ci: Replace codeql PotentiallyDangerousFunction query with clang-tidy

The strerror() calls in test-errno-util.c are intentional so silence
clang-tidy there.

diff --git a/.clang-tidy b/.clang-tidy
index 56b7e40a289161895612c22565fa6ff3764e3704..82681fda39923a81e036309518018e10f323f613 100644 (file)
--- a/.clang-tidy
+++ b/.clang-tidy
@@ -15,6 +15,7 @@ Checks: '
     bugprone-suspicious-string-compare,
     bugprone-swapped-arguments,
     bugprone-tautological-type-limits,
+    bugprone-unsafe-functions,
     bugprone-unused-return-value,
     misc-header-include-cycle,
     misc-include-cleaner,
@@ -50,6 +51,23 @@ CheckOptions:
     varlink-io\.systemd\..*;
     varlink-idl-common\.h;
     unistd\.h
+'
+  bugprone-unsafe-functions.ReportDefaultFunctions: false
+  bugprone-unsafe-functions.CustomFunctions: '
+    ^fgets$,read_line(),is potentially dangerous;
+    ^strtok$,extract_first_word(),is potentially dangerous;
+    ^strsep$,extract_first_word(),is potentially dangerous;
+    ^dup$,fcntl() with F_DUPFD_CLOEXEC,is potentially dangerous;
+    ^htonl$,htobe32(),is confusing;
+    ^htons$,htobe16(),is confusing;
+    ^ntohl$,be32toh(),is confusing;
+    ^ntohs$,be16toh(),is confusing;
+    ^strerror$,STRERROR() or printf %m,is not thread-safe;
+    ^accept$,accept4(),is not O_CLOEXEC-safe;
+    ^dirname$,path_extract_directory(),is icky;
+    ^basename$,path_extract_filename(),is icky;
+    ^setmntent$,libmount_parse_fstab(),libmount parser should be used instead;
+    ^getmntent$,mnt_table_next_fs(),libmount parser should be used instead
 '
   misc-header-include-cycle.IgnoredFilesList: 'glib-2.0'
 WarningsAsErrors: '*'

diff --git a/.github/codeql-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql
deleted file mode 100644 (file)
index abd3f87..0000000
--- a/.github/codeql-queries/PotentiallyDangerousFunction.ql
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * vi: sw=2 ts=2 et syntax=ql:
- *
- * Borrowed from
- * https://github.com/Semmle/ql/blob/master/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
- *
- * @name Use of potentially dangerous function
- * @description Certain standard library functions are dangerous to call.
- * @id cpp/potentially-dangerous-function
- * @kind problem
- * @problem.severity error
- * @precision high
- * @tags reliability
- *       security
- */
-import cpp
-
-predicate potentiallyDangerousFunction(Function f, string message) {
-  (
-    f.getQualifiedName() = "fgets" and
-    message = "Call to fgets() is potentially dangerous. Use read_line() instead."
-  ) or (
-    f.getQualifiedName() = "strtok" and
-    message = "Call to strtok() is potentially dangerous. Use extract_first_word() instead."
-  ) or (
-    f.getQualifiedName() = "strsep" and
-    message = "Call to strsep() is potentially dangerous. Use extract_first_word() instead."
-  ) or (
-    f.getQualifiedName() = "dup" and
-    message = "Call to dup() is potentially dangerous. Use fcntl(fd, FD_DUPFD_CLOEXEC, 3) instead."
-  ) or (
-    f.getQualifiedName() = "htonl" and
-    message = "Call to htonl() is confusing. Use htobe32() instead."
-  ) or (
-    f.getQualifiedName() = "htons" and
-    message = "Call to htons() is confusing. Use htobe16() instead."
-  ) or (
-    f.getQualifiedName() = "ntohl" and
-    message = "Call to ntohl() is confusing. Use be32toh() instead."
-  ) or (
-    f.getQualifiedName() = "ntohs" and
-    message = "Call to ntohs() is confusing. Use be16toh() instead."
-  ) or (
-    f.getQualifiedName() = "strerror" and
-    message = "Call to strerror() is not thread-safe. Use printf()'s %m format string or STRERROR() instead."
-  ) or (
-    f.getQualifiedName() = "accept" and
-    message = "Call to accept() is not O_CLOEXEC-safe. Use accept4() instead."
-  ) or (
-    f.getQualifiedName() = "dirname" and
-    message = "Call dirname() is icky. Use path_extract_directory() instead."
-  ) or (
-    f.getQualifiedName() = "basename" and
-    message = "Call basename() is icky. Use path_extract_filename() instead."
-  ) or (
-    f.getQualifiedName() = "setmntent" and
-    message = "Libmount parser is used instead, specifically libmount_parse_fstab()."
-  ) or (
-    f.getQualifiedName() = "getmntent" and
-    message = "Libmount parser is used instead, specifically mnt_table_next_fs()."
-  )
-}
-
-from FunctionCall call, Function target, string message
-where
-  call.getTarget() = target and
-  potentiallyDangerousFunction(target, message)
-select call, message

diff --git a/src/test/test-errno-util.c b/src/test/test-errno-util.c
index 9eb729c2e4ba3868041f5c156fba00fa2ccb7679..30a47cbcdeef49679189a7215fe289f47c5514e3 100644 (file)
--- a/src/test/test-errno-util.c
+++ b/src/test/test-errno-util.c
@@ -6,10 +6,11 @@
 
 TEST(strerror_not_threadsafe) {
         /* Just check that strerror really is not thread-safe. */
-        log_info("strerror(%d) → %s", 200, strerror(200));
-        log_info("strerror(%d) → %s", 201, strerror(201));
-        log_info("strerror(%d) → %s", INT_MAX, strerror(INT_MAX));
+        log_info("strerror(%d) → %s", 200, strerror(200));              /* NOLINT(bugprone-unsafe-functions) */
+        log_info("strerror(%d) → %s", 201, strerror(201));              /* NOLINT(bugprone-unsafe-functions) */
+        log_info("strerror(%d) → %s", INT_MAX, strerror(INT_MAX));      /* NOLINT(bugprone-unsafe-functions) */
 
+        /* NOLINTNEXTLINE(bugprone-unsafe-functions) */
         log_info("strerror(%d), strerror(%d) → %p, %p", 200, 201, strerror(200), strerror(201));
 
         /* This call is not allowed, because the first returned string becomes invalid when