add codeql fixes/suppressions (#664)

openbsd-compat/getopt_long.c

@@ -383,7 +383,7 @@ start:
 		/*
 		 * If we have "-" do nothing, if "--" we are done.
 		 */
-		if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
+		if (place[1] != '\0' && *++place == '-' && place[1] == '\0') { // CodeQL [SM01947]: upstream code; place re-assigned in previous line
 			optind++;
 			place = EMSG;
 			/*

regress/unittests/test_helper/test_helper.c

@@ -159,7 +159,7 @@ main(int argc, char **argv)
 	/* Handle systems without __progname */
 	if (__progname == NULL) {
 		__progname = strrchr(argv[0], '/');
-		if (__progname == NULL || (__progname[0] != '\0' && __progname[1] == '\0')) // fix CodeQL SM01947
+		if (__progname == NULL || (__progname[0] != '\0' && __progname[1] == '\0')) // CodeQL [SM01947]: __progname may be longer than 1 byte and prev. checks handle if smaller
 			__progname = argv[0];	
 		else
 			__progname++;
@@ -423,7 +423,7 @@ tohex(const void *_s, size_t l)
 		r[j++] = hex[(s[i] >> 4) & 0xf]; // CodeQL [SM02311]: tests rely on assert for NULL checks
 		r[j++] = hex[s[i] & 0xf];
 	}
-	r[j] = '\0';
+	r[j] = '\0'; // CodeQL [SM02311]: tests rely on assert for NULL checks
 	return r;
 }
 

regress/unittests/win32compat/tests.c

@@ -35,6 +35,8 @@ dup_str(char *inStr)
 
 	int len = strlen(inStr);
 	char *outStr = malloc(len + 1);
+	if (NULL == outStr)
+		return NULL;
 	strncpy(outStr, inStr, len);
 	outStr[len] = '\0';
 	return outStr;