Sonar reports a finding in args.c, where a file check is done . Stat performs a check on file, and later fopen is called on the file : https://sonarcloud.io/project/issues?id=shipilev_jdk&languages=c&open=AXck8CL0BBG2CXpcnhtM&resolved=false&types=VULNERABILITY
The coding could be slightly rewritten so that the potential TOCTOU is removed (however I do not think that it is such a big issue). ------------- Commit messages: - JDK-8262199 Changes: https://git.openjdk.java.net/jdk/pull/2692/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=2692&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8262199 Stats: 32 lines in 1 file changed: 12 ins; 16 del; 4 mod Patch: https://git.openjdk.java.net/jdk/pull/2692.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/2692/head:pull/2692 PR: https://git.openjdk.java.net/jdk/pull/2692
