rpm-6.0.0-1.fc44

List of Findings

Error: SHELLCHECK_WARNING (CWE-252): [#def1]
/usr/lib/rpm/brp-compress:10:1: warning[SC2164]: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.
#    8|   PREFIX=${1:-/usr}
#    9|   
#   10|-> cd "$RPM_BUILD_ROOT"
#   11|   
#   12|   # Compress man pages

Error: SHELLCHECK_WARNING (CWE-569): [#def2]
/usr/lib/rpm/brp-remove-la-files:12:55: warning[SC2227]: Redirection applies to the find command itself. Rewrite to work per action (or move to end).
#   10|   do
#   11|   
#   12|->   find "$RPM_BUILD_ROOT" -type $FILETYPE -name '*.la' 2>/dev/null -print0 |
#   13|       xargs -0 grep --fixed-strings '.la - a libtool library file' --files-with-matches --null |
#   14|       xargs -0 rm --force

Error: SHELLCHECK_WARNING: [#def3]
/usr/lib/rpm/brp-strip:32:3: warning[SC3043]: In POSIX sh, 'local' is undefined.
#   30|   strip_elf_binaries()
#   31|   {
#   32|->   local nlinks="${1}"
#   33|     local nprocs="${2}"
#   34|   

Error: SHELLCHECK_WARNING: [#def4]
/usr/lib/rpm/brp-strip:33:3: warning[SC3043]: In POSIX sh, 'local' is undefined.
#   31|   {
#   32|     local nlinks="${1}"
#   33|->   local nprocs="${2}"
#   34|   
#   35|     cd "$RPM_BUILD_ROOT" || return 0

Error: SHELLCHECK_WARNING (CWE-569): [#def5]
/usr/lib/rpm/check-files:26:15: warning[SC2064]: Use single quotes, otherwise this expands now rather than when signalled.
#   24|   
#   25|   # Ensure temporary file is cleaned up when we exit
#   26|-> trap "rm -f \"${FILES_DISK}\"" 0 2 3 5 10 13 15
#   27|   
#   28|   # Find non-directory files in the build root and compare to the manifest.

Error: SHELLCHECK_WARNING (CWE-398): [#def6]
/usr/lib/rpm/check-files:26:38: warning[SC2172]: Trapping signals by number is not well defined. Prefer signal names.
#   24|   
#   25|   # Ensure temporary file is cleaned up when we exit
#   26|-> trap "rm -f \"${FILES_DISK}\"" 0 2 3 5 10 13 15
#   27|   
#   28|   # Find non-directory files in the build root and compare to the manifest.

Error: SHELLCHECK_WARNING (CWE-398): [#def7]
/usr/lib/rpm/check-files:26:40: warning[SC2172]: Trapping signals by number is not well defined. Prefer signal names.
#   24|   
#   25|   # Ensure temporary file is cleaned up when we exit
#   26|-> trap "rm -f \"${FILES_DISK}\"" 0 2 3 5 10 13 15
#   27|   
#   28|   # Find non-directory files in the build root and compare to the manifest.

Error: SHELLCHECK_WARNING (CWE-398): [#def8]
/usr/lib/rpm/check-files:26:43: warning[SC2172]: Trapping signals by number is not well defined. Prefer signal names.
#   24|   
#   25|   # Ensure temporary file is cleaned up when we exit
#   26|-> trap "rm -f \"${FILES_DISK}\"" 0 2 3 5 10 13 15
#   27|   
#   28|   # Find non-directory files in the build root and compare to the manifest.

Error: SHELLCHECK_WARNING (CWE-138): [#def9]
/usr/lib/rpm/check-rpaths-worker:90:23: error[SC2145]: Argument mixes string and array. Use * or separate argument.
#   88|   
#   89|       shift 2
#   90|->     echo "$msg $code: $@" >&2
#   91|   
#   92|       test -z "$fail"

Error: SHELLCHECK_WARNING (CWE-563): [#def10]
/usr/lib/rpm/check-rpaths-worker:98:5: warning[SC2034]: rpath_orig appears unused. Verify use (or export if used externally).
#   96|       pos=0
#   97|       rpath=$(echo "$1" | LANG=C grep -E "\(($2)\).*:") || return 0
#   98|->     rpath_orig="$rpath"
#   99|       rpath=$(echo "$rpath" | LANG=C sed -e "s!.*\($2\).*: \[\(.*\)\]!\2!p;d")
#  100|       lower=$(echo $2 | awk '{print tolower($0)}')

Error: SHELLCHECK_WARNING (CWE-88): [#def11]
/usr/lib/rpm/find-lang.sh:133:13: error[SC2068]: Double quote array expansions to avoid re-splitting elements.
#  131|   fi
#  132|   
#  133|-> for NAME in ${NAMES[@]}; do
#  134|   
#  135|   find "$TOP_DIR" -type f -o -type l|sed '

Error: SHELLCHECK_WARNING (CWE-569): [#def12]
/usr/lib/rpm/ocamldeps.sh:232:30: warning[SC2124]: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
#  230|   export rpm_prefix_implementation
#  231|   export mode
#  232|-> export ignore_implementation="${ignore_implementation_a[@]}"
#  233|   export ignore_interface="${ignore_interface_a[@]}"
#  234|   #

Error: SHELLCHECK_WARNING (CWE-569): [#def13]
/usr/lib/rpm/ocamldeps.sh:233:25: warning[SC2124]: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.
#  231|   export mode
#  232|   export ignore_implementation="${ignore_implementation_a[@]}"
#  233|-> export ignore_interface="${ignore_interface_a[@]}"
#  234|   #
#  235|   while read filename

Error: SHELLCHECK_WARNING (CWE-571): [#def14]
/usr/lib/rpm/rpm-setup-autosign:42:11: warning[SC2155]: Declare and assign separately to avoid masking return values.
#   40|   {
#   41|       log "Generating key ${email}"
#   42|->     local keyfp=$(sq key generate \
#   43|                        --batch \
#   44|                        --quiet \

Error: SHELLCHECK_WARNING: [#def15]
/usr/lib/rpm/rpm2cpio.sh:13:2: warning[SC3043]: In POSIX sh, 'local' is undefined.
#   11|   
#   12|   _dd() {
#   13|-> 	local o="$1"; shift
#   14|   	dd if="$pkg" skip="$o" iflag=skip_bytes status=none $*
#   15|   }

Error: SHELLCHECK_WARNING (CWE-569): [#def16]
/usr/lib/rpm/rpm2cpio.sh:14:54: warning[SC2048]: Use "$@" (with quotes) to prevent whitespace problems.
#   12|   _dd() {
#   13|   	local o="$1"; shift
#   14|-> 	dd if="$pkg" skip="$o" iflag=skip_bytes status=none $*
#   15|   }
#   16|   

Error: SHELLCHECK_WARNING: [#def17]
/usr/lib/rpm/rpm2cpio.sh:26:2: warning[SC3043]: In POSIX sh, 'local' is undefined.
#   24|   	offset=$(($1 + 8))
#   25|   
#   26|-> 	local i b b0 b1 b2 b3 b4 b5 b6 b7
#   27|   
#   28|   	i=0

Error: SHELLCHECK_WARNING (CWE-563): [#def18]
/usr/lib/rpm/rpm2cpio.sh:55:1: warning[SC2034]: hdrsize appears unused. Verify use (or export if used externally).
#   53|   
#   54|   calcsize $(($offset + (8 - ($sigsize % 8)) % 8))
#   55|-> hdrsize=$rsize
#   56|   
#   57|   case "$(_dd $offset bs=2 count=1 | tr -d '\0')" in

Error: SHELLCHECK_WARNING (CWE-569): [#def19]
/usr/lib/rpm/tgpg:4:12: warning[SC2048]: Use "$@" (with quotes) to prevent whitespace problems.
#    2|   
#    3|   
#    4|-> for pkg in $*
#    5|   do
#    6|       if [ "$pkg" = "" ] || [ ! -e "$pkg" ]; then

Error: SHELLCHECK_WARNING (CWE-156): [#def20]
/usr/lib/rpm/tgpg:21:9: warning[SC2046]: Quote this to prevent word splitting.
#   19|       o=`expr $leadsize + 8`
#   20|   
#   21|->     set `od -j $o -N 8 -t u1 $pkg`
#   22|       il=`expr 256 \* \( 256 \* \( 256 \* $2 + $3 \) + $4 \) + $5`
#   23|       dl=`expr 256 \* \( 256 \* \( 256 \* $6 + $7 \) + $8 \) + $9`

Error: COMPILER_WARNING (CWE-686): [#def21]
rpm-6.0.0/_build/CMakeFiles/CMakeScratch/TryCompile-17FmX2/CheckFunctionExists.c:7:3: warning[-Wbuiltin-declaration-mismatch]: conflicting types for built-in function ‘stpcpy’; expected ‘char *(char *, const char *)’

Error: COMPILER_WARNING (CWE-686): [#def22]
rpm-6.0.0/_build/CMakeFiles/CMakeScratch/TryCompile-Dg2KLa/CheckFunctionExists.c:7:3: warning[-Wbuiltin-declaration-mismatch]: conflicting types for built-in function ‘mempcpy’; expected ‘void *(void *, const void *, long unsigned int)’

Error: COMPILER_WARNING (CWE-686): [#def23]
rpm-6.0.0/_build/CMakeFiles/CMakeScratch/TryCompile-hhVbcg/CheckFunctionExists.c:7:3: warning[-Wbuiltin-declaration-mismatch]: conflicting types for built-in function ‘stpncpy’; expected ‘char *(char *, const char *, long unsigned int)’

Error: CPPCHECK_WARNING (CWE-758): [#def24]
rpm-6.0.0/include/rpm/rpmbuild.h:43: error[shiftTooManyBitsSigned]: Shifting signed 32-bit value by 31 bits is undefined behaviour
#   41|       RPMBUILD_MKBUILDDIR	= (1 << 23),	/*!< Internal use only */
#   42|   
#   43|->     RPMBUILD_NOBUILD	= (1 << 31)	/*!< Don't execute or package. */
#   44|   };
#   45|   

Error: CPPCHECK_WARNING (CWE-758): [#def25]
rpm-6.0.0/include/rpm/rpmfiles.h:91: error[shiftTooManyBitsSigned]: Shifting signed 32-bit value by 31 bits is undefined behaviour
#   89|       RPMVERIFY_READFAIL	= (1 << 29),	/*!< file read failed */
#   90|       RPMVERIFY_LSTATFAIL	= (1 << 30),	/*!< lstat failed */
#   91|->     RPMVERIFY_LGETFILECONFAIL	= (1 << 31)	/*!< lgetfilecon failed */
#   92|   };
#   93|   

Error: CPPCHECK_WARNING (CWE-758): [#def26]
rpm-6.0.0/include/rpm/rpmplugin.h:25: error[shiftTooManyBitsSigned]: Shifting signed 32-bit value by 31 bits is undefined behaviour
#   23|   enum rpmFileActionFlags_e {
#   24|       /* bits 0-15 reserved for actions */
#   25|->     FAF_UNOWNED		= (1 << 31)
#   26|   };
#   27|   typedef rpmFlags rpmFileActionFlags;

Error: CPPCHECK_WARNING (CWE-758): [#def27]
rpm-6.0.0/include/rpm/rpmts.h:60: error[shiftTooManyBitsSigned]: Shifting signed 32-bit value by 31 bits is undefined behaviour
#   58|       RPMTRANS_FLAG_NOARTIFACTS	= (1 << 29),	/*!< from --noartifacts */
#   59|       RPMTRANS_FLAG_NOCONFIGS	= (1 << 30),	/*!< from --noconfigs */
#   60|->     RPMTRANS_FLAG_DEPLOOPS	= (1 << 31)	/*!< from --deploops */
#   61|   };
#   62|   

Error: CPPCHECK_WARNING (CWE-476): [#def28]
rpm-6.0.0/lib/depends.cc:819: warning[nullPointer]: Possible null pointer dereference: dep
#  817|   	dep = rpmdsN(depds);
#  818|       if (neg) {
#  819|-> 	ndep = (char *)xmalloc(strlen(dep) + 2);
#  820|   	ndep[0] = '!';
#  821|   	strcpy(ndep + 1, dep);

Error: CPPCHECK_WARNING (CWE-476): [#def29]
rpm-6.0.0/lib/depends.cc:821: warning[nullPointer]: Possible null pointer dereference: dep
#  819|   	ndep = (char *)xmalloc(strlen(dep) + 2);
#  820|   	ndep[0] = '!';
#  821|-> 	strcpy(ndep + 1, dep);
#  822|   	dep = ndep;
#  823|       }

Error: CPPCHECK_WARNING (CWE-457): [#def30]
rpm-6.0.0/lib/header.cc:886: error[uninitvar]: Uninitialized variables: &key.data, &key.length, &key.rdlen
#  884|       key.info.tag = tag;
#  885|   
#  886|->     entry = (indexEntry)bsearch(&key, h->index, h->indexUsed, sizeof(*h->index), indexCmp);
#  887|       if (entry == NULL)
#  888|   	return NULL;

Error: CPPCHECK_WARNING (CWE-476): [#def31]
rpm-6.0.0/lib/tagexts.cc:907: warning[nullPointerOutOfMemory]: If memory allocation fails, then there is a possible null pointer dereference: e
#  905|       if (!headerGet(h, RPMTAG_EPOCH, td, HEADERGET_ALLOC)) {
#  906|   	uint32_t *e = (uint32_t *)malloc(sizeof(*e));
#  907|-> 	*e = 0;
#  908|   	td->data = e;
#  909|   	td->type = RPM_INT32_TYPE;

Error: GCC_ANALYZER_WARNING (CWE-401): [#def32]
rpm-6.0.0/plugins/audit.c:26:17: warning[-Wanalyzer-malloc-leak]: leak of ‘audit_encode_nv_string("root_dir", rpmtsRootDir(ts), 0)’
rpm-6.0.0/plugins/audit.c:59:14: enter_function: entry to ‘audit_tsm_post’
rpm-6.0.0/plugins/audit.c:65:8: branch_false: following ‘false’ branch...
rpm-6.0.0/plugins/audit.c:68:17: branch_false: ...to here
rpm-6.0.0/plugins/audit.c:70:17: acquire_memory: allocated here
rpm-6.0.0/plugins/audit.c:72:5: call_function: calling ‘getAuditOps’ from ‘audit_tsm_post’
#   24|   static void getAuditOps(rpmts ts, struct teop *ops, int nelem)
#   25|   {
#   26|->     rpmtsi pi = rpmtsiInit(ts);
#   27|       rpmte p;
#   28|       int i = 0;

Error: GCC_ANALYZER_WARNING (CWE-401): [#def33]
rpm-6.0.0/plugins/audit.c:29:17: warning[-Wanalyzer-malloc-leak]: leak of ‘audit_encode_nv_string("root_dir", rpmtsRootDir(ts), 0)’
rpm-6.0.0/plugins/audit.c:59:14: enter_function: entry to ‘audit_tsm_post’
rpm-6.0.0/plugins/audit.c:65:8: branch_false: following ‘false’ branch...
rpm-6.0.0/plugins/audit.c:68:17: branch_false: ...to here
rpm-6.0.0/plugins/audit.c:70:17: acquire_memory: allocated here
rpm-6.0.0/plugins/audit.c:72:5: call_function: calling ‘getAuditOps’ from ‘audit_tsm_post’
#   27|       rpmte p;
#   28|       int i = 0;
#   29|->     while ((p = rpmtsiNext(pi, 0)) != NULL) {
#   30|   	const char *op = NULL;
#   31|   	if (rpmteType(p) == TR_ADDED) {

Error: GCC_ANALYZER_WARNING (CWE-401): [#def34]
rpm-6.0.0/plugins/audit.c:31:13: warning[-Wanalyzer-malloc-leak]: leak of ‘audit_encode_nv_string("root_dir", rpmtsRootDir(ts), 0)’
rpm-6.0.0/plugins/audit.c:59:14: enter_function: entry to ‘audit_tsm_post’
rpm-6.0.0/plugins/audit.c:65:8: branch_false: following ‘false’ branch...
rpm-6.0.0/plugins/audit.c:68:17: branch_false: ...to here
rpm-6.0.0/plugins/audit.c:70:17: acquire_memory: allocated here
rpm-6.0.0/plugins/audit.c:72:5: call_function: calling ‘getAuditOps’ from ‘audit_tsm_post’
#   29|       while ((p = rpmtsiNext(pi, 0)) != NULL) {
#   30|   	const char *op = NULL;
#   31|-> 	if (rpmteType(p) == TR_ADDED) {
#   32|   	    op = "install";
#   33|   	} else {

Error: GCC_ANALYZER_WARNING (CWE-401): [#def35]
rpm-6.0.0/plugins/audit.c:35:23: warning[-Wanalyzer-malloc-leak]: leak of ‘audit_encode_nv_string("root_dir", rpmtsRootDir(ts), 0)’
rpm-6.0.0/plugins/audit.c:59:14: enter_function: entry to ‘audit_tsm_post’
rpm-6.0.0/plugins/audit.c:65:8: branch_false: following ‘false’ branch...
rpm-6.0.0/plugins/audit.c:68:17: branch_false: ...to here
rpm-6.0.0/plugins/audit.c:70:17: acquire_memory: allocated here
rpm-6.0.0/plugins/audit.c:72:5: call_function: calling ‘getAuditOps’ from ‘audit_tsm_post’
#   33|   	} else {
#   34|   	    op = "remove";
#   35|-> 	    rpmte d = rpmteDependsOn(p);
#   36|   	    /* Fixup op on updating elements, silence the cleanup stage */
#   37|   	    if (d != NULL && rstreq(rpmteN(d), rpmteN(p))) {

Error: GCC_ANALYZER_WARNING (CWE-401): [#def36]
rpm-6.0.0/plugins/audit.c:37:30: warning[-Wanalyzer-malloc-leak]: leak of ‘audit_encode_nv_string("root_dir", rpmtsRootDir(ts), 0)’
rpm-6.0.0/plugins/audit.c:59:14: enter_function: entry to ‘audit_tsm_post’
rpm-6.0.0/plugins/audit.c:65:8: branch_false: following ‘false’ branch...
rpm-6.0.0/plugins/audit.c:68:17: branch_false: ...to here
rpm-6.0.0/plugins/audit.c:70:17: acquire_memory: allocated here
rpm-6.0.0/plugins/audit.c:72:5: call_function: calling ‘getAuditOps’ from ‘audit_tsm_post’
#   35|   	    rpmte d = rpmteDependsOn(p);
#   36|   	    /* Fixup op on updating elements, silence the cleanup stage */
#   37|-> 	    if (d != NULL && rstreq(rpmteN(d), rpmteN(p))) {
#   38|   		/* Linear lookup, but we're only dealing with a few thousand */
#   39|   		for (int x = 0; x < i; x++) {

Error: GCC_ANALYZER_WARNING (CWE-404): [#def37]
rpm-6.0.0/plugins/selinux.c:41:5: warning[-Wanalyzer-va-list-leak]: missing call to ‘va_end’
rpm-6.0.0/plugins/selinux.c:40:5: acquire_resource: ‘va_start’ called here
rpm-6.0.0/plugins/selinux.c:41:5: danger: missing call to ‘va_end’ to match ‘va_start’ at [(1)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/0)
#   39|   
#   40|       va_start(ap, fmt);
#   41|->     rvasprintf(&buf, fmt, ap);
#   42|       va_end(ap);
#   43|   

Error: GCC_ANALYZER_WARNING (CWE-401): [#def38]
rpm-6.0.0/python/rpmmodule.c:72:12: warning[-Wanalyzer-malloc-leak]: leak of ‘fp’
rpm-6.0.0/python/rpmmodule.c:58:8: branch_true: following ‘true’ branch...
rpm-6.0.0/python/rpmmodule.c:60:14: branch_true: ...to here
rpm-6.0.0/python/rpmmodule.c:60:14: acquire_memory: allocated here
rpm-6.0.0/python/rpmmodule.c:61:12: branch_false: following ‘false’ branch (when ‘fp’ is non-NULL)...
rpm-6.0.0/python/rpmmodule.c:72:12: branch_false: ...to here
rpm-6.0.0/python/rpmmodule.c:72:12: danger: ‘fp’ leaks here; was allocated at [(3)](sarif:/runs/0/results/0/codeFlows/0/threadFlows/0/locations/2)
#   70|       }
#   71|   
#   72|->     (void) rpmlogSetFile(fp);
#   73|       Py_RETURN_NONE;
#   74|   }

Error: CPPCHECK_WARNING (CWE-476): [#def39]
rpm-6.0.0/rpmio/rpmlua.cc:847: warning[nullPointer]: Possible null pointer dereference: argv
#  845|       rpmSetCloseOnExec();
#  846|   
#  847|->     status = posix_spawnp(&pid, argv[0], fap, NULL, argv, environ);
#  848|   
#  849|       argvFree(argv);

Error: CPPCHECK_WARNING (CWE-476): [#def40]
rpm-6.0.0/tools/rpmdump.cc:137: warning[nullPointerOutOfMemory]: If memory allocation fails, then there is a possible null pointer dereference: blob
#  135|   
#  136|       blob = (uint32_t *)malloc(sizeof(numEntries) + sizeof(numBytes) + headerLen);
#  137|->     blob[0] = htonl(numEntries);
#  138|       blob[1] = htonl(numBytes);
#  139|   

Error: CPPCHECK_WARNING (CWE-476): [#def41]
rpm-6.0.0/tools/rpmdump.cc:138: warning[nullPointerOutOfMemory]: If memory allocation fails, then there is a possible null pointer dereference: blob
#  136|       blob = (uint32_t *)malloc(sizeof(numEntries) + sizeof(numBytes) + headerLen);
#  137|       blob[0] = htonl(numEntries);
#  138|->     blob[1] = htonl(numBytes);
#  139|   
#  140|       pe = (struct entryInfo *) &(blob[2]);

Error: CPPCHECK_WARNING (CWE-682): [#def42]
rpm-6.0.0/tools/rpmdump.cc:148: error[nullPointerArithmeticOutOfMemory]: If memory allocation fails: pointer addition with NULL pointer.
#  146|   
#  147|       
#  148|->     if (read(fd, blob+2, headerLen) != headerLen) {
#  149|   	fprintf(stderr, "reading %d bytes of header fail\n", headerLen);
#  150|   	goto exit;

Scan Properties

analyzer-version-clippy: 1.90.0
analyzer-version-cppcheck: 2.18.3
analyzer-version-gcc: 15.2.1
analyzer-version-gcc-analyzer: 16.0.0
analyzer-version-shellcheck: 0.11.0
analyzer-version-unicontrol: 0.0.2
enabled-plugins: clippy, cppcheck, gcc, shellcheck, unicontrol
exit-code: 0
host: ip-172-16-1-220.us-west-2.compute.internal
known-false-positives: /usr/share/csmock/known-false-positives.js
known-false-positives-rpm: known-false-positives-0.0.0.20250521.132812.g8eff701.main-1.el9.noarch
mock-config: fedora-rawhide-gcc-latest-x86_64
project-name: rpm-6.0.0-1.fc44
store-results-to: /tmp/tmpngj5ejpq/rpm-6.0.0-1.fc44.tar.xz
time-created: 2025-10-28 20:28:33
time-finished: 2025-10-28 20:31:03
tool: csmock
tool-args: '/usr/bin/csmock' '-r' 'fedora-rawhide-gcc-latest-x86_64' '-t' 'gcc,cppcheck,shellcheck,clippy,unicontrol' '-o' '/tmp/tmpngj5ejpq/rpm-6.0.0-1.fc44.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--install=gcc-latest' '--gcc-analyzer-bin=/opt/gcc-latest/bin/gcc' '/tmp/tmpngj5ejpq/rpm-6.0.0-1.fc44.src.rpm'
tool-version: csmock-3.8.3.20251027.143044.ge6b947b-1.el9