<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/64027">64027</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
clang-tidy needs more granularity on "security.insecureAPI.DeprecatedOrUnsafeBufferHandling"
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
jhi
</td>
</tr>
</table>
<pre>
Hi,
clang-tidy warns about buffer (string) functions that are known insecure, like strncpy() or sprintf().
> warning: Call to function 'snprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'snprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling]
That is good. What is less good is that it bundles together all the functions that have the C11 "secure" variants, the C11 Annex K ones (sprintf, vsprintf, scanf, wscanf, fscanf, fwscanf, vscanf, vwscanf, vfscanf, vfwscanf, sscanf, swscanf, vsscanf, vswscanf, swprintf, snprintf, vswprintf, vsnprintf, memcpy, memmove, strncpy, strncat, memset).
This is problematic, for various reasons:
1. the whole Annex K was not well received and has multiple issues, see e.g. https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1967.htm
2. the new interfaces are complex to use, making them in some ways more dangerous than what they claim to address
3. because of the above, the interfaces are not widely implemented, or just partially implemented. It's hard to make clang-tidy happy when one doesn't have snprintf_s.
https://clang.llvm.org/docs/analyzer/checkers.html#security-insecureapi-deprecatedorunsafebufferhandling
But in particular I am aggravated by the inclusion of snprintf (and vsnprintf) in the list. These can be made secure without snprintf_s.
Sometimes one may use the //NOLINT but that is a big hammer, turning all the linting off for that line, and in my particular case a bit cumbersome since I have test code which uses a lot of macros (yes, I am still using C), and one of the macros uses snprintf, very knowingly, and carefully checking the bounds.
My suggestion: in clang-tidy, make it configurable which buffer functions are NOT complained about.
</pre>
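<p>The bounds-checked snprintf() pattern the report refers to, as an added example that is not part of the issue text. It checks the return value for encoding errors and truncation (snprintf() always NUL-terminates when the capacity is non-zero, so truncation is detectable and harmless) and shows the check-scoped form of the suppression comment, <code>// NOLINT(check-name)</code>, which clang-tidy supports and which silences only the named check on that line rather than all linting. The function name and the sample inputs are constructed for this example.</p>

```c
/* Added example (not from the issue): bounded formatting with snprintf(),
 * verified through its return value instead of relying on snprintf_s().
 * The check-scoped NOLINT comment silences only the named analyzer check
 * on that line; every other clang-tidy check still applies. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Format "name=value" into buf[cap].
 * Returns 0 on success, 1 if the output was truncated (buf still holds a
 * NUL-terminated prefix), and -1 on an encoding error or bad arguments. */
int format_bounded(char *buf, size_t cap, const char *name, unsigned value)
{
    if (buf == NULL || cap == 0 || name == NULL) {
        return -1;
    }
    int n = snprintf(buf, cap, "%s=%u", name, value); /* NOLINT(clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling) */
    if (n < 0) {
        /* Encoding error: leave the buffer in a defined, empty state. */
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)n >= cap) {
        /* n is the length the full output would have had; it did not fit.
         * snprintf() wrote cap-1 characters plus the terminating NUL. */
        return 1;
    }
    return 0;
}

/* Exercises both outcomes with constructed inputs; returns 1 if the
 * behaviour matches the documentation above, 0 otherwise. */
int format_bounded_selfcheck(void)
{
    char small[8];  /* too small for "counter=123456" (14 chars) */
    char big[64];
    int rc_small = format_bounded(small, sizeof small, "counter", 123456u);
    int rc_big = format_bounded(big, sizeof big, "counter", 123456u);
    return rc_small == 1 && strcmp(small, "counter") == 0
        && rc_big == 0 && strcmp(big, "counter=123456") == 0
        && format_bounded(NULL, 0, "x", 1u) == -1;
}

int main(void)
{
    char small[8];
    char big[64];
    int rc_small = format_bounded(small, sizeof small, "counter", 123456u);
    int rc_big = format_bounded(big, sizeof big, "counter", 123456u);
    printf("small: rc=%d \"%s\"\n", rc_small, small); /* rc=1 "counter" */
    printf("big:   rc=%d \"%s\"\n", rc_big, big);     /* rc=0 "counter=123456" */
    return format_bounded_selfcheck() ? 0 : 1;
}
```

<p>For a whole translation unit rather than a single line, the same check can be disabled on the command line with <code>-checks=-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling</code>; at the time of the report there is no finer knob that keeps the check on for sprintf() while exempting snprintf().</p>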