Checkers that find implementation-defined behavior seem better off disabled by default - or, at least, there should be a way to turn them off - because we're not sure if our users are developing cross-platform code or target a specific platform. If the behavior is well-defined on any particular target platform, then the user may say "this code works correctly, the behavior is documented, I personally don't care about portability, so the analyzer shouldn't warn".
I'm introducing an optin.portability package with this patch. The UNIX zero-size-malloc check is moved here, because the behavior is implementation-defined according even to the C standard, and man pages of various platforms clearly document which behavior is implemented. Of course, that behavior is different on Linux vs. BSD/Mac though, which is the whole point of the checker.
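As an added illustration (my own constructed example, not code from this patch or from the analyzer's test suite) of the pattern the zero-size-malloc check is about: when the requested size may be zero, the C standard lets malloc return either NULL or a unique non-NULL pointer, so a plain NULL check no longer means "out of memory" on every platform. The two portable variants below make the zero-size policy explicit so the result is the same everywhere; the function names are mine.

```c
#include <errno.h>
#include <stdlib.h>

/* Non-portable pattern (the kind of call the checker reports): when n == 0
 * the result of malloc is implementation-defined, so the caller cannot tell
 * "the request was empty" from "the allocation failed" by testing for NULL. */
void *buffer_new_nonportable(size_t n)
{
    return malloc(n); /* NULL or a unique pointer when n == 0, per platform */
}

/* Portable variant A: never hand a zero size to malloc. Rounding an empty
 * request up to one byte is an explicit choice that behaves identically on
 * every platform; NULL now means allocation failure and nothing else. */
void *buffer_new_portable(size_t n)
{
    if (n == 0)
        n = 1;
    return malloc(n);
}

/* Portable variant B: refuse empty requests outright and report them with a
 * distinct error code, so a NULL *out can only ever mean ENOMEM. */
int buffer_init(void **out, size_t n)
{
    if (n == 0) {
        *out = NULL;
        return EINVAL; /* distinguishable from an allocation failure */
    }
    *out = malloc(n);
    return *out ? 0 : ENOMEM;
}

int main(void)
{
    void *p = buffer_new_portable(0); /* always a real allocation */
    void *q = NULL;
    int rc = buffer_init(&q, 0);      /* EINVAL, q stays NULL */
    free(p);
    free(q);
    return rc == EINVAL ? 0 : 1;
}
```

Both variants remove the platform dependence rather than documenting it; which one fits depends on whether an empty request is a legitimate input or a caller bug in the code base at hand.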
Suggestions/complaints are very welcome. I'm thinking of enabling portability checks by default when we're cross-compiling, or maybe on a per-platform basis, e.g. Linux/BSD developers care about portability much more often (and in this case we probably shouldn't add the optin prefix to the package).