The `--check-level=exhaustive` option was briefly added, then changed to
`--max-ctu-depth=40`, presumably because the version being used in CI
(cppcheck 2.7 on ubuntu-22.04) did not support the former.
The current version in CI (cppcheck 2.13 on ubuntu-24.04) supports that
option, so restore it.
This fixes a flood of `information:` messages (which appear even with
`-q`) in the latest version of cppcheck:
$ cppcheck --version
Cppcheck 2.18.0
$ make cppcheck
cppcheck -q -j 4 --force --error-exitcode=1 --enable=warning,performance \
--max-ctu-depth=40 \
-i src/firejail/checkcfg.c \
-i src/firejail/main.c \
-i src/lib/syscall.c \
.
cppcheck: --max-ctu-depth is being capped at 10. This limitation will be removed in a future Cppcheck version.
src/etc-cleanup/main.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
src/fbuilder/build_bin.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
src/fbuilder/build_fs.c:0:0: information: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches. [normalCheckLevelMaxBranches]
^
[...]
This is a follow-up to #6874.
Related commits:
* be3c2a071 ("some problems reported by ccpcheck", 2025-08-17)
* d4881b6bc ("cppcheck cleanup", 2025-08-17)
* ebb368780 ("ci: cppcheck: upgrade ubuntu-22.04 to ubuntu-24.04",
2025-08-20) / PR #6874
To avoid CI failures.
From the first run of `cppcheck_old` on commit 8f69e9841 ("bugfix:
firecfg: check full filename in check_profile() (#6674)", 2025-03-04)
[1]:
> This is a scheduled Ubuntu 20.04 brownout. Ubuntu 20.04 LTS runner
> will be removed on 2025-04-01. For more details, see
> https://github.com/actions/runner-images/issues/11101
The target depends on the cppcheck version from Ubuntu 20.04 in order to
work properly and this distribution will become EOL next month (April
2025), so just remove the target.
Added on commit 53f0b3950 ("CI: keep old cppcheck job and ignore two
files in new job that take too long to check", 2022-07-26).
[1] https://github.com/netblue30/firejail/actions/runs/13658953453/job/38185280665
To make it consistent with the standard GNU make targets.
From the manual of GNU Make (version 4.4.1-2):
> 'installcheck'
> Perform installation tests (if any). The user must build and
> install the program before running the tests. You should not
> assume that '$(bindir)' is in the search path.
Commands used to search and replace:
$ git grep -Ilz print-version |
xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
's/print-version/installcheck/g' '{}')\" >'{}'"
$ git grep -Ilz 'print version' .github/workflows |
xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed \
's/print version/make installcheck/g' '{}')\" >'{}'"
Added on commit c9531d95e ("build: add print-version target and use in
CI", 2024-02-22) / #6230.
Changes:
* Remove / after `$(DESTDIR)`
* Remove useless -c
* Use 0755 instead of 755
* Use -d after -m
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
The command below already installs it.
Added on commit 926790411 ("add basic Firejail support to AppArmor base
abstraction (#3226)", 2021-10-21) / PR #4628.
And remove the extraneous semicolon at the end of the command string.
See also commit dae3933bc ("rework make realinstall and uninstall
(#3435)", 2020-06-04).
Tools:
* gzip
* install
* rm
* strip
* tar
For the programs not checked in configure.ac:
From the manual of GNU Autoconf (version 2.71):
> If you use `AC_PROG_INSTALL`, you must include `install-sh` in your
> distribution
So set `install` just in the Makefile. Use `$(RM)` to ensure that `-f`
is always used and to make it easier to spot when `-r` is used.
See commit 93d623fdf ("build: allow overriding certain tools",
2024-02-23) / PR #6222.
Cleaning does not appear to make a difference; the same amount of files
is checked with/without cleaning.
Environment: cppcheck 2.12.0-3 on Artix Linux.
Added on commit 4e22add64 ("llvm scan", 2015-11-29).
This is a follow-up to #6222.
Leave just the "install" and "install-strip" targets.
See commit 099925e18 ("added install-strip, make install now without
strip.", 2015-09-10) / PR #60 and commit 0215cbc02 ("make install, make
install-strip", 2015-09-11).
Changes:
* Use the same command from the cppcheck CI job in the cppcheck target
* Add cppcheck-old target based on the cppcheck_old CI job
* Call the make targets in CI to avoid duplicating the commands
Allow overriding the following tools at configure-time and build-time:
* codespell
* cppcheck
* gawk
* scan-build
For example, instead of hardcoding `gawk`, enable overriding it at
configure-time with:
./configure GAWK=/path/to/gawk
To override it for a single `make` invocation:
make GAWK=/path/to/gawk
Also, add default values for the programs that are not found (rather
than leaving the variables empty), to make error messages clearer when
trying to run them:
$ make CPPCHECK= cppcheck-old
[...]
force --error-exitcode=1 --enable=warning,performance .
make: force: No such file or directory
$ make CPPCHECK=cppcheck cppcheck-old
[...]
cppcheck --force --error-exitcode=1 --enable=warning,performance .
make: cppcheck: No such file or directory
In the `debian_ci` job in .gitlab-ci.yml, dpkg-deb calls `make
distclean` before calling ./configure, which makes `make clean` fail due
to certain variables not being declared:
dpkg-source -i -I --before-build .
[...]
dh_auto_clean
make -j2 distclean
make[1]: Entering directory '/builds/kmk3/firejail_ci'
error: run ./configure to generate config.mk
[...]
rm -f contrib/syntax/files/example [...]
rm -fr - -.tar.xz
rm: invalid option -- '.'
Try 'rm --help' for more information.
make[1]: *** [Makefile:175: clean] Error 1
This amends commit 8a783cdc2 ("build: use TARNAME and remove more paths
on clean", 2023-07-29) / PR #6186.
That is, replace `paths-ignore` with `paths`.
This should reduce the number of unnecessary workflow executions and the
frequency at which paths are changed. It also reduces the overall
number of paths used.
Also, add the missing ci/printenv.sh to the path whitelists.
Escape `.` only when generating the syntax files rather than directly in
the syntax lists, so that the latter contain the command names as is.
This also makes the escaping apply to the arg1 syntax list as well.
Note: Double escaping (`\\\\.`) is used in `regex_fromlf` because its
output is used in another sed replacement (where it needs to be `\\.`).
Relates to #5627.
Ignore only third-party/vendored files (such as license files and files
in m4/).
And ignore more words to fix the following errors:
$ make codespell
Running codespell...
./README:484: als ==> also
./README:646: Shotcut ==> Shortcut
./RELNOTES:516: als ==> also
./etc/inc/disable-common.inc:506: chage ==> change, charge
./etc/apparmor/firejail-default:35: readby ==> read, read by
./etc/apparmor/firejail-default:36: readby ==> read, read by
./etc/profile-a-l/als.profile:1: als ==> also
./etc/profile-a-l/als.profile:5: als ==> also
make: *** [Makefile:374: codespell] Error 65
$ codespell --version
2.2.5
It works just fine without it (at least for the files in src/).
Note that by default codespell does not warn about binary files ("The
default mask is 34"):
$ make -j "$(nproc)" >/dev/null
$ make codespell
codespell --ignore-regex "UE|creat|doas|ether|isplay|shotcut" src test
$ codespell --version
2.2.5
$ codespell --help
[...]
-q QUIET_LEVEL, --quiet-level QUIET_LEVEL
bitmask that allows suppressing messages:
- 0: print all messages.
- 1: disable warnings about wrong encoding.
- 2: disable warnings about binary files.
- 4: omit warnings about automatic fixes that were
disabled in the dictionary.
- 8: don't print anything for non-automatic fixes.
- 16: don't print the list of fixed files.
- 32: don't print configuration files.
As usual with bitmasks, these levels can be combined;
e.g. use 3 for levels 1+2, 7 for 1+2+4, 23 for
1+2+4+16, etc. The default mask is 34.
Also, note that adding many ignore patterns (such as all of the ones in
.gitignore) makes it slower than letting codespell find and skip binary
files by itself. So just add the most common ones, which do not
noticeably change how fast codespell runs either but they do reduce the
noise when running with `-q 0`.
Homepage: https://github.com/codespell-project/codespell
Added on commit d78fc96ee ("codespell github action", 2023-03-05).
Make the non-phony targets that are defined in the root Makefile depend
on it, to ensure that they get re-generated if their recipes change.
Note that these targets are generated nearly instantly, so this should
not noticeably affect rebuild times.
Relates to #5627.
The clean target is currently enough to remove all generated files other
than the ones directly in the root directory, so to simplify the dist
target, make it depend on clean instead of distclean.
See commit 5f2785290 ("build: remove unnecessary distclean targets",
2023-07-15) / PR #5911.
Relates to #5142#5182.
