Error: SHELLCHECK_WARNING (CWE-563): [#def1] /usr/bin/neon-config:6:1: warning[SC2034]: exec_prefix appears unused. Verify use (or export if used externally). # 4| # 5| prefix=/usr # 6|-> exec_prefix=/usr # 7| includedir=/usr/include # 8| libdir=/usr/lib64 Error: SHELLCHECK_WARNING (CWE-563): [#def2] /usr/bin/neon-config:7:1: warning[SC2034]: includedir appears unused. Verify use (or export if used externally). # 5| prefix=/usr # 6| exec_prefix=/usr # 7|-> includedir=/usr/include # 8| libdir=/usr/lib64 # 9| Error: CPPCHECK_WARNING (CWE-562): [#def3] neon-0.36.0/src/ne_alloc.c:91: error[returnDanglingLifetime]: Returning pointer to local variable 'ret' that will be invalid when returning. # 89| char *ret; # 90| DO_MALLOC(ret, strlen(s) + 1); # 91|-> return strcpy(ret, s); # 92| } # 93| Error: GCC_ANALYZER_WARNING (CWE-465): [#def4] neon-0.36.0/src/ne_auth.c:1205:20: warning[-Wanalyzer-deref-before-check]: check of 'pnt' for NULL after already dereferencing it neon-0.36.0/src/ne_auth.c:1256:12: enter_function: entry to 'verify_digest_response' neon-0.36.0/src/ne_auth.c:1271:12: call_function: calling 'tokenize' from 'verify_digest_response' # 1203| case BEFORE_EQ: # 1204| if (*pnt == '=') { # 1205|-> if (*key == NULL) # 1206| return -1; # 1207| *pnt = '\0'; Error: GCC_ANALYZER_WARNING (CWE-465): [#def5] neon-0.36.0/src/ne_auth.c:1210:24: warning[-Wanalyzer-deref-before-check]: check of 'pnt' for NULL after already dereferencing it neon-0.36.0/src/ne_auth.c:1438:12: enter_function: entry to 'auth_challenge' neon-0.36.0/src/ne_auth.c:1451:13: call_function: calling 'tokenize' from 'auth_challenge' # 1208| *value = pnt + 1; # 1209| state = AFTER_EQ; # 1210|-> } else if ((*pnt == ' ' || *pnt == ',') # 1211| && ischall && *key != NULL) { # 1212| *value = NULL; Error: GCC_ANALYZER_WARNING (CWE-465): [#def6] neon-0.36.0/src/ne_auth.c:1217:23: warning[-Wanalyzer-deref-before-check]: check of 'pnt' for NULL after already dereferencing it neon-0.36.0/src/ne_auth.c:1256:12: enter_function: entry to 'verify_digest_response' neon-0.36.0/src/ne_auth.c:1271:12: call_function: calling 'tokenize' from 'verify_digest_response' # 1215| *hdr = pnt + 1; # 1216| return 0; # 1217|-> } else if (*key == NULL && strchr(" \r\n\t", *pnt) == NULL) { # 1218| *key = pnt; # 1219| } Error: GCC_ANALYZER_WARNING (CWE-465): [#def7] neon-0.36.0/src/ne_auth.c:1239:9: warning[-Wanalyzer-deref-before-check]: check of 'pnt' for NULL after already dereferencing it neon-0.36.0/src/ne_auth.c:1438:12: enter_function: entry to 'auth_challenge' neon-0.36.0/src/ne_auth.c:1451:13: call_function: calling 'tokenize' from 'auth_challenge' # 1237| } while (*++pnt != '\0'); # 1238| # 1239|-> if (state == BEFORE_EQ && ischall && *key != NULL) { # 1240| *value = NULL; # 1241| if (sep) *sep = '\0'; Error: GCC_ANALYZER_WARNING (CWE-457): [#def8] neon-0.36.0/src/ne_auth.c:1272:15: warning[-Wanalyzer-use-of-uninitialized-value]: use of uninitialized value 'val' neon-0.36.0/src/ne_auth.c:1256:12: enter_function: entry to 'verify_digest_response' neon-0.36.0/src/ne_auth.c:1271:12: call_function: calling 'tokenize' from 'verify_digest_response' neon-0.36.0/src/ne_auth.c:1271:12: return_function: returning to 'verify_digest_response' from 'tokenize' neon-0.36.0/src/ne_auth.c:1271:12: branch_true: following 'true' branch... neon-0.36.0/src/ne_auth.c:1272:15: branch_true: ...to here neon-0.36.0/src/ne_auth.c:1272:15: danger: use of uninitialized value 'val' here # 1270| # 1271| while (tokenize(&pnt, &key, &val, NULL, 0) == 0) { # 1272|-> val = ne_shave(val, "\""); # 1273| # 1274| if (ne_strcasecmp(key, "qop") == 0) { Error: GCC_ANALYZER_WARNING (CWE-404): [#def9] neon-0.36.0/src/ne_auth.c:1422:11: warning[-Wanalyzer-va-list-leak]: missing call to 'va_end' neon-0.36.0/src/ne_auth.c:1421:5: acquire_resource: 'va_start' called here neon-0.36.0/src/ne_auth.c:1422:11: throw: if 'ne_vsnprintf' throws an exception... neon-0.36.0/src/ne_auth.c:1422:11: danger: missing call to 'va_end' to match 'va_start' at [(1)](sarif:/runs/0/results/11/codeFlows/0/threadFlows/0/locations/0) # 1420| # 1421| va_start(ap, fmt); # 1422|-> len = ne_vsnprintf(err, sizeof err, fmt, ap); # 1423| va_end(ap); # 1424| NE_DEBUG(NE_DBG_HTTPAUTH, "auth: Challenge error: %s\n", err); Error: GCC_ANALYZER_WARNING (CWE-476): [#def10] neon-0.36.0/src/ne_basic.c:325:5: warning[-Wanalyzer-null-dereference]: dereference of NULL 'stype' neon-0.36.0/src/ne_basic.c:317:8: branch_false: following 'false' branch... neon-0.36.0/src/ne_basic.c:317:26: branch_false: ...to here neon-0.36.0/src/ne_basic.c:317:9: branch_false: following 'false' branch... neon-0.36.0/src/ne_basic.c:321:17: branch_false: ...to here neon-0.36.0/src/ne_basic.c:325:5: danger: dereference of NULL 'stype' # 323| stype = strchr(ct->value, '/'); # 324| # 325|-> *stype++ = '\0'; # 326| ct->type = ct->value; # 327| ct->charset = NULL; Error: GCC_ANALYZER_WARNING (CWE-476): [#def11] neon-0.36.0/src/ne_md5.c:403:5: warning[-Wanalyzer-null-dereference]: dereference of NULL 'ctx' neon-0.36.0/src/ne_md5.c:528:1: enter_function: entry to 'ne_md5_stream' neon-0.36.0/src/ne_md5.c:555:14: branch_false: following 'false' branch... neon-0.36.0/src/ne_md5.c:556:10: branch_false: ...to here neon-0.36.0/src/ne_md5.c:556:10: branch_false: following 'false' branch... neon-0.36.0/src/ne_md5.c:566:7: branch_false: ...to here neon-0.36.0/src/ne_md5.c:566:7: call_function: calling 'ne_md5_process_block' from 'ne_md5_stream' # 401| struct ne_md5_ctx *ctx) # 402| { # 403|-> EVP_DigestUpdate(ctx->ctx, buffer, len); # 404| } # 405| Error: GCC_ANALYZER_WARNING (CWE-476): [#def12] neon-0.36.0/src/ne_md5.c:409:5: warning[-Wanalyzer-null-dereference]: dereference of NULL 'ctx' neon-0.36.0/src/ne_md5.c:528:1: enter_function: entry to 'ne_md5_stream' neon-0.36.0/src/ne_md5.c:555:14: branch_true: following 'true' branch... neon-0.36.0/src/ne_md5.c:555:14: branch_true: ...to here neon-0.36.0/src/ne_md5.c:556:10: branch_true: following 'true' branch... neon-0.36.0/src/ne_md5.c:556:21: branch_true: ...to here neon-0.36.0/src/ne_md5.c:556:11: branch_false: following 'false' branch... neon-0.36.0/src/ne_md5.c:570:6: branch_false: ...to here neon-0.36.0/src/ne_md5.c:570:6: branch_true: following 'true' branch (when 'sum != 0')... neon-0.36.0/src/ne_md5.c:571:5: branch_true: ...to here neon-0.36.0/src/ne_md5.c:571:5: call_function: calling 'ne_md5_process_bytes' from 'ne_md5_stream' # 407| struct ne_md5_ctx *ctx) # 408| { # 409|-> EVP_DigestUpdate(ctx->ctx, buffer, len); # 410| } # 411| Error: GCC_ANALYZER_WARNING (CWE-476): [#def13] neon-0.36.0/src/ne_md5.c:415:5: warning[-Wanalyzer-null-dereference]: dereference of NULL 'ctx' neon-0.36.0/src/ne_md5.c:528:1: enter_function: entry to 'ne_md5_stream' neon-0.36.0/src/ne_md5.c:556:10: branch_true: following 'true' branch... neon-0.36.0/src/ne_md5.c:556:21: branch_true: ...to here neon-0.36.0/src/ne_md5.c:556:11: branch_false: following 'false' branch... neon-0.36.0/src/ne_md5.c:570:6: branch_false: ...to here neon-0.36.0/src/ne_md5.c:570:6: branch_false: following 'false' branch (when 'sum == 0')... neon-0.36.0/src/ne_md5.c:574:3: branch_false: ...to here neon-0.36.0/src/ne_md5.c:574:3: call_function: calling 'ne_md5_finish_ctx' from 'ne_md5_stream' # 413| { # 414| unsigned int len = MD5_DIGEST_LENGTH; # 415|-> EVP_DigestFinal(ctx->ctx, resbuf, &len); # 416| return resbuf; # 417| } Error: COMPILER_WARNING (CWE-477): [#def14] neon-0.36.0/src/ne_ntlm.c: scope_hint: In function 'setup_des_key' neon-0.36.0/src/ne_ntlm.c:262:3: warning[-Wdeprecated-declarations]: 'DES_set_odd_parity' is deprecated: Since OpenSSL 3.0 # 262 | DES_set_odd_parity(&key); # | ^~~~~~~~~~~~~~~~~~ neon-0.36.0/src/ne_ntlm.c:171: included_from: Included from here. /usr/include/openssl/des.h:176:28: note: declared here # 176 | OSSL_DEPRECATEDIN_3_0 void DES_set_odd_parity(DES_cblock *key); # | ^~~~~~~~~~~~~~~~~~ # 260| key[7] = (key_56[6] << 1) & 0xFF; # 261| # 262|-> DES_set_odd_parity(&key); # 263| DES_set_key(&key, ks); # 264| } Error: COMPILER_WARNING (CWE-477): [#def15] neon-0.36.0/src/ne_ntlm.c:262:3: warning[-Wdeprecated-declarations]: 'DES_set_odd_parity' is deprecated: Since OpenSSL 3.0 # 260| key[7] = (key_56[6] << 1) & 0xFF; # 261| # 262|-> DES_set_odd_parity(&key); # 263| DES_set_key(&key, ks); # 264| } Error: COMPILER_WARNING (CWE-477): [#def16] neon-0.36.0/src/ne_ntlm.c:263:3: warning[-Wdeprecated-declarations]: 'DES_set_key' is deprecated: Since OpenSSL 3.0 # 263 | DES_set_key(&key, ks); # | ^~~~~~~~~~~ /usr/include/openssl/des.h:186:5: note: declared here # 186 | int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule); # | ^~~~~~~~~~~ # 261| # 262| DES_set_odd_parity(&key); # 263|-> DES_set_key(&key, ks); # 264| } # 265| Error: COMPILER_WARNING (CWE-477): [#def17] neon-0.36.0/src/ne_ntlm.c:263:3: warning[-Wdeprecated-declarations]: 'DES_set_key' is deprecated: Since OpenSSL 3.0 # 261| # 262| DES_set_odd_parity(&key); # 263|-> DES_set_key(&key, ks); # 264| } # 265| Error: CPPCHECK_WARNING (CWE-457): [#def18] neon-0.36.0/src/ne_ntlm.c:277: error[uninitvar]: Uninitialized variable: ks # 275| DES_key_schedule ks; # 276| # 277|-> setup_des_key(keys, DESKEY(ks)); # 278| DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) results, # 279| DESKEY(ks), DES_ENCRYPT); Error: COMPILER_WARNING (CWE-477): [#def19] neon-0.36.0/src/ne_ntlm.c: scope_hint: In function 'calc_resp' neon-0.36.0/src/ne_ntlm.c:278:3: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 278 | DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) results, # | ^~~~~~~~~~~~~~~ /usr/include/openssl/des.h:105:6: note: declared here # 105 | void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, # | ^~~~~~~~~~~~~~~ # 276| # 277| setup_des_key(keys, DESKEY(ks)); # 278|-> DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) results, # 279| DESKEY(ks), DES_ENCRYPT); # 280| Error: COMPILER_WARNING (CWE-477): [#def20] neon-0.36.0/src/ne_ntlm.c:278:3: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 276| # 277| setup_des_key(keys, DESKEY(ks)); # 278|-> DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) results, # 279| DESKEY(ks), DES_ENCRYPT); # 280| Error: COMPILER_WARNING (CWE-477): [#def21] neon-0.36.0/src/ne_ntlm.c:282:3: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 282 | DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+8), # | ^~~~~~~~~~~~~~~ /usr/include/openssl/des.h:105:6: note: declared here # 105 | void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, # | ^~~~~~~~~~~~~~~ # 280| # 281| setup_des_key(keys+7, DESKEY(ks)); # 282|-> DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+8), # 283| DESKEY(ks), DES_ENCRYPT); # 284| Error: COMPILER_WARNING (CWE-477): [#def22] neon-0.36.0/src/ne_ntlm.c:282:3: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 280| # 281| setup_des_key(keys+7, DESKEY(ks)); # 282|-> DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+8), # 283| DESKEY(ks), DES_ENCRYPT); # 284| Error: COMPILER_WARNING (CWE-477): [#def23] neon-0.36.0/src/ne_ntlm.c:286:3: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 286 | DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+16), # | ^~~~~~~~~~~~~~~ /usr/include/openssl/des.h:105:6: note: declared here # 105 | void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, # | ^~~~~~~~~~~~~~~ # 284| # 285| setup_des_key(keys+14, DESKEY(ks)); # 286|-> DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+16), # 287| DESKEY(ks), DES_ENCRYPT); # 288| } Error: COMPILER_WARNING (CWE-477): [#def24] neon-0.36.0/src/ne_ntlm.c:286:3: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 284| # 285| setup_des_key(keys+14, DESKEY(ks)); # 286|-> DES_ecb_encrypt((DES_cblock*) plaintext, (DES_cblock*) (results+16), # 287| DESKEY(ks), DES_ENCRYPT); # 288| } Error: CPPCHECK_WARNING (CWE-457): [#def25] neon-0.36.0/src/ne_ntlm.c:330: error[uninitvar]: Uninitialized variable: ks # 328| DES_key_schedule ks; # 329| # 330|-> setup_des_key(pw, DESKEY(ks)); # 331| DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)lmbuffer, # 332| DESKEY(ks), DES_ENCRYPT); Error: COMPILER_WARNING (CWE-477): [#def26] neon-0.36.0/src/ne_ntlm.c: scope_hint: In function 'mkhash' neon-0.36.0/src/ne_ntlm.c:331:5: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 331 | DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)lmbuffer, # | ^~~~~~~~~~~~~~~ /usr/include/openssl/des.h:105:6: note: declared here # 105 | void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, # | ^~~~~~~~~~~~~~~ # 329| # 330| setup_des_key(pw, DESKEY(ks)); # 331|-> DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)lmbuffer, # 332| DESKEY(ks), DES_ENCRYPT); # 333| Error: COMPILER_WARNING (CWE-477): [#def27] neon-0.36.0/src/ne_ntlm.c:331:5: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 329| # 330| setup_des_key(pw, DESKEY(ks)); # 331|-> DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)lmbuffer, # 332| DESKEY(ks), DES_ENCRYPT); # 333| Error: COMPILER_WARNING (CWE-477): [#def28] neon-0.36.0/src/ne_ntlm.c:335:5: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 335 | DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8), # | ^~~~~~~~~~~~~~~ /usr/include/openssl/des.h:105:6: note: declared here # 105 | void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, # | ^~~~~~~~~~~~~~~ # 333| # 334| setup_des_key(pw+7, DESKEY(ks)); # 335|-> DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8), # 336| DESKEY(ks), DES_ENCRYPT); # 337| Error: COMPILER_WARNING (CWE-477): [#def29] neon-0.36.0/src/ne_ntlm.c:335:5: warning[-Wdeprecated-declarations]: 'DES_ecb_encrypt' is deprecated: Since OpenSSL 3.0 # 333| # 334| setup_des_key(pw+7, DESKEY(ks)); # 335|-> DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8), # 336| DESKEY(ks), DES_ENCRYPT); # 337| Error: COMPILER_WARNING (CWE-477): [#def30] neon-0.36.0/src/ne_ntlm.c:355:5: warning[-Wdeprecated-declarations]: 'MD4_Init' is deprecated: Since OpenSSL 3.0 # 355 | MD4_Init(&md4); # | ^~~~~~~~ neon-0.36.0/src/ne_ntlm.c:172: included_from: Included from here. /usr/include/openssl/md4.h:50:27: note: declared here # 50 | OSSL_DEPRECATEDIN_3_0 int MD4_Init(MD4_CTX *c); # | ^~~~~~~~ # 353| } # 354| # 355|-> MD4_Init(&md4); # 356| MD4_Update(&md4, pw, 2*len); # 357| MD4_Final(ntbuffer, &md4); Error: COMPILER_WARNING (CWE-477): [#def31] neon-0.36.0/src/ne_ntlm.c:355:5: warning[-Wdeprecated-declarations]: 'MD4_Init' is deprecated: Since OpenSSL 3.0 # 353| } # 354| # 355|-> MD4_Init(&md4); # 356| MD4_Update(&md4, pw, 2*len); # 357| MD4_Final(ntbuffer, &md4); Error: COMPILER_WARNING (CWE-477): [#def32] neon-0.36.0/src/ne_ntlm.c:356:5: warning[-Wdeprecated-declarations]: 'MD4_Update' is deprecated: Since OpenSSL 3.0 # 356 | MD4_Update(&md4, pw, 2*len); # | ^~~~~~~~~~ /usr/include/openssl/md4.h:51:27: note: declared here # 51 | OSSL_DEPRECATEDIN_3_0 int MD4_Update(MD4_CTX *c, const void *data, size_t len); # | ^~~~~~~~~~ # 354| # 355| MD4_Init(&md4); # 356|-> MD4_Update(&md4, pw, 2*len); # 357| MD4_Final(ntbuffer, &md4); # 358| Error: COMPILER_WARNING (CWE-477): [#def33] neon-0.36.0/src/ne_ntlm.c:356:5: warning[-Wdeprecated-declarations]: 'MD4_Update' is deprecated: Since OpenSSL 3.0 # 354| # 355| MD4_Init(&md4); # 356|-> MD4_Update(&md4, pw, 2*len); # 357| MD4_Final(ntbuffer, &md4); # 358| Error: COMPILER_WARNING (CWE-477): [#def34] neon-0.36.0/src/ne_ntlm.c:357:5: warning[-Wdeprecated-declarations]: 'MD4_Final' is deprecated: Since OpenSSL 3.0 # 357 | MD4_Final(ntbuffer, &md4); # | ^~~~~~~~~ /usr/include/openssl/md4.h:52:27: note: declared here # 52 | OSSL_DEPRECATEDIN_3_0 int MD4_Final(unsigned char *md, MD4_CTX *c); # | ^~~~~~~~~ # 355| MD4_Init(&md4); # 356| MD4_Update(&md4, pw, 2*len); # 357|-> MD4_Final(ntbuffer, &md4); # 358| # 359| memset(ntbuffer+16, 0, 5); Error: COMPILER_WARNING (CWE-477): [#def35] neon-0.36.0/src/ne_ntlm.c:357:5: warning[-Wdeprecated-declarations]: 'MD4_Final' is deprecated: Since OpenSSL 3.0 # 355| MD4_Init(&md4); # 356| MD4_Update(&md4, pw, 2*len); # 357|-> MD4_Final(ntbuffer, &md4); # 358| # 359| memset(ntbuffer+16, 0, 5); Error: GCC_ANALYZER_WARNING (CWE-775): [#def36] neon-0.36.0/src/ne_openssl.c:953:11: warning[-Wanalyzer-file-leak]: leak of FILE 'fopen(filename, "rb")' neon-0.36.0/src/ne_openssl.c:949:10: acquire_resource: opened here neon-0.36.0/src/ne_openssl.c:950:8: branch_false: following 'false' branch... neon-0.36.0/src/ne_openssl.c:953:11: branch_false: ...to here neon-0.36.0/src/ne_openssl.c:953:11: throw: if 'd2i_PKCS12_fp' throws an exception... neon-0.36.0/src/ne_openssl.c:953:11: danger: 'fopen(filename, "rb")' leaks here; was opened at [(1)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/0) # 951| return NULL; # 952| # 953|-> p12 = d2i_PKCS12_fp(fp, NULL); # 954| # 955| fclose(fp); Error: GCC_ANALYZER_WARNING (CWE-401): [#def37] neon-0.36.0/src/ne_openssl.c:953:11: warning[-Wanalyzer-malloc-leak]: leak of 'fopen(filename, "rb")' neon-0.36.0/src/ne_openssl.c:949:10: acquire_memory: allocated here neon-0.36.0/src/ne_openssl.c:950:8: branch_false: following 'false' branch... neon-0.36.0/src/ne_openssl.c:953:11: branch_false: ...to here neon-0.36.0/src/ne_openssl.c:953:11: throw: if 'd2i_PKCS12_fp' throws an exception... neon-0.36.0/src/ne_openssl.c:953:11: danger: 'fopen(filename, "rb")' leaks here; was allocated at [(1)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/0) # 951| return NULL; # 952| # 953|-> p12 = d2i_PKCS12_fp(fp, NULL); # 954| # 955| fclose(fp); Error: GCC_ANALYZER_WARNING (CWE-775): [#def38] neon-0.36.0/src/ne_openssl.c:1209:12: warning[-Wanalyzer-file-leak]: leak of FILE 'fopen(filename, "r")' neon-0.36.0/src/ne_openssl.c:1203:16: acquire_resource: opened here neon-0.36.0/src/ne_openssl.c:1206:8: branch_false: following 'false' branch... neon-0.36.0/src/ne_openssl.c:1209:12: branch_false: ...to here neon-0.36.0/src/ne_openssl.c:1209:12: throw: if 'PEM_read_X509' throws an exception... neon-0.36.0/src/ne_openssl.c:1209:12: danger: 'fopen(filename, "r")' leaks here; was opened at [(1)](sarif:/runs/0/results/2/codeFlows/0/threadFlows/0/locations/0) # 1207| return NULL; # 1208| # 1209|-> cert = PEM_read_X509(fp, NULL, NULL, NULL); # 1210| fclose(fp); # 1211| Error: GCC_ANALYZER_WARNING (CWE-401): [#def39] neon-0.36.0/src/ne_openssl.c:1209:12: warning[-Wanalyzer-malloc-leak]: leak of 'fopen(filename, "r")' neon-0.36.0/src/ne_openssl.c:1203:16: acquire_memory: allocated here neon-0.36.0/src/ne_openssl.c:1206:8: branch_false: following 'false' branch... neon-0.36.0/src/ne_openssl.c:1209:12: branch_false: ...to here neon-0.36.0/src/ne_openssl.c:1209:12: throw: if 'PEM_read_X509' throws an exception... neon-0.36.0/src/ne_openssl.c:1209:12: danger: 'fopen(filename, "r")' leaks here; was allocated at [(1)](sarif:/runs/0/results/3/codeFlows/0/threadFlows/0/locations/0) # 1207| return NULL; # 1208| # 1209|-> cert = PEM_read_X509(fp, NULL, NULL, NULL); # 1210| fclose(fp); # 1211| Error: GCC_ANALYZER_WARNING (CWE-775): [#def40] neon-0.36.0/src/ne_openssl.c:1228:28: warning[-Wanalyzer-file-leak]: leak of FILE 'fopen(filename, "w")' neon-0.36.0/src/ne_openssl.c:1224:16: acquire_resource: opened here neon-0.36.0/src/ne_openssl.c:1226:8: branch_false: following 'false' branch... neon-0.36.0/src/ne_openssl.c:1228:28: branch_false: ...to here neon-0.36.0/src/ne_openssl.c:1228:9: throw: if 'PEM_write_X509' throws an exception... neon-0.36.0/src/ne_openssl.c:1228:28: danger: 'fopen(filename, "w")' leaks here; was opened at [(1)](sarif:/runs/0/results/4/codeFlows/0/threadFlows/0/locations/0) # 1226| if (fp == NULL) return -1; # 1227| # 1228|-> if (PEM_write_X509(fp, cert->subject) != 1) { # 1229| ERR_clear_error(); # 1230| fclose(fp); Error: GCC_ANALYZER_WARNING (CWE-401): [#def41] neon-0.36.0/src/ne_openssl.c:1228:28: warning[-Wanalyzer-malloc-leak]: leak of 'fopen(filename, "w")' neon-0.36.0/src/ne_openssl.c:1224:16: acquire_memory: allocated here neon-0.36.0/src/ne_openssl.c:1226:8: branch_false: following 'false' branch... neon-0.36.0/src/ne_openssl.c:1228:28: branch_false: ...to here neon-0.36.0/src/ne_openssl.c:1228:9: throw: if 'PEM_write_X509' throws an exception... neon-0.36.0/src/ne_openssl.c:1228:28: danger: 'fopen(filename, "w")' leaks here; was allocated at [(1)](sarif:/runs/0/results/5/codeFlows/0/threadFlows/0/locations/0) # 1226| if (fp == NULL) return -1; # 1227| # 1228|-> if (PEM_write_X509(fp, cert->subject) != 1) { # 1229| ERR_clear_error(); # 1230| fclose(fp); Error: GCC_ANALYZER_WARNING (CWE-404): [#def42] neon-0.36.0/src/ne_request.c:674:5: warning[-Wanalyzer-va-list-leak]: missing call to 'va_end' neon-0.36.0/src/ne_request.c:673:5: acquire_resource: 'va_start' called here neon-0.36.0/src/ne_request.c:674:5: throw: if 'ne_vsnprintf' throws an exception... neon-0.36.0/src/ne_request.c:674:5: danger: missing call to 'va_end' to match 'va_start' at [(1)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/0) # 672| # 673| va_start(params, format); # 674|-> ne_vsnprintf(buf, sizeof buf, format, params); # 675| va_end(params); # 676| Error: COMPILER_WARNING (CWE-704): [#def43] neon-0.36.0/src/ne_session.c: scope_hint: In function 'set_hostinfo' neon-0.36.0/src/ne_session.c:190:23: warning[-Wdiscarded-qualifiers]: assignment discards 'const' qualifier from pointer target type # 190 | && (scope = strstr(v6start, V6_SCOPE_SEP)) != NULL) # | ^ # 188| # 189| if (hlen >= V6_SCOPE_MINLEN # 190|-> && (scope = strstr(v6start, V6_SCOPE_SEP)) != NULL) # 191| v6end = scope; # 192| else Error: COMPILER_WARNING (CWE-704): [#def44] neon-0.36.0/src/ne_session.c:190:23: warning[-Wdiscarded-qualifiers]: assignment discards 'const' qualifier from pointer target type # 188| # 189| if (hlen >= V6_SCOPE_MINLEN # 190|-> && (scope = strstr(v6start, V6_SCOPE_SEP)) != NULL) # 191| v6end = scope; # 192| else Error: GCC_ANALYZER_WARNING (CWE-404): [#def45] neon-0.36.0/src/ne_session.c:428:5: warning[-Wanalyzer-va-list-leak]: missing call to 'va_end' neon-0.36.0/src/ne_session.c:427:5: acquire_resource: 'va_start' called here neon-0.36.0/src/ne_session.c:428:5: throw: if 'ne_vsnprintf' throws an exception... neon-0.36.0/src/ne_session.c:428:5: danger: missing call to 'va_end' to match 'va_start' at [(1)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/0) # 426| # 427| va_start(params, format); # 428|-> ne_vsnprintf(sess->error, sizeof sess->error, format, params); # 429| va_end(params); # 430| } Error: COMPILER_WARNING (CWE-704): [#def46] neon-0.36.0/src/ne_socket.c: scope_hint: In function 'ne_addr_resolve' neon-0.36.0/src/ne_socket.c:1022:37: warning[-Wdiscarded-qualifiers]: assignment discards 'const' qualifier from pointer target type # 1022 | if (hostname[0] == '[' && ((pnt = strchr(hostname, ']')) != NULL)) { # | ^ # 1020| # 1021| #ifdef AF_INET6 # 1022|-> if (hostname[0] == '[' && ((pnt = strchr(hostname, ']')) != NULL)) { # 1023| char *hn = ne_strdup(hostname + 1); # 1024| hn[pnt - hostname - 1] = '\0'; Error: COMPILER_WARNING (CWE-704): [#def47] neon-0.36.0/src/ne_socket.c:1022:37: warning[-Wdiscarded-qualifiers]: assignment discards 'const' qualifier from pointer target type # 1020| # 1021| #ifdef AF_INET6 # 1022|-> if (hostname[0] == '[' && ((pnt = strchr(hostname, ']')) != NULL)) { # 1023| char *hn = ne_strdup(hostname + 1); # 1024| hn[pnt - hostname - 1] = '\0'; Error: GCC_ANALYZER_WARNING (CWE-775): [#def48] neon-0.36.0/src/ne_socket.c:1589:33: warning[-Wanalyzer-fd-leak]: leak of file descriptor 'fd' neon-0.36.0/src/ne_socket.c:1563:10: acquire_resource: socket created here neon-0.36.0/src/ne_socket.c:1567:8: branch_false: following 'false' branch (when 'fd >= 0')... neon-0.36.0/src/ne_socket.c:1589:9: branch_false: ...to here neon-0.36.0/src/ne_socket.c:1589:8: branch_true: following 'true' branch... neon-0.36.0/src/ne_socket.c:1589:33: branch_true: ...to here neon-0.36.0/src/ne_socket.c:1589:33: throw: if 'fcntl' throws an exception... neon-0.36.0/src/ne_socket.c:1589:33: danger: 'fd' leaks here # 1587| /* Set the FD_CLOEXEC bit for the new fd, if the socket was not # 1588| * created with the CLOEXEC bit already set. */ # 1589|-> if (!sock_cloexec && (ret = fcntl(fd, F_GETFD)) >= 0) { # 1590| fcntl(fd, F_SETFD, ret | FD_CLOEXEC); # 1591| /* ignore failure; not a critical error. */ Error: GCC_ANALYZER_WARNING (CWE-404): [#def49] neon-0.36.0/src/ne_socket.c:2140:5: warning[-Wanalyzer-va-list-leak]: missing call to 'va_end' neon-0.36.0/src/ne_socket.c:2139:5: acquire_resource: 'va_start' called here neon-0.36.0/src/ne_socket.c:2140:5: throw: if 'ne_vsnprintf' throws an exception... neon-0.36.0/src/ne_socket.c:2140:5: danger: missing call to 'va_end' to match 'va_start' at [(1)](sarif:/runs/0/results/3/codeFlows/0/threadFlows/0/locations/0) # 2138| # 2139| va_start(params, format); # 2140|-> ne_vsnprintf(sock->error, sizeof sock->error, format, params); # 2141| va_end(params); # 2142| } Error: COMPILER_WARNING (CWE-704): [#def50] neon-0.36.0/src/ne_string.c: scope_hint: In function 'ne_qtoken' neon-0.36.0/src/ne_string.c:70:22: warning[-Wdiscarded-qualifiers]: initialization discards 'const' qualifier from pointer target type # 70 | char *quot = strchr(quotes, *pnt); # | ^~~~~~ # 68| # 69| for (pnt = *str; *pnt != '\0'; pnt++) { # 70|-> char *quot = strchr(quotes, *pnt); # 71| # 72| if (quot) { Error: COMPILER_WARNING (CWE-704): [#def51] neon-0.36.0/src/ne_string.c:70:22: warning[-Wdiscarded-qualifiers]: initialization discards 'const' qualifier from pointer target type # 68| # 69| for (pnt = *str; *pnt != '\0'; pnt++) { # 70|-> char *quot = strchr(quotes, *pnt); # 71| # 72| if (quot) { Error: GCC_ANALYZER_WARNING (CWE-404): [#def52] neon-0.36.0/src/ne_string.c:680:10: warning[-Wanalyzer-va-list-leak]: missing call to 'va_end' neon-0.36.0/src/ne_string.c:679:5: acquire_resource: 'va_start' called here neon-0.36.0/src/ne_string.c:680:10: throw: if 'ne_vstrhash' throws an exception... neon-0.36.0/src/ne_string.c:680:10: danger: missing call to 'va_end' to match 'va_start' at [(1)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/0) # 678| # 679| va_start(ap, flags); # 680|-> rv = ne_vstrhash(flags, ap); # 681| va_end(ap); # 682| Error: COMPILER_WARNING (CWE-704): [#def53] neon-0.36.0/src/ne_xml.c: scope_hint: In function 'ne_xml_get_attr' neon-0.36.0/src/ne_xml.c:698:21: warning[-Wdiscarded-qualifiers]: initialization discards 'const' qualifier from pointer target type # 698 | char *pnt = strchr(attrs[n], ':'); # | ^~~~~~ # 696| # 697| for (n = 0; attrs[n] != NULL; n += 2) { # 698|-> char *pnt = strchr(attrs[n], ':'); # 699| # 700| if (!nspace && !pnt && strcmp(attrs[n], name) == 0) { Error: COMPILER_WARNING (CWE-704): [#def54] neon-0.36.0/src/ne_xml.c:698:21: warning[-Wdiscarded-qualifiers]: initialization discards 'const' qualifier from pointer target type # 696| # 697| for (n = 0; attrs[n] != NULL; n += 2) { # 698|-> char *pnt = strchr(attrs[n], ':'); # 699| # 700| if (!nspace && !pnt && strcmp(attrs[n], name) == 0) {
| analyzer-version-clippy | 1.92.0 |
| analyzer-version-cppcheck | 2.19.1 |
| analyzer-version-gcc | 16.0.0 |
| analyzer-version-gcc-analyzer | 16.0.0 |
| analyzer-version-shellcheck | 0.11.0 |
| analyzer-version-unicontrol | 0.0.2 |
| enabled-plugins | clippy, cppcheck, gcc, shellcheck, unicontrol |
| exit-code | 0 |
| host | ip-172-16-1-68.us-west-2.compute.internal |
| known-false-positives | /usr/share/csmock/known-false-positives.js |
| known-false-positives-rpm | known-false-positives-0.0.0.20250521.132812.g8eff701.main-1.el9.noarch |
| mock-config | fedora-rawhide-x86_64 |
| project-name | neon-0.36.0-3.fc44 |
| store-results-to | /tmp/tmpsc4_cvjs/neon-0.36.0-3.fc44.tar.xz |
| time-created | 2026-01-08 19:41:08 |
| time-finished | 2026-01-08 19:42:31 |
| tool | csmock |
| tool-args | '/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'gcc,cppcheck,clippy,shellcheck,unicontrol' '-o' '/tmp/tmpsc4_cvjs/neon-0.36.0-3.fc44.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmpsc4_cvjs/neon-0.36.0-3.fc44.src.rpm' |
| tool-version | csmock-3.8.3.20251215.161544.g62de9a5-1.el9 |