std::istream::read() reports security issue, false alert?

[oneiric]

Hi Expert,

I noticed that flawfinder will report security issue when using modern C++ std::istream::read().
https://en.cppreference.com/w/cpp/io/basic_istream/read

OpenAPITools/openapi-generator#10349

The check rule in Flawfinder is as below:

https://github.com/david-a-wheeler/flawfinder/blob/d9ddc06b7efea4c626205e5d39157255d112bfe4/flawfinder.py#L1282~L1287

    # fread not included here; in practice I think it's rare to mistake it.
    "getchar|fgetc|getc|read|_gettc":
    (normal, 1,
     "Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20)",
     "",
     "buffer", "dangers-c", {'input': 1}, "FF1029"),

Is this a false alert when using modern C++ std::istream::read() function?
If no, how to fix this issue?
https://github.com/OpenAPITools/openapi-generator/blob/master/samples/client/petstore/cpp-restsdk/client/ModelBase.cpp#L519

Regards,
Alex

[oneiric]

By the way, the read() API is not in the latest microsoft banned functions.

https://github.com/x509cert/banned/blob/master/banned.h

[oneiric]

@david-a-wheeler

[david-a-wheeler]

For your specific challenge, just use a flawfinder: ignore comment.

The problem is that flawfinder doesn't understand C++ namespace references. It's completely possible to add that functionality. Patches welcome.

[oneiric]

Thanks for the suggestions, David.