[clang] [clang][analyzer] Add AllowWithoutC11 option to DeprecatedOrUnsafeBuf… (PR #168704)

Endre Fülöp via cfe-commits cfe-commits at lists.llvm.org
Tue Nov 25 08:48:31 PST 2025


================
@@ -1785,6 +1768,13 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C)
    strncpy(buf, "a", 1); // warn
  }
 
+The ``AllowWithoutC11`` option allows reporting warnings for these functions even when not compiling with C11 standard. These functions are deprecated in C11, but may still be problematic in earlier C standards.
+
+To enable this option, use:
+``-analyzer-config security.insecureAPI.DeprecatedOrUnsafeBufferHandling:AllowWithoutC11=true``.
+
+By default, this option is set to *false*.
+
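Review bot: The first added sentence never states the baseline the option changes. Say explicitly that without ``AllowWithoutC11`` the checker reports these functions only when compiling with the C11 standard, then describe what setting it to true adds. "with C11 standard" also needs an article ("with the C11 standard"). "may still be problematic in earlier C standards" gives a pre-C11 user nothing to act on; state what replacement the warning points to, or that none may be available. If the flag is renamed as discussed in this thread, the option name in the prose and in the ``-analyzer-config`` line must change together.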
----------------
gamesh411 wrote:

I agree that the naming is probably better if we use the "reporting when" pattern for the flag name. I'll go with your suggestion.
I have 2 minor concerns with making this on by default. One is the potential new finding that the users will find surprising. This is a lesser issue when compared to the next. Looking at the public opinion shows that Annex K and these _s suffix variants are under scrutiny and not widely implemented.
So if we want to move in this direction, I have a suggestion of making this checker enabled not based on the detection of the C11 standard, but rather the availability of the macro symbol `__STDC_LIB_EXT1__`, as these warnings are only actionable when this is the case.
@steakhal What is your opinion?

https://github.com/llvm/llvm-project/pull/168704
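
The availability condition raised in the comment above, seen from the side of code that receives the warning, as an added example that is not part of the original message or of the LLVM sources. `annex_k_available` and `bounded_copy` are hypothetical names; the Annex K calls are compiled only when the C library defines `__STDC_LIB_EXT1__`.

```c
#define __STDC_WANT_LIB_EXT1__ 1 /* request Annex K; must precede the includes */
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: 1 when the C library advertises the Annex K
 * bounds-checked interfaces, 0 otherwise. */
int annex_k_available(void) {
#ifdef __STDC_LIB_EXT1__
    return 1;
#else
    return 0;
#endif
}

/* Hypothetical helper: copy src into dst (capacity dstsz bytes), always
 * NUL-terminating. Returns 0 on a full copy, 1 if src was truncated,
 * -1 on invalid arguments or a runtime-constraint violation. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
#ifdef __STDC_LIB_EXT1__
    /* Annex K path: a count of dstsz - 1 makes strncpy_s truncate and
     * terminate instead of treating an over-long src as a violation. */
    size_t len = strnlen_s(src, dstsz);
    if (strncpy_s(dst, dstsz, src, dstsz - 1) != 0)
        return -1;
    return len >= dstsz ? 1 : 0;
#else
    /* No Annex K in this library: the _s replacement does not exist here,
     * so the bounded copy has to be written out by hand. */
    size_t n = 0;
    while (n < dstsz - 1 && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return src[n] != '\0' ? 1 : 0;
#endif
}
```
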

