Re: Considering ignoring Coverity 'tainted' checks

[Pascal Quantin <pascal.quantin () gmail com>]

Hi Jaap,

2016-07-11 12:46 GMT+02:00 Jaap Keuter <jaap.keuter () xs4all nl>:

> Hi List,
>
> Since (not so) recently the Coverity code analysis has added a checker for
> so called tainted data. This data is considered coming from an external
> source (eg. the network) hence suspicious until validated. Using these
> tainted values is considered a risk. In general this is true, Wireshark on
> the other hand is intended and designed to handle suspicious / (very)
> possibly wrong network data (that’s what we’re using it for, amongst other
> things). So even though data is tainted, many cases the use of the TVB,
> etc. protects us from the problems envisioned by the checker writers.
>
> So what to so with these Coverity issues. Before we start to implement all
> kinds of arbitrary checks (duplicating effort already handled by the tvb
> code) and limits (mostly arbitrary) we should consider is this checker is
> really valuable in this context.

I started looking at a few of those warnings some time ago and agree with
you we should ignore them.
Is there a way to disable this check globally? Or will we need to add a
code annotation for each occurrence?

Pascal.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe