For the usbutils project, developers have helpfully set up a bunch of GitHub Actions to help with build tests and the like, and it also includes GitHub's "security scanning" toolsets. Unfortunately the output of such tools is pretty useless and unhelpful to a fault.
Because of stuff like this, the tools "claim" there are 63 "security" issues in the usbutils project. Since when did using single character names become a security issue, even if we were doing that, but ok...
So, how to turn this off, or better yet, fix the test to not report issues that are actually in the tests themselves?
As it turns out that “code scanning” isn’t public, here’s the error message that GitHub is putting up saying that meson temp build files are security problems:

> build/meson-private/tmpzhj7u8eq/testfile.c:2 Test
>
> Poor global variable name 'i'. Prefer longer, descriptive names for globals (eg. kMyGlobalConstant, not foo).
>
> Rule ID cpp/short-global-name
>
> Description
>
> This rule finds global variables which have a name of length three characters or less. It is particularly important to use descriptive names for global variables. Use of a clear naming convention for global variables helps document their use, avoids pollution of the namespace and reduces the risk of shadowing with local variables.
Many thanks for this, now to whittle down the other pointless `switch case is too big` and `FIXME is left in a comment` warnings that are left so that if anything "real" ever shows up, it will actually be noticed...
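
One way to triage this kind of noise offline, as an added example that is not part of the original posts or the usbutils project: a filter over a SARIF results document that drops findings located only in meson's generated `build/meson-private/` files. The function names are assumptions, and the sample document is constructed (only its first result mirrors the finding quoted above).

```python
import copy
from pathlib import PurePosixPath

# Prefix taken from the finding quoted above: meson writes throwaway
# compiler-probe sources under this directory while configuring a build.
GENERATED_PREFIXES = ("build/meson-private/",)

def is_generated(uri, prefixes=GENERATED_PREFIXES):
    """True if a SARIF artifact URI points into a generated directory."""
    norm = str(PurePosixPath(uri))  # collapses "./" and "//"
    return norm.startswith(prefixes)

def result_uris(result):
    """Collect every artifact URI a SARIF result refers to."""
    uris = []
    for loc in result.get("locations", []):
        art = loc.get("physicalLocation", {}).get("artifactLocation", {})
        if art.get("uri"):
            uris.append(art["uri"])
    return uris

def filter_sarif(doc, prefixes=GENERATED_PREFIXES):
    """Return (filtered copy, dropped results). A result is dropped only when
    it has locations and all of them are generated files, so findings without
    a location, or touching real sources, are never hidden."""
    out, dropped = copy.deepcopy(doc), []
    for run in out.get("runs", []):
        kept = []
        for res in run.get("results", []):
            uris = result_uris(res)
            if uris and all(is_generated(u, prefixes) for u in uris):
                dropped.append(res)
            else:
                kept.append(res)
        run["results"] = kept
    return out, dropped

def _result(rule_id, uri, line):
    return {"ruleId": rule_id, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

# Constructed sample: the first result mirrors the finding quoted above,
# the other two (rule id, paths, lines) are made up for illustration.
SAMPLE = {"version": "2.1.0", "runs": [{"results": [
    _result("cpp/short-global-name",
            "build/meson-private/tmpzhj7u8eq/testfile.c", 2),
    _result("example/constructed-rule", "src/example.c", 10),
    _result("cpp/short-global-name",
            "./build/meson-private/tmpexample/testfile.c", 2),
]}]}

if __name__ == "__main__":
    filtered, dropped = filter_sarif(SAMPLE)
    print(len(dropped), "dropped;", len(filtered["runs"][0]["results"]), "kept")
```

Returning the dropped results alongside the filtered copy keeps the suppression auditable, so a real finding cannot disappear silently because of an overly broad prefix.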