[vim/vim] CI: Fix CodeQL Analyze (cpp) (PR #9519)


ichizok

Jan 13, 2022, 12:26:46 PM
to vim/vim, Subscribed

CodeQL reports command-line injection at execl in cs_create_connection (if_cscope), since it has a flow that passes environment variables into a shell command.
This generates so many 'threadFlows' items in the SARIF that GitHub rejects uploading it.

CodeQL 2.7.2 and later report the above vulnerability.
Though, as mentioned above, GitHub rejects uploading the result (thus Code Scanning hasn't been carried out for a while), the analysis job itself had succeeded until recently; but now GitHub returns the error and the job fails.

This patch replaces execl by execvp, as a workaround.
(It also merges if_cscope.h into the .c file, because there is no need to separate them.)

However, since the if_cscope code is messy, I think it should be changed to use a job, or better yet, the whole of if_cscope rewritten as a Vim script plugin :)


You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/9519

File Changes: (8 files)

Reply to this email directly, view it on GitHub.
Triage notifications on the go with GitHub Mobile for iOS or Android.
You are receiving this because you are subscribed to this thread. Message ID: <vim/vim/pull/9519@github.com>
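The PR description above says the CodeQL finding is about a flow from environment variables into a shell command at execl, and the fix swaps execl for execvp; later in the thread the symptom is quoted as E609 "sh: 1: Syntax error: "(" unexpected". The following is an added example, not Vim's if_cscope code, that shows the two shapes side by side: a command string that a shell re-parses, versus an argv array that execvp() hands to the child verbatim. The function names (build_shell_command, build_argv, has_shell_metachar, run_capture), the "-f" option layout and the sample path containing "(" are all assumptions constructed for the demonstration; echo stands in for cscope so the exec part runs anywhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Characters /bin/sh would interpret inside a command string. The "("
 * is the one behind the error quoted in the thread. Constructed list,
 * not taken from Vim. */
static const char SHELL_META[] = "|&;<>()$`\\\"' \t\n*?[#~";

/* Returns 1 if the value contains any character a shell would parse. */
int has_shell_metachar(const char *s)
{
    return s != NULL && strpbrk(s, SHELL_META) != NULL;
}

/* "Before" shape (hypothetical): program and arguments are glued into one
 * string that is later passed to `sh -c`, so every byte of `ppath` (which
 * may originate from an environment variable) is re-parsed by the shell.
 * Caller frees the result. */
char *build_shell_command(const char *prg, const char *ppath)
{
    size_t n = strlen(prg) + strlen(" -f ") + strlen(ppath) + 1;
    char *cmd = malloc(n);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, n, "%s -f %s", prg, ppath);
    return cmd;
}

/* "After" shape matching the execvp fix: each argument is its own argv
 * element. execvp() passes argv to the new process unchanged; no shell
 * sees `ppath`, so "(" or "$HOME" inside it stay literal.
 * Returns the number of elements stored (excluding the NULL terminator),
 * or 0 if `argv` is too small. */
size_t build_argv(const char *prg, const char *ppath, char *argv[], size_t cap)
{
    if (cap < 4)
        return 0;
    argv[0] = (char *)prg;
    argv[1] = "-f";
    argv[2] = (char *)ppath;
    argv[3] = NULL;
    return 3;
}

/* Runs argv with fork()+execvp() and captures the child's stdout.
 * Returns the child's exit status, or -1 on failure. */
int run_capture(char *const argv[], char *out, size_t outsz)
{
    int fds[2];
    if (outsz == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);   /* execvp only returns on error */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used + 1 < outsz && (n = read(fds[0], out + used, outsz - used - 1)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed value standing in for a cscope database path taken
     * from the environment; the "(" is what trips /bin/sh. */
    const char *ppath = "/tmp/proj(1)/cscope.out $HOME";

    char *cmd = build_shell_command("cscope", ppath);
    printf("shell string      : %s\n", cmd);
    printf("shell would reparse: %s\n", has_shell_metachar(ppath) ? "yes" : "no");
    free(cmd);

    /* echo instead of cscope so the exec demonstration runs anywhere. */
    char *argv[4];
    build_argv("echo", ppath, argv, 4);
    char out[256];
    int rc = run_capture(argv, out, sizeof out);
    printf("execvp output (rc=%d): %s", rc, out);   /* "-f" and ppath verbatim */
    return 0;
}
```

The point the check makes: with the argv form there is nothing to escape or quote, because the value never passes through a shell parser; the shell-string form would need the untrusted path quoted correctly for every metacharacter, which is what the CodeQL alert and the E609 error in the thread are about.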

codecov[bot]

Jan 13, 2022, 12:34:43 PM
to vim/vim, Subscribed

Codecov Report

Merging #9519 (224d6ab) into master (33b25d1) will decrease coverage by 2.22%.
The diff coverage is 40.00%.

@@            Coverage Diff             @@
##           master    #9519      +/-   ##
==========================================
- Coverage   82.61%   80.39%   -2.23%     
==========================================
  Files         154      152       -2     
  Lines      171014   172648    +1634     
  Branches    39176    39181       +5     
==========================================
- Hits       141291   138802    -2489     
- Misses      16674    21133    +4459     
+ Partials    13049    12713     -336     

Flag                 Coverage Δ
huge-clang-none      81.86% <40.00%> (?)
huge-gcc-none        ?
huge-gcc-testgui     ?
huge-gcc-unittests   2.03% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.

Impacted Files                    Coverage Δ
src/if_cscope.c                   72.47% <40.00%> (+1.55%) ⬆️
src/libvterm/src/rect.h            0.00% <0.00%> (-96.78%) ⬇️
src/libvterm/src/state.c          34.80% <0.00%> (-54.51%) ⬇️
src/libvterm/src/keyboard.c       36.84% <0.00%> (-50.79%) ⬇️
src/libvterm/include/vterm.h       0.00% <0.00%> (-44.45%) ⬇️
src/libvterm/src/parser.c         55.41% <0.00%> (-40.42%) ⬇️
src/libvterm/src/pen.c            44.37% <0.00%> (-39.52%) ⬇️
src/libvterm/src/encoding.c       37.37% <0.00%> (-36.16%) ⬇️
src/libvterm/src/vterm.c          39.17% <0.00%> (-28.53%) ⬇️
src/if_perl.xs                    54.42% <0.00%> (-22.97%) ⬇️
... and 136 more

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 33b25d1...224d6ab.



lgtm-com[bot]

Jan 13, 2022, 12:50:51 PM
to vim/vim, Subscribed

This pull request fixes 1 alert when merging 224d6ab into 33b25d1 - view on LGTM.com

fixed alerts:

  • 1 for Uncontrolled data used in OS command



Bram Moolenaar

Jan 13, 2022, 1:10:00 PM
to vim/vim, Subscribed

Closed #9519 via 4050305.



Christian Brabandt

Jan 13, 2022, 3:32:47 PM
to vim...@googlegroups.com, vim/vim, Subscribed
Does this also fix #3184?

On 13.01.2022 at 19:10, Bram Moolenaar <vim-dev...@256bit.org> wrote:


--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vim_dev/vim/vim/pull/9519/issue_event/5889475444%40github.com.

Christian Brabandt

Jan 14, 2022, 4:46:00 AM
to vim/vim, Subscribed

Hi @ichizok, does this fix also fix #3184?



ichizok

Jan 14, 2022, 5:21:47 AM
to vim/vim, Subscribed

> Hi @ichizok, does this fix also fix #3184?

Yes, as far as I have confirmed, the error (E609: Cscope error: sh: 1: Syntax error: "(" unexpected) is fixed.



Christian Brabandt

Jan 14, 2022, 5:25:55 AM
to vim/vim, Subscribed

thanks

