path: root/pkg/sentry/kernel/auth/credentials.go
author Michael Pratt <mpratt@google.com> 2021-07-26 10:24:11 -0700
committer gVisor bot <gvisor-bot@google.com> 2021-07-26 10:26:43 -0700
commit a42d3fd0aeb6c67c3fd2fb851845a1f88a298972 (patch)
tree 4cac50f3a73482ba3c82aa2ac1bcfcac9a9a46b6 /pkg/sentry/kernel/auth/credentials.go
parent 9ba8c40a3a3c7fed40d9137fed8a87fa9d536a22 (diff)
Fix per-analyzer overrides of default-disabled groups
Currently behavior of config groups with `default: false` is buggy. The intention is that adding an empty suppression section for that group to a specific analyzer config should enable reporting for that analyzer. i.e.,

```
groups:
  - name: foo
    regex: "^foo/"
    default: false
global:
  ...
analyzers:
  asmdecl:
    foo: # Enabled.
```

This should enable the foo group only for asmdecl.

Unfortunately, today the actual behavior depends on the contents of the `global:` section. If `global:` contains an entry for foo, then it will work as described. If `global:` does _not_ contain an entry for foo, then the group default (disabled) always applies and the individual analyzer options have no effect.

The cause of this is confusion in `AnalyzerConfig.shouldReport`, which doesn't distinguish between explicit suppression via a global suppression/exclude and simply having no configuration at all. Make this more explicit, so that the no configuration case can continue to per-analyzer configuration before falling back to the group default.

The last test case in the added test fails without this change.

This re-enables several opted-in analyzers for external dependencies, which have gained a few more false positives to suppress.

PiperOrigin-RevId: 386904725
Diffstat (limited to 'pkg/sentry/kernel/auth/credentials.go')
0 files changed, 0 insertions, 0 deletions
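
The precedence the commit message describes, as an added example that is not gVisor's code and not part of this commit: an explicit global suppression wins, an absent global entry falls through to the per-analyzer section, and only then does the group default apply. The `section` and `config` types, the substring matching, and the sample finding text are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// section maps a group to suppression substrings; an empty entry enables the group (hypothetical schema).
type section map[string][]string

// decide returns ok=false when the group has no entry, so "no configuration" is never read as a suppression.
func (s section) decide(group, msg string) (report, ok bool) {
	patterns, present := s[group]
	for _, p := range patterns {
		if strings.Contains(msg, p) {
			return false, true // explicitly suppressed
		}
	}
	return present, present // absent: (false, false); present and unsuppressed: (true, true)
}

type config struct {
	groupDefault map[string]bool
	global       section
	analyzers    map[string]section
}

// shouldReport applies: global suppression, then per-analyzer config, then the group default.
func (c config) shouldReport(analyzer, group, msg string) bool {
	if report, ok := c.global.decide(group, msg); ok && !report {
		return false
	}
	if report, ok := c.analyzers[analyzer].decide(group, msg); ok {
		return report
	}
	return c.groupDefault[group]
}

// sample is a constructed equivalent of the YAML in the commit message, with a caller-chosen global section.
func sample(global section) config {
	return config{
		groupDefault: map[string]bool{"foo": false},
		global:       global,
		analyzers:    map[string]section{"asmdecl": {"foo": nil}},
	}
}

func main() {
	fmt.Println(sample(nil).shouldReport("asmdecl", "foo", "constructed finding"))
}
```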