On Wednesday, 29 October 2025 21:20:12 CET Stephen Gallagher wrote:
> On Wed, Oct 29, 2025 at 6:00 AM Siteshwar Vashisht <[email protected]> wrote:
> >
> > Hello,
> >
> > I am writing this message to get feedback from the community on new
> > findings by static analyzers in Critical Path Packages that have
> > changed in Fedora 44.
> >
> > TLDR: This report[1] contains a total of 47352 findings and 843 new
> > findings identified since Fedora 43. Please review the report and
> > provide feedback. False positives can now be recorded in the
> > known-false-positives[5] repository.
> >
> > A mass scan was performed on the packages that have changed in Fedora
> > 44. This report[1] contains all the findings that have been identified
> > in the Critical Path Packages. Newly added findings since Fedora 43
> > are listed under the ‘+’ column and these should be prioritized while
> > reviewing the findings (and fixing them upstream). Not all findings
> > reported by OpenScanHub may be actual bugs, so please verify reported
> > findings before investing time into fixing or reporting them. We have
> > used the current development version of GCC to perform the scans,
> > which may increase the likelihood of having false positives in the GCC
> > reports.
> >
> > False positives can now be recorded in the known-false-positives[5]
> > repository. These findings are automatically suppressed by OpenScanHub
> > in scans that are triggered later. Also, you can filter findings with
> > the csgrep utility to make it easier to review reports that may
> > contain a large amount of false positives. Examples of csgrep
> > invocation are available on the Fedora wiki[4].
> >
> > We hope this is helpful for the packages you maintain and for the
> > upstream projects. Questions can be asked on the OpenScanHub mailing
> > list[2]. If you want to see the full logs of the scans, they are
> > available on the tasks[3] page. User documentation for performing a
> > scan is available on the Fedora wiki[4].
> >
> > Please keep the feedback on this thread constructive. Thank you!
> >
> > [1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f44-28-Oct-2025/
> > [2] https://lists.fedoraproject.org/archives/list/[email protected]/
> > [3] https://openscanhub.fedoraproject.org/task/
> > [4] https://fedoraproject.org/wiki/OpenScanHub
> > [5] https://github.com/openscanhub/known-false-positives
> >
> > --
>
> I'm pretty sure
> https://svashisht.fedorapeople.org/openscanhub/mass-scans/f44-28-Oct-2025/sscg-4.0.0-1.fc44/added.html
> is a false positive. The line that it claims "leaks" isn't an exit to the
> function and the memory is freed just a few lines later. I'm not sure why
> OSH thinks that there's a problem. The BIO_read() function from OpenSSL is
> essentially just a memcpy() into the buffer that was passed in.
>
> (FWIW, this is also only in a unit test; there's no impact to the actual
> delivered package.)
I agree this is a false positive. It does not happen with gcc-15.2.1-3.fc44.
It happens with gcc-latest-16.0.0-5.20250914git38666cbccff5.fc44 from COPR.

Dave, any idea what went wrong?

The original SARIF file produced by GCC can be downloaded with the following
command:

    curl -s 'https://openscanhub.fedoraproject.org/task/78401/log/sscg-4.0.0-1.fc44.tar.xz?format=raw' \
        | xz -cd \
        | tar -xv sscg-4.0.0-1.fc44/debug/raw-results/builddir/gcc-results/452-M3DZ.sarif

Kamil

--
_______________________________________________
devel mailing list -- [email protected]
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
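As an added example (not code from this thread, from OpenScanHub, csgrep or GCC), here is a small Python script that does the triage the messages above describe by hand: it flattens a GCC SARIF file like the one Kamil's command extracts into per-finding records, drops findings that match a suppression list, and computes the "new since the previous scan" set that the report's ‘+’ column represents. The SARIF document, the suppression-list tuple format, the rule names and the file paths are all constructed for the example; the real known-false-positives repository layout is not reproduced.

```python
"""Triage findings from a GCC -fanalyzer SARIF file.

Added example; not code from OpenScanHub, csgrep or the GCC project.
The SARIF 2.1.0 layout (runs[].results[] with ruleId, message.text and
locations[].physicalLocation) is the standard one; the sample document,
the suppression-list format and every file name below are constructed.
"""
import json
import re

# Constructed sample SARIF document, shaped like GCC's
# -fdiagnostics-format=sarif-file output (two warnings, one in a unit test).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "GNU C17", "version": "16.0.0"}},
        "results": [
            {
                "ruleId": "-Wanalyzer-malloc-leak",
                "level": "warning",
                "message": {"text": "leak of 'buf'"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "test/test_helper.c"},
                    "region": {"startLine": 120}}}],
            },
            {
                "ruleId": "-Wanalyzer-null-dereference",
                "level": "warning",
                "message": {"text": "dereference of NULL 'p'"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/main.c"},
                    "region": {"startLine": 42}}}],
            },
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every result of every run into a dict of the fields a reviewer needs."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            # Use the primary location; a result may carry none (tool-level notes).
            locs = res.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": res.get("ruleId", ""),
                "level": res.get("level", ""),
                "message": res.get("message", {}).get("text", ""),
                "file": phys.get("artifactLocation", {}).get("uri", ""),
                "line": phys.get("region", {}).get("startLine"),
            })
    return findings


# Hypothetical suppression list: (rule, file-path regex, message regex).
# This is an assumed format, not the layout of the known-false-positives repo.
KNOWN_FALSE_POSITIVES = [
    ("-Wanalyzer-malloc-leak", r"^test/", r"^leak of 'buf'$"),
]


def is_known_false_positive(finding, suppressions=KNOWN_FALSE_POSITIVES):
    """True when rule, path and message all match one suppression entry."""
    for rule, path_re, msg_re in suppressions:
        if (finding["rule"] == rule
                and re.search(path_re, finding["file"])
                and re.search(msg_re, finding["message"])):
            return True
    return False


def finding_key(finding):
    # Line numbers shift between package versions, so compare on
    # (rule, file, message) only; a design choice of this example.
    return (finding["rule"], finding["file"], finding["message"])


def new_findings(current, previous):
    """Findings in `current` whose key does not occur in `previous`."""
    seen = {finding_key(f) for f in previous}
    return [f for f in current if finding_key(f) not in seen]


def triage(sarif_text, previous=(), suppressions=KNOWN_FALSE_POSITIVES):
    """Return (all findings, findings not suppressed, unsuppressed findings that are new)."""
    findings = load_findings(sarif_text)
    kept = [f for f in findings if not is_known_false_positive(f, suppressions)]
    return findings, kept, new_findings(kept, previous)


if __name__ == "__main__":
    allf, kept, fresh = triage(SAMPLE_SARIF)
    print(f"{len(allf)} findings, {len(kept)} after suppression, {len(fresh)} new")
    for f in fresh:
        print(f"{f['file']}:{f['line']}: {f['rule']}: {f['message']}")
```

Keying the "new" comparison on rule, file and message rather than on line number is what keeps a finding from reappearing as new every time unrelated code above it moves; a suppression entry that matches on path and message text likewise survives line-number churn, which is why the assumed list format carries regexes rather than positions.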
