The API seems to use a lot of naked raw pointers rather than shared_ptr's, lots of sca tools (such as Fortify) will flags these and reject them

[JohnBasrai]

Does anyone have any experience running source code analysis tools on this API. I love the API and I would like to use it my code but I'm concerned about all the raw pointers.

[phlptp]

We run several sanitizers, clang-tidy and cppcheck on every PR. I know I run a few others on other applications the CLI11 is a part of. We are also working through getting a full fuzzing system in place, though that will probably take a while yet.

There are no owning raw pointers in CLI11, all the owning and allocation is done with smart pointers so there is no risk of memory leaks in the application. All the regular pointers that are returned are not part of memory management

If you have reports from some others scanners I would be very interested in seeing them.

[jzakrzewski]

Raw pointers are not evil by themselves - it's a perfectly reasonable way to pass around as long as they are not owning. They are like "views" (think std::string_view, std::span<>, ...).

[JohnBasrai]

I like to use a const pointer (const x*) when I return a raw pointer to communicate to the caller that they do not need to delete it. However, this still doesn't tell them anything about its lifetime. Thanks for looking into this!