Remove cppcheck suppressions with line numbers in test/cppcheck_suppressions.txt #3134
Conversation
…y should be avoidded by RVO
|
I implemented two of the three trivial sonarcloud suggestions in commit 869e369. I actually did the third one as well, about using C++17 structured binding, but I couldn't include it in the PR. It triggers a cppcheck false positive in the version included in Ubuntu 22.04 (cppcheck 2.7.1). This seems to be addressed in cppcheck 2.8 (see here & here). |
|
Quick question, is it necessary to run PS: I originally asked this in a comment in PR #3132 but I'm moving it here, where it's more on topic. |
In my development branches I ended up creating a separate cppcheck workflow to execute it only once: cppcheck:
runs-on: [ubuntu-22.04]
steps:
- name: Setup Dependencies
run: |
sudo apt-get update -y -qq
sudo apt-get install -y cppcheck
- uses: actions/checkout@v4
with:
submodules: true
- name: build.sh
run: ./build.sh
- name: configure
run: ./configure
- name: check-static
run: make check-staticIf there are no differences in the source code analyzed in each Linux configuration (is this related to the configurations that enable parser generation?), I guess that step could be removed from the Linux builds and replaced with this workflow. This would improve overall execution time. BTW, updating the version of the checkout action to v4 would remove most of the annotations in the builds (I think only a warning about using sprintf on macOS builds would remain). |
I found how to add a step to build the latest version of cppcheck (2.14.0) in a couple other repositories, which follow the instructions to build with GNU make: - name: Build cppcheck 2.14 # https://github.com/LessRekkless/Community-Patch-DLL/blob/788f2d67fae77be5f59fb10dc585e4a0a7871419/.github/workflows/cppcheck.yml#L24C1-L34C27
run: |
cd /tmp
git clone https://github.com/danmar/cppcheck.git
cd cppcheck
git checkout 2.14.0
sudo make MATCHCOMPILER=yes FILESDIR=/usr/share/cppcheck HAVE_RULES=yes CXXFLAGS="-O2 -DNDEBUG -Wall -Wno-sign-compare -Wno-unused-function" install
cd /tmp
sudo rm -rf /tmp/cppcheck
sudo ldconfigI configured my development branch to run cppcheck using this version and it takes more time to execute (about 20 minutes) and reports a larger number of warnings than the current version. Most of them are recommendations to use declare variables/arguments as const (a few of which are performance improvements by avoiding copies of std::string objects). I've implemented the recommended updates in order to pass the |
eduar-hte
force-pushed
the
inline-cppcheck-suppressions
branch
2 times, most recently
from
2f808f6 to
fbe0d1a
Compare
|
Hi @eduar-hte, many thanks again for this awesome work!
If there could be removed, would you mind to remove them? Or is there any reason why haven't you removed them yet?
Right, I think we should merge them first and then - probably you should pick up those modifications - this PR. I'm going to answer the other comments. |
Well, this is also a very useful modification, but as I wrote at your other PR, it would be fine to split the commits by features. I mean if you work on a feature what does something, don't mix that with other features. Now you restructured the suppression lists (again: this is great!), but this commit does not connect the main feature. Could you revert that commit? |
No, I don't think so. In fact, I think we must reorganize the whole CI workflow of the library. The issues with that:
As you can see, it's time to reorganize the workflow :)
Thanks. |
yes, totally agree.
Thanks for letting know that. Please don't send any related PR until we don't merge this one at least :) |
I already did! :-)
I agree, if and when this PR is approved, I'd have to rebase the Windows port PR (#3132) to sync with these changes. |
may be we can take a look to Github's "official" cppcheck-action.
Nice catch!
Just one question again: this is an awesome work, but please walk on the way step by step :) If we can merge the "clean and pure" suppression fix, then we can focusing the next one, namely add the newr version of And one more thing (again): would you like to join to us on the Slack channel? ( |
I didn't include that change here because it wouldn't work until cppcheck is upgraded, as it'd introduce additional warnings that would require suppressions, so I thought it was not worth it. |
I see. I think we can get this PR to be just the move to using inline cppcheck suppressions to remove all the entries with line numbers in PS: The sonarcloud reported issues actually look like cppcheck warnings that it didn't happen to detect. |
Sorry, may be I was confused (and I'm still that), but These suppressions still presented in the mentioned file - now are they removable?
Sounds good! |
Oh, I only meant entries that have references to line numbers, those that require people to review and adjust I didn't review suppressions for whole files because they don't trigger this issue (of having to update line numbers). I also assumed that they had too many suppressions and the decision was made not to bother with a one-by-one approach, and ignore them altogether. In the scope of this PR, I left only three entries with line numbers because they're already going away in other PRs, and making them inline would just introduce conflicts. Though I guess these changes will require merge work on those PRs as well, so I could go ahead and inline them if we want to clear them all out when this PR is approved. |
You don't need to move there - as I know locally you can revert any commit and then push the current state, then Github removes that commit from PR too. May be you can take a look to b872f11 too, I think that's a similar commit (you can send that in a separate PR or part of a PR next time).
Under this PR there are two SonarCloud notices:
I'm sure we can mark these SonarCloud issues as false positive. |
ah, thanks, now it's clear!
This makes sense, thanks.
Okay, this question is clear for me, thank you. |
Hmm... If I could push back a little in this case. The change is about addressing the memory leak reported by cppcheck, which currently has a suppression with line number (and which I actually had to update when I made the example compile on Windows for PR #3132). This being an example, I think there is little risk in actually fixing the leak. Additionally, the alternative looks worse, that is, an example with a memory leak and an inline cppcheck suppression flagging it! :-) |
Yes, I saw it too when I was trying to run a newer version of cppcheck in my development branch's workflow. However, I decided against introducing an action to do this because then you'd have to maintain both the configuration to run cppcheck in the build configuration (which you can also use when downloading the repository and building the library yourself) and the one for the CI workflow. I didn't look into it in detail, but it also meant that I'd have to learn about the cppcheck parameters and see if they were supported and how they'd map into the action. Additionally, it seems that the action relies on a Docker file, so you depend on that project to be updated. For example, it's currently at 2.12.1, while I was able to just use the current release 2.14. So instead of having three dependencies (GitHub action, Docker file & cppcheck project), it seems simpler to depend on the source itself, given it's simple enough. |
eduar-hte
force-pushed
the
inline-cppcheck-suppressions
branch
from
fbe0d1a to
95ce3a7
Compare
|
As discussed, I rolled back the additional changes for the issues reported by cppcheck 2.14.0 I worked on during the weekend, and left those specifically related to removing suppressions entries with line numbers in I kept the other changes in a separate branch in my fork so that I can create a PR when this one is merged, as most of the changes are simple enough (add some const qualifiers, add missing override specifiers, and remove unnecessary overrides -as cppcheck detects when the base class implementation is the same-). |
- These were initially not included in these changes, as they were other PRs (owasp-modsecurity#3104 & owasp-modsecurity#3132) that address them.
In the end I removed these suppressions with line numbers in |
eduar-hte
changed the title
Oh, those were the ones I initially fixed in commit 869e369 (see comment), and ended up rolling back with the rest of the changes (triggered by trying to address the third one as well, which required upgrading cppcheck). I'll add them again, no worries. |
|
|
Notice that SonarCloud still reports 3 issues, but now the three are about using structured binding. |
Oh my bad, really sorry. I didn't realize that.
Many thanks. Seems like it's done. I wait for CI will finished and merge this PR. |
Yes, I see. Anyway, next time... 😃 |
|
Thanks @eduar-hte, this was a huge step. |
The goal of this PR is to smooth out the process of updating libModSecurity v3 by avoiding the need to update
test/cppcheck_suppressions.txtdue to line number changes when doing work unrelated to the suppressions.Additionally, inlining the suppressions also help removing the suppressions when the code where they're present is refactored/removed. Notice that a number of suppressions currently present in
test/cppcheck_suppressions.txtseem to reference issues no longer present in the code and that could be removed.The changes in this PR remove almost (*) all the current suppressions that have a line number reference at this time (commit 07e5a70):
(*) Three suppressions with line numbers remain after these changes because one is removed in the context of PR #3132 and two are removed in PR #3104.