curl/docs
Viktor Szakats 6d87eb2878
cmake: add CURL_GCC_ANALYZER option, enable in CI, fix/silence
Enable in one existing Linux, macOS and Windows job.

Cost:
- Linux: +1.3 minutes.
- macOS: +1.5 minutes.
- Windows: +2.5 minutes.

Fix or silence issues found:
- conncache: silence NULL deref warning.
  ```
  lib/conncache.c:564:18: warning: dereference of NULL '*data.multi' [CWE-476] [-Wanalyzer-null-dereference]
  ```
  Ref: ede6a8e087 #19378
- http2: check pointer for NULL.
  ```
  lib/http2.c:388:7: error: dereference of NULL ‘data’ [CWE-476] [-Wanalyzer-null-dereference]
  ```
- http2: silence potential NULL deref in `cf_h2_recv`.
  ```
  lib/http2.c: In function 'cf_h2_recv':
  lib/curl_trc.h:62:15: warning: dereference of NULL 'data' [CWE-476] [-Wanalyzer-null-dereference]
  ```
- openldap: silence deref before NULL check.
  Seen in GHA/Linux.
  ```
  lib/openldap.c: In function ‘oldap_state_mechs_resp’:
  lib/curl_trc.h:140:7: warning: check of ‘data’ for NULL after already dereferencing it [-Wanalyzer-deref-before-check]
  ```
- sendf: silence NULL deref false positive in `Curl_creader_set_fread`.
  It looks impossible to happen.
  ```
  lib/sendf.c:1133:7: warning: dereference of NULL 'r' [CWE-476] [-Wanalyzer-null-dereference]
  ```
- ws: silence deref before NULL check.
  ```
  lib/ws.c: In function 'ws_send_raw_blocking':
  lib/curl_trc.h:205:7: warning: check of 'data' for NULL after already dereferencing it [-Wanalyzer-deref-before-check]
  ```
- var: fix potential NULL deref
  ```
  src/var.c:216:29: warning: dereference of NULL 'envp' [CWE-476] [-Wanalyzer-null-dereference]
  ```
- cli_hx_upload.c: fix NULL check after dereference.
  ```
  tests/libtest/cli_hx_upload.c:170:7: warning: check of '*t.method' for NULL after already dereferencing it [-Wanalyzer-deref-before-check]
  ```
- unit1607, unit1609: fix theoretical NULL ptr dereference.
  ```
  tests/unit/unit1607.c:211:12: warning: dereference of NULL 'addr' [CWE-476] [-Wanalyzer-null-dereference]
  tests/unit/unit1609.c:193:12: warning: dereference of NULL 'addr' [CWE-476] [-Wanalyzer-null-dereference]
  ```
- globally disable checks triggering false positives only:
  ```
  docs/examples/externalsocket.c:135:8: warning: 'connect' on possibly invalid file descriptor 'sockfd' [-Wanalyzer-fd-use-without-check]
  lib/bufq.c:465:16: warning: infinite loop [CWE-835] [-Wanalyzer-infinite-loop] (gcc-15 Windows)
  lib/doh.c:1035:34: warning: stack-based buffer over-read [CWE-126] [-Wanalyzer-out-of-bounds] (gcc-15 macOS)
  lib/ftp.c:4022:20: warning: infinite loop [CWE-835] [-Wanalyzer-infinite-loop] (gcc-15 macOS)
  lib/http2.c:689:28: warning: buffer over-read [CWE-126] [-Wanalyzer-out-of-bounds] (gcc-15 macOS)
  lib/socketpair.c:195:5: warning: leak of file descriptor 'curl_dbg_socket(2, 1, 0, 192, "D:/a/curl/curl/lib/socketpair.c")' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_doswin.c:810:7: warning: leak of file descriptor '*tdata.socket_l' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_doswin.c:816:9: warning: leak of file descriptor '*tdata.socket_l' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_main.c:96:1: warning: leak of file descriptor 'fd[0]' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_main.c:96:1: warning: leak of file descriptor 'fd[1]' [CWE-775] [-Wanalyzer-fd-leak]
  src/tool_urlglob.c:48:17: warning: leak of 'malloc(8)' [CWE-401] [-Wanalyzer-malloc-leak]
  src/tool_writeout.c:870:3: warning: leak of FILE 'stream2' [CWE-775] [-Wanalyzer-file-leak]
  tests/libtest/lib518.c:90:1: warning: leak of FILE [CWE-775] [-Wanalyzer-file-leak]
  tests/libtest/lib537.c:87:1: warning: leak of FILE [CWE-775] [-Wanalyzer-file-leak]
  tests/server/tftpd.c:1147:10: warning: 'bind' on possibly invalid file descriptor 'sock' [-Wanalyzer-fd-use-without-check]
  tests/server/tftpd.c:1155:10: warning: 'bind' on possibly invalid file descriptor 'sock' [-Wanalyzer-fd-use-without-check]
  tests/server/tftpd.c:1259:10: warning: 'connect' on possibly invalid file descriptor '4294967295' [-Wanalyzer-fd-use-without-check]
  ```

Also:
- cmake: update clang-tidy typecheck comment.

Ref: https://gcc.gnu.org/onlinedocs/gcc/Static-Analyzer-Options.html

Closes #20921
2026-03-16 11:49:34 +01:00

| Name | Last commit | Date |
| --- | --- | --- |
| cmdline-opts | docs: minor wording tweaks | 2026-03-11 08:46:01 +01:00 |
| examples | cmake: add CURL_GCC_ANALYZER option, enable in CI, fix/silence | 2026-03-16 11:49:34 +01:00 |
| internals | badwords: avoid 'simply' | 2026-03-10 19:34:06 +01:00 |
| libcurl | badwords: avoid 'simply' | 2026-03-10 19:34:06 +01:00 |
| tests | docs: minor wording tweaks | 2026-03-11 08:46:01 +01:00 |
| .gitignore | docs: add RELEASE-TOOLS.md.dist to .gitignore | 2024-07-01 22:49:55 +02:00 |
| ALTSVC.md | docs: fold long lines | 2025-12-11 11:42:28 +01:00 |
| BINDINGS.md | docs: some nitpicks | 2026-02-27 23:05:37 +01:00 |
| BUG-BOUNTY.md | BUG-BOUNTY.md: minor rephrase to say there is no bug bounty | 2026-03-10 17:34:08 +01:00 |
| BUGS.md | docs: avoid using the word 'magic' | 2026-03-03 15:32:13 +01:00 |
| CIPHERS-TLS12.md | docs: update CIPHERS.md | 2024-08-12 23:35:56 +02:00 |
| CIPHERS.md | docs: avoid starting sentences with However, | 2026-03-07 23:49:11 +01:00 |
| CMakeLists.txt | tests: move test docs into /docs | 2025-05-28 15:00:03 +02:00 |
| CODE_OF_CONDUCT.md | tidy-up: Markdown, clang-format nits | 2026-01-22 23:44:47 +01:00 |
| CODE_REVIEW.md | docs: fix broken link in CODE_REVIEW.md | 2025-06-21 10:32:06 +02:00 |
| CONTRIBUTE.md | badwords: avoid 'simply' | 2026-03-10 19:34:06 +01:00 |
| curl-config.md | docs: minor edits to please the new spellchecker regime | 2025-02-27 13:15:21 +01:00 |
| CURL-DISABLE.md | build: add build-level CURL_DISABLE_TYPECHECK options | 2025-11-21 13:48:35 +01:00 |
| CURLDOWN.md | stop using the word 'just' | 2026-03-03 15:30:22 +01:00 |
| DEPRECATE.md | DEPRECATE.md: SMB and NTLM become build-time opt-in | 2026-03-07 14:56:08 +01:00 |
| DISTROS.md | docs: add LibreELEC to DISTROS.md | 2026-01-26 12:12:05 -08:00 |
| EARLY-RELEASE.md | stop using the word 'just' | 2026-03-03 15:30:22 +01:00 |
| ECH.md | stop using the word 'just' | 2026-03-03 15:30:22 +01:00 |
| EXPERIMENTAL.md | docs/EXPERIMENTAL.md: add a mention of HTTPSRR as experimental | 2025-01-16 19:41:42 +01:00 |
| FAQ.md | docs/lib: fix typos | 2026-03-16 10:43:24 +01:00 |
| FEATURES.md | tidy-up: miscellaneous | 2026-01-20 12:37:56 +01:00 |
| GOVERNANCE.md | docs: avoid starting sentences with However, | 2026-03-07 23:49:11 +01:00 |
| HELP-US.md | tidy-up: miscellaneous | 2026-01-15 13:06:13 +01:00 |
| HISTORY.md | docs: replace instances of the vague qualifier 'quite' | 2026-03-07 23:52:50 +01:00 |
| HSTS.md | tidy-up: miscellaneous | 2026-01-20 12:37:56 +01:00 |
| HTTP-COOKIES.md | stop using the word 'just' | 2026-03-03 15:30:22 +01:00 |
| HTTP3.md | HTTP3.md: drop outdated mentions of OpenSSL-QUIC | 2026-03-12 23:20:47 +01:00 |
| HTTPSRR.md | badwords: avoid 'simply' | 2026-03-10 19:34:06 +01:00 |
| INFRASTRUCTURE.md | BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026 | 2026-01-26 08:26:28 +01:00 |
| INSTALL | INSTALL: converted to markdown => INSTALL.md | 2016-10-21 15:57:29 +02:00 |
| INSTALL-CMAKE.md | cmake: add CURL_GCC_ANALYZER option, enable in CI, fix/silence | 2026-03-16 11:49:34 +01:00 |
| INSTALL.md | configure: add option to trace pkg-config detection details | 2026-03-16 11:31:01 +01:00 |
| INTERNALS.md | clang-tidy: replace comma-separated string with list in config | 2026-02-19 16:27:08 +01:00 |
| IPFS.md | stop using the word 'just' | 2026-03-03 15:30:22 +01:00 |
| KNOWN_BUGS.md | docs: avoid starting sentences with However, | 2026-03-07 23:49:11 +01:00 |
| KNOWN_RISKS.md | stop using the word 'just' | 2026-03-03 15:30:22 +01:00 |
| MAIL-ETIQUETTE.md | badwords: avoid 'simply' | 2026-03-10 19:34:06 +01:00 |
| Makefile.am | tidy-up: miscellaneous | 2026-01-15 13:06:13 +01:00 |
| MANUAL.md | badwords: avoid 'simply' | 2026-03-10 19:34:06 +01:00 |
| mk-ca-bundle.md | stop using the word 'just' | 2026-03-03 15:30:22 +01:00 |
| options-in-versions | tool_getparam: add --knownhosts | 2025-10-06 13:41:22 +02:00 |
| README.md | reuse: add copyright + license info to individual docs/*.md files | 2024-03-31 12:01:18 +02:00 |
| RELEASE-PROCEDURE.md | RELEASE-PROCEDURE.md: update future release dates | 2026-01-26 12:28:25 +01:00 |
| ROADMAP.md | CI: add whitespace checker | 2024-06-27 13:33:30 +02:00 |
| runtests.md | badwords: avoid 'simply' | 2026-03-10 19:34:06 +01:00 |
| RUSTLS.md | tidy-up: URLs | 2025-09-23 00:34:46 +02:00 |
| SECURITY-ADVISORY.md | stop using the word 'just' | 2026-03-03 15:30:22 +01:00 |
| SPONSORS.md | BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026 | 2026-01-26 08:26:28 +01:00 |
| SSL-PROBLEMS.md | tidy-up: Markdown, clang-format nits | 2026-01-22 23:44:47 +01:00 |
| SSLCERTS.md | tidy-up: miscellaneous | 2025-12-12 04:18:48 +01:00 |
| testcurl.md | tidy-up: Markdown, clang-format nits | 2026-01-22 23:44:47 +01:00 |
| THANKS | THANKS: add contributors from 8.19.0 release | 2026-03-11 07:46:12 +01:00 |
| THANKS-filter | THANKS-filter: update with a new entry | 2026-03-09 11:35:19 +01:00 |
| TheArtOfHttpScripting.md | badwords: avoid 'simply' | 2026-03-10 19:34:06 +01:00 |
| TODO.md | docs: avoid starting sentences with However, | 2026-03-07 23:49:11 +01:00 |
| URL-SYNTAX.md | docs: avoid starting sentences with However, | 2026-03-07 23:49:11 +01:00 |
| VERSIONS.md | VERSIONS: add 8.19.0 | 2026-03-11 07:46:12 +01:00 |
| VULN-DISCLOSURE-POLICY.md | BUG-BOUNTY.md: minor rephrase to say there is no bug bounty | 2026-03-10 17:34:08 +01:00 |
| wcurl.md | badwords: avoid 'simply' | 2026-03-10 19:34:06 +01:00 |


Documentation

You find a mix of various documentation in this directory and subdirectories, using several different formats. Some of them are not ideal for reading directly in your browser.

If you would rather see the rendered version of the documentation, check out the curl website's documentation section for general curl stuff or the libcurl section for libcurl-related documentation.