On Wed, Oct 29, 2025 at 6:00 AM Siteshwar Vashisht <[email protected]>
wrote:

> Hello,
>
> I am writing this message to get feedback from the community on new
> findings by static analyzers in Critical Path Packages that have
> changed in Fedora 44.
>
> TLDR: This report[1] contains a total of 47352 findings and 843 new
> findings identified since Fedora 43. Please review the report and
> provide feedback. False positives can now be recorded in the
> known-false-positives[5] repository.
>
> A mass scan was performed on the packages that have changed in Fedora
> 44. This report[1] contains all the findings that have been identified
> in the Critical Path Packages. Newly added findings since Fedora 43
> are listed under ‘+’ column and these should be prioritized while
> reviewing the findings (and fixing them upstream). Not all findings
> reported by OpenScanHub may be actual bugs, so please verify reported
> findings before investing time into fixing or reporting them. We have
> used the current development version of GCC to perform the scans,
> which may increase the likelihood of having false positives in the GCC
> reports.
>
> False positives can now be recorded in the known-false-positives[5]
> repository. These findings are automatically suppressed by OpenScanHub
> in scans that are triggered later. Also, you can filter findings with
> the csgrep utility to make it easier to review reports that may
> contain a large amount of false positives. Examples of csgrep
> invocation are available on the Fedora wiki[4].
>
> We hope this is helpful for the packages you maintain and for the
> upstream projects. Questions can be asked on the OpenScanHub mailing
> list[2]. If you want to see the full logs of the scans, they are
> available on the tasks[3] page. User documentation for performing a
> scan is available on the Fedora wiki[4].
>
> Please keep the feedback on this thread constructive. Thank you!
>
> [1]
> https://svashisht.fedorapeople.org/openscanhub/mass-scans/f44-28-Oct-2025/
>
> [2]
> https://lists.fedoraproject.org/archives/list/[email protected]/
>
> [3] https://openscanhub.fedoraproject.org/task/
>
> [4] https://fedoraproject.org/wiki/OpenScanHub
>
> [5] https://github.com/openscanhub/known-false-positives
>


I'm pretty sure
https://svashisht.fedorapeople.org/openscanhub/mass-scans/f44-28-Oct-2025/sscg-4.0.0-1.fc44/added.html
is a false positive. The line that it claims "leaks" isn't an exit to the
function and the memory is freed just a few lines later. I'm not sure why
OSH thinks that there's a problem. The BIO_read() function from OpenSSL is
essentially just a memcpy() into the buffer that was passed in.

(FWIW, this is also only in a unit test; there's no impact to the actual
delivered package.)