We are using cli11 v2.2.0 in one of the projects I am working on. Running Klocwork for static analysis of the project, we observe some issues reported by the tool. Most of the issues are false positives, but a few are easy to fix:
# 438: 'num' is used uninitialized in this function. Also there is one similar error on line 997.
CLI11-2.2.0/include/CLI/Validators.hpp:979 | operator()()
Code: UNINIT.STACK.MUST | Severity: Critical (1) | State: Existing | Status: Analyze | Taxonomy: C and C++ | Owner: unowned
# 268: Class 'Formatter' defines a copy constructor, but no assignment operator
CLI11-2.2.0/include/CLI/FormatterFwd.hpp:116 | FormatterFwd.hpp()
Code: CWARN.COPY.NOASSIGN | Severity: Review (4) | State: Existing | Status: Analyze | Taxonomy: C and C++ | Owner: unowned
# 280: Class 'FormatterBase' defines a copy constructor, but no assignment operator
CLI11-2.2.0/include/CLI/FormatterFwd.hpp:39 | FormatterFwd.hpp()
Code: CWARN.COPY.NOASSIGN | Severity: Review (4) | State: Existing | Status: Analyze | Taxonomy: C and C++ | Owner: unowned
Fix:
```cpp
Formatter& operator=(const Formatter&) = default;
```
Another problem concerns the stat() function, which is recognized by the tool as a "time-of-check-time-of-use" vulnerability:
# 410: function 'stat' operates on file names and is vulnerable to race conditions. Files can be manipulated by attackers between creation and access time.
CLI11-2.2.0/include/CLI/Validators.hpp:335 | check_path()
Code: SV.TOCTOU.FILE_ACCESS | Severity: Review (4) | State: Existing | Status: Analyze | Taxonomy: C and C++ | Owner: unowned
Technically num is an output of the lexical_cast and it makes little sense to init it. It would, however, do no real harm.
2-3. I'd say that should be fixed.
last: The validator only checks for the file existence - this is its role. This is not fixable and the application must implement its own countermeasures.
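What "the application must implement its own countermeasures" looks like in practice, as an added example that is not part of the issue and not CLI11 code: a name-based existence check in the style of check_path() (stat() on the path) can only report what was there at the instant it ran; the application should open the file once, validate the descriptor with fstat(), and read from that descriptor. The fixture (a temporary directory under /tmp, an input file and a "secret" file, and a symlink planted between the check and the use) is constructed here to make the race visible; it assumes a POSIX system with a writable /tmp.

```cpp
// Added example, not CLI11 code: the stat()-then-open pattern that Klocwork
// flags (SV.TOCTOU.FILE_ACCESS) next to the fd-based pattern an application
// should use once a path validator has accepted the file name.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <fstream>
#include <iterator>
#include <string>

// --- Vulnerable pattern: validate by name, consume by name later -----------
// This is all a stat()-based validator can learn: a regular file existed
// under this name at the instant stat() ran.
bool existsByName(const std::string &path) {
    struct stat st {};
    return ::stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode);
}

// A second lookup by name; whatever lives at the path *now* is what is read.
std::string readByName(const std::string &path) {
    std::ifstream in(path, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

// --- Hardened pattern: open once, validate the descriptor, read the descriptor
struct OpenResult {
    int fd;             // -1 on failure
    std::string error;  // empty on success
};

// O_NOFOLLOW refuses a symlink at the final path component (ELOOP) and
// fstat() inspects the object actually opened, so every later read() sees
// the same inode that passed the checks: there is no window to swap the path.
OpenResult openRegularFile(const std::string &path) {
    int fd = ::open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return {-1, std::string("open: ") + std::strerror(errno)};
    struct stat st {};
    if (::fstat(fd, &st) != 0) {
        int err = errno;
        ::close(fd);
        return {-1, std::string("fstat: ") + std::strerror(err)};
    }
    if (!S_ISREG(st.st_mode)) {
        ::close(fd);
        return {-1, "not a regular file"};
    }
    return {fd, ""};
}

std::string readFromFd(int fd) {
    std::string out;
    char buf[4096];
    ssize_t n;
    while ((n = ::read(fd, buf, sizeof buf)) > 0) out.append(buf, static_cast<size_t>(n));
    return out;
}

// --- Demonstration with a constructed race ---------------------------------
struct DemoResult {
    bool nameCheckPassed;       // the stat()-based check accepted the path
    std::string readByNameGot;  // what a later open-by-name actually read
    std::string readViaFdGot;   // what the descriptor opened before the swap read
    bool reopenAccepted;        // whether openRegularFile() accepted the swapped path
};

DemoResult runToctouDemo() {
    // Constructed fixture: a harmless input file and a "secret" file the
    // attacker wants the program to read instead.
    char tmpl[] = "/tmp/toctou-demo-XXXXXX";
    if (!::mkdtemp(tmpl)) return {false, "", "", false};
    std::string dir = tmpl;
    std::string input = dir + "/input.txt";
    std::string secret = dir + "/secret.txt";
    { std::ofstream f(input); f << "harmless input"; }
    { std::ofstream f(secret); f << "secret data"; }

    bool passed = existsByName(input);          // 1. check: the name looks fine
    OpenResult held = openRegularFile(input);   // 2. hardened app opens immediately

    // 3. Attacker wins the race: the validated name now points at the secret.
    ::unlink(input.c_str());
    ::symlink(secret.c_str(), input.c_str());

    std::string byName = readByName(input);     // 4. naive app re-resolves the name
    std::string viaFd = readFromFd(held.fd);    // 5. held fd still reads the original inode
    if (held.fd >= 0) ::close(held.fd);

    OpenResult again = openRegularFile(input);  // 6. O_NOFOLLOW rejects the planted symlink
    bool accepted = again.fd >= 0;
    if (accepted) ::close(again.fd);

    ::unlink(input.c_str());
    ::unlink(secret.c_str());
    ::rmdir(dir.c_str());
    return {passed, byName, viaFd, accepted};
}

int main() {
    DemoResult r = runToctouDemo();
    std::printf("check passed: %d\nread by name: %s\nread via fd: %s\nreopen accepted: %d\n",
                r.nameCheckPassed, r.readByNameGot.c_str(), r.readViaFdGot.c_str(), r.reopenAccepted);
    return 0;
}
```

The name-based check passes and the later open-by-name reads "secret data", while the descriptor opened before the swap still reads "harmless input" and a fresh openRegularFile() on the swapped path is refused. A validator like CLI11's can only give the first, advisory answer; the application owns the open-then-fstat step.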