checksrc: ban use of sscanf()

Using sscanf() is not a (security) problem in itself, but we strongly
discorage using it for parsing input since it is hard to use right, easy
to mess up and often makes for sloppy error checking.

Allow it in examples and tests

Closes #15687

docs/examples/.checksrc

@@ -1,3 +1,4 @@
 disable TYPEDEFSTRUCT
 disable SNPRINTF
 disable BANNEDFUNC
+disable SSCANF

scripts/checksrc.pl

@@ -99,6 +99,7 @@ my %warnings = (
     'SPACEBEFOREPAREN'      => 'space before an open parenthesis',
     'SPACESEMICOLON'        => 'space before semicolon',
     'SPACESWITCHCOLON'      => 'space before colon of switch label',
+    "SSCANF"                => 'use of sscanf',
     'TABS'                  => 'TAB characters not allowed',
     'TRAILINGSPACE'         => 'Trailing whitespace on the line',
     'TYPEDEFSTRUCT'         => 'typedefed struct',
@@ -814,6 +815,16 @@ sub scanfile {
                       $line, length($1), $file, $ol,
                       "use of $2 is banned");
         }
+        # scan for use of sscanf. This is not a BANNEDFUNC to allow for
+        # individual enable/disable of this warning.
+        if($l =~ /^(.*\W)(sscanf)\s*\(/x) {
+            if($1 !~ /^ *\#/) {
+                # skip preprocessor lines
+                checkwarn("SSCANF",
+                          $line, length($1), $file, $ol,
+                          "use of $2 is banned");
+            }
+        }
         if($warnings{"STRERROR"}) {
             # scan for use of banned strerror. This is not a BANNEDFUNC to
             # allow for individual enable/disable of this warning.

tests/libtest/.checksrc

@@ -1,2 +1,3 @@
 disable TYPEDEFSTRUCT
 disable BANNEDFUNC
+disable SSCANF

tests/server/.checksrc

@@ -1 +1,2 @@
 enable STRNCPY
+disable SSCANF