lint:c
Passed. Started by @mhanak (Miroslav Hanak)
Running with gitlab-runner 15.4.0 (43b2dc3d)
  on ci-01.labs.nic.cz vsgruxRs

Using Docker executor with image registry.nic.cz/turris/sentinel/minipot:debian ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.nic.cz/turris/sentinel/minipot:debian ...
Using docker image sha256:5b23ba0ef68016d9787bacc600792a58cfa3e76700b1e69fb9d3fb8d96f17e06 for registry.nic.cz/turris/sentinel/minipot:debian with digest registry.nic.cz/turris/sentinel/minipot@sha256:ba03174212232fd8d805a25eb2dba23e23b2e3b6d84a373456c5d7ea691d9e3f ...

Running on runner-vsgruxrs-project-595-concurrent-4 via ci-01...

Fetching changes...
Reinitialized existing Git repository in /builds/turris/sentinel/minipot/.git/
Checking out 15e08bf7 as dev...
Removing gl-sast-report.json
Skipping Git submodules setup

Using docker image sha256:5b23ba0ef68016d9787bacc600792a58cfa3e76700b1e69fb9d3fb8d96f17e06 for registry.nic.cz/turris/sentinel/minipot:debian with digest registry.nic.cz/turris/sentinel/minipot@sha256:ba03174212232fd8d805a25eb2dba23e23b2e3b6d84a373456c5d7ea691d9e3f ...
$ ./bootstrap
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, '.aux'.
libtoolize: linking file '.aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, '.m4'.
libtoolize: linking file '.m4/libtool.m4'
libtoolize: linking file '.m4/ltoptions.m4'
libtoolize: linking file '.m4/ltsugar.m4'
libtoolize: linking file '.m4/ltversion.m4'
libtoolize: linking file '.m4/lt~obsolete.m4'
configure.ac:14: installing '.aux/ar-lib'
configure.ac:12: installing '.aux/compile'
configure.ac:15: installing '.aux/config.guess'
configure.ac:15: installing '.aux/config.sub'
configure.ac:5: installing '.aux/install-sh'
configure.ac:5: installing '.aux/missing'
configure.ac:49: installing '.aux/tap-driver.sh'
Makefile.am: installing '.aux/depcomp'
parallel-tests: installing '.aux/test-driver'
$ ./configure --enable-linters $CONFIGURE_LINT
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for wchar.h... yes
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking whether _XOPEN_SOURCE should be defined... no
checking for ar... ar
checking the archiver (ar) interface... ar
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for file... file
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking whether C compiler accepts -std=c11... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libczmq... yes
checking for msgpack... yes
checking for libevent... yes
checking for libconfig... yes
checking for base64c... yes
checking for logc >= 0.4.0 logc_argp logc_config... yes
checking for libczmq_logc... yes
checking for libevent_logc... yes
checking for gperf... /usr/bin/gperf
checking for valgrind... valgrind
checking for Valgrind tool memcheck... yes
checking for Valgrind tool helgrind... yes
checking for Valgrind tool drd... yes
checking for Valgrind tool sgcheck... no
checking for cppcheck... /usr/bin/cppcheck
checking for flawfinder... /usr/bin/flawfinder
checking whether to build with code coverage support... no
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating libsentinel_minipot/sentinel_minipot.pc
config.status: executing depfiles commands
config.status: executing libtool commands
$ make lint
  CPPCHECK lint-cppcheck
Checking http/http_minipot.c ...
1/39 files checked 2% done
Checking http/http_minipot.h ...
2/39 files checked 3% done
Checking http/http_minipot_config.c ...
3/39 files checked 6% done
Checking http/http_minipot_config.h ...
4/39 files checked 7% done
Checking http/http_minipot_session.c ...
5/39 files checked 11% done
Checking http/http_minipot_session.h ...
6/39 files checked 13% done
Checking http/http_minipot_session_process.c ...
7/39 files checked 30% done
Checking http/http_minipot_session_process.h ...
8/39 files checked 30% done
Checking http/http_minipot_session_report.c ...
9/39 files checked 34% done
Checking http/http_minipot_session_report.h ...
10/39 files checked 35% done
Checking http/http_minipot_session_respond.c ...
11/39 files checked 39% done
Checking http/http_minipot_session_respond.h ...
12/39 files checked 40% done
Checking http/http_minipot_session_utils.c ...
13/39 files checked 43% done
Checking http/http_minipot_session_utils.h ...
14/39 files checked 45% done
Checking http/log.c ...
15/39 files checked 45% done
Checking http/log.h ...
16/39 files checked 46% done
Checking include/minipot.h ...
17/39 files checked 48% done
Checking include/minipot_argp.h ...
18/39 files checked 48% done
Checking include/minipot_config.h ...
19/39 files checked 49% done
Checking include/minipot_config_load.h ...
20/39 files checked 50% done
Checking include/minipot_fork.h ...
21/39 files checked 51% done
Checking include/minipot_log.h ...
22/39 files checked 51% done
Checking include/minipot_pipe_handler.h ...
23/39 files checked 52% done
Checking include/minipot_sentinel_msg_packer.h ...
24/39 files checked 55% done
Checking include/minipot_session.h ...
25/39 files checked 57% done
Checking include/minipot_utils.h ...
26/39 files checked 60% done
Checking include/minipot_zmq_sender.h ...
27/39 files checked 61% done
Checking libsentinel_minipot/log.c ...
28/39 files checked 62% done
Checking libsentinel_minipot/log.h ...
29/39 files checked 62% done
Checking libsentinel_minipot/minipot.c ...
30/39 files checked 67% done
Checking libsentinel_minipot/minipot_argp.c ...
31/39 files checked 69% done
Checking libsentinel_minipot/minipot_config.c ...
32/39 files checked 71% done
Checking libsentinel_minipot/minipot_config_load.c ...
33/39 files checked 76% done
Checking libsentinel_minipot/minipot_fork.c ...
34/39 files checked 78% done
Checking libsentinel_minipot/minipot_pipe_handler.c ...
35/39 files checked 84% done
Checking libsentinel_minipot/minipot_sentinel_msg_packer.c ...
36/39 files checked 88% done
Checking libsentinel_minipot/minipot_session.c ...
37/39 files checked 91% done
Checking libsentinel_minipot/minipot_utils.c ...
38/39 files checked 97% done
Checking libsentinel_minipot/minipot_zmq_sender.c ...
39/39 files checked 100% done
  FLAWFIND lint-flawfinder
Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
Examining libsentinel_minipot/log.h
Examining libsentinel_minipot/log.c
Examining libsentinel_minipot/minipot_argp.c
Examining libsentinel_minipot/minipot_config_load.c
Examining libsentinel_minipot/minipot_config.c
Examining libsentinel_minipot/minipot_fork.c
Examining libsentinel_minipot/minipot_pipe_handler.c
Examining libsentinel_minipot/minipot_sentinel_msg_packer.c
Examining libsentinel_minipot/minipot_session.c
Examining libsentinel_minipot/minipot_utils.c
Examining libsentinel_minipot/minipot_zmq_sender.c
Examining libsentinel_minipot/minipot.c
Examining include/minipot_argp.h
Examining include/minipot_config_load.h
Examining include/minipot_config.h
Examining include/minipot_fork.h
Examining include/minipot_log.h
Examining include/minipot_pipe_handler.h
Examining include/minipot_sentinel_msg_packer.h
Examining include/minipot_session.h
Examining include/minipot_utils.h
Examining include/minipot_zmq_sender.h
Examining include/minipot.h
Examining http/http_minipot_config.c
Examining http/http_minipot_config.h
Examining http/http_minipot.c
Examining http/http_minipot.h
Examining http/http_minipot_session.c
Examining http/http_minipot_session.h
Examining http/http_minipot_session_process.c
Examining http/http_minipot_session_process.h
Examining http/http_minipot_session_respond.c
Examining http/http_minipot_session_respond.h
Examining http/http_minipot_session_report.c
Examining http/http_minipot_session_report.h
Examining http/http_minipot_session_utils.c
Examining http/http_minipot_session_utils.h
Examining http/log.h
Examining http/log.c

FINAL RESULTS:

libsentinel_minipot/minipot.c:52:  [3] (misc) chroot:
  chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22).
  Make sure the program immediately chdir("/"), closes file descriptors, and
  drops root privileges, and that all necessary files (and no more!) are in
  the new root.
http/http_minipot_session_process.c:206:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
http/http_minipot_session_process.c:220:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
http/http_minipot_session_process.c:319:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
http/http_minipot_session_process.c:321:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
http/http_minipot_session_process.c:336:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
include/minipot_session.h:11:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
libsentinel_minipot/minipot_pipe_handler.c:55:  [2] (buffer) memcpy:
  Does not check for buffer overflows when copying to destination (CWE-120).
  Make sure destination can always hold the source data.
http/http_minipot_session_process.c:19:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_report.c:56:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_report.c:57:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_report.c:58:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_report.c:59:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_report.c:61:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_report.c:82:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_report.c:83:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_report.c:85:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_respond.c:34:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_respond.c:45:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_respond.c:56:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
http/http_minipot_session_utils.c:26:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
libsentinel_minipot/minipot_pipe_handler.c:106:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
libsentinel_minipot/minipot_sentinel_msg_packer.c:36:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
libsentinel_minipot/minipot_sentinel_msg_packer.c:40:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
libsentinel_minipot/minipot_sentinel_msg_packer.c:44:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
libsentinel_minipot/minipot_sentinel_msg_packer.c:70:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
libsentinel_minipot/minipot_sentinel_msg_packer.c:71:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).

ANALYSIS SUMMARY:

Hits = 27
Lines analyzed = 2653 in approximately 0.04 seconds (68296 lines/second)
Physical Source Lines of Code (SLOC) = 2092
Hits@level = [0]   8 [1]  19 [2]   7 [3]   1 [4]   0 [5]   0
Hits@level+ = [0+]  35 [1+]  27 [2+]   8 [3+]   1 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 16.7304 [1+] 12.9063 [2+] 3.82409 [3+] 0.478011 [4+]   0 [5+]   0
Minimum risk level = 1

Not every hit is necessarily a security vulnerability.
You can inhibit a report by adding a comment in this form:
    // flawfinder: ignore
Make *sure* it's a false positive!
You can use the option --neverignore to show these.

There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.

Job succeeded