rpm-5.99.90-3.fc43

List of Findings

Error: SHELLCHECK_WARNING (CWE-252): [#def1]
/usr/lib/rpm/brp-compress:10:1: warning[SC2164]: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.
#    8|   PREFIX=${1:-/usr}
#    9|   
#   10|-> cd "$RPM_BUILD_ROOT"
#   11|   
#   12|   # Compress man pages

Error: SHELLCHECK_WARNING (CWE-569): [#def2]
/usr/lib/rpm/brp-remove-la-files:12:55: warning[SC2227]: Redirection applies to the find command itself. Rewrite to work per action (or move to end).
#   10|   do
#   11|   
#   12|->   find "$RPM_BUILD_ROOT" -type $FILETYPE -name '*.la' 2>/dev/null -print0 |
#   13|       xargs -0 grep --fixed-strings '.la - a libtool library file' --files-with-matches --null |
#   14|       xargs -0 rm --force

Error: SHELLCHECK_WARNING: [#def3]
/usr/lib/rpm/brp-strip:32:3: warning[SC3043]: In POSIX sh, 'local' is undefined.
#   30|   strip_elf_binaries()
#   31|   {
#   32|->   local nlinks="${1}"
#   33|     local nprocs="${2}"
#   34|   

Error: SHELLCHECK_WARNING: [#def4]
/usr/lib/rpm/brp-strip:33:3: warning[SC3043]: In POSIX sh, 'local' is undefined.
#   31|   {
#   32|     local nlinks="${1}"
#   33|->   local nprocs="${2}"
#   34|   
#   35|     cd "$RPM_BUILD_ROOT" || return 0

Error: SHELLCHECK_WARNING (CWE-569): [#def5]
/usr/lib/rpm/check-files:26:15: warning[SC2064]: Use single quotes, otherwise this expands now rather than when signalled.
#   24|   
#   25|   # Ensure temporary file is cleaned up when we exit
#   26|-> trap "rm -f \"${FILES_DISK}\"" 0 2 3 5 10 13 15
#   27|   
#   28|   # Find non-directory files in the build root and compare to the manifest.

Error: SHELLCHECK_WARNING (CWE-398): [#def6]
/usr/lib/rpm/check-files:26:38: warning[SC2172]: Trapping signals by number is not well defined. Prefer signal names.
#   24|   
#   25|   # Ensure temporary file is cleaned up when we exit
#   26|-> trap "rm -f \"${FILES_DISK}\"" 0 2 3 5 10 13 15
#   27|   
#   28|   # Find non-directory files in the build root and compare to the manifest.

Error: SHELLCHECK_WARNING (CWE-398): [#def7]
/usr/lib/rpm/check-files:26:40: warning[SC2172]: Trapping signals by number is not well defined. Prefer signal names.
#   24|   
#   25|   # Ensure temporary file is cleaned up when we exit
#   26|-> trap "rm -f \"${FILES_DISK}\"" 0 2 3 5 10 13 15
#   27|   
#   28|   # Find non-directory files in the build root and compare to the manifest.

Error: SHELLCHECK_WARNING (CWE-398): [#def8]
/usr/lib/rpm/check-files:26:43: warning[SC2172]: Trapping signals by number is not well defined. Prefer signal names.
#   24|   
#   25|   # Ensure temporary file is cleaned up when we exit
#   26|-> trap "rm -f \"${FILES_DISK}\"" 0 2 3 5 10 13 15
#   27|   
#   28|   # Find non-directory files in the build root and compare to the manifest.

Error: SHELLCHECK_WARNING (CWE-138): [#def9]
/usr/lib/rpm/check-rpaths-worker:90:23: error[SC2145]: Argument mixes string and array. Use * or separate argument.
#   88|   
#   89|       shift 2
#   90|->     echo "$msg $code: $@" >&2
#   91|   
#   92|       test -z "$fail"

Error: SHELLCHECK_WARNING (CWE-563): [#def10]
/usr/lib/rpm/check-rpaths-worker:98:5: warning[SC2034]: rpath_orig appears unused. Verify use (or export if used externally).
#   96|       pos=0
#   97|       rpath=$(echo "$1" | LANG=C grep -E "\(($2)\).*:") || return 0
#   98|->     rpath_orig="$rpath"
#   99|       rpath=$(echo "$rpath" | LANG=C sed -e "s!.*\($2\).*: \[\(.*\)\]!\2!p;d")
#  100|       lower=$(echo $2 | awk '{print tolower($0)}')

Error: SHELLCHECK_WARNING (CWE-88): [#def11]
/usr/lib/rpm/find-lang.sh:133:13: error[SC2068]: Double quote array expansions to avoid re-splitting elements.
#  131|   fi
#  132|   
#  133|-> for NAME in ${NAMES[@]}; do
#  134|   
#  135|   find "$TOP_DIR" -type f -o -type l|sed '

Error: SHELLCHECK_WARNING (CWE-569): [#def12]
/usr/lib/rpm/ocamldeps.sh:232:30: warning[SC2124]: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
#  230|   export rpm_prefix_implementation
#  231|   export mode
#  232|-> export ignore_implementation="${ignore_implementation_a[@]}"
#  233|   export ignore_interface="${ignore_interface_a[@]}"
#  234|   #

Error: SHELLCHECK_WARNING (CWE-569): [#def13]
/usr/lib/rpm/ocamldeps.sh:233:25: warning[SC2124]: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
#  231|   export mode
#  232|   export ignore_implementation="${ignore_implementation_a[@]}"
#  233|-> export ignore_interface="${ignore_interface_a[@]}"
#  234|   #
#  235|   while read filename

Error: SHELLCHECK_WARNING (CWE-569): [#def14]
/usr/lib/rpm/rpm-setup-autosign:17:13: warning[SC2048]: Use "$@" (with quotes) to prevent whitespace problems.
#   15|   function log()
#   16|   {
#   17|->     echo -e $* 1>&2
#   18|   }
#   19|   

Error: SHELLCHECK_WARNING (CWE-569): [#def15]
/usr/lib/rpm/rpm-setup-autosign:22:9: warning[SC2048]: Use "$@" (with quotes) to prevent whitespace problems.
#   20|   function error()
#   21|   {
#   22|->     log $*
#   23|       exit 1
#   24|   }

Error: SHELLCHECK_WARNING (CWE-571): [#def16]
/usr/lib/rpm/rpm-setup-autosign:42:11: warning[SC2155]: Declare and assign separately to avoid masking return values.
#   40|   {
#   41|       log "Generating key ${email}"
#   42|->     local keyfp=$(sq key generate \
#   43|                        --batch \
#   44|                        --quiet \

Error: SHELLCHECK_WARNING: [#def17]
/usr/lib/rpm/rpm2cpio.sh:13:2: warning[SC3043]: In POSIX sh, 'local' is undefined.
#   11|   
#   12|   _dd() {
#   13|-> 	local o="$1"; shift
#   14|   	dd if="$pkg" skip="$o" iflag=skip_bytes status=none $*
#   15|   }

Error: SHELLCHECK_WARNING (CWE-569): [#def18]
/usr/lib/rpm/rpm2cpio.sh:14:54: warning[SC2048]: Use "$@" (with quotes) to prevent whitespace problems.
#   12|   _dd() {
#   13|   	local o="$1"; shift
#   14|-> 	dd if="$pkg" skip="$o" iflag=skip_bytes status=none $*
#   15|   }
#   16|   

Error: SHELLCHECK_WARNING: [#def19]
/usr/lib/rpm/rpm2cpio.sh:26:2: warning[SC3043]: In POSIX sh, 'local' is undefined.
#   24|   	offset=$(($1 + 8))
#   25|   
#   26|-> 	local i b b0 b1 b2 b3 b4 b5 b6 b7
#   27|   
#   28|   	i=0

Error: SHELLCHECK_WARNING (CWE-563): [#def20]
/usr/lib/rpm/rpm2cpio.sh:55:1: warning[SC2034]: hdrsize appears unused. Verify use (or export if used externally).
#   53|   
#   54|   calcsize $(($offset + (8 - ($sigsize % 8)) % 8))
#   55|-> hdrsize=$rsize
#   56|   
#   57|   case "$(_dd $offset bs=2 count=1 | tr -d '\0')" in

Error: SHELLCHECK_WARNING (CWE-569): [#def21]
/usr/lib/rpm/tgpg:4:12: warning[SC2048]: Use "$@" (with quotes) to prevent whitespace problems.
#    2|   
#    3|   
#    4|-> for pkg in $*
#    5|   do
#    6|       if [ "$pkg" = "" ] || [ ! -e "$pkg" ]; then

Error: SHELLCHECK_WARNING (CWE-156): [#def22]
/usr/lib/rpm/tgpg:21:9: warning[SC2046]: Quote this to prevent word splitting.
#   19|       o=`expr $leadsize + 8`
#   20|   
#   21|->     set `od -j $o -N 8 -t u1 $pkg`
#   22|       il=`expr 256 \* \( 256 \* \( 256 \* $2 + $3 \) + $4 \) + $5`
#   23|       dl=`expr 256 \* \( 256 \* \( 256 \* $6 + $7 \) + $8 \) + $9`

Error: COMPILER_WARNING (CWE-686): [#def23]
rpm-5.99.90/_build/CMakeFiles/CMakeScratch/TryCompile-Ksqdx0/CheckFunctionExists.c:7:3: warning[-Wbuiltin-declaration-mismatch]: conflicting types for built-in function ‘stpcpy’; expected ‘char *(char *, const char *)’

Error: COMPILER_WARNING (CWE-686): [#def24]
rpm-5.99.90/_build/CMakeFiles/CMakeScratch/TryCompile-W18FmW/CheckFunctionExists.c:7:3: warning[-Wbuiltin-declaration-mismatch]: conflicting types for built-in function ‘stpncpy’; expected ‘char *(char *, const char *, long unsigned int)’

Error: COMPILER_WARNING (CWE-686): [#def25]
rpm-5.99.90/_build/CMakeFiles/CMakeScratch/TryCompile-maoYOW/CheckFunctionExists.c:7:3: warning[-Wbuiltin-declaration-mismatch]: conflicting types for built-in function ‘mempcpy’; expected ‘void *(void *, const void *, long unsigned int)’

Error: CPPCHECK_WARNING (CWE-758): [#def26]
rpm-5.99.90/include/rpm/rpmbuild.h:43: error[shiftTooManyBitsSigned]: Shifting signed 32-bit value by 31 bits is undefined behaviour
#   41|       RPMBUILD_MKBUILDDIR	= (1 << 23),	/*!< Internal use only */
#   42|   
#   43|->     RPMBUILD_NOBUILD	= (1 << 31)	/*!< Don't execute or package. */
#   44|   };
#   45|   

Error: CPPCHECK_WARNING (CWE-758): [#def27]
rpm-5.99.90/include/rpm/rpmfiles.h:91: error[shiftTooManyBitsSigned]: Shifting signed 32-bit value by 31 bits is undefined behaviour
#   89|       RPMVERIFY_READFAIL	= (1 << 29),	/*!< file read failed */
#   90|       RPMVERIFY_LSTATFAIL	= (1 << 30),	/*!< lstat failed */
#   91|->     RPMVERIFY_LGETFILECONFAIL	= (1 << 31)	/*!< lgetfilecon failed */
#   92|   };
#   93|   

Error: CPPCHECK_WARNING (CWE-758): [#def28]
rpm-5.99.90/include/rpm/rpmplugin.h:25: error[shiftTooManyBitsSigned]: Shifting signed 32-bit value by 31 bits is undefined behaviour
#   23|   enum rpmFileActionFlags_e {
#   24|       /* bits 0-15 reserved for actions */
#   25|->     FAF_UNOWNED		= (1 << 31)
#   26|   };
#   27|   typedef rpmFlags rpmFileActionFlags;

Error: CPPCHECK_WARNING (CWE-758): [#def29]
rpm-5.99.90/include/rpm/rpmts.h:60: error[shiftTooManyBitsSigned]: Shifting signed 32-bit value by 31 bits is undefined behaviour
#   58|       RPMTRANS_FLAG_NOARTIFACTS	= (1 << 29),	/*!< from --noartifacts */
#   59|       RPMTRANS_FLAG_NOCONFIGS	= (1 << 30),	/*!< from --noconfigs */
#   60|->     RPMTRANS_FLAG_DEPLOOPS	= (1 << 31)	/*!< from --deploops */
#   61|   };
#   62|   

Error: CPPCHECK_WARNING (CWE-476): [#def30]
rpm-5.99.90/lib/depends.cc:819: warning[nullPointer]: Possible null pointer dereference: dep
#  817|   	dep = rpmdsN(depds);
#  818|       if (neg) {
#  819|-> 	ndep = (char *)xmalloc(strlen(dep) + 2);
#  820|   	ndep[0] = '!';
#  821|   	strcpy(ndep + 1, dep);

Error: CPPCHECK_WARNING (CWE-476): [#def31]
rpm-5.99.90/lib/depends.cc:821: warning[nullPointer]: Possible null pointer dereference: dep
#  819|   	ndep = (char *)xmalloc(strlen(dep) + 2);
#  820|   	ndep[0] = '!';
#  821|-> 	strcpy(ndep + 1, dep);
#  822|   	dep = ndep;
#  823|       }

Error: CPPCHECK_WARNING (CWE-457): [#def32]
rpm-5.99.90/lib/header.cc:886: error[uninitvar]: Uninitialized variables: &key.data, &key.length, &key.rdlen
#  884|       key.info.tag = tag;
#  885|   
#  886|->     entry = (indexEntry)bsearch(&key, h->index, h->indexUsed, sizeof(*h->index), indexCmp);
#  887|       if (entry == NULL)
#  888|   	return NULL;

Error: CPPCHECK_WARNING (CWE-476): [#def33]
rpm-5.99.90/lib/tagexts.cc:907: warning[nullPointerOutOfMemory]: If memory allocation fails, then there is a possible null pointer dereference: e
#  905|       if (!headerGet(h, RPMTAG_EPOCH, td, HEADERGET_ALLOC)) {
#  906|   	uint32_t *e = (uint32_t *)malloc(sizeof(*e));
#  907|-> 	*e = 0;
#  908|   	td->data = e;
#  909|   	td->type = RPM_INT32_TYPE;

Error: CPPCHECK_WARNING (CWE-476): [#def34]
rpm-5.99.90/rpmio/rpmlua.cc:846: warning[nullPointer]: Possible null pointer dereference: argv
#  844|       rpmSetCloseOnExec();
#  845|   
#  846|->     status = posix_spawnp(&pid, argv[0], fap, NULL, argv, environ);
#  847|   
#  848|       argvFree(argv);

Error: CPPCHECK_WARNING (CWE-476): [#def35]
rpm-5.99.90/tools/rpmdump.cc:133: warning[nullPointerOutOfMemory]: If memory allocation fails, then there is a possible null pointer dereference: blob
#  131|   
#  132|       blob = (uint32_t *)malloc(sizeof(numEntries) + sizeof(numBytes) + headerLen);
#  133|->     blob[0] = htonl(numEntries);
#  134|       blob[1] = htonl(numBytes);
#  135|   

Error: CPPCHECK_WARNING (CWE-476): [#def36]
rpm-5.99.90/tools/rpmdump.cc:134: warning[nullPointerOutOfMemory]: If memory allocation fails, then there is a possible null pointer dereference: blob
#  132|       blob = (uint32_t *)malloc(sizeof(numEntries) + sizeof(numBytes) + headerLen);
#  133|       blob[0] = htonl(numEntries);
#  134|->     blob[1] = htonl(numBytes);
#  135|   
#  136|       pe = (struct entryInfo *) &(blob[2]);

Error: CPPCHECK_WARNING (CWE-682): [#def37]
rpm-5.99.90/tools/rpmdump.cc:144: error[nullPointerArithmeticOutOfMemory]: If memory allocation fail: pointer addition with NULL pointer.
#  142|   
#  143|       
#  144|->     if (read(fd, blob+2, headerLen) != headerLen) {
#  145|   	fprintf(stderr, "reading %d bytes of header fail\n", headerLen);
#  146|   	goto exit;

Scan Properties

analyzer-version-clippy: 1.86.0
analyzer-version-cppcheck: 2.17.1
analyzer-version-gcc: 15.0.1
analyzer-version-gcc-analyzer: 15.0.1
analyzer-version-shellcheck: 0.10.0
analyzer-version-unicontrol: 0.0.2
enabled-plugins: clippy, cppcheck, gcc, shellcheck, unicontrol
exit-code: 0
host: ip-172-16-1-154.us-west-2.compute.internal
known-false-positives: /usr/share/csmock/known-false-positives.js
known-false-positives-rpm: known-false-positives-0.0.0.20250425.124705.g1c7c448.main-1.el9.noarch
mock-config: fedora-rawhide-x86_64
project-name: rpm-5.99.90-3.fc43
store-results-to: /tmp/tmp9ag8fqr6/rpm-5.99.90-3.fc43.tar.xz
time-created: 2025-04-25 15:38:51
time-finished: 2025-04-25 15:41:08
tool: csmock
tool-args: '/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'unicontrol,cppcheck,gcc,clippy,shellcheck' '-o' '/tmp/tmp9ag8fqr6/rpm-5.99.90-3.fc43.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmp9ag8fqr6/rpm-5.99.90-3.fc43.src.rpm'
tool-version: csmock-3.8.1.20250422.172604.g26bc3d6-1.el9