foospidy / GrepBugs

A regex based source code scanner.
GNU General Public License v2.0

format string attack false positive? #7

Open geeknik opened 8 years ago

geeknik commented 8 years ago

Why would GrepBugs flag this as "Susceptible to format string attacks."?

fprintf(stderr, "Other helper already running, refusing to start.\n");

Is it just triggering on the fprintf or something else?

foospidy commented 8 years ago

The rule is defined here: https://grepbugs.com/grep/94 so it looks like it is triggered just based on fprintf. This will of course be noisy. If you have any suggestions that could make the rule better, description or regex, that would be awesome.

geeknik commented 8 years ago

I'll work on that and get back to you. I'll leave this open in the meantime if that is ok.

veggiespam commented 8 years ago

The regex is basic, just a printf trigger. Maybe this is acceptable: printf(, then double quote, [^"%]-star (no double quote or percent), double quote, paren. Anything else would be bad. Any var-arg could be attacked, so no commas, only one argument.

printf(variable_name) could be problematic if there is a % in the string. Or worse, if the variable is a var_arg variable type. Thus, I would argue static string only.
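The rule veggiespam sketches above ("static string only": a printf-family call is fine when its format argument is a single string literal, and suspicious otherwise) can be checked with slightly more than a single regex, because the format argument is not always the first one and literals may contain commas. The scanner below is an added example written for this thread; it is not GrepBugs code and not the rule at https://grepbugs.com/grep/94. The FORMAT_ARG_INDEX table and the SAMPLE_LINES are constructed for the example, and the SAMPLE_LINES include the reporter's fprintf line so the false positive from the issue can be seen to disappear.

```python
import re

# Zero-based position of the format-string argument for each function in the
# printf family. This table is part of the example, not a GrepBugs rule.
FORMAT_ARG_INDEX = {
    "printf": 0, "vprintf": 0,
    "fprintf": 1, "vfprintf": 1, "dprintf": 1,
    "sprintf": 1, "vsprintf": 1,
    "snprintf": 2, "vsnprintf": 2,
    "syslog": 1,
}

# Match only the bare function names followed by "(" so that wrappers such as
# my_printf_wrapper(...) are not picked up.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, FORMAT_ARG_INDEX)) + r")\s*\(")

# A format argument is considered safe when it consists solely of one or more
# adjacent string literals (C concatenates "abc" "def" at compile time).
STRING_LITERAL_RE = re.compile(r'^(?:"(?:[^"\\]|\\.)*"\s*)+$')


def split_args(text):
    """Split a C argument list at top-level commas, honouring string literals
    (including escaped quotes) and nested parentheses/brackets. Stops at the
    closing parenthesis of the call and returns the argument source strings."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(text):  # keep escape and escaped char together
                i += 1
                cur.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch in "([":
            depth += 1
            cur.append(ch)
        elif ch in ")]":
            if depth == 0:
                break  # closing paren of the call itself
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail or args:
        args.append(tail)
    return args


def is_safe_format(arg):
    """True when the format argument is a static string literal."""
    return bool(STRING_LITERAL_RE.match(arg))


def scan_line(line):
    """Return (function, format_arg) pairs for every printf-family call on the
    line whose format argument is not a static string literal."""
    findings = []
    for m in CALL_RE.finditer(line):
        func = m.group(1)
        args = split_args(line[m.end():])
        idx = FORMAT_ARG_INDEX[func]
        if idx >= len(args):
            continue  # call continues on another line; out of scope for a line scanner
        if not is_safe_format(args[idx]):
            findings.append((func, args[idx]))
    return findings


def scan(lines):
    """Scan an iterable of source lines; returns (lineno, function, format_arg)."""
    return [(n, f, a) for n, line in enumerate(lines, 1) for f, a in scan_line(line)]


# Constructed sample input (not from any real code base). Line 1 is the
# reporter's line from this issue; only lines 3, 4 and 5 should be flagged.
SAMPLE_LINES = [
    'fprintf(stderr, "Other helper already running, refusing to start.\\n");',
    'printf("%s\\n", name);',
    "printf(buf);",
    "fprintf(stderr, msg);",
    "snprintf(out, sizeof out, fmt, a, b);",
    'syslog(LOG_INFO, "%d connections", n);',
    "my_printf_wrapper(buf);",
]

if __name__ == "__main__":
    for lineno, func, fmt in scan(SAMPLE_LINES):
        print(f"line {lineno}: {func}() called with non-literal format argument: {fmt}")
```

Because the check is "is the format argument a literal?" rather than "does the line contain printf?", a literal that legitimately contains % (line 2) is not flagged, while printf(buf), fprintf(stderr, msg) and snprintf(..., fmt, ...) are. The line-at-a-time design matches how a grep-style scanner works; a call whose arguments continue on the next line is skipped rather than guessed at.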