
chore(deps): bump david-a-wheeler/flawfinder from 2.0.19 to 2.0.20#93

Merged
mori0091 merged 1 commit into
mainfrom
dependabot/github_actions/david-a-wheeler/flawfinder-2.0.20
May 18, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 18, 2026

Bumps david-a-wheeler/flawfinder from 2.0.19 to 2.0.20.

Changelog

Sourced from david-a-wheeler/flawfinder's changelog.

2026-05-16 David A. Wheeler

  • Version 2.0.20 Fix unlikely vulnerabilities (involving malicious filenames/text in analyzed systems) and implement various improvements
  • Fix security vulnerabilities found by Gemini:
    • Terminal injection in standard output: apply strip_controls() to level and category in show().
    • Terminal injection in CSV output: apply strip_controls() to all untrusted fields in show_csv() (category, name, warning, suggestion, note, context_text).
    • XML injection in SonarQube output: use quoteattr() for all XML attributes in output_sonar().
    • Defense-in-depth: restrict setattr in Hit.init to an allowlist of known keys used by rule definitions, countering pickle attacks. We previously warned to not load untrusted pickle files, but completely preventing attacks is better.
    • Shell injection in CI/CD file entrypoint.sh: quoted args with "$@" and moved output filename to FLAWFINDER_OUTPUT env var in action.yml.
  • Fix terminal injection vulnerability via crafted filenames. A malicious file whose name contained ANSI escape sequences (e.g. ESC[2K CR ESC[32m[OK]...) could cause flawfinder's terminal output to be overwritten, e.g., so it falsely appeared that no security issues were found. Filenames containing control characters are now rejected with a warning. As defense in depth, h() and show_csv() also strip control characters from filenames before output. Reported by Dan Lenz (thank you!!).
  • Reject malicious pickles on hitlist load. Hitlists (--loadhitlist, --diffhitlist) are now loaded via SafeUnpickler, a restricted unpickler that only allows the specific classes and hook functions that appear in legitimate hitlists. Arbitrary code execution from a crafted hitlist file is blocked. A @hook decorator registers each hook function, and a startup check ensures the allowlist stays in sync with the ruleset automatically.
  • Fix false positive: strlen() on a string literal (e.g., strlen("foo"), strlen(L"wide"), strlen(u8"utf8")) is always safe because string literals are guaranteed null-terminated. No warning is now issued in this case. Fixes https://sourceforge.net/p/flawfinder/bugs/24/
  • Fix false positive: equal(), mismatch(), and is_permutation() used as identifiers (e.g. enum members) rather than function calls no longer produce spurious warnings. Fixes https://sourceforge.net/p/flawfinder/bugs/28/
  • Fix false positive: std::ranges::equal(), std::ranges::mismatch(), and std::ranges::is_permutation() (C++20) check both range lengths automatically and are not vulnerable to over-read; they are no longer flagged. Fixes https://sourceforge.net/p/flawfinder/bugs/29/
  • Fix typos in comments (preceeding, posible, theses, levle).

... (truncated)

Commits
  • c4216b7 Merge pull request #102 from david-a-wheeler/improvements2
  • 3859d11 ChangeLog: note swprintf fix
  • ebb222f Fix swprintf/vswprintf format-string position (#43)
  • 40294b6 ChangeLog: note attribute false positive fix
  • 8ebc4e3 Fix false positive: skip contents of attribute((...)) (#27)
  • d8af6d2 ChangeLog: Expand
  • 5959132 Strip leading ./ from SARIF artifact URIs for uriBaseId portability
  • 1acb3df Merge pull request #101 from david-a-wheeler/improvements
  • 0dc6deb Fix pylint complaint
  • a840bc3 Add --exclude PATTERN option to skip files/dirs by glob (#89, #65)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
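Two of the fixes in the quoted changelog (control characters in scanned filenames driving the terminal, and a crafted hitlist pickle executing code on load) are easy to misjudge without seeing the failure mode. The block below is an added example written for this page; it is not flawfinder's code and not part of the Dependabot PR. The names strip_controls and SafeUnpickler are taken from the changelog, but every function body, the Hit record type, the ALLOWED_GLOBALS set, the EVIL_NAME filename and the _Exploit payload are this example's own assumptions.

```python
"""Added example (not flawfinder's own code): a control-character filter for
scanner output and a restricted unpickler for saved hitlists, modelled on the
2.0.20 changelog. All names and bodies below are assumptions for illustration."""
import io
import os
import pickle
import re

# C0 controls (ESC 0x1b and CR 0x0d among them) plus DEL. Any one of these in
# a filename is enough to drive the terminal, so the whole class is hostile.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def strip_controls(text: str) -> str:
    """Drop control characters. With ESC gone, ESC[2K degrades to the inert
    text "[2K": visible evidence of tampering rather than a terminal command."""
    return _CONTROL_RE.sub("", text)


def accept_filename(name: str):
    """Primary defense: refuse to scan a file whose name carries controls.
    Returns (accepted, warning) so the caller can log it and keep going."""
    if _CONTROL_RE.search(name):
        return False, f"Warning: skipping file with control characters in name: {strip_controls(name)!r}"
    return True, None


def render_hit(filename: str, line: int, level: int, category: str, warning: str) -> str:
    """Defense in depth for the report line: sanitize every untrusted field,
    not only the filename, since category/warning text can also originate in
    the scanned tree (e.g. from rule text or a context line)."""
    return (f"{strip_controls(filename)}:{line}:  [{level}] "
            f"({strip_controls(category)}) {strip_controls(warning)}")


# Constructed attacker filename: erase the current line, return to column 0,
# print a green "[OK]" so a person reading the terminal believes the scan
# was clean. None of it survives strip_controls.
EVIL_NAME = "src/ok.c\x1b[2K\r\x1b[32m[OK] no security issues found\x1b[0m"


class Hit:
    """Stand-in for the one record type a legitimate hitlist contains."""

    def __init__(self, filename: str, line: int, level: int):
        self.filename, self.line, self.level = filename, line, level


# Every global a legitimate hitlist may reference, as (module, qualname).
# A real tool would register its hook functions here as well.
ALLOWED_GLOBALS = {(Hit.__module__, Hit.__qualname__)}


class SafeUnpickler(pickle.Unpickler):
    """pickle resolves every callable it is about to invoke through
    find_class, so refusing anything off the allowlist stops exec/os.system
    gadgets before the REDUCE opcode can call them."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")
        return super().find_class(module, name)


def load_hitlist(data: bytes):
    return SafeUnpickler(io.BytesIO(data)).load()


def make_legit_hitlist() -> bytes:
    return pickle.dumps([Hit("src/a.c", 12, 4), Hit("src/b.c", 7, 2)])


class _Exploit:
    """Constructed malicious hitlist entry: on load, pickle calls builtins.exec
    with attacker-chosen source. The payload only sets an environment variable
    so the effect is observable without spawning a shell."""

    def __reduce__(self):
        return (exec, ("__import__('os').environ.__setitem__('HITLIST_DEMO_PWNED', '1')",))


def make_evil_hitlist() -> bytes:
    return pickle.dumps([_Exploit()])


def unsafe_load_runs_payload() -> bool:
    """Reference point: the stock unpickler executes the gadget."""
    os.environ.pop("HITLIST_DEMO_PWNED", None)
    pickle.loads(make_evil_hitlist())
    return os.environ.get("HITLIST_DEMO_PWNED") == "1"


def safe_load_blocks_payload() -> bool:
    """SafeUnpickler raises before exec is ever resolved, so nothing runs."""
    os.environ.pop("HITLIST_DEMO_PWNED", None)
    try:
        load_hitlist(make_evil_hitlist())
    except pickle.UnpicklingError:
        return "HITLIST_DEMO_PWNED" not in os.environ
    return False


if __name__ == "__main__":
    print(accept_filename(EVIL_NAME))
    print(render_hit(EVIL_NAME, 3, 4, "buffer", "strcpy\x1b[0m does not check bounds"))
    print([h.filename for h in load_hitlist(make_legit_hitlist())])
    print("stock pickle executed payload:", unsafe_load_runs_payload())
    print("SafeUnpickler blocked payload:", safe_load_blocks_payload())
```

The allowlist is keyed on (module, name) rather than on a base class because pickle only hands find_class those two strings; a check such as issubclass(cls, Hit) would run after the attacker-chosen global has already been imported. Rejecting the filename up front, and stripping controls from every field at output time regardless, mirrors the primary-plus-defense-in-depth split the changelog describes.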

Bumps [david-a-wheeler/flawfinder](https://github.com/david-a-wheeler/flawfinder) from 2.0.19 to 2.0.20.
- [Release notes](https://github.com/david-a-wheeler/flawfinder/releases)
- [Changelog](https://github.com/david-a-wheeler/flawfinder/blob/master/ChangeLog)
- [Commits](david-a-wheeler/flawfinder@c57197c...c4216b7)

---
updated-dependencies:
- dependency-name: david-a-wheeler/flawfinder
  dependency-version: 2.0.20
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) May 18, 2026
@mori0091 mori0091 merged commit 3106ee1 into main May 18, 2026
7 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/david-a-wheeler/flawfinder-2.0.20 branch May 18, 2026 12:53