futogergely added a comment.

In D91000#3225369 <https://reviews.llvm.org/D91000#3225369>, @balazske wrote:

> The functions `asctime` and `asctime_r` are discouraged according to CERT 
> MSC33-C rule. These could be added to this check as well. There is a clang SA 
> checker `SecuritySyntaxChecker` that contains other obsolete functions (and 
> the whole check looks like it can be done in clang-tidy).

The inclusion of the CERT MSC33-C rule seems to be straightforward: check for 
asctime and asctime_r, and suggest asctime_s if Annex K is available, otherwise 
suggest strftime.

security.insecureAPI: the following functions could be added to the checker: 
bcmp, bcopy, bzero, getpw, mktemp, vfork, and if arc4random is available: 
drand48, erand48, jrand48, lcong48, lrand48, mrand48, nrand48, random, rand_r.
I think for now it is enough to issue a warning about the use of these functions, 
and not suggest a replacement. Should we add an option to the checker to also 
check for these functions?

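The asctime replacement the comment sketches (asctime_s when Annex K is available, otherwise strftime with the layout asctime itself uses), as an added example that is not part of this review thread or of the clang-tidy check under discussion. The function names, the range validation and the sample date are my own assumptions, not code from the project.

```c
/* Added example (not from the review thread): a bounded replacement for
 * asctime()/asctime_r(). Uses asctime_s when the implementation provides
 * Annex K, otherwise strftime with the same layout asctime produces.
 * Names and validation are assumptions made for this example. */
#define __STDC_WANT_LIB_EXT1__ 1   /* must precede the headers for Annex K */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* asctime() writes "Www Mmm dd hh:mm:ss yyyy\n" into a fixed 26-byte buffer
 * and has undefined behaviour when a field does not fit (for example a year
 * outside 1000..9999). The bounded variant below refuses such input. */
#define ASCTIME_BUF_SIZE 26

static int tm_fits_asctime(const struct tm *t)
{
    int year = t->tm_year + 1900;
    return t->tm_wday >= 0 && t->tm_wday <= 6 &&
           t->tm_mon  >= 0 && t->tm_mon  <= 11 &&
           t->tm_mday >= 1 && t->tm_mday <= 31 &&
           t->tm_hour >= 0 && t->tm_hour <= 23 &&
           t->tm_min  >= 0 && t->tm_min  <= 59 &&
           t->tm_sec  >= 0 && t->tm_sec  <= 60 &&
           year >= 1000 && year <= 9999;
}

/* Formats *t like asctime() into buf (capacity n). Returns 0 on success,
 * -1 if a field is out of range or buf is too small. Uses no static state,
 * so unlike asctime() it is safe to call from several threads. */
int safe_asctime(const struct tm *t, char *buf, size_t n)
{
    if (buf == NULL || n == 0)
        return -1;
    buf[0] = '\0';
    if (t == NULL || !tm_fits_asctime(t) || n < ASCTIME_BUF_SIZE)
        return -1;
#ifdef __STDC_LIB_EXT1__
    /* Annex K available: asctime_s validates the ranges and the size itself. */
    return asctime_s(buf, n, t) == 0 ? 0 : -1;
#else
    /* No Annex K: strftime with asctime's layout. %e is the space-padded
     * day of month, matching asctime's "%3d" field (e.g. "Sep  6"). */
    return strftime(buf, n, "%a %b %e %H:%M:%S %Y\n", t) == 0 ? -1 : 0;
#endif
}

/* Builds a constructed sample broken-down time (wall clock 01:03:52). */
struct tm sample_tm(int year, int mon, int mday, int wday)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = year - 1900;
    t.tm_mon  = mon;
    t.tm_mday = mday;
    t.tm_wday = wday;
    t.tm_hour = 1;
    t.tm_min  = 3;
    t.tm_sec  = 52;
    return t;
}

int main(void)
{
    char buf[ASCTIME_BUF_SIZE];
    struct tm ok  = sample_tm(1973, 8, 16, 0);   /* Sun Sep 16 1973 */
    struct tm bad = sample_tm(10000, 0, 1, 0);   /* year does not fit */

    if (safe_asctime(&ok, buf, sizeof buf) == 0)
        fputs(buf, stdout);
    if (safe_asctime(&bad, buf, sizeof buf) != 0)
        puts("rejected: year outside 1000..9999");
    return 0;
}
```

The strftime path relies on the "C" locale for the English day and month abbreviations; a program that calls setlocale() with another locale gets localized names, which is one more reason the check can only suggest, not silently rewrite.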

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D91000/new/

https://reviews.llvm.org/D91000

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
