Error: SHELLCHECK_WARNING (CWE-569): [#def1]
/usr/bin/clevis:30:16: warning[SC2124]: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
# 28|
# 29| cmd=clevis
# 30|-> input_commands="$cmd $@"
# 31|
# 32| while [ $# -gt 0 ]; do

Error: SHELLCHECK_WARNING (CWE-88): [#def2]
/usr/bin/clevis-decrypt-tpm2:24:34: error[SC2068]: Double quote array expansions to avoid re-splitting elements.
# 22| if command -v clevis-pin-tpm2 >/dev/null;
# 23| then
# 24|-> exec clevis-pin-tpm2 decrypt $@
# 25| fi
# 26|

Error: SHELLCHECK_WARNING (CWE-569): [#def3]
/usr/bin/clevis-luks-bind:81:10: warning[SC2124]: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
# 79| fi
# 80|
# 81|-> if ! PIN="${@:$((OPTIND++)):1}" || [ -z "$PIN" ]; then
# 82| echo "Did not specify a pin!" >&2
# 83| usage

Error: SHELLCHECK_WARNING (CWE-569): [#def4]
/usr/bin/clevis-luks-bind:89:10: warning[SC2124]: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
# 87| fi
# 88|
# 89|-> if ! CFG="${@:$((OPTIND++)):1}" || [ -z "$CFG" ]; then
# 90| echo "Did not specify a pin config!" >&2
# 91| usage

Error: SHELLCHECK_WARNING (CWE-563): [#def5]
/usr/bin/clevis-luks-unbind:95:13: warning[SC2034]: slot appears unused. Verify use (or export if used externally).
# 93| fi
# 94|
# 95|-> read -r slot state uuid < <(luksmeta show -d "$DEV" | grep "^$SLT *")
# 96|
# 97| if [ "$uuid" == "empty" ]; then

Error: SHELLCHECK_WARNING (CWE-457): [#def6]
/usr/lib/dracut/modules.d/60clevis-pin-tang/module-setup.sh:38:11: warning[SC2154]: hostonly_cmdline is referenced but not assigned.
# 36|
# 37| install() {
# 38|-> if [ "${hostonly_cmdline}" = "yes" ] && have_tang_bindings; then
# 39| echo "rd.neednet=1" > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf"
# 40| fi

Error: SHELLCHECK_WARNING (CWE-457): [#def7]
/usr/lib/dracut/modules.d/60clevis-pin-tang/module-setup.sh:39:32: warning[SC2154]: initdir is referenced but not assigned.
# 37| install() {
# 38| if [ "${hostonly_cmdline}" = "yes" ] && have_tang_bindings; then
# 39|-> echo "rd.neednet=1" > "${initdir}/etc/cmdline.d/99clevis-pin-tang.conf"
# 40| fi
# 41|

Error: SHELLCHECK_WARNING: [#def8]
/usr/lib/dracut/modules.d/60clevis-pin-tpm2/module-setup.sh:41:26: error[SC2283]: Remove spaces around = to assign (or use [ ] to compare, or quote '=' if literal).
# 39|
# 40| installkernel() {
# 41|-> hostonly='' instmods =drivers/char/tpm
# 42| }

Error: SHELLCHECK_WARNING (CWE-457): [#def9]
/usr/lib/dracut/modules.d/60clevis/module-setup.sh:33:13: warning[SC2154]: systemdsystemunitdir is referenced but not assigned.
# 31| if dracut_module_included "systemd"; then
# 32| inst_multiple \
# 33|-> $systemdsystemunitdir/clevis-luks-askpass.service \
# 34| $systemdsystemunitdir/clevis-luks-askpass.path \
# 35| /usr/lib/systemd/systemd-reply-password \

Error: SHELLCHECK_WARNING (CWE-457): [#def10]
/usr/lib/dracut/modules.d/60clevis/module-setup.sh:38:30: warning[SC2154]: initdir is referenced but not assigned.
# 36| /usr/libexec/clevis-luks-askpass
# 37|
# 38|-> systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path
# 39| else
# 40| inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"

Error: SHELLCHECK_WARNING (CWE-457): [#def11]
/usr/lib/dracut/modules.d/60clevis/module-setup.sh:40:40: warning[SC2154]: moddir is referenced but not assigned.
# 38| systemctl -q --root "$initdir" add-wants cryptsetup.target clevis-luks-askpass.path
# 39| else
# 40|-> inst_hook initqueue/online 60 "$moddir/clevis-hook.sh"
# 41| inst_hook initqueue/settled 60 "$moddir/clevis-hook.sh"
# 42| inst_multiple \

Error: GCC_ANALYZER_WARNING (CWE-775): [#def12]
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:289:5: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘pull[0]’
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:305:1: enter_function: entry to ‘recover_key’
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:312:8: branch_false: following ‘false’ branch...
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:9: branch_false: ...to here
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:8: branch_false: following ‘false’ branch...
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:318:12: branch_false: ...to here
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:319:8: branch_true: following ‘true’ branch (when ‘chld < 0’)...
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:320:9: branch_true: ...to here
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:404:5: call_function: inlined call to ‘safeclose’ from ‘recover_key’
# 287| if (*fd >= 0)
# 288| close(*fd);
# 289|-> *fd = -1;
# 290| }
# 291|

Error: GCC_ANALYZER_WARNING (CWE-775): [#def13]
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:289:5: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘pull[1]’
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:305:1: enter_function: entry to ‘recover_key’
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:312:8: branch_false: following ‘false’ branch...
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:318:12: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:319:8: branch_false: following ‘false’ branch (when ‘chld >= 0’)... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:324:8: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:324:8: branch_false: following ‘false’ branch (when ‘chld != 0’)... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:372:5: call_function: inlined call to ‘safeclose’ from ‘recover_key’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:373:5: call_function: inlined call to ‘safeclose’ from ‘recover_key’ # 287| if (*fd >= 0) # 288| close(*fd); # 289|-> *fd = -1; # 290| } # 291| Error: GCC_ANALYZER_WARNING (CWE-775): [#def14] clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:289:5: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘push[0]’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:305:1: enter_function: entry to ‘recover_key’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:312:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:8: branch_true: following ‘true’ branch... 
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:316:9: branch_true: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:402:5: call_function: inlined call to ‘safeclose’ from ‘recover_key’ # 287| if (*fd >= 0) # 288| close(*fd); # 289|-> *fd = -1; # 290| } # 291| Error: GCC_ANALYZER_WARNING (CWE-775): [#def15] clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:289:5: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘push[1]’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:305:1: enter_function: entry to ‘recover_key’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:312:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:8: branch_true: following ‘true’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:316:9: branch_true: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:403:5: call_function: inlined call to ‘safeclose’ from ‘recover_key’ # 287| if (*fd >= 0) # 288| close(*fd); # 289|-> *fd = -1; # 290| } # 291| Error: GCC_ANALYZER_WARNING (CWE-775): [#def16] clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:289:5: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘push[t]’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:492:1: enter_function: entry to ‘main’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:500:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:505:8: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:505:8: branch_false: following ‘false’ branch... 
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:510:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:510:8: branch_false: following ‘false’ branch... branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:549:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:554:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:554:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:557:11: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:558:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:564:8: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:564:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:577:5: call_function: inlined call to ‘safeclose’ from ‘main’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:587:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:587:9: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:591:11: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:592:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:595:16: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:600:12: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:609:12: branch_false: following ‘false’ branch... 
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:639:20: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:639:19: branch_true: following ‘true’ branch... branch_true: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:640:29: branch_true: following ‘true’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:641:29: branch_true: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:646:20: branch_false: following ‘false’ branch (when ‘r != 0’)... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:648:25: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:648:25: branch_false: following ‘false’ branch (when ‘r == 5’)... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:651:17: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:652:20: branch_false: following ‘false’ branch (when the strings are equal)... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:655:21: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:659:22: call_function: calling ‘token_to_jwe’ from ‘main’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:659:22: return_function: returning to ‘main’ from ‘token_to_jwe’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:659:20: branch_true: following ‘true’ branch... 
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:663:28: branch_true: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:663:28: call_function: calling ‘recover_key’ from ‘main’ # 287| if (*fd >= 0) # 288| close(*fd); # 289|-> *fd = -1; # 290| } # 291| Error: GCC_ANALYZER_WARNING (CWE-775): [#def17] clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:399:12: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘pull[0]’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:305:1: enter_function: entry to ‘recover_key’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:312:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:318:12: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:319:8: branch_false: following ‘false’ branch (when ‘chld >= 0’)... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:324:8: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:324:8: branch_false: following ‘false’ branch (when ‘chld != 0’)... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:372:5: call_function: inlined call to ‘safeclose’ from ‘recover_key’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:377:8: branch_false: following ‘false’ branch... 
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:398:5: call_function: inlined call to ‘safeclose’ from ‘recover_key’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:399:12: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:399:12: danger: ‘pull[0]’ leaks here # 397| # 398| safeclose(&pull[PIPE_RD]); # 399|-> return bytes; # 400| # 401| error: Error: GCC_ANALYZER_WARNING (CWE-775): [#def18] clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:399:12: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘pull[1]’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:305:1: enter_function: entry to ‘recover_key’ clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:312:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:315:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:318:12: branch_false: ...to here clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:319:8: branch_true: following ‘true’ branch (when ‘chld < 0’)... 
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:320:9: branch_true: ...to here
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:405:5: call_function: inlined call to ‘safeclose’ from ‘recover_key’
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:406:13: branch_false: ...to here
clevis-21/redhat-linux-build/../src/luks/udisks2/clevis-luks-udisks2.c:399:12: danger: ‘pull[1]’ leaks here
# 397|
# 398| safeclose(&pull[PIPE_RD]);
# 399|-> return bytes;
# 400|
# 401| error:

Error: GCC_ANALYZER_WARNING (CWE-688): [#def19]
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:64:48: warning[-Wanalyzer-null-argument]: use of NULL ‘p’ where non-null expected
#argument 1 of ‘__builtin_strlen’ must be non-null
# 62| get_control_socket_name(const char* file_sock, char* control_sock, uint32_t control_sock_len) {
# 63| char *p = strstr(file_sock, ".sock");
# 64|-> size_t prefix_length = strlen(file_sock) - strlen(p);
# 65| memset(control_sock, 0, control_sock_len);
# 66| memcpy(control_sock, file_sock, prefix_length);

Error: GCC_ANALYZER_WARNING (CWE-479): [#def20]
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:187:9: warning[-Wanalyzer-unsafe-call-within-signal-handler]: call to ‘fprintf’ from within signal handler
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:193:5: enter_function: entry to ‘main’
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:185:13: enter_function: entry to ‘int_handler’
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:186:7: branch_true: following ‘true’ branch...
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:187:9: branch_true: ...to here
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:187:9: danger: call to ‘fprintf’ from within signal handler
# 185| static void int_handler(int s) {
# 186| if(logfile) {
# 187|-> fprintf(logfile, "Closing, received signal:[%d]\n", s);
# 188| fclose(logfile);
# 189| }

Error: GCC_ANALYZER_WARNING (CWE-479): [#def21]
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:190:5: warning[-Wanalyzer-unsafe-call-within-signal-handler]: call to ‘exit’ from within signal handler
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:193:5: enter_function: entry to ‘main’
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:185:13: enter_function: entry to ‘int_handler’
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:186:7: branch_false: following ‘false’ branch...
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:190:5: branch_false: ...to here
clevis-21/redhat-linux-build/../src/pins/pkcs11/clevis-pkcs11-afunix-socket-unlock.c:190:5: danger: call to ‘exit’ from within signal handler
# 188| fclose(logfile);
# 189| }
# 190|-> exit(EXIT_FAILURE);
# 191| }
# 192|

Error: GCC_ANALYZER_WARNING (CWE-401): [#def22]
clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:226:20: warning[-Wanalyzer-malloc-leak]: leak of ‘*pin.pt’
clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:135:1: enter_function: entry to ‘main’
clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:150:8: branch_false: following ‘false’ branch...
clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:154:8: branch_false: following ‘false’ branch (when ‘epoll >= 0’)...
clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:157:11: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:157:11: call_function: calling ‘compact_jwe’ from ‘main’ clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:157:11: return_function: returning to ‘main’ from ‘compact_jwe’ clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:158:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:161:11: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:162:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:165:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:165:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:169:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:169:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:172:10: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:173:8: branch_false: following ‘false’ branch... branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:208:8: branch_false: following ‘false’ branch... branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:215:12: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:218:26: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:218:45: branch_true: following ‘true’ branch... 
clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:219:18: branch_true: ...to here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:219:16: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:225:27: acquire_memory: allocated here clevis-21/redhat-linux-build/../src/pins/sss/clevis-decrypt-sss.c:226:20: danger: ‘*pin.pt’ leaks here; was allocated at [(56)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/55) # 224| # 225| pin->pt = malloc(ptl); # 226|-> if (!pin->pt) # 227| goto egress; # 228| Error: GCC_ANALYZER_WARNING (CWE-775): [#def23] clevis-21/redhat-linux-build/../src/pins/sss/sss.c:363:12: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(dump[0], 0)’ clevis-21/redhat-linux-build/../src/pins/sss/sss.c:352:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/sss.c:355:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:355:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/sss.c:358:12: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:359:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/sss.c:362:8: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:362:8: branch_true: following ‘true’ branch... 
clevis-21/redhat-linux-build/../src/pins/sss/sss.c:363:13: branch_true: ...to here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:363:13: acquire_resource: opened here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:363:12: danger: ‘dup2(dump[0], 0)’ leaks here; was opened at [(11)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/10) # 361| # 362| if (*pid == 0) { # 363|-> if (dup2(dump[PIPE_RD], STDIN_FILENO) < 0 || # 364| dup2(load[PIPE_WR], STDOUT_FILENO) < 0) # 365| exit(EXIT_FAILURE); Error: GCC_ANALYZER_WARNING (CWE-775): [#def24] clevis-21/redhat-linux-build/../src/pins/sss/sss.c:363:13: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(load[1], 1)’ clevis-21/redhat-linux-build/../src/pins/sss/sss.c:352:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/sss.c:355:9: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:355:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/sss.c:358:12: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:359:8: branch_false: following ‘false’ branch... clevis-21/redhat-linux-build/../src/pins/sss/sss.c:362:8: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:362:8: branch_true: following ‘true’ branch... clevis-21/redhat-linux-build/../src/pins/sss/sss.c:363:13: branch_true: ...to here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:363:12: branch_false: following ‘false’ branch... 
clevis-21/redhat-linux-build/../src/pins/sss/sss.c:364:13: branch_false: ...to here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:364:13: acquire_resource: opened here clevis-21/redhat-linux-build/../src/pins/sss/sss.c:363:13: danger: ‘dup2(load[1], 1)’ leaks here; was opened at [(13)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/12) # 361| # 362| if (*pid == 0) { # 363|-> if (dup2(dump[PIPE_RD], STDIN_FILENO) < 0 || # 364| dup2(load[PIPE_WR], STDOUT_FILENO) < 0) # 365| exit(EXIT_FAILURE);
analyzer-version-clippy | 1.86.0 |
analyzer-version-cppcheck | 2.17.1 |
analyzer-version-gcc | 15.0.1 |
analyzer-version-gcc-analyzer | 15.0.1 |
analyzer-version-shellcheck | 0.10.0 |
analyzer-version-unicontrol | 0.0.2 |
enabled-plugins | clippy, cppcheck, gcc, shellcheck, unicontrol |
exit-code | 0 |
host | ip-172-16-1-88.us-west-2.compute.internal |
known-false-positives | /usr/share/csmock/known-false-positives.js |
known-false-positives-rpm | known-false-positives-0.0.0.20250425.124705.g1c7c448.main-1.el9.noarch |
mock-config | fedora-rawhide-x86_64 |
project-name | clevis-21-11.fc43 |
store-results-to | /tmp/tmp4c9uy7nq/clevis-21-11.fc43.tar.xz |
time-created | 2025-04-25 12:11:36 |
time-finished | 2025-04-25 12:12:59 |
tool | csmock |
tool-args | '/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'unicontrol,cppcheck,gcc,clippy,shellcheck' '-o' '/tmp/tmp4c9uy7nq/clevis-21-11.fc43.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmp4c9uy7nq/clevis-21-11.fc43.src.rpm' |
tool-version | csmock-3.8.1.20250422.172604.g26bc3d6-1.el9 |