diff options
author | Michael Pratt <mpratt@google.com> | 2021-07-26 10:24:11 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-07-26 10:26:43 -0700 |
commit | a42d3fd0aeb6c67c3fd2fb851845a1f88a298972 (patch) | |
tree | 4cac50f3a73482ba3c82aa2ac1bcfcac9a9a46b6 /pkg/sentry/arch/arch_amd64.go | |
parent | 9ba8c40a3a3c7fed40d9137fed8a87fa9d536a22 (diff) |
Fix per-analyzer overrides of default-disabled groups
Currently behavior of config groups with `default: false` is buggy. The
intention is that adding an empty suppression section for that group to a
specific analyzer config should enable reporting for that analyzer. i.e.,
```
groups:
- name: foo
regex: "^foo/"
default: false
global:
...
analyzers:
asmdecl:
foo: # Enabled.
```
This should enable the foo group only for asmdecl. Unfortunately, today the
actual behavior depends on the contents of the `global:` section. If `global:`
contains an entry for foo, then it will work as described. If `global:` does
_not_ contain an entry for foo, then the group default (disabled) always
applies and the individual analyzer options have no effect.
The cause of this is confusion in `AnalyzerConfig.shouldReport`, which doesn't
distinguish between explicit suppression via a global suppression/exclude and
simply having no configuration at all. Make this more explicit, so that the no
configuration case can continue to per-analyzer configuration before falling
back to the group default.
The last test case in the added test fails without this change.
This re-enables several opted-in analyzers for external dependencies, which
have gained a few more false positives to suppress.
PiperOrigin-RevId: 386904725
Diffstat (limited to 'pkg/sentry/arch/arch_amd64.go')
0 files changed, 0 insertions, 0 deletions