CWE-1056

Invocable Control Element with Variadic Parameters. [Complexity-Issues, Improper-Adherence-To-Coding-Standards]

Required inputs: IR

A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.

This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability.

With variadic arguments, it can be difficult or inefficient for manual analysis to be certain of which function/method is being invoked.

Excerpts from CWE [https://cwe.mitre.org], Copyright (C) 2006-2026, the MITRE Corporation. See section 9.4. "3rd-Party Licenses" in the documentation for full details.

Possible Messages

Key	Text	Severity	Disabled
ellipsis_parameter	Function must not have variable number of arguments.	None	False

Options

• This rule shares the following common options: exclude_in_macros, exclude_messages_in_system_headers, excludes, extend_exclude_to_macro_invocations, includes, justification_checker, languages, post_processing, provider, report_at, severity

• The following places define options that affect this rule: Stylechecks, Analysis-GlobalOptions

ignore_declarations

ignore_declarations : bool = True

Allow declarations of functions with variable number of arguments (e.g. for existing library functions); only report definitions.

 

ignore_inherited

ignore_inherited : bool = False

Do not report functions inheriting a variable number of arguments.