CI: `make check-static` fails on a clean v3/master after Homebrew cppcheck 2.20 → 2.21 (unpinned)

[chweidling]

Summary

make check-static (the cppcheck CI job) fails on a clean, unmodified v3/master checkout. No source change is involved: Homebrew updated cppcheck 2.20.0 → 2.21.0, and 2.21 reports additional style/warning findings on existing code. The target runs cppcheck with --error-exitcode=1, so any finding fails the job. Because the job installs cppcheck unpinned, the result is non-deterministic across runs.

Happy to open a small PR to pin the cppcheck version if that's useful.

Reproduction (pristine checkout, no patch)

git clone --branch v3/master https://github.com/owasp-modsecurity/ModSecurity.git
cd ModSecurity
git submodule update --init others/libinjection
git submodule update --init --recursive others/mbedtls
sh build.sh && ./configure        # any flags
make check-static                 # cppcheck 2.20.0 -> passes ;  cppcheck 2.21.0 -> fails

Verified on a fresh clone (HEAD 2fd4929, 0 local modifications):

cppcheck	make check-static
2.20.0	0 findings, exit 0 ✅
2.21.0	31 findings, exit 2 ❌

This matches CI: the v3/master run on 2026-06-08 used cppcheck 2.20.0 and passed; runs on 2026-06-10 used 2.21.0 and fail.

• Passing run (2.20.0): https://github.com/owasp-modsecurity/ModSecurity/actions/runs/27149772899/job/80137373386
• Failing run (2.21.0): https://github.com/owasp-modsecurity/ModSecurity/actions/runs/27267337259/job/80574671957

Findings newly reported by 2.21.0 (all pre-existing code)

uninitMemberVarNoCtor (warning):

• src/request_body_processor/xml.h:72
• src/utils/shared_files.h:58,62
• test/common/modsecurity_test_results.h:28
• test/regression/regression_test.h:45,46,63,64,78
• test/unit/unit_test.h:30,48,49,50,51

funcArgNamesDifferentUnnamed (style):

• src/modsecurity.cc:394, src/request_body_processor/xml.cc:40, src/transaction.cc:197
• test/common/modsecurity_test.cc:136, test/regression/regression_test.cc:106,272, test/unit/unit_test.cc:109

shadowVariable (style):

• examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h:99-104

Root cause

The cppcheck job installs cppcheck unpinned (brew install cppcheck), so the analyzer version — and therefore the set of enabled checks — drifts over time, making make check-static non-deterministic.

Suggested direction

Pinning the cppcheck version in CI would restore deterministic results. The newly-surfaced findings can then be handled (fixed, or added to test/cppcheck_suppressions.txt) on their own.

Environment

• ModSecurity: v3/master @ 2fd4929
• cppcheck 2.21.0 (Homebrew bottle cppcheck--2.21.0); reproduced locally with cppcheck 2.21.0 built from source
• CI runner: GitHub Actions macOS; make check-static → cppcheck … --error-exitcode=1

[airween]

Hi @chweidling,

thanks for this report - I'll take a look at this soon and will fix the warnings. Then you can pick up the changes for #3573.

[airween]

Uhm, I have to wait for a while... I work on a Debian SID system (for developing), but it still has 2.20, which probably is not able to find these new issues. Usually Debian uploads the newest releases after a very few days...

[chweidling]

Hi @airween,

thanks for picking this up.

I was reproducing the problem, i.e. comparing the behavior of cppcheck 2.20 and 2.21, with a Docker container. l create a Docker image that bakes a chosen cppcheck version and runs the check-static cppcheck invocation (parallelized with -j) over a mounted ModSecurity checkout.

Here are the details: I take the following Dockerfile cppcheck.Dockerfile:

FROM debian:sid
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential cmake git ca-certificates \
 && apt-get clean && rm -rf /var/lib/apt/lists/*
ARG CPPCHECK_VERSION=2.21.0
RUN git clone --branch "${CPPCHECK_VERSION}" --depth 1 https://github.com/danmar/cppcheck.git /cc \
 && cmake -S /cc -B /ccb -DCMAKE_BUILD_TYPE=Release -DFILESDIR=/usr/local/share/cppcheck \
 && cmake --build /ccb -j"$(nproc)" \
 && cmake --install /ccb \
 && rm -rf /cc /ccb

# Runs the check-static cppcheck flags. -j is capped at 4 so --force does not
# OOM on many-core hosts; --quiet drops progress so only the collected findings
# are printed, followed by the count and the (propagated) exit code.
COPY <<'EOF' /usr/local/bin/run-cppcheck
#!/bin/sh
cppcheck --version
echo "Running cppcheck over the tree (this takes a few minutes) ..."
out=$(mktemp)
cppcheck --quiet --force -j4 --error-exitcode=1 --std=c++17 --inconclusive \
  --enable=warning,style,performance,portability,missingInclude \
  --suppressions-list=./test/cppcheck_suppressions.txt --inline-suppr \
  -D MS_CPPCHECK_DISABLED_FOR_PARSER -U YYSTYPE -U MBEDTLS_MD5_ALT -U MBEDTLS_SHA1_ALT -U YY_USER_INIT \
  -I headers -I . -I others -I src -I others/mbedtls/include \
  -I others/mbedtls/tf-psa-crypto/include -I others/mbedtls/tf-psa-crypto/drivers/builtin/include \
  -i src/parser/seclang-parser.cc -i src/parser/seclang-scanner.cc -i others \
  --template='warning: {file},{line},{severity},{id},{message}' . 2>"$out"
rc=$?
echo
echo "===== cppcheck findings: $(grep -c '^warning:' "$out") ====="
cat "$out"
echo "===== cppcheck exit code: $rc ====="
exit $rc
EOF
RUN chmod +x /usr/local/bin/run-cppcheck
WORKDIR /src
ENTRYPOINT ["/usr/local/bin/run-cppcheck"]

I build an image for each version (once):

docker build -t modsec-cppcheck:2.20.0 --build-arg CPPCHECK_VERSION=2.20.0 -f cppcheck.Dockerfile .
docker build -t modsec-cppcheck:2.21.0 --build-arg CPPCHECK_VERSION=2.21.0 -f cppcheck.Dockerfile .

Then I run each against your checkout and compare (read-only mount, so the source tree is untouched):

docker run --rm -v "$PWD":/src:ro modsec-cppcheck:2.20.0   # -> 0 findings, exit 0
docker run --rm -v "$PWD":/src:ro modsec-cppcheck:2.21.0   # -> 31 findings, exit 1

I run it at a ModSecurity checkout where ./configure has already run and the submodules are initialized (so the include paths and src/config.h exist).