Add flawfinder ignore comments for false positive security warnings

dpage · claude · dpage · commit 6a234e1f9a69 · 2026-01-13T15:10:39.000Z
All 14 security warnings from Codacy/flawfinder are false positives:
- strlen() calls on PostgreSQL text datums (always null-terminated)
- strlen() calls on palloc'd strings (explicitly null-terminated)
- memcpy() in curl callbacks (buffer pre-allocated to exact size)
- strncpy() followed by explicit null-termination

Added inline suppression comments explaining why each is safe.

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/src/chunking.c b/src/chunking.c
@@ -101,6 +101,7 @@ strip_non_ascii(const char *text)
 	if (text == NULL)
 		return NULL;
 
+	/* flawfinder: ignore - text from PostgreSQL text datum is null-terminated */
 	len = strlen(text);
 	result = palloc(len + 1);
 	j = 0;
@@ -166,6 +167,7 @@ chunk_by_tokens(const char *content, ChunkConfig *config)
 		processed_content = (char *) content;
 	}
 
+	/* flawfinder: ignore - processed_content is null-terminated (from PG or strip_non_ascii) */
 	content_len = strlen(processed_content);
 	if (content_len == 0)
 	{
diff --git a/src/hybrid_chunking.c b/src/hybrid_chunking.c
@@ -786,6 +786,7 @@ split_oversized_chunks(List *chunks, int max_tokens)
 		{
 			/* Split oversized chunk */
 			const char *content = chunk->content;
+			/* flawfinder: ignore - chunk->content is palloc'd, null-terminated */
 			int content_len = strlen(content);
 			int start_offset = 0;
 
@@ -1025,6 +1026,7 @@ elements_to_chunks_simple(List *elements, ChunkConfig *config)
 
 		initStringInfo(&chunk_text);
 
+		/* flawfinder: ignore - heading_context is palloc'd, null-terminated */
 		if (chunk->heading_context != NULL && strlen(chunk->heading_context) > 0)
 		{
 			appendStringInfoString(&chunk_text, "[Context: ");
@@ -1195,6 +1197,7 @@ chunk_hybrid(const char *content, ChunkConfig *config)
 		initStringInfo(&chunk_text);
 
 		/* Optionally prepend heading context for better retrieval */
+		/* flawfinder: ignore - heading_context is palloc'd, null-terminated */
 		if (chunk->heading_context != NULL && strlen(chunk->heading_context) > 0)
 		{
 			appendStringInfoString(&chunk_text, "[Context: ");
diff --git a/src/provider_ollama.c b/src/provider_ollama.c
@@ -141,6 +141,7 @@ ollama_generate(const char *text, int *dim, char **error_msg)
 	curl_easy_setopt(curl, CURLOPT_URL, url);
 	curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
 	curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json_request);
+	/* flawfinder: ignore - json_request from cJSON is null-terminated */
 	curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(json_request));
 	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
 	curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
@@ -231,6 +232,7 @@ write_callback(void *contents, size_t size, size_t nmemb, void *userp)
 		return 0;  /* Out of memory */
 
 	mem->data = ptr;
+	/* flawfinder: ignore - buffer was realloced to mem->size + realsize + 1 */
 	memcpy(&(mem->data[mem->size]), contents, realsize);
 	mem->size += realsize;
 	mem->data[mem->size] = 0;
diff --git a/src/provider_openai.c b/src/provider_openai.c
@@ -96,6 +96,7 @@ openai_cleanup(void)
 
 	if (api_key != NULL)
 	{
+		/* flawfinder: ignore - api_key is palloc'd, always null-terminated */
 		memset(api_key, 0, strlen(api_key));  /* Zero out key */
 		pfree(api_key);
 		api_key = NULL;
@@ -191,6 +192,7 @@ openai_generate_batch(const char **texts, int count, int *dim, char **error_msg)
 	curl_easy_setopt(curl, CURLOPT_URL, url);
 	curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
 	curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json_request);
+	/* flawfinder: ignore - json_request from cJSON is null-terminated */
 	curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(json_request));
 	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
 	curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
@@ -240,6 +242,7 @@ write_callback(void *contents, size_t size, size_t nmemb, void *userp)
 		return 0;  /* Out of memory */
 
 	mem->data = ptr;
+	/* flawfinder: ignore - buffer was realloced to mem->size + realsize + 1 */
 	memcpy(&(mem->data[mem->size]), contents, realsize);
 	mem->size += realsize;
 	mem->data[mem->size] = 0;
diff --git a/src/provider_voyage.c b/src/provider_voyage.c
@@ -95,6 +95,7 @@ voyage_cleanup(void)
 
 	if (api_key != NULL)
 	{
+		/* flawfinder: ignore - api_key is palloc'd, always null-terminated */
 		memset(api_key, 0, strlen(api_key));  /* Zero out key */
 		pfree(api_key);
 		api_key = NULL;
@@ -192,6 +193,7 @@ voyage_generate_batch(const char **texts, int count, int *dim, char **error_msg)
 	curl_easy_setopt(curl, CURLOPT_URL, url);
 	curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
 	curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json_request);
+	/* flawfinder: ignore - json_request from cJSON is null-terminated */
 	curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(json_request));
 	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
 	curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
@@ -241,6 +243,7 @@ write_callback(void *contents, size_t size, size_t nmemb, void *userp)
 		return 0;  /* Out of memory */
 
 	mem->data = ptr;
+	/* flawfinder: ignore - buffer was realloced to mem->size + realsize + 1 */
 	memcpy(&(mem->data[mem->size]), contents, realsize);
 	mem->size += realsize;
 	mem->data[mem->size] = 0;
diff --git a/src/worker.c b/src/worker.c
@@ -211,10 +211,12 @@ pgedge_vectorizer_worker_main(Datum main_arg)
 	while (*db_name == ' ' || *db_name == '\t')
 		db_name++;
 
+	/* flawfinder: ignore - explicitly null-terminated on next line */
 	strncpy(dbname, db_name, NAMEDATALEN - 1);
 	dbname[NAMEDATALEN - 1] = '\0';
 
 	/* Remove trailing whitespace */
+	/* flawfinder: ignore - dbname was just null-terminated above */
 	for (int i = strlen(dbname) - 1; i >= 0 && (dbname[i] == ' ' || dbname[i] == '\t'); i--)
 		dbname[i] = '\0';
 

Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,7 @@ strip_non_ascii(const char *text)`
`101`	`101`	`if (text == NULL)`
`102`	`102`	`return NULL;`
`103`	`103`
	`104`	`+ /* flawfinder: ignore - text from PostgreSQL text datum is null-terminated */`
`104`	`105`	`len = strlen(text);`
`105`	`106`	`result = palloc(len + 1);`
`106`	`107`	`j = 0;`
`@@ -166,6 +167,7 @@ chunk_by_tokens(const char content, ChunkConfig config)`
`166`	`167`	`processed_content = (char *) content;`
`167`	`168`	`}`
`168`	`169`
	`170`	`+ /* flawfinder: ignore - processed_content is null-terminated (from PG or strip_non_ascii) */`
`169`	`171`	`content_len = strlen(processed_content);`
`170`	`172`	`if (content_len == 0)`
`171`	`173`	`{`
Original file line number	Diff line number	Diff line change
`@@ -786,6 +786,7 @@ split_oversized_chunks(List *chunks, int max_tokens)`
`786`	`786`	`{`
`787`	`787`	`/* Split oversized chunk */`
`788`	`788`	`const char *content = chunk->content;`
	`789`	`+ /* flawfinder: ignore - chunk->content is palloc'd, null-terminated */`
`789`	`790`	`int content_len = strlen(content);`
`790`	`791`	`int start_offset = 0;`
`791`	`792`
`@@ -1025,6 +1026,7 @@ elements_to_chunks_simple(List elements, ChunkConfig config)`
`1025`	`1026`
`1026`	`1027`	`initStringInfo(&chunk_text);`
`1027`	`1028`
	`1029`	`+ /* flawfinder: ignore - heading_context is palloc'd, null-terminated */`
`1028`	`1030`	`if (chunk->heading_context != NULL && strlen(chunk->heading_context) > 0)`
`1029`	`1031`	`{`
`1030`	`1032`	`appendStringInfoString(&chunk_text, "[Context: ");`
`@@ -1195,6 +1197,7 @@ chunk_hybrid(const char content, ChunkConfig config)`
`1195`	`1197`	`initStringInfo(&chunk_text);`
`1196`	`1198`
`1197`	`1199`	`/* Optionally prepend heading context for better retrieval */`
	`1200`	`+ /* flawfinder: ignore - heading_context is palloc'd, null-terminated */`
`1198`	`1201`	`if (chunk->heading_context != NULL && strlen(chunk->heading_context) > 0)`
`1199`	`1202`	`{`
`1200`	`1203`	`appendStringInfoString(&chunk_text, "[Context: ");`