Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build: enable missing OpenSSF-recommended warnings, with fixes #12489

Closed
wants to merge 34 commits into from
Closed

build: enable missing OpenSSF-recommended warnings, with fixes #12489

wants to merge 34 commits into from

Conversation

vszakats
Copy link
Member

@vszakats vszakats commented Dec 8, 2023
edited

https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
[as of 2023-11-29]

Enable new recommended warnings (except -Wsign-conversion):

  • enable -Wformat=2 for clang (in both cmake and autotools).
  • add CURL_PRINTF() internal attribute and mark functions accepting
    printf arguments with it. This is a copy of existing
    CURL_TEMP_PRINTF() but using __printf__ to make it compatible
    with redefinting the printf symbol:
    https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94
  • fix CURL_PRINTF() and existing CURL_TEMP_PRINTF() for
    mingw-w64 and enable it on this platform.
  • enable -Wimplicit-fallthrough.
  • enable -Wtrampolines.
  • add -Wsign-conversion commented with a FIXME.
  • cmake: enable -pedantic-errors the way we do it with autotools.
    Follow-up to d5c0351 Enable and fix more GCC warnings #2747
  • lib/curl_trc.h: use CURL_FORMAT(), this also fixes it to enable format
    checks. Previously it was always disabled due to the internal printf
    macro.

Fix them:

  • fix bug where an set_ipv6_v6only() call was missed in builds with
    --disable-verbose / CURL_DISABLE_VERBOSE_STRINGS=ON.
  • add internal FALLTHROUGH() macro.
  • replace obsolete fall-through comments with FALLTHROUGH().
  • fix fallthrough markups: Delete redundant ones (showing up as
    warnings in most cases). Add missing ones. Fix indentation.
  • silence -Wformat-nonliteral warnings with llvm/clang.
  • fix one -Wformat-nonliteral warning.
  • fix new -Wformat and -Wformat-security warnings.
  • fix CURL_FORMAT_SOCKET_T value for mingw-w64. Also move its
    definition to lib/curl_setup.h allowing use in tests/server.
  • lib: fix two wrongly passed string arguments in log outputs.
    Co-authored-by: Jay Satiro
  • fix new -Wformat warnings on mingw-w64.

Closes #12489

TODO:

  • fix to enable format checks for mingw.
  • fix -Warith-conversion warnings. [other PR]
  • fix -Wsign-conversion warnings. [other PR]

@vszakats vszakats added the build label Dec 8, 2023
@vszakats vszakats changed the title enable recommended OpenSSF warnings build: enable recommended OpenSSF warnings Dec 8, 2023
bagder
bagder reviewed Dec 8, 2023
View reviewed changes
include/curl/curl.h Outdated Show resolved Hide resolved
@vszakats vszakats changed the title build: enable recommended OpenSSF warnings build: enable missing OpenSSF-recommended warnings, with fixes Dec 8, 2023
@vszakats vszakats force-pushed the openssf branch 6 times, most recently from 8467031 to 722d4c8 Compare December 9, 2023 00:16
@github-actions github-actions bot added the CI Continuous Integration label Dec 9, 2023
@vszakats
Copy link
Member Author

vszakats commented Dec 9, 2023

This is ready now.

bagder
bagder reviewed Dec 11, 2023
View reviewed changes
lib/cf-h1-proxy.c Outdated Show resolved Hide resolved
vszakats added a commit to vszakats/curl that referenced this pull request Dec 11, 2023
@vszakats
rename CURL_FALLTHROUGH -> FALLTHROUGH
ce88ada 
Ref: curl#12489 (comment)
vszakats
vszakats commented Dec 11, 2023
View reviewed changes
lib/curl_setup.h Outdated Show resolved Hide resolved
@vszakats
Copy link
Member Author

Renamed to use FALLTHROUGH();.

Is there something else to address?

vszakats added a commit to vszakats/curl that referenced this pull request Dec 14, 2023
@vszakats
rename CURL_FALLTHROUGH -> FALLTHROUGH
48ea49a 
Ref: curl#12489 (comment)
vszakats added a commit to vszakats/curl that referenced this pull request Apr 29, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
ab55a45 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request Apr 29, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
b17e743 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request Apr 29, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
c7a71ad 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
@vszakats vszakats mentioned this pull request Apr 29, 2024
Closed
vszakats added a commit to vszakats/curl that referenced this pull request Apr 29, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
cff3a87 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request Apr 29, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
f293244 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
This was referenced Apr 29, 2024
Closed
Closed
Closed
Closed
Closed
vszakats added a commit to vszakats/curl that referenced this pull request Apr 30, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
e7dec22 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request Apr 30, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
fd44565 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 5, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
8d0969c 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 5, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
a13bdc9 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 7, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
7e3cc04 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 7, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
d4c8da2 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit that referenced this pull request May 11, 2024
@vszakats
examples: fix/silence -Wsign-conversion
5b9955e 
- extend `FD_SET()` hack to all platforms (was only Cygwin).
  Warnings may also happen in other envs, e.g. OmniOS.
  Ref: https://github.com/libssh2/libssh2/actions/runs/8854199687/job/24316762831#step:3:2021

- tidy-up `CURLcode` vs `int` use.

- cast an unsigned to `long` before passing to `curl_easy_setopt()`.

Cherry-picked from #13489
Follow-up to 3829759 #12489
Closes #13501
vszakats added a commit to vszakats/curl that referenced this pull request May 11, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
fcd374c 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 11, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
7d96f74 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 12, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
c86b0a2 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 12, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
dc7d1e8 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 13, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
12933b2 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 13, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
4add1d3 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 14, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
6aca550 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request May 14, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
7e04fbc 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request Jun 2, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
78379a7 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request Jun 2, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
875eb92 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request Jun 5, 2024
@vszakats
build: enable (non-fatal) -Wsign-conversion warnings (OpenSSF)
2b9977a 
Warn by default in all builds, but without triggering error.

Once all new warnings revealed by CI are cleared, we can drop the
`-Wno-error=sign-conversion` options in cmake/autotools.

Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
vszakats added a commit to vszakats/curl that referenced this pull request Jun 5, 2024
@vszakats
build: make -Wsign-conversion an error (OpenSSF)
788ea94 
Before this patch, cmake/autotools builds made an exception for this
warning to not cause an error.

The codebase is warning-free now, so this patch deletes this exception.

Follow-up [...]
Follow-up to3829759bd042c03225ae862062560f568ba1a231 curl#12489
Closes #xxxxx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bagder bagder bagder left review comments

Assignees
No one assigned
Labels
build CI Continuous Integration cmdline tool libcurl API tests
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@vszakats @jay @bagder