A18-0-1: Consider more than just the file name when identifying use of C standard libraries #7
Labels
- Difficulty-Medium: A false positive or false negative report which is expected to take 1-5 days effort to address
- false positive/false negative: An issue related to observed false positives or false negatives.
- Impact-Medium
- user-report: Issue reported by an end user of CodeQL Coding Standards

Affected rules: A18-0-1
Description
The query for this rule reports any use of headers with file names the same as a prohibited C standard library header. This can cause false positives if the included file is not from a C standard library implementation but just happens to have the same name as a C standard library header.
There's no certain way to determine whether an include is of a C Standard Library header file, because the files themselves are not universally distinguishable, so we will need to consider some heuristics for identification.
As an initial idea, we could only report cases where:
- `#include` specifies no file path (e.g. `filename = i.getIncludeText().substring(1, i.getIncludeText().length() - 2)`)
- `not exists(i.getIncludedFile().getRelativePath())`
Example
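A sketch of the heuristic described above as a CodeQL query (added here as an illustration, not the project's own query): an include is reported only when its include text is a bare angle-bracket name with no directory component, that name is on a (here, deliberately shortened) list of C standard library headers, and the included file has no relative path, i.e. it sits outside the analysed source tree. The header list and the query id are assumptions for the example.

```ql
/**
 * @name Use of a C standard library header (path-aware heuristic)
 * @description Flags an #include of a C standard library header only when the
 *              include text names no path and the resolved file lies outside
 *              the analysed source tree.
 * @kind problem
 * @id example/a18-0-1-heuristic
 */

import cpp

// Illustrative subset of the headers A18-0-1 prohibits; the real list is longer.
predicate isCStandardHeaderName(string name) {
  name = ["assert.h", "ctype.h", "errno.h", "math.h", "stdio.h", "stdlib.h", "string.h", "time.h"]
}

/**
 * Holds if the include text of `i` is `<name>` where `name` contains no
 * directory separator, e.g. `<stdio.h>` but not `<sys/stdio.h>`.
 */
predicate bareAngleInclude(Include i, string name) {
  exists(string text | text = i.getIncludeText() |
    text.matches("<%>") and
    not text.matches("%/%") and
    not text.matches("%\\%") and
    // substring end index is exclusive: strip the leading '<' and trailing '>'
    name = text.substring(1, text.length() - 1)
  )
}

from Include i, string name
where
  bareAngleInclude(i, name) and
  isCStandardHeaderName(name) and
  // Files in the analysed source tree have a relative path; system headers do not,
  // so a same-named header shipped with the project is not reported.
  not exists(i.getIncludedFile().getRelativePath())
select i, "Use of prohibited C standard library header <" + name + ">."
```

A project header such as `src/compat/string.h` included as `"string.h"` or `<compat/string.h>` fails the first or second condition and is left alone, which is the false positive the issue describes.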