clang-tidy: clang-analyzer-security.insecureAPI.strcpy

[karel-m]

The warnings are related to src/misc/crypt/crypt_sizes.c and src/misc/crypt/crypt_constants:

src/misc/crypt/crypt_constants.c:290:13: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
            strcpy(ptr, _crypt_constants[i].name);
            ^
src/misc/crypt/crypt_constants.c:290:13: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
            strcpy(ptr, _crypt_constants[i].name);
            ^
src/misc/crypt/crypt_constants.c:292:13: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
            strcpy(ptr, ",");
            ^
src/misc/crypt/crypt_constants.c:292:13: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
            strcpy(ptr, ",");
            ^
src/misc/crypt/crypt_constants.c:296:13: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
            strcpy(ptr, number);
            ^
src/misc/crypt/crypt_constants.c:296:13: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
            strcpy(ptr, number);
            ^
src/misc/crypt/crypt_constants.c:298:13: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
            strcpy(ptr, "\n");
            ^
src/misc/crypt/crypt_constants.c:298:13: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
            strcpy(ptr, "\n");
            ^
src/misc/crypt/crypt_sizes.c:350:13: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
            strcpy(ptr, _crypt_sizes[i].name);
            ^
src/misc/crypt/crypt_sizes.c:350:13: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
            strcpy(ptr, _crypt_sizes[i].name);
            ^
src/misc/crypt/crypt_sizes.c:352:13: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
            strcpy(ptr, ",");
            ^
src/misc/crypt/crypt_sizes.c:352:13: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
            strcpy(ptr, ",");
            ^
src/misc/crypt/crypt_sizes.c:356:13: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
            strcpy(ptr, number);
            ^
src/misc/crypt/crypt_sizes.c:356:13: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
            strcpy(ptr, number);
            ^
src/misc/crypt/crypt_sizes.c:358:13: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
            strcpy(ptr, "\n");
            ^
src/misc/crypt/crypt_sizes.c:358:13: note: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119
            strcpy(ptr, "\n");
            ^

Do we want to fix this?

[sjaeckel]

should we add a build-target for clang-tidy?

[karel-m]

should we add a build-target for clang-tidy?

I do not think so. I had quite hard times to run those scans manually, making it automatic (and reliable) is too much effort that we can better invest elsewhere.