> Could you explain to me why you think it is a false positive? As far as I can tell, the idea behind that sanitizer is to mostly flag suspicious attempts to pass file names that haven't been sanitized in any way, and I agree that in some cases, depending on what happens after those files are opened, it can lead to various issues (and for that reason there are a lot of static analyzers, for example, complaining about "tainted" strings, uncontrolled spheres and stuff like that). In this particular case files go through __libdw_open_file and their build IDs are checked (which makes it kind of hard to read passwords, tokens and so on and then expose them).
Thanks, Evgeny Vereshchagin
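To make the argument in the message concrete, here is an added, stand-alone example (not elfutils code and not a reproduction of __libdw_open_file) of what a build-ID check on an opened file amounts to: the file is only accepted if it parses as ELF and its .note.gnu.build-id contents equal the expected ID, so nothing from a non-ELF file such as a password file is ever compared or reported. The parser assumes ELF64 little-endian and section-header-based lookup, and the sample ELF image is constructed inline for the demonstration.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOTE = 7
SHT_STRTAB = 3
NT_GNU_BUILD_ID = 3  # note type used by ld --build-id


def _align4(n: int) -> int:
    return (n + 3) & ~3


def _parse_notes(blob: bytes) -> list:
    """Return hex build IDs from a sequence of ELF notes (Elf64_Nhdr + name + desc, 4-byte aligned)."""
    ids = []
    pos = 0
    while pos + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, pos)
        pos += 12
        name = blob[pos:pos + namesz]
        pos += _align4(namesz)
        desc = blob[pos:pos + descsz]
        pos += _align4(descsz)
        if len(desc) != descsz:
            raise ValueError("truncated note")
        if ntype == NT_GNU_BUILD_ID and name.rstrip(b"\0") == b"GNU":
            ids.append(desc.hex())
    return ids


def gnu_build_ids(data: bytes) -> list:
    """Return all GNU build IDs (hex) found in SHT_NOTE sections of an ELF64 LE image.

    Raises ValueError for anything that is not a well-formed ELF64 LE file, so
    a random text file never gets as far as having its bytes interpreted.
    """
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:  # EI_CLASS == ELFCLASS64, EI_DATA == ELFDATA2LSB
        raise ValueError("only ELF64 little-endian is handled in this example")
    (_ident, _type, _machine, _ver, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, _shstrndx) = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    ids = []
    for i in range(shnum):
        off = shoff + i * shentsize
        if off + 64 > len(data):
            raise ValueError("section header table extends past end of file")
        (_name, sh_type, _sflags, _addr, sh_offset, sh_size, _link, _info,
         _align, _entsize) = struct.unpack_from("<IIQQQQIIQQ", data, off)
        if sh_type != SHT_NOTE:
            continue
        if sh_offset + sh_size > len(data):
            raise ValueError("note section extends past end of file")
        ids.extend(_parse_notes(data[sh_offset:sh_offset + sh_size]))
    return ids


def is_acceptable(data: bytes, expected_hex: str) -> bool:
    """True only if data is ELF and carries exactly the expected build ID; any parse error means reject."""
    try:
        return expected_hex.lower() in gnu_build_ids(data)
    except ValueError:
        return False


def make_sample_elf(build_id: bytes) -> bytes:
    """Constructed minimal ELF64 LE image with a .note.gnu.build-id section (test input, not a real binary)."""
    note = struct.pack("<III", 4, len(build_id), NT_GNU_BUILD_ID) + b"GNU\0" + build_id
    note += b"\0" * (_align4(len(note)) - len(note))
    shstrtab = b"\0.note.gnu.build-id\0.shstrtab\0"  # names at offsets 1 and 20
    note_off = 64
    str_off = note_off + len(note)
    sh_off = _align4(str_off + len(shstrtab))
    body = note + shstrtab
    body += b"\0" * (sh_off - note_off - len(body))

    def shdr(name, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 4, 0)

    shdrs = shdr(0, 0, 0, 0) + shdr(1, SHT_NOTE, note_off, len(note)) + shdr(20, SHT_STRTAB, str_off, len(shstrtab))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 0, sh_off, 0, 64, 56, 0, 64, 3, 2)
    return ehdr + body + shdrs


if __name__ == "__main__":
    sample_id = bytes(range(20))
    elf = make_sample_elf(sample_id)
    print("build IDs:", gnu_build_ids(elf))
    print("accepted:", is_acceptable(elf, sample_id.hex()))
    print("password file accepted:", is_acceptable(b"root:x:0:0:root:/root:/bin/sh\n", sample_id.hex()))
```

The point the check illustrates: even if an unsanitized path reaches the open call, the only information that flows out of the opened file is whether its build ID matched, which is what makes "read an arbitrary file and leak it" hard in this flow.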