Fix many, but not all, clang-tidy complaints (#339)

.clang-tidy

@@ -1,7 +1,7 @@
 ---
 # readability-function-cognitive-complexity temporarily disabled until clang-tidy is fixed
 # right now emalloc causes it to misbehave
-Checks:          '*,misc-const-correctness,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-cppcoreguidelines-owning-memory,-cert-err58-cpp,-fuchsia-statically-constructed-objects,-google-build-using-namespace,-hicpp-avoid-goto,-cppcoreguidelines-avoid-goto,-hicpp-no-array-decay,-cppcoreguidelines-pro-bounds-array-to-pointer-decay,-cppcoreguidelines-pro-bounds-constant-array-index,-cppcoreguidelines-avoid-magic-numbers,-readability-magic-numbers,-abseil-string-find-str-contains,-bugprone-unchecked-optional-access,-readability-use-anyofallof'
+Checks:          '*,misc-const-correctness,-bugprone-reserved-identifier,-hicpp-signed-bitwise,-llvmlibc-restrict-system-libc-headers,-altera-unroll-loops,-hicpp-named-parameter,-cert-dcl37-c,-cert-dcl51-cpp,-read,-cppcoreguidelines-init-variables,-cppcoreguidelines-avoid-non-const-global-variables,-altera-id-dependent-backward-branch,-performance-no-int-to-ptr,-altera-struct-pack-align,-google-readability-casting,-modernize-use-trailing-return-type,-llvmlibc-implementation-in-namespace,-llvmlibc-callee-namespace,-cppcoreguidelines-pro-bounds-pointer-arithmetic,-fuchsia-default-arguments-declarations,-fuchsia-overloaded-operator,-cppcoreguidelines-pro-type-union-access,-fuchsia-default-arguments-calls,-cppcoreguidelines-non-private-member-variables-in-classes,-misc-non-private-member-variables-in-classes,-google-readability-todo,-llvm-header-guard,-readability-function-cognitive-complexity,-readability-identifier-length,-cppcoreguidelines-owning-memory,-cert-err58-cpp,-fuchsia-statically-constructed-objects,-google-build-using-namespace,-hicpp-avoid-goto,-cppcoreguidelines-avoid-goto,-hicpp-no-array-decay,-cppcoreguidelines-pro-bounds-array-to-pointer-decay,-cppcoreguidelines-pro-bounds-constant-array-index,-cppcoreguidelines-avoid-magic-numbers,-readability-magic-numbers,-abseil-string-find-str-contains,-bugprone-unchecked-optional-access,-readability-use-anyofallof,-cppcoreguidelines-avoid-c-arrays,-hicpp-avoid-c-arrays,-cppcoreguidelines-no-malloc'
 WarningsAsErrors: '*'
 HeaderFilterRegex: ''
 CheckOptions:

.github/workflows/test.yml

@@ -249,7 +249,7 @@ jobs:
         working-directory: Debug
 
       - name: Tidy
-        run: make tidy || true
+        run: make tidy
         working-directory: Debug
 
   tools:

src/action_mapper.cpp

@@ -4,10 +4,16 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
 
+#include <functional>
+#include <map>
+#include <memory>
 #include <stdexcept>
+#include <string>
+#include <string_view>
+#include <unordered_map>
+#include <utility>
 
 #include "action_mapper.hpp"
-#include "uuid.hpp"
 
 namespace ddwaf {
 action_type action_type_from_string(std::string_view type)

src/builder/processor_builder.cpp

@@ -4,11 +4,17 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
 
-#include <concepts>
+#include <memory>
+#include <set>
+#include <vector>
 
 #include "builder/processor_builder.hpp"
+#include "indexer.hpp"
+#include "parser/specification.hpp"
+#include "processor/base.hpp"
 #include "processor/extract_schema.hpp"
 #include "processor/fingerprint.hpp"
+#include "scanner.hpp"
 
 namespace ddwaf {
 

src/clock.cpp

@@ -4,17 +4,19 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
 
-#include "clock.hpp"
+#include <atomic>
+#include <cerrno>
+#include <chrono>
 
 #ifdef __linux__
 
-#  include <system_error>
-
 // NOLINTNEXTLINE(cppcoreguidelines-macro-usage)
 #  define _GNU_SOURCE 1
 #  include <ctime>
 #  include <dlfcn.h>
-#  include <log.hpp>
+
+#  include "clock.hpp"
+#  include "log.hpp"
 
 namespace ddwaf {
 namespace {
@@ -25,15 +27,17 @@ constexpr const char *VDSO_CLOCK_GETTIME = "__vdso_clock_gettime64";
 #  else
 constexpr const char *VDSO_CLOCK_GETTIME = "__vdso_clock_gettime";
 #  endif
-} // namespace
 
+// NOLINTNEXTLINE(misc-include-cleaner)
 using clock_gettime_t = int (*)(clockid_t, timespec *);
-
-static clock_gettime_t clock_gettime = &::clock_gettime;
+// NOLINTNEXTLINE(misc-include-cleaner)
+clock_gettime_t clock_gettime = &::clock_gettime;
+} // namespace
 
 monotonic_clock::time_point monotonic_clock::now() noexcept
 {
     struct timespec ts {};
+    // NOLINTNEXTLINE(misc-include-cleaner)
     const int ret = ddwaf::clock_gettime(CLOCK_MONOTONIC, &ts);
     if (ret < 0) {
         bool expected = false;
@@ -64,6 +68,7 @@ struct VdsoInitializer {
     ~VdsoInitializer()
     {
         if (handle != nullptr) {
+            // NOLINTNEXTLINE(misc-include-cleaner)
             ddwaf::clock_gettime = &::clock_gettime;
             dlclose(handle);
         }

src/collection.cpp

@@ -3,11 +3,24 @@
 //
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
-
+#include <memory>
+#include <optional>
+#include <string>
+#include <string_view>
+#include <unordered_map>
+#include <utility>
+#include <vector>
+
+#include "clock.hpp"
 #include "collection.hpp"
+#include "context_allocator.hpp"
+#include "event.hpp"
 #include "exception.hpp"
-#include "exclusion/rule_filter.hpp"
+#include "exclusion/common.hpp"
 #include "log.hpp"
+#include "matcher/base.hpp"
+#include "object_store.hpp"
+#include "rule.hpp"
 
 namespace ddwaf {
 

src/condition/lfi_detector.cpp

@@ -3,10 +3,22 @@
 //
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
-
+#include <cstddef>
+#include <optional>
+#include <string>
+#include <string_view>
+#include <utility>
+#include <vector>
+
+#include "argument_retriever.hpp"
+#include "clock.hpp"
+#include "condition/base.hpp"
 #include "condition/lfi_detector.hpp"
+#include "ddwaf.h"
 #include "exception.hpp"
+#include "exclusion/common.hpp"
 #include "iterator.hpp"
+#include "log.hpp"
 #include "platform.hpp"
 #include "utils.hpp"
 
@@ -63,9 +75,9 @@ bool lfi_impl_windows(std::string_view path, std::string_view param)
         return false;
     }
 
-    bool is_absolute = param[0] == '/' || param[0] == '\\' ||
-                       (param.size() >= 3 && (ddwaf::isalpha(param[0]) && param[1] == ':' &&
-                                                 (param[2] == '/' || param[2] == '\\')));
+    const bool is_absolute = param[0] == '/' || param[0] == '\\' ||
+                             (param.size() >= 3 && (ddwaf::isalpha(param[0]) && param[1] == ':' &&
+                                                       (param[2] == '/' || param[2] == '\\')));
     return (is_absolute && param == path) || find_directory_escape(param, "/\\");
 }
 
@@ -100,7 +112,7 @@ lfi_result lfi_impl(std::string_view path, const ddwaf_object &params,
             continue;
         }
 
-        std::string_view value{param.stringValue, static_cast<std::size_t>(param.nbEntries)};
+        const std::string_view value{param.stringValue, static_cast<std::size_t>(param.nbEntries)};
         if (lfi_fn(path, value)) {
             return {{std::string(value), it.get_current_path()}};
         }
@@ -118,7 +130,7 @@ eval_result lfi_detector::eval_impl(const unary_argument<std::string_view> &path
         auto res = lfi_impl(path.value, *param.value, objects_excluded, limits_, deadline);
         if (res.has_value()) {
             std::vector<std::string> path_kp{path.key_path.begin(), path.key_path.end()};
-            bool ephemeral = path.ephemeral || param.ephemeral;
+            const bool ephemeral = path.ephemeral || param.ephemeral;
 
             auto &[highlight, param_kp] = res.value();
 

src/condition/scalar_condition.cpp

@@ -3,11 +3,27 @@
 //
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
-
-#include "scalar_condition.hpp"
+#include <memory>
+#include <optional>
+#include <span>
+#include <string>
+#include <string_view>
+#include <unordered_map>
+#include <utility>
+
+#include "clock.hpp"
+#include "condition/base.hpp"
+#include "ddwaf.h"
 #include "exception.hpp"
+#include "exclusion/common.hpp"
 #include "iterator.hpp"
+#include "log.hpp"
+#include "matcher/base.hpp"
+#include "object_store.hpp"
+#include "scalar_condition.hpp"
+#include "transformer/base.hpp"
 #include "transformer/manager.hpp"
+#include "utils.hpp"
 
 using namespace std::literals;
 

src/condition/shi_detector.cpp

@@ -3,11 +3,23 @@
 //
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
-
-#include "condition/shi_detector.hpp"
+#include <cstddef>
+#include <optional>
+#include <string>
+#include <string_view>
+#include <utility>
+#include <vector>
+
+#include "argument_retriever.hpp"
+#include "clock.hpp"
+#include "condition/base.hpp"
 #include "condition/match_iterator.hpp"
+#include "condition/shi_detector.hpp"
+#include "condition/structured_condition.hpp"
+#include "ddwaf.h"
 #include "exception.hpp"
-#include "iterator.hpp"
+#include "exclusion/common.hpp"
+#include "log.hpp"
 #include "tokenizer/shell.hpp"
 #include "utils.hpp"
 
@@ -86,7 +98,7 @@ eval_result shi_detector::eval_impl(const unary_argument<std::string_view> &reso
         if (res.has_value()) {
             std::vector<std::string> resource_kp{
                 resource.key_path.begin(), resource.key_path.end()};
-            bool ephemeral = resource.ephemeral || param.ephemeral;
+            const bool ephemeral = resource.ephemeral || param.ephemeral;
 
             auto &[highlight, param_kp] = res.value();
 

src/condition/sqli_detector.cpp

@@ -3,18 +3,32 @@
 //
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
-#include "condition/sqli_detector.hpp"
+#include <cstddef>
+#include <limits>
+#include <span>
+#include <stdexcept>
+#include <string>
+#include <string_view>
+#include <utility>
+#include <variant>
+#include <vector>
+
+#include "argument_retriever.hpp"
+#include "clock.hpp"
+#include "condition/base.hpp"
 #include "condition/match_iterator.hpp"
+#include "condition/sqli_detector.hpp"
+#include "ddwaf.h"
 #include "exception.hpp"
-#include "iterator.hpp"
+#include "exclusion/common.hpp"
+#include "log.hpp"
 #include "tokenizer/generic_sql.hpp"
 #include "tokenizer/mysql.hpp"
 #include "tokenizer/pgsql.hpp"
+#include "tokenizer/sql_base.hpp"
 #include "tokenizer/sqlite.hpp"
 #include "utils.hpp"
 
-#include <variant>
-
 using namespace std::literals;
 
 namespace ddwaf {
@@ -356,8 +370,8 @@ bool is_benign_order_by_clause(const std::vector<sql_token> &resource_tokens,
         return false;
     }
 
-    std::string_view order = resource_tokens[param_tokens_begin - 2].str;
-    std::string_view by = resource_tokens[param_tokens_begin - 1].str;
+    const std::string_view order = resource_tokens[param_tokens_begin - 2].str;
+    const std::string_view by = resource_tokens[param_tokens_begin - 1].str;
 
     if (!string_iequals_literal(order, "order") || !string_iequals_literal(by, "by")) {
         return false;
@@ -508,7 +522,7 @@ sqli_result sqli_impl(std::string_view resource, std::vector<sql_token> &resourc
             sql.value, resource_tokens, *param.value, dialect, objects_excluded, limits_, deadline);
         if (std::holds_alternative<internal::matched_param>(res)) {
             std::vector<std::string> sql_kp{sql.key_path.begin(), sql.key_path.end()};
-            bool ephemeral = sql.ephemeral || param.ephemeral;
+            const bool ephemeral = sql.ephemeral || param.ephemeral;
 
             auto stripped_stmt = internal::strip_literals(sql.value, resource_tokens);
 

src/condition/ssrf_detector.cpp

@@ -3,11 +3,27 @@
 //
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2021 Datadog, Inc.
-
-#include "condition/ssrf_detector.hpp"
+#include <array>
+#include <cstddef>
+#include <memory>
+#include <optional>
+#include <string>
+#include <string_view>
+#include <unordered_set>
+#include <utility>
+#include <vector>
+
+#include "argument_retriever.hpp"
+#include "clock.hpp"
+#include "condition/base.hpp"
 #include "condition/match_iterator.hpp"
+#include "condition/ssrf_detector.hpp"
+#include "condition/structured_condition.hpp"
+#include "ddwaf.h"
 #include "exception.hpp"
-#include "iterator.hpp"
+#include "exclusion/common.hpp"
+#include "log.hpp"
+#include "matcher/ip_match.hpp"
 #include "uri_utils.hpp"
 #include "utils.hpp"
 
@@ -183,7 +199,7 @@ ssrf_result ssrf_impl(const uri_decomposed &uri, const ddwaf_object &params,
             //
             //  scheme://userinfo@host:port/path?query#fragment
             //                   <────>
-            bool host_fully_injected =
+            const bool host_fully_injected =
                 param_index <= uri.authority.host_index &&
                 param_index + param.size() >= uri.authority.host_index + uri.authority.host.size();
 
@@ -252,7 +268,7 @@ eval_result ssrf_detector::eval_impl(const unary_argument<std::string_view> &uri
             dangerous_ip_matcher_, authorised_schemes_, deadline);
         if (res.has_value()) {
             std::vector<std::string> uri_kp{uri.key_path.begin(), uri.key_path.end()};
-            bool ephemeral = uri.ephemeral || param.ephemeral;
+            const bool ephemeral = uri.ephemeral || param.ephemeral;
 
             auto &[highlight, param_kp] = res.value();