    Refactor GitLab cppcheck and update SAST ignorelists · df35072c
    Anson Chung authored
    Line numbers had to be removed from the ignorelists in order to be
    diffed against, since locations of the same findings can differ
    across runs. Therefore preprocessing has to be done on the CI findings
    so that they can be compared to the ignorelist and new findings can be
    outputted. However, since line numbers have to be removed, a situation
    occurs where it is difficult to reference the location of findings
    in code given the output of the CI job.
    
    To lessen this pain, change the cppcheck template to include
    code snippets which make it easier to reference where in the code
    the finding is referring to, even in the absence of line numbers.
    Ignorelisting works as before since locations of the finding may
    change but not the code it is referring to.
    
    Furthermore, due to the innate difficulty in maintaining ignorelists
    across branches and triaging new findings, allow failure so as not to
    have constantly failing pipelines as a result of new findings that
    have not been addressed yet.
    
    Lastly, update SAST ignorelists to match the newly refactored cppcheck
    job and the current state of the codebase.
    
    All new code of the whole pull request, including one or several
    files that are either new files or modified ones, is contributed
    under the BSD-new license. I am contributing on behalf of my
    employer Amazon Web Services, Inc.
flawfinder_ignorelist.json 27.4 KB
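The line-number-independent comparison the commit message describes, as an added example that is not code from this commit or from the project: CI findings are normalized by dropping their location and keyed on file, check id and code snippet before being diffed against the ignorelist. The JSON layout, file names, check ids and snippets below are constructed assumptions, since the page does not show the ignorelist format.

```python
"""Diff cppcheck-style CI findings against an ignorelist without relying on
line numbers (added example; record layout is an assumption, not the project's)."""
import json

# Constructed sample ignorelist: entries carry no line numbers, only stable fields.
IGNORELIST_JSON = """
[
  {"file": "src/net/parser.c", "id": "nullPointer", "snippet": "len = strlen(buf);"},
  {"file": "src/util/str.c",   "id": "arrayIndexOutOfBounds", "snippet": "tmp[i] = c;"}
]
"""

# Constructed sample CI output: same findings as above, now with line numbers that
# drifted since the ignorelist was written, plus one genuinely new finding.
CI_FINDINGS_JSON = """
[
  {"file": "src/net/parser.c", "line": 125, "id": "nullPointer",
   "snippet": "len  =  strlen(buf);"},
  {"file": "src/util/str.c",   "line": 57,  "id": "arrayIndexOutOfBounds",
   "snippet": "tmp[i] = c;"},
  {"file": "src/net/parser.c", "line": 201, "id": "memleak",
   "snippet": "p = malloc(n);"}
]
"""


def normalize(finding):
    """Reduce a finding to the fields that survive unrelated edits: the file,
    the check id and the whitespace-collapsed code snippet. Line numbers are
    deliberately dropped because they shift between runs."""
    snippet = " ".join(finding["snippet"].split())
    return (finding["file"], finding["id"], snippet)


def new_findings(ci_findings, ignorelist):
    """Return CI findings whose normalized key is absent from the ignorelist."""
    ignored = {normalize(entry) for entry in ignorelist}
    return [f for f in ci_findings if normalize(f) not in ignored]


def report(ci_json=CI_FINDINGS_JSON, ignore_json=IGNORELIST_JSON):
    """Print the new findings with their current line numbers and snippets,
    so a reader can still locate them even though the ignorelist has none."""
    fresh = new_findings(json.loads(ci_json), json.loads(ignore_json))
    for f in fresh:
        print(f"NEW {f['id']} in {f['file']}:{f['line']}  {f['snippet']}")
    return fresh


if __name__ == "__main__":
    report()
```

Running it reports only the `memleak` finding; the two ignorelisted findings still match despite their moved line numbers and changed spacing.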