related: jamulussoftware#1081

Signed-off-by: Christian Hoffmann <mail@hoffmann-christian.info>
f429148 to e0e6401
I don't like linters/analysers that don't let you mark clearly to the linter that you've accepted the warning and don't want to hear about it again (in addition to human-readable comments). (They should be explicit markers, as close to the code as possible:
I fully agree. I don't think it's possible with Flawfinder though. I even checked its code.
Add an explaining comment and a special hint at Codacy/Flawfinder to ignore the (non-)problematic line.
Special comment effectiveness has been validated here: hoffie#3
Related: #1081
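As an added illustration (this is not code from the Jamulus project or from this PR), the pattern the commit message describes: a signal handler writes one byte per signal into a socketpair, the main loop reads the other end into a fixed-size buffer with `read()` bounded by `sizeof(buf)`, and that line carries Flawfinder's documented inline marker `Flawfinder: ignore`, together with a human-readable reason as the reviewer asked for. The page does not quote the marker's text; it comes from Flawfinder's own documentation. All function names below are hypothetical.

```c
// Added example, not Jamulus code: bounded read() from a signal-handler
// socketpair, with the Flawfinder inline suppression marker on that line.
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

// One socketpair: the handler writes to sig_fds[1], the loop reads sig_fds[0].
static int sig_fds[2] = { -1, -1 };

// Async-signal-safe handler: only write() is called, errno is preserved.
static void signal_handler(int signum)
{
    unsigned char byte = (unsigned char) signum;
    int saved_errno = errno;
    (void) write(sig_fds[1], &byte, sizeof(byte)); // short write is acceptable here
    errno = saved_errno;
}

// Creates the socketpair; returns 0 on success, -1 on failure.
int setup_signal_socket(void)
{
    return socketpair(AF_UNIX, SOCK_STREAM, 0, sig_fds) == 0 ? 0 : -1;
}

// Installs signal_handler for signum via sigaction(); returns sigaction()'s result.
int install_signal_handler(int signum)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = signal_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(signum, &sa, NULL);
}

// Drains pending signal bytes from fd into signals[]; returns the number of
// signals copied, or -1 if read() failed.
int drain_signal_socket(int fd, int *signals, int max_signals)
{
    unsigned char buf[64];
    // The read is bounded by sizeof(buf) and the writer is our own signal
    // handler (same trust domain), so the CWE-120 "buffer boundaries in a
    // loop" finding does not apply to this line.
    ssize_t n = read(fd, buf, sizeof(buf)); // Flawfinder: ignore (bounded by sizeof(buf))
    if (n < 0)
        return -1;
    int count = 0;
    for (ssize_t i = 0; i < n && count < max_signals; i++)
        signals[count++] = buf[i];
    return count;
}

int main(void)
{
    if (setup_signal_socket() != 0 || install_signal_handler(SIGUSR1) != 0)
        return 1;
    raise(SIGUSR1); // synchronously invokes signal_handler
    int sigs[8];
    int n = drain_signal_socket(sig_fds[0], sigs, 8);
    printf("drained %d signal(s), first = %d\n", n, n > 0 ? sigs[0] : -1);
    return n == 1 ? 0 : 1;
}
```

The marker has to sit on the same source line as the flagged call, which is why the reason is kept short there and the fuller explanation lives in the comment block above it, so a reader can tell exactly which warning was accepted and why.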