Newly introduced findings

List of Findings

Error: SHELLCHECK_WARNING (CWE-563): [#def1]
/usr/lib/rpm/check-rpaths-worker:98:5: warning[SC2034]: rpath_orig appears unused. Verify use (or export if used externally).
#   96|       pos=0
#   97|       rpath=$(echo "$1" | LANG=C grep -E "\(($2)\).*:") || return 0
#   98|->     rpath_orig="$rpath"
#   99|       rpath=$(echo "$rpath" | LANG=C sed -e "s!.*\($2\).*: \[\(.*\)\]!\2!p;d")
#  100|       lower=$(echo $2 | awk '{print tolower($0)}')

Error: SHELLCHECK_WARNING (CWE-569): [#def2]
/usr/lib/rpm/rpm-setup-autosign:17:13: warning[SC2048]: Use "$@" (with quotes) to prevent whitespace problems. Note: an unquoted `$*` is word-split and pathname-expanded before `echo` runs, so a message containing runs of spaces or shell glob characters (`*`, `?`) is not printed verbatim; `echo -e "$@" 1>&2` passes the arguments through unchanged.
#   15|   function log()
#   16|   {
#   17|->     echo -e $* 1>&2
#   18|   }
#   19|   

Error: SHELLCHECK_WARNING (CWE-569): [#def3]
/usr/lib/rpm/rpm-setup-autosign:22:9: warning[SC2048]: Use "$@" (with quotes) to prevent whitespace problems. Note: same defect as #def2 one call deeper — `error()` re-splits its arguments on the way into `log()`; `log "$@"` forwards them intact (fixing only one of the two functions still leaves the other splitting).
#   20|   function error()
#   21|   {
#   22|->     log $*
#   23|       exit 1
#   24|   }

Error: SHELLCHECK_WARNING (CWE-571): [#def4]
/usr/lib/rpm/rpm-setup-autosign:42:11: warning[SC2155]: Declare and assign separately to avoid masking return values. Note: `local` returns 0 regardless of the command substitution, so a failing `sq key generate` is invisible through `$?` (and to `set -e`, if the script relies on it) and `keyfp` silently ends up empty. Declare `local keyfp` first, assign on the next line, and check the exit status before the fingerprint is used for signing setup.
#   40|   {
#   41|       log "Generating key ${email}"
#   42|->     local keyfp=$(sq key generate \
#   43|                        --batch \
#   44|                        --quiet \

Error: CPPCHECK_WARNING (CWE-476): [#def5]
rpm-5.99.90/lib/depends.cc:819: warning[nullPointer]: Possible null pointer dereference: dep. Note: #def5 and #def6 have the same root cause — `dep` is taken from `rpmdsN(depds)` on line 817 and handed to `strlen()` and `strcpy()` with no NULL check in between. If `rpmdsN()` can return NULL (e.g. for an empty or malformed dependency set), one guard immediately after line 817 resolves both findings.
#  817|   	dep = rpmdsN(depds);
#  818|       if (neg) {
#  819|-> 	ndep = (char *)xmalloc(strlen(dep) + 2);
#  820|   	ndep[0] = '!';
#  821|   	strcpy(ndep + 1, dep);

Error: CPPCHECK_WARNING (CWE-476): [#def6]
rpm-5.99.90/lib/depends.cc:821: warning[nullPointer]: Possible null pointer dereference: dep. Note: same root cause as #def5 (unchecked `dep` from line 817); a single guard there covers this `strcpy()` as well.
#  819|   	ndep = (char *)xmalloc(strlen(dep) + 2);
#  820|   	ndep[0] = '!';
#  821|-> 	strcpy(ndep + 1, dep);
#  822|   	dep = ndep;
#  823|       }

Error: CPPCHECK_WARNING (CWE-457): [#def7]
rpm-5.99.90/lib/header.cc:886: error[uninitvar]: Uninitialized variables: &key.data, &key.length, &key.rdlen. Note: whether any of these bytes are actually read depends on `indexCmp()`, which is not shown here; if it compares only `info.tag` the finding is harmless in practice. Zero-initialising `key` at its declaration removes the finding either way and avoids passing indeterminate bytes into a comparator.
#  884|       key.info.tag = tag;
#  885|   
#  886|->     entry = (indexEntry)bsearch(&key, h->index, h->indexUsed, sizeof(*h->index), indexCmp);
#  887|       if (entry == NULL)
#  888|   	return NULL;

Error: CPPCHECK_WARNING (CWE-476): [#def8]
rpm-5.99.90/lib/tagexts.cc:907: warning[nullPointerOutOfMemory]: If memory allocation fails, then there is a possible null pointer dereference: e. Note: the raw `malloc()` result is written through unconditionally on line 907. Elsewhere in this package allocations that are allowed to abort on OOM go through `xmalloc()` (see #def5, depends.cc:819); either use `xmalloc()` here for consistency or check for NULL and report failure, so that an allocation failure cannot become a write to address 0.
#  905|       if (!headerGet(h, RPMTAG_EPOCH, td, HEADERGET_ALLOC)) {
#  906|   	uint32_t *e = (uint32_t *)malloc(sizeof(*e));
#  907|-> 	*e = 0;
#  908|   	td->data = e;
#  909|   	td->type = RPM_INT32_TYPE;

Error: CPPCHECK_WARNING (CWE-476): [#def9]
rpm-5.99.90/rpmio/rpmlua.cc:846: warning[nullPointer]: Possible null pointer dereference: argv. Note: `argv[0]` is dereferenced on line 846 and the vector is released with `argvFree()` on line 848, so it is built dynamically by code outside this excerpt; if that builder can yield NULL (for example on an empty or unparseable command string), this is a NULL dereference before the spawn. Checking `argv && argv[0]` before `posix_spawnp()` and failing cleanly closes the gap.
#  844|       rpmSetCloseOnExec();
#  845|   
#  846|->     status = posix_spawnp(&pid, argv[0], fap, NULL, argv, environ);
#  847|   
#  848|       argvFree(argv);

Error: CPPCHECK_WARNING (CWE-476): [#def10]
rpm-5.99.90/tools/rpmdump.cc:133: warning[nullPointerOutOfMemory]: If memory allocation fails, then there is a possible null pointer dereference: blob. Note: #def10, #def11 and #def12 all stem from the unchecked `malloc()` on line 132; one NULL check right after it (print a message and `goto exit`, matching the style on lines 145–146) resolves all three. The allocation size is also computed from `headerLen`, which this excerpt does not show being derived or range-checked; if it originates from the file being dumped it should be validated before it sizes the buffer and the `read()` on line 144.
#  131|   
#  132|       blob = (uint32_t *)malloc(sizeof(numEntries) + sizeof(numBytes) + headerLen);
#  133|->     blob[0] = htonl(numEntries);
#  134|       blob[1] = htonl(numBytes);
#  135|   

Error: CPPCHECK_WARNING (CWE-476): [#def11]
rpm-5.99.90/tools/rpmdump.cc:134: warning[nullPointerOutOfMemory]: If memory allocation fails, then there is a possible null pointer dereference: blob. Note: same root cause as #def10 (unchecked `malloc()` on line 132).
#  132|       blob = (uint32_t *)malloc(sizeof(numEntries) + sizeof(numBytes) + headerLen);
#  133|       blob[0] = htonl(numEntries);
#  134|->     blob[1] = htonl(numBytes);
#  135|   
#  136|       pe = (struct entryInfo *) &(blob[2]);

Error: CPPCHECK_WARNING (CWE-682): [#def12]
rpm-5.99.90/tools/rpmdump.cc:144: error[nullPointerArithmeticOutOfMemory]: If memory allocation fail: pointer addition with NULL pointer. Note: same root cause as #def10 (unchecked `malloc()` on line 132); `blob+2` is arithmetic on a NULL pointer when the allocation failed, and the subsequent `read()` would then write into the resulting address.
#  142|   
#  143|       
#  144|->     if (read(fd, blob+2, headerLen) != headerLen) {
#  145|   	fprintf(stderr, "reading %d bytes of header fail\n", headerLen);
#  146|   	goto exit;

Scan Properties

analyzer-version-clippy: 1.86.0
analyzer-version-cppcheck: 2.17.1
analyzer-version-gcc: 15.0.1
analyzer-version-gcc-analyzer: 15.0.1
analyzer-version-shellcheck: 0.10.0
analyzer-version-unicontrol: 0.0.2
diffbase-analyzer-version-clippy: 1.86.0
diffbase-analyzer-version-cppcheck: 2.17.1
diffbase-analyzer-version-gcc: 15.0.1
diffbase-analyzer-version-gcc-analyzer: 15.0.1
diffbase-analyzer-version-shellcheck: 0.10.0
diffbase-analyzer-version-unicontrol: 0.0.2
diffbase-enabled-plugins: clippy, cppcheck, gcc, shellcheck, unicontrol
diffbase-exit-code: 0
diffbase-host: ip-172-16-1-154.us-west-2.compute.internal
diffbase-known-false-positives: /usr/share/csmock/known-false-positives.js
diffbase-known-false-positives-rpm: known-false-positives-0.0.0.20250425.124705.g1c7c448.main-1.el9.noarch
diffbase-mock-config: fedora-rawhide-x86_64
diffbase-project-name: rpm-4.20.1-1.fc42
diffbase-store-results-to: /tmp/tmpwxbicwkc/rpm-4.20.1-1.fc42.tar.xz
diffbase-time-created: 2025-04-25 15:35:46
diffbase-time-finished: 2025-04-25 15:38:25
diffbase-tool: csmock
diffbase-tool-args: '/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'unicontrol,cppcheck,gcc,clippy,shellcheck' '-o' '/tmp/tmpwxbicwkc/rpm-4.20.1-1.fc42.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmpwxbicwkc/rpm-4.20.1-1.fc42.src.rpm'
diffbase-tool-version: csmock-3.8.1.20250422.172604.g26bc3d6-1.el9
enabled-plugins: clippy, cppcheck, gcc, shellcheck, unicontrol
exit-code: 0
host: ip-172-16-1-154.us-west-2.compute.internal
known-false-positives: /usr/share/csmock/known-false-positives.js
known-false-positives-rpm: known-false-positives-0.0.0.20250425.124705.g1c7c448.main-1.el9.noarch
mock-config: fedora-rawhide-x86_64
project-name: rpm-5.99.90-3.fc43
store-results-to: /tmp/tmp9ag8fqr6/rpm-5.99.90-3.fc43.tar.xz
time-created: 2025-04-25 15:38:51
time-finished: 2025-04-25 15:41:08
title: Newly introduced findings
tool: csmock
tool-args: '/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'unicontrol,cppcheck,gcc,clippy,shellcheck' '-o' '/tmp/tmp9ag8fqr6/rpm-5.99.90-3.fc43.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmp9ag8fqr6/rpm-5.99.90-3.fc43.src.rpm'
tool-version: csmock-3.8.1.20250422.172604.g26bc3d6-1.el9