Updating/removing clang-tidy-vs from clang-tools-extra because of CVE-2018-1000210


The clang-tidy-vs visual studio plugin in clang-tools-extra contains a security vulnerability in the YamlDotNet package [1]. GitHub flags the code in clang-tools-extra as a high priority security vulnerability. If you’re an admin of a custom fork of the llvm-project monorepo on GitHub, you get a banner every time you open the GitHub webpage for the repo, and an additional weekly email about this high priority vulnerability.

I’ve emailed Zachary, who originally added the plugin, about this issue, and also filed a bug report on llvm.org [2]. From what I gathered so far, I don’t think Zachary works on llvm-project anymore; would there be anyone else who’d be interested in updating the plugin to address the vulnerability? If not, would it be reasonable to remove this plugin from llvm-project entirely?


I reached out to Zach and he said Clang Power Tools (https://marketplace.visualstudio.com/items?itemName=caphyon.ClangPowerTools) does everything clang-tidy-vs does, so we should go ahead and remove clang-tidy-vs.

Great, thanks for reaching out to Zach! I posted a patch that removes the plugin, and suggests Clang Power Tools in the release notes instead: https://reviews.llvm.org/D66813.