Error: COMPILER_WARNING (CWE-563): [#def1]
openssh-10.2p1/gss-genr.c: scope_hint: In function ‘ssh_gssapi_kex_mechs’
openssh-10.2p1/gss-genr.c:132:32: warning[-Wunused-variable]: unused variable ‘md’
# 132 | struct ssh_digest_ctx *md = NULL;
# | ^~
# 130| u_char digest[SSH_DIGEST_MAX_LENGTH];
# 131| char deroid[2];
# 132|-> struct ssh_digest_ctx *md = NULL;
# 133| char *s, *cp, *p;
# 134|

Error: GCC_ANALYZER_WARNING (CWE-775): [#def2]
openssh-10.2p1/hostfile.c:498:22: warning[-Wanalyzer-file-leak]: leak of FILE ‘fopen(filename, "a+")’
openssh-10.2p1/hostfile.c:557:1: enter_function: entry to ‘add_host_to_hostfile’
openssh-10.2p1/hostfile.c:563:12: branch_false: following ‘false’ branch (when ‘key’ is non-NULL)...
openssh-10.2p1/hostfile.c:565:9: branch_false: ...to here
openssh-10.2p1/hostfile.c:566:18: acquire_resource: opened here
openssh-10.2p1/hostfile.c:566:12: branch_false: following ‘false’ branch...
openssh-10.2p1/hostfile.c:568:9: branch_false: ...to here
openssh-10.2p1/hostfile.c:572:12: branch_false: following ‘false’ branch...
openssh-10.2p1/hostfile.c:572:13: branch_false: ...to here
openssh-10.2p1/hostfile.c:578:19: call_function: calling ‘write_host_entry’ from ‘add_host_to_hostfile’
# 496| struct sshbuf *entry = NULL;
# 497|
# 498|-> if ((entry = sshbuf_new()) == NULL)
# 499| fatal_f("allocation failed");
# 500| if ((r = format_host_entry(entry, host, ip, key, store_hash)) != 1) {

Error: GCC_ANALYZER_WARNING (CWE-401): [#def3]
openssh-10.2p1/hostfile.c:498:22: warning[-Wanalyzer-malloc-leak]: leak of ‘fopen(filename, "a+")’
openssh-10.2p1/hostfile.c:557:1: enter_function: entry to ‘add_host_to_hostfile’
openssh-10.2p1/hostfile.c:563:12: branch_false: following ‘false’ branch (when ‘key’ is non-NULL)...
openssh-10.2p1/hostfile.c:565:9: branch_false: ...to here
openssh-10.2p1/hostfile.c:566:18: acquire_memory: allocated here
openssh-10.2p1/hostfile.c:566:12: branch_false: following ‘false’ branch...
openssh-10.2p1/hostfile.c:568:9: branch_false: ...to here
openssh-10.2p1/hostfile.c:572:12: branch_false: following ‘false’ branch...
openssh-10.2p1/hostfile.c:572:13: branch_false: ...to here
openssh-10.2p1/hostfile.c:578:19: call_function: calling ‘write_host_entry’ from ‘add_host_to_hostfile’
# 496| struct sshbuf *entry = NULL;
# 497|
# 498|-> if ((entry = sshbuf_new()) == NULL)
# 499| fatal_f("allocation failed");
# 500| if ((r = format_host_entry(entry, host, ip, key, store_hash)) != 1) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def4]
openssh-10.2p1/hostfile.c:499:17: warning[-Wanalyzer-file-leak]: leak of FILE ‘fopen(filename, "a+")’
openssh-10.2p1/hostfile.c:557:1: enter_function: entry to ‘add_host_to_hostfile’
openssh-10.2p1/hostfile.c:563:12: branch_false: following ‘false’ branch (when ‘key’ is non-NULL)...
openssh-10.2p1/hostfile.c:565:9: branch_false: ...to here
openssh-10.2p1/hostfile.c:566:18: acquire_resource: opened here
openssh-10.2p1/hostfile.c:566:12: branch_false: following ‘false’ branch...
openssh-10.2p1/hostfile.c:568:9: branch_false: ...to here
openssh-10.2p1/hostfile.c:572:12: branch_false: following ‘false’ branch...
openssh-10.2p1/hostfile.c:572:13: branch_false: ...to here
openssh-10.2p1/hostfile.c:578:19: call_function: calling ‘write_host_entry’ from ‘add_host_to_hostfile’
# 497|
# 498| if ((entry = sshbuf_new()) == NULL)
# 499|-> fatal_f("allocation failed");
# 500| if ((r = format_host_entry(entry, host, ip, key, store_hash)) != 1) {
# 501| debug_f("failed to format host entry");

Error: GCC_ANALYZER_WARNING (CWE-401): [#def5]
openssh-10.2p1/hostfile.c:499:17: warning[-Wanalyzer-malloc-leak]: leak of ‘fopen(filename, "a+")’
openssh-10.2p1/hostfile.c:557:1: enter_function: entry to ‘add_host_to_hostfile’
openssh-10.2p1/hostfile.c:563:12: branch_false: following ‘false’ branch (when ‘key’ is non-NULL)...
openssh-10.2p1/hostfile.c:565:9: branch_false: ...to here
openssh-10.2p1/hostfile.c:566:18: acquire_memory: allocated here
openssh-10.2p1/hostfile.c:566:12: branch_false: following ‘false’ branch...
openssh-10.2p1/hostfile.c:568:9: branch_false: ...to here
openssh-10.2p1/hostfile.c:572:12: branch_false: following ‘false’ branch...
openssh-10.2p1/hostfile.c:572:13: branch_false: ...to here
openssh-10.2p1/hostfile.c:578:19: call_function: calling ‘write_host_entry’ from ‘add_host_to_hostfile’
# 497|
# 498| if ((entry = sshbuf_new()) == NULL)
# 499|-> fatal_f("allocation failed");
# 500| if ((r = format_host_entry(entry, host, ip, key, store_hash)) != 1) {
# 501| debug_f("failed to format host entry");

Error: GCC_ANALYZER_WARNING (CWE-401): [#def6]
openssh-10.2p1/kex-names.c:129:32: warning[-Wanalyzer-malloc-leak]: leak of ‘cp’
openssh-10.2p1/kex-names.c:284:1: enter_function: entry to ‘kex_names_valid’
openssh-10.2p1/kex-names.c:288:12: branch_false: following ‘false’ branch...
openssh-10.2p1/kex-names.c:290:23: acquire_memory: allocated here
openssh-10.2p1/kex-names.c:290:12: branch_false: following ‘false’ branch...
openssh-10.2p1/kex-names.c:292:19: branch_false: ...to here
openssh-10.2p1/kex-names.c:292:38: branch_true: following ‘true’ branch...
openssh-10.2p1/kex-names.c:294:21: call_function: calling ‘kex_alg_by_name’ from ‘kex_names_valid’
# 127|
# 128| if (FIPS_mode() == 1) {
# 129|-> mlkem768 = EVP_KEM_fetch(NULL, "mlkem768", NULL);
# 130| is_fetched = mlkem768 != NULL ? 2 : 0;
# 131|

Error: GCC_ANALYZER_WARNING (CWE-401): [#def7]
openssh-10.2p1/kex-names.c:133:36: warning[-Wanalyzer-malloc-leak]: leak of ‘cp’
openssh-10.2p1/kex-names.c:284:1: enter_function: entry to ‘kex_names_valid’
openssh-10.2p1/kex-names.c:288:12: branch_false: following ‘false’ branch...
openssh-10.2p1/kex-names.c:290:23: acquire_memory: allocated here
openssh-10.2p1/kex-names.c:290:12: branch_false: following ‘false’ branch...
openssh-10.2p1/kex-names.c:292:19: branch_false: ...to here
openssh-10.2p1/kex-names.c:292:38: branch_true: following ‘true’ branch...
openssh-10.2p1/kex-names.c:294:21: call_function: calling ‘kex_alg_by_name’ from ‘kex_names_valid’
# 131|
# 132| if (is_fetched == 0) {
# 133|-> mlkem768 = EVP_KEM_fetch(NULL, "mlkem768", "provider=default,-fips");
# 134| is_fetched = mlkem768 != NULL ? 1 : 0;
# 135| }

Error: GCC_ANALYZER_WARNING (CWE-401): [#def8]
openssh-10.2p1/kex-names.c:137:32: warning[-Wanalyzer-malloc-leak]: leak of ‘cp’
openssh-10.2p1/kex-names.c:284:1: enter_function: entry to ‘kex_names_valid’
openssh-10.2p1/kex-names.c:288:12: branch_false: following ‘false’ branch...
openssh-10.2p1/kex-names.c:290:23: acquire_memory: allocated here
openssh-10.2p1/kex-names.c:290:12: branch_false: following ‘false’ branch...
openssh-10.2p1/kex-names.c:292:19: branch_false: ...to here
openssh-10.2p1/kex-names.c:292:38: branch_true: following ‘true’ branch...
openssh-10.2p1/kex-names.c:294:21: call_function: calling ‘kex_alg_by_name’ from ‘kex_names_valid’
# 135| }
# 136| } else {
# 137|-> mlkem768 = EVP_KEM_fetch(NULL, "mlkem768", NULL);
# 138| is_fetched = mlkem768 != NULL ? 1 : 0;
# 139| }

Error: GCC_ANALYZER_WARNING (CWE-401): [#def9]
openssh-10.2p1/kex.c:754:9: warning[-Wanalyzer-malloc-leak]: leak of ‘kex’
openssh-10.2p1/kex.c:695:1: enter_function: entry to ‘kex_new’
openssh-10.2p1/kex.c:699:20: acquire_memory: allocated here
openssh-10.2p1/kex.c:699:12: branch_false: following ‘false’ branch (when ‘kex’ is non-NULL)...
openssh-10.2p1/kex.c:700:26: branch_false: ...to here
openssh-10.2p1/kex.c:699:13: branch_true: following ‘true’ branch...
openssh-10.2p1/kex.c:705:17: branch_true: ...to here
openssh-10.2p1/kex.c:705:17: call_function: calling ‘kex_free’ from ‘kex_new’
# 752| EC_KEY_free(kex->ec_client_key);
# 753| #endif /* OPENSSL_HAS_ECC */
# 754|-> EVP_PKEY_free(kex->ec_hybrid_client_key);
# 755| #endif /* WITH_OPENSSL */
# 756| for (mode = 0; mode < MODE_MAX; mode++) {

Error: COMPILER_WARNING (CWE-704): [#def10]
openssh-10.2p1/kexmlkem768x25519.c: scope_hint: In function ‘buf2nist_key’
openssh-10.2p1/kexmlkem768x25519.c:675:82: warning[-Wdiscarded-qualifiers]: passing argument 2 of ‘OSSL_PARAM_construct_utf8_string’ discards ‘const’ qualifier from pointer target type
# 675 | params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, curve_name, 0);
# | ^~~~~~~~~~
/usr/include/openssl/indicator.h:18: included_from: Included from here.
/usr/include/openssl/core_dispatch.h:16: included_from: Included from here.
/usr/include/openssl/evp.h:28: included_from: Included from here.
openssh-10.2p1/sshkey.h:33: included_from: Included from here.
openssh-10.2p1/kexmlkem768x25519.c:37: included_from: Included from here.
/usr/include/openssl/params.h:88:68: note: expected ‘char *’ but argument is of type ‘const char *’
# 88 | OSSL_PARAM OSSL_PARAM_construct_utf8_string(const char *key, char *buf,
# | ~~~~~~^~~
# 673| goto err;
# 674|
# 675|-> params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, curve_name, 0);
# 676| params[1] = OSSL_PARAM_construct_octet_string(
# 677| OSSL_PKEY_PARAM_PUB_KEY, (void *)pub_key_buf, pub_key_len);

Error: COMPILER_WARNING (CWE-704): [#def11]
openssh-10.2p1/kexmlkem768x25519.c:675:82: warning[-Wdiscarded-qualifiers]: passing argument 2 of ‘OSSL_PARAM_construct_utf8_string’ discards ‘const’ qualifier from pointer target type
# 673| goto err;
# 674|
# 675|-> params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, curve_name, 0);
# 676| params[1] = OSSL_PARAM_construct_octet_string(
# 677| OSSL_PKEY_PARAM_PUB_KEY, (void *)pub_key_buf, pub_key_len);

Error: COMPILER_WARNING (CWE-704): [#def12]
openssh-10.2p1/kexmlkem768x25519.c: scope_hint: In function ‘nist_pkey_keygen’
openssh-10.2p1/kexmlkem768x25519.c:755:82: warning[-Wdiscarded-qualifiers]: passing argument 2 of ‘OSSL_PARAM_construct_utf8_string’ discards ‘const’ qualifier from pointer target type
# 755 | params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, curve_name, 0);
# | ^~~~~~~~~~
/usr/include/openssl/params.h:88:68: note: expected ‘char *’ but argument is of type ‘const char *’
# 88 | OSSL_PARAM OSSL_PARAM_construct_utf8_string(const char *key, char *buf,
# | ~~~~~~^~~
# 753| }
# 754|
# 755|-> params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, curve_name, 0);
# 756| params[1] = OSSL_PARAM_construct_end();
# 757|

Error: COMPILER_WARNING (CWE-704): [#def13]
openssh-10.2p1/kexmlkem768x25519.c:755:82: warning[-Wdiscarded-qualifiers]: passing argument 2 of ‘OSSL_PARAM_construct_utf8_string’ discards ‘const’ qualifier from pointer target type
# 753| }
# 754|
# 755|-> params[0] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, curve_name, 0);
# 756| params[1] = OSSL_PARAM_construct_end();
# 757|

Error: COMPILER_WARNING: [#def14]
openssh-10.2p1/kexmlkem768x25519.c:42: included_from: Included from here.
openssh-10.2p1/kexmlkem768x25519.c: scope_hint: In function ‘get_uncompressed_ec_pubkey’
openssh-10.2p1/kexmlkem768x25519.c:839:21: warning[-Wformat=]: format ‘%d’ expects argument of type ‘int’, but argument 8 has type ‘size_t’ {aka ‘long unsigned int’}
# 839 | debug_f("Unexpected length of uncompressed public key: expected %d, got %d", buf_len, required_len);
# | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~
# | |
# | size_t {aka long unsigned int}
openssh-10.2p1/log.h:123:100: note: in definition of macro ‘debug_f’
# 123 | #define debug_f(...) sshlog(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_DEBUG1, NULL, __VA_ARGS__)
# | ^~~~~~~~~~~
openssh-10.2p1/kexmlkem768x25519.c:839:78: note: format string is defined here
# 839 | debug_f("Unexpected length of uncompressed public key: expected %d, got %d", buf_len, required_len);
# | ~^
# | |
# | int
# | %ld
# 837| }
# 838| } else {
# 839|-> debug_f("Unexpected length of uncompressed public key: expected %d, got %d", buf_len, required_len);
# 840| return SSH_ERR_LIBCRYPTO_ERROR;
# 841| }

Error: COMPILER_WARNING: [#def15]
openssh-10.2p1/kexmlkem768x25519.c:839:21: warning[-Wformat=]: format ‘%d’ expects argument of type ‘int’, but argument 9 has type ‘size_t’ {aka ‘long unsigned int’}
# 839 | debug_f("Unexpected length of uncompressed public key: expected %d, got %d", buf_len, required_len);
# | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~
# | |
# | size_t {aka long unsigned int}
openssh-10.2p1/log.h:123:100: note: in definition of macro ‘debug_f’
# 123 | #define debug_f(...) sshlog(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_DEBUG1, NULL, __VA_ARGS__)
# | ^~~~~~~~~~~
openssh-10.2p1/kexmlkem768x25519.c:839:86: note: format string is defined here
# 839 | debug_f("Unexpected length of uncompressed public key: expected %d, got %d", buf_len, required_len);
# | ~^
# | |
# | int
# | %ld
# 837| }
# 838| } else {
# 839|-> debug_f("Unexpected length of uncompressed public key: expected %d, got %d", buf_len, required_len);
# 840| return SSH_ERR_LIBCRYPTO_ERROR;
# 841| }

Error: GCC_ANALYZER_WARNING (CWE-775): [#def16]
openssh-10.2p1/misc-agent.c:140:25: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘sock’
openssh-10.2p1/misc-agent.c:116:20: branch_false: following ‘false’ branch...
openssh-10.2p1/misc-agent.c:123:29: branch_false: ...to here
openssh-10.2p1/misc-agent.c:123:29: acquire_resource: stream socket created here
openssh-10.2p1/misc-agent.c:123:20: branch_false: following ‘false’ branch (when ‘sock != -1’)...
openssh-10.2p1/misc-agent.c:127:21: branch_false: ...to here
openssh-10.2p1/misc-agent.c:139:20: branch_true: following ‘true’ branch...
openssh-10.2p1/misc-agent.c:140:25: branch_true: ...to here
openssh-10.2p1/misc-agent.c:140:25: throw: if ‘sshlog’ throws an exception...
openssh-10.2p1/misc-agent.c:140:25: danger: ‘sock’ leaks here
# 138| }
# 139| if (listen(sock, backlog) == -1) {
# 140|-> error_f("listen \"%s\": %s", path, strerror(errno));
# 141| break;
# 142| }

Error: GCC_ANALYZER_WARNING (CWE-775): [#def17]
openssh-10.2p1/misc-agent.c:147:17: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘sock’
openssh-10.2p1/misc-agent.c:116:20: branch_false: following ‘false’ branch...
openssh-10.2p1/misc-agent.c:123:29: branch_false: ...to here
openssh-10.2p1/misc-agent.c:123:29: acquire_resource: stream socket created here
openssh-10.2p1/misc-agent.c:123:20: branch_false: following ‘false’ branch (when ‘sock != -1’)...
openssh-10.2p1/misc-agent.c:127:21: branch_false: ...to here
openssh-10.2p1/misc-agent.c:139:20: branch_false: following ‘false’ branch...
openssh-10.2p1/misc-agent.c:145:9: branch_false: ...to here
openssh-10.2p1/misc-agent.c:146:12: branch_true: following ‘true’ branch (when ‘good != 0’)...
openssh-10.2p1/misc-agent.c:147:17: branch_true: ...to here
openssh-10.2p1/misc-agent.c:147:17: throw: if ‘sshlog’ throws an exception...
openssh-10.2p1/misc-agent.c:147:17: danger: ‘sock’ leaks here
# 145| umask(prev_mask);
# 146| if (good) {
# 147|-> debug3_f("listening on unix socket \"%s\" as fd=%d",
# 148| path, sock);
# 149| } else if (sock != -1) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def18]
openssh-10.2p1/misc-agent.c:150:17: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘sock’
openssh-10.2p1/misc-agent.c:116:20: branch_false: following ‘false’ branch...
openssh-10.2p1/misc-agent.c:123:29: branch_false: ...to here
openssh-10.2p1/misc-agent.c:123:29: acquire_resource: stream socket created here
openssh-10.2p1/misc-agent.c:123:20: branch_false: following ‘false’ branch (when ‘sock != -1’)...
openssh-10.2p1/misc-agent.c:127:21: branch_false: ...to here
openssh-10.2p1/misc-agent.c:139:20: branch_true: following ‘true’ branch...
openssh-10.2p1/misc-agent.c:140:25: branch_true: ...to here
openssh-10.2p1/misc-agent.c:146:12: branch_false: following ‘false’ branch (when ‘good == 0’)...
openssh-10.2p1/misc-agent.c:149:19: branch_false: ...to here
openssh-10.2p1/misc-agent.c:149:19: branch_true: following ‘true’ branch (when ‘sock != -1’)...
openssh-10.2p1/misc-agent.c:150:17: branch_true: ...to here
openssh-10.2p1/misc-agent.c:150:17: throw: if ‘close’ throws an exception...
openssh-10.2p1/misc-agent.c:150:17: danger: ‘sock’ leaks here
# 148| path, sock);
# 149| } else if (sock != -1) {
# 150|-> close(sock);
# 151| sock = -1;
# 152| }

Error: GCC_ANALYZER_WARNING (CWE-775): [#def19]
openssh-10.2p1/misc-agent.c:244:9: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘fd’
openssh-10.2p1/misc-agent.c:235:12: branch_false: following ‘false’ branch...
openssh-10.2p1/misc-agent.c:240:19: branch_false: ...to here
openssh-10.2p1/misc-agent.c:240:19: acquire_resource: stream socket created here
openssh-10.2p1/misc-agent.c:240:12: branch_false: following ‘false’ branch (when ‘fd != -1’)...
openssh-10.2p1/misc-agent.c:244:9: branch_false: ...to here
openssh-10.2p1/misc-agent.c:244:9: throw: if ‘set_nonblock’ throws an exception...
openssh-10.2p1/misc-agent.c:244:9: danger: ‘fd’ leaks here
# 242| return 0;
# 243| }
# 244|-> set_nonblock(fd);
# 245| /* a socket without a listener should yield an error immediately */
# 246| if (connect(fd, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) == -1) {

Error: GCC_ANALYZER_WARNING (CWE-401): [#def20]
openssh-10.2p1/misc-agent.c:310:22: warning[-Wanalyzer-malloc-leak]: leak of ‘opendir(dirpath)’
openssh-10.2p1/misc-agent.c:283:12: branch_false: following ‘false’ branch...
openssh-10.2p1/misc-agent.c:289:9: branch_false: ...to here
openssh-10.2p1/misc-agent.c:292:12: branch_false: following ‘false’ branch (when ‘ignore_hosthash != 0’)...
openssh-10.2p1/misc-agent.c:302:9: branch_false: ...to here
openssh-10.2p1/misc-agent.c:303:18: acquire_memory: allocated here
openssh-10.2p1/misc-agent.c:303:12: branch_false: following ‘false’ branch...
openssh-10.2p1/misc-agent.c:309:9: branch_false: ...to here
openssh-10.2p1/misc-agent.c:310:22: throw: if ‘readdir’ throws an exception...
openssh-10.2p1/misc-agent.c:310:22: danger: ‘opendir(dirpath)’ leaks here; was allocated at [(5)](sarif:/runs/0/results/4/codeFlows/0/threadFlows/0/locations/4)
# 308|
# 309| path = NULL;
# 310|-> while ((dp = readdir(d)) != NULL) {
# 311| free(path);
# 312| xasprintf(&path, "%s/%s", dirpath, dp->d_name);

Error: GCC_ANALYZER_WARNING (CWE-775): [#def21]
openssh-10.2p1/ssh-keygen.c:2968:13: warning[-Wanalyzer-file-leak]: leak of FILE ‘out’
openssh-10.2p1/ssh-keygen.c:2958:12: branch_false: following ‘false’ branch (when the strings are non-equal)...
openssh-10.2p1/ssh-keygen.c:2960:25: branch_false: ...to here
openssh-10.2p1/ssh-keygen.c:2960:25: acquire_resource: opened here
openssh-10.2p1/ssh-keygen.c:2960:17: branch_false: following ‘false’ branch...
openssh-10.2p1/ssh-keygen.c:2964:9: branch_false: ...to here
openssh-10.2p1/ssh-keygen.c:2966:12: branch_true: following ‘true’ branch (when ‘moduli_bits == 0’)...
openssh-10.2p1/ssh-keygen.c:2966:12: branch_true: ...to here
openssh-10.2p1/ssh-keygen.c:2968:13: throw: if ‘gen_candidates’ throws an exception...
openssh-10.2p1/ssh-keygen.c:2968:13: danger: ‘out’ leaks here; was opened at [(3)](sarif:/runs/0/results/11/codeFlows/0/threadFlows/0/locations/2)
# 2966| if (moduli_bits == 0)
# 2967| moduli_bits = DEFAULT_BITS;
# 2968|-> if (gen_candidates(out, moduli_bits, start) != 0)
# 2969| fatal("modulus candidate generation failed");
# 2970| #else /* WITH_OPENSSL */

Error: GCC_ANALYZER_WARNING (CWE-401): [#def22]
openssh-10.2p1/ssh-keygen.c:2968:13: warning[-Wanalyzer-malloc-leak]: leak of ‘out’
openssh-10.2p1/ssh-keygen.c:2958:12: branch_false: following ‘false’ branch (when the strings are non-equal)...
openssh-10.2p1/ssh-keygen.c:2960:25: branch_false: ...to here
openssh-10.2p1/ssh-keygen.c:2960:25: acquire_memory: allocated here
openssh-10.2p1/ssh-keygen.c:2960:17: branch_false: following ‘false’ branch...
openssh-10.2p1/ssh-keygen.c:2964:9: branch_false: ...to here
openssh-10.2p1/ssh-keygen.c:2966:12: branch_true: following ‘true’ branch (when ‘moduli_bits == 0’)...
openssh-10.2p1/ssh-keygen.c:2966:12: branch_true: ...to here
openssh-10.2p1/ssh-keygen.c:2968:13: throw: if ‘gen_candidates’ throws an exception...
openssh-10.2p1/ssh-keygen.c:2968:13: danger: ‘out’ leaks here; was allocated at [(3)](sarif:/runs/0/results/12/codeFlows/0/threadFlows/0/locations/2)
# 2966| if (moduli_bits == 0)
# 2967| moduli_bits = DEFAULT_BITS;
# 2968|-> if (gen_candidates(out, moduli_bits, start) != 0)
# 2969| fatal("modulus candidate generation failed");
# 2970| #else /* WITH_OPENSSL */

Error: GCC_ANALYZER_WARNING (CWE-775): [#def23]
openssh-10.2p1/ssh-pkcs11-client.c:351:20: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(pair[1], 0)’
openssh-10.2p1/ssh-pkcs11-client.c:336:12: branch_false: following ‘false’ branch...
openssh-10.2p1/ssh-pkcs11-client.c:338:9: branch_false: ...to here
openssh-10.2p1/ssh-pkcs11-client.c:339:12: branch_false: following ‘false’ branch...
openssh-10.2p1/ssh-pkcs11-client.c:343:18: branch_false: ...to here
openssh-10.2p1/ssh-pkcs11-client.c:344:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-10.2p1/ssh-pkcs11-client.c:350:19: branch_false: ...to here
openssh-10.2p1/ssh-pkcs11-client.c:350:19: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-10.2p1/ssh-pkcs11-client.c:351:22: branch_true: ...to here
openssh-10.2p1/ssh-pkcs11-client.c:351:22: acquire_resource: opened here
openssh-10.2p1/ssh-pkcs11-client.c:351:20: danger: ‘dup2(pair[1], 0)’ leaks here; was opened at [(9)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/8)
# 349| return NULL;
# 350| } else if (pid == 0) {
# 351|-> if ((dup2(pair[1], STDIN_FILENO) == -1) ||
# 352| (dup2(pair[1], STDOUT_FILENO) == -1)) {
# 353| fprintf(stderr, "dup2: %s\n", strerror(errno));

Error: GCC_ANALYZER_WARNING (CWE-775): [#def24]
openssh-10.2p1/ssh-pkcs11-client.c:351:21: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘dup2(pair[1], 1)’
openssh-10.2p1/ssh-pkcs11-client.c:336:12: branch_false: following ‘false’ branch...
openssh-10.2p1/ssh-pkcs11-client.c:338:9: branch_false: ...to here
openssh-10.2p1/ssh-pkcs11-client.c:339:12: branch_false: following ‘false’ branch...
openssh-10.2p1/ssh-pkcs11-client.c:343:18: branch_false: ...to here
openssh-10.2p1/ssh-pkcs11-client.c:344:12: branch_false: following ‘false’ branch (when ‘pid != -1’)...
openssh-10.2p1/ssh-pkcs11-client.c:350:19: branch_false: ...to here
openssh-10.2p1/ssh-pkcs11-client.c:350:19: branch_true: following ‘true’ branch (when ‘pid == 0’)...
openssh-10.2p1/ssh-pkcs11-client.c:351:22: branch_true: ...to here
openssh-10.2p1/ssh-pkcs11-client.c:351:20: branch_false: following ‘false’ branch...
openssh-10.2p1/ssh-pkcs11-client.c:352:22: branch_false: ...to here
openssh-10.2p1/ssh-pkcs11-client.c:352:22: acquire_resource: opened here
openssh-10.2p1/ssh-pkcs11-client.c:351:21: danger: ‘dup2(pair[1], 1)’ leaks here; was opened at [(11)](sarif:/runs/0/results/1/codeFlows/0/threadFlows/0/locations/10)
# 349| return NULL;
# 350| } else if (pid == 0) {
# 351|-> if ((dup2(pair[1], STDIN_FILENO) == -1) ||
# 352| (dup2(pair[1], STDOUT_FILENO) == -1)) {
# 353| fprintf(stderr, "dup2: %s\n", strerror(errno));

Error: COMPILER_WARNING (CWE-704): [#def25]
openssh-10.2p1/ssh-pkcs11.c: scope_hint: In function ‘pkcs11_uri_write’
openssh-10.2p1/ssh-pkcs11.c:582:52: warning[-Wdiscarded-qualifiers]: passing argument 1 of ‘pkcs11_lookup_key’ discards ‘const’ qualifier from pointer target type
# 582 | struct pkcs11_key *k11 = pkcs11_lookup_key(key);
# | ^~~
openssh-10.2p1/ssh-pkcs11.c:553:34: note: expected ‘struct sshkey *’ but argument is of type ‘const struct sshkey *’
# 553 | pkcs11_lookup_key(struct sshkey *key)
# | ~~~~~~~~~~~~~~~^~~
# 580| char *p = NULL;
# 581| struct pkcs11_uri uri;
# 582|-> struct pkcs11_key *k11 = pkcs11_lookup_key(key);
# 583|
# 584| if (k11 == NULL) {

Error: COMPILER_WARNING (CWE-704): [#def26]
openssh-10.2p1/ssh-pkcs11.c:582:52: warning[-Wdiscarded-qualifiers]: passing argument 1 of ‘pkcs11_lookup_key’ discards ‘const’ qualifier from pointer target type
# 580| char *p = NULL;
# 581| struct pkcs11_uri uri;
# 582|-> struct pkcs11_key *k11 = pkcs11_lookup_key(key);
# 583|
# 584| if (k11 == NULL) {

Error: GCC_ANALYZER_WARNING (CWE-775): [#def27]
openssh-10.2p1/sshconnect.c:359:15: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘sock’
openssh-10.2p1/sshconnect.c:538:1: enter_function: entry to ‘ssh_connect’
openssh-10.2p1/sshconnect.c:544:12: branch_true: following ‘true’ branch...
openssh-10.2p1/sshconnect.c:545:24: branch_true: ...to here
openssh-10.2p1/sshconnect.c:545:24: call_function: calling ‘ssh_connect_direct’ from ‘ssh_connect’
# 357| return -1;
# 358| }
# 359|-> (void)fcntl(sock, F_SETFD, FD_CLOEXEC);
# 360|
# 361| /* Use interactive QOS (if specified) until authentication completed */

Error: GCC_ANALYZER_WARNING (CWE-401): [#def28]
openssh-10.2p1/utf8.c:83:19: warning[-Wanalyzer-malloc-leak]: leak of ‘dst’
openssh-10.2p1/utf8.c:305:1: enter_function: entry to ‘mprintf’
openssh-10.2p1/utf8.c:311:15: call_function: calling ‘vfmprintf’ from ‘mprintf’
# 81| if (tsz > maxsz)
# 82| tsz = maxsz;
# 83|-> if ((tp = recallocarray(*dst, *sz, tsz, 1)) == NULL)
# 84| return -1;
# 85| *dp = tp + (*dp - *dst);

Error: GCC_ANALYZER_WARNING (CWE-401): [#def29]
openssh-10.2p1/utf8.c:195:38: warning[-Wanalyzer-malloc-leak]: leak of ‘dst’
openssh-10.2p1/utf8.c:305:1: enter_function: entry to ‘mprintf’
openssh-10.2p1/utf8.c:311:15: call_function: calling ‘vfmprintf’ from ‘mprintf’
# 193| break;
# 194| }
# 195|-> tp = vis(dp, *sp, VIS_OCTAL | VIS_ALL, 0);
# 196| width = tp - dp;
# 197| total_width += width;

| Scan property | Value |
| --- | --- |
| analyzer-version-clippy | 1.92.0 |
| analyzer-version-cppcheck | 2.19.1 |
| analyzer-version-gcc | 16.0.0 |
| analyzer-version-gcc-analyzer | 16.0.0 |
| analyzer-version-shellcheck | 0.11.0 |
| analyzer-version-unicontrol | 0.0.2 |
| diffbase-analyzer-version-clippy | 1.92.0 |
| diffbase-analyzer-version-cppcheck | 2.19.1 |
| diffbase-analyzer-version-gcc | 16.0.0 |
| diffbase-analyzer-version-gcc-analyzer | 16.0.0 |
| diffbase-analyzer-version-shellcheck | 0.11.0 |
| diffbase-analyzer-version-unicontrol | 0.0.2 |
| diffbase-enabled-plugins | clippy, cppcheck, gcc, shellcheck, unicontrol |
| diffbase-exit-code | 0 |
| diffbase-host | ip-172-16-1-164.us-west-2.compute.internal |
| diffbase-known-false-positives | /usr/share/csmock/known-false-positives.js |
| diffbase-known-false-positives-rpm | known-false-positives-0.0.0.20250521.132812.g8eff701.main-1.el9.noarch |
| diffbase-mock-config | fedora-rawhide-x86_64 |
| diffbase-project-name | openssh-10.0p1-5.fc43 |
| diffbase-store-results-to | /tmp/tmp4g90x3u7/openssh-10.0p1-5.fc43.tar.xz |
| diffbase-time-created | 2026-01-08 19:55:16 |
| diffbase-time-finished | 2026-01-08 19:58:54 |
| diffbase-tool | csmock |
| diffbase-tool-args | '/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'gcc,cppcheck,clippy,shellcheck,unicontrol' '-o' '/tmp/tmp4g90x3u7/openssh-10.0p1-5.fc43.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmp4g90x3u7/openssh-10.0p1-5.fc43.src.rpm' |
| diffbase-tool-version | csmock-3.8.3.20251215.161544.g62de9a5-1.el9 |
| enabled-plugins | clippy, cppcheck, gcc, shellcheck, unicontrol |
| exit-code | 0 |
| host | ip-172-16-1-164.us-west-2.compute.internal |
| known-false-positives | /usr/share/csmock/known-false-positives.js |
| known-false-positives-rpm | known-false-positives-0.0.0.20250521.132812.g8eff701.main-1.el9.noarch |
| mock-config | fedora-rawhide-x86_64 |
| project-name | openssh-10.2p1-1.fc44 |
| store-results-to | /tmp/tmpqz4u6kup/openssh-10.2p1-1.fc44.tar.xz |
| time-created | 2026-01-08 19:59:21 |
| time-finished | 2026-01-08 20:02:31 |
| title | Newly introduced findings |
| tool | csmock |
| tool-args | '/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'gcc,cppcheck,clippy,shellcheck,unicontrol' '-o' '/tmp/tmpqz4u6kup/openssh-10.2p1-1.fc44.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmpqz4u6kup/openssh-10.2p1-1.fc44.src.rpm' |
| tool-version | csmock-3.8.3.20251215.161544.g62de9a5-1.el9 |