1.2.7.6. alpha.security.taint.TaintPropagation (C, C++)
Generate taint information used by other checkers. Data is tainted when it comes from an unreliable source (for example user input read via getchar, scanf or fscanf); the checker then warns when such data reaches a sensitive sink without being sanitized.

Examples:

#include <stdio.h>
#include <stdlib.h>

void test_system_sink() {
  char x = getchar(); // 'x' marked as tainted
  system(&x); // warn: untrusted data is passed to a system call
              // (&x is not a NUL-terminated string; the snippet only shows the sink)
}

// note: compiler internally checks if the second param to
// sprintf is a string literal or not.
// Use -Wno-format-security to suppress compiler warning.
void test_format_string_sink() {
  char s[10], buf[10];
  fscanf(stdin, "%s", s); // 's' marked as tainted

  sprintf(buf, s); // warn: untrusted data as a format string
}

void test_buffer_size_sink() {
  size_t ts;
  scanf("%zu", &ts); // 'ts' marked as tainted
  int *p = (int *)malloc(ts * sizeof(int));
    // warn: untrusted data as buffer size
}
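Hardened counterparts of the three snippets, as an added example that is not part of the Clang documentation: each keeps the untrusted value away from the sink (range-checked before malloc, passed as a %s argument rather than as the format, matched against an allow-list instead of reaching system()). MAX_ELEMS, the allow-list entries and the inline inputs are constructed assumptions; whether a particular analyzer version treats a range check as removing taint is version-specific and not claimed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound an application would choose for its own data; assumed here. */
#define MAX_ELEMS 1024

/* Sink 3 (malloc size): range-check the untrusted count before it reaches
 * malloc, so the multiplication cannot overflow and huge requests are refused. */
int *alloc_ints_checked(size_t untrusted_count) {
  if (untrusted_count == 0 || untrusted_count > MAX_ELEMS)
    return NULL; /* reject out-of-range input */
  return malloc(untrusted_count * sizeof(int));
}

/* Sink 2 (format string): untrusted text is passed as a %s *argument*, never
 * as the format, so specifiers inside it are inert. Returns 0, or -1 if the
 * text (plus NUL) does not fit in buflen bytes. */
int format_checked(char *buf, size_t buflen, const char *untrusted) {
  int n = snprintf(buf, buflen, "%s", untrusted);
  return (n >= 0 && (size_t)n < buflen) ? 0 : -1;
}

/* Sink 1 (system): input never reaches a shell; it only selects an entry of
 * a fixed allow-list (assumed names), returning its index or -1. */
int command_index(const char *untrusted) {
  static const char *const allowed[] = {"status", "reload"};
  for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
    if (strcmp(untrusted, allowed[i]) == 0)
      return (int)i;
  return -1;
}

int main(void) {
  /* Constructed inline input standing in for scanf()/fgets() on stdin. */
  size_t ts = 0;
  char buf[16];
  if (sscanf("4000", "%zu", &ts) != 1) /* 'ts' would be tainted from here on */
    return 1;
  int *p = alloc_ints_checked(ts); /* 4000 > MAX_ELEMS: refused */
  printf("alloc(%zu): %s\n", ts, p ? "ok" : "refused");
  free(p);
  if (format_checked(buf, sizeof buf, "%s%s%n") == 0)
    printf("formatted: %s\n", buf); /* prints the literal text %s%s%n */
  printf("command: %d\n", command_index("reload")); /* 1 */
  return 0;
}
```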