audit: add new homebrew/core audits #6916

Merged
jonchang merged 3 commits into Homebrew:master from jonchang:new-audits
Jan 11, 2020

Contributor

@jonchang jonchang commented Jan 9, 2020

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew tests with your changes locally?

These homebrew/core audits check for:

  • make check
  • # tag "xxx" comments from external taps
  • build.with? implying the presence of options

Member

@MikeMcQuaid MikeMcQuaid left a comment

Fantastic work here 👏. A few suggested changes but up to you.

Comment thread Library/Homebrew/rubocops/lines.rb Outdated
jonchang and others added 3 commits January 11, 2020 09:37
Co-Authored-By: Mike McQuaid <mike@mikemcquaid.com>
Co-Authored-By: Mike McQuaid <mike@mikemcquaid.com>
Co-Authored-By: Mike McQuaid <mike@mikemcquaid.com>
@jonchang
Contributor Author

Merging since tests are 🍏. Thanks for the review @MikeMcQuaid!

@jonchang jonchang merged commit 798e0a6 into Homebrew:master Jan 11, 2020
@jonchang jonchang deleted the new-audits branch January 11, 2020 18:18
@fxcoudert
Member

We're seeing this in Homebrew/homebrew-core#48770:

 ==> brew audit p11-kit --online
 ==> FAILED
 Error: 1 problem in 1 formula detected
 p11-kit:
   * C: 43: col 5: Formulae in homebrew/core should not run build-time checks

But build-time checks are allowed in security software (unless we have changed our position on that). Should that audit be only for new formulas?

@jonchang
Contributor Author

I didn’t know we had that policy. Two options that I can think of:

  • new formulae only
  • add a list to exclude formulae from this check

I slightly prefer the latter. Thoughts?

@fxcoudert
Member

I'm generally against broad strokes of audit for things that we can have good reasons to ignore. And white lists need to be maintained, and new formulas added, etc. I like the "new formula" because once a maintainer decides that it's a valid use, then it's done. Simple.

If you go with a whitelist, I'd say exclude:

  • Some bignum libraries (gmp mpfr), which are used in several places, regularly trigger miscompilations that we're happy to see before they hit us in unexpected places.
  • Security / crypto software

@MikeMcQuaid MikeMcQuaid mentioned this pull request Jan 27, 2020
@lock lock bot added the outdated PR was locked due to age label Feb 12, 2020
@lock lock bot locked as resolved and limited conversation to collaborators Feb 12, 2020