Flaws detected by static analyzers in Fedora 41 Critical Path Packages

Hello,

I am writing this message to get feedback from the community on possibly new defects identified by static analyzers in Critical Path Packages that have changed in Fedora 41. For context, please see my previous email[1].

TLDR: This report[2] contains 73976 identified defects. Please review the report and provide feedback.

A mass scan was performed last week on the packages that have changed in Fedora 41. This report[2] contains all the new defects that have been identified in the packages listed in Critical Path Packages. Please review the report and fix or report any defects to upstream that may be real bugs. Not all defects reported by OpenScanHub may be actual bugs, so please verify reported defects before investing time into fixing or reporting them. We hope this is helpful for the packages you maintain and for the upstream projects. Questions can be asked on the OpenScanHub mailing list[3]. If you want to see the full logs of the scans, they are available on the tasks[4] page. User documentation for performing a scan is available on the Fedora wiki[5].

Please remember this is currently an early production stage for OpenScanHub scanning. Constructive feedback is appreciated. Thank you!

[1] RFC: OpenScanHub Prototype for Fedora - devel - Fedora mailing-lists
[2] Flaws detected by static analyzers in Fedora 41
[3] OpenScanHub - Fedora mailing-lists
[4] All tasks
[5] OpenScanHub - Fedora Project Wiki


I took a quick look out of curiosity.

Do you know what the likelihood is that a lot of these are false-positives?

First, I want to say that I am a big fan of this effort. Thank you @svashisht for working on this.

Second, on the question of false positives, I see a lot of entries like this:

Error: CPPCHECK_WARNING: [#def2] libedit-3.1-build/libedit-20240517-3.1/examples/tc1.c: information[normalCheckLevelMaxBranches]: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches.

Those should probably be suppressed, or at least not contribute to the final number of “flaws”.

That said, there will always be false positives with tools like these. What is needed is a way to mark a particular “flaw” as a false positive so that it isn’t presented over and over.

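One way to keep informational cppcheck events like the one quoted above out of the flaw count, as an added Python example that is not part of this thread or of OpenScanHub's own tooling: it parses report lines in the flattened form quoted in the post, drops entries whose severity is "information" or whose event id is on a suppression list, and counts the rest. The suppression list and all sample lines except the quoted one are constructed for the example.

```python
import re
from collections import Counter

# One flattened report line, in the form quoted in the thread:
#   Error: CHECKER: [#defN] path[:line[:col]]: severity[event_id]: message
LINE_RE = re.compile(
    r"^Error: (?P<checker>[A-Z_]+): \[#def(?P<key>\d+)\] "
    r"(?P<location>.+?): (?P<severity>\w+)\[(?P<event_id>[^\]]+)\]: (?P<message>.*)$"
)

# Event ids that describe the analysis run rather than the analysed code.
# Assumed suppression list; only normalCheckLevelMaxBranches appears in the thread.
SUPPRESSED_EVENT_IDS = {"normalCheckLevelMaxBranches"}

def parse_line(line):
    """Return the fields of one report line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_real_flaw(entry):
    """Keep errors and warnings; drop informational and explicitly suppressed events."""
    if entry["severity"] == "information":
        return False
    return entry["event_id"] not in SUPPRESSED_EVENT_IDS

def summarize(lines):
    """Return (parsed_entries, counted_flaws, Counter of suppressed event ids)."""
    parsed = counted = 0
    suppressed = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not a report line (blank, header, continuation text)
        parsed += 1
        if is_real_flaw(entry):
            counted += 1
        else:
            suppressed[entry["event_id"]] += 1
    return parsed, counted, suppressed

# Constructed sample: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_REPORT = [
    "Error: CPPCHECK_WARNING: [#def2] libedit-3.1-build/libedit-20240517-3.1/examples/tc1.c: information[normalCheckLevelMaxBranches]: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches.",
    "Error: CPPCHECK_WARNING: [#def3] example-1.0-build/example-1.0/src/parse.c:42:5: error[nullPointer]: Null pointer dereference: buf",
    "Error: CPPCHECK_WARNING: [#def4] example-1.0-build/example-1.0/src/util.c:10:1: information[normalCheckLevelMaxBranches]: Limiting analysis of branches. Use --check-level=exhaustive to analyze all branches.",
    "Error: GCC_ANALYZER_WARNING: [#def5] example-1.0-build/example-1.0/src/io.c:88:9: warning[-Wanalyzer-malloc-leak]: leak of 'p'",
    "not a report line",
]
```

Calling `summarize(SAMPLE_REPORT)` parses four entries and counts two of them as flaws, with the two branch-limit notices reported separately as suppressed.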

There are lots of false positives due to cppcheck warning about limiting analysis of branches. I would try to work around these warnings before running the next mass scan. Other than that, if the scanned packages already use Coverity (or similar tools) in upstream, there may be a significant number of false positives in such packages.

I would try to work around the mentioned warning before the next mass scan. The issue of false positives is known to us; unfortunately, we do not have a solution to it right now. I would try to bring it up in our discussions with the contributors again. Thanks for the feedback!

I opened an issue on GitHub to discuss this problem.

I have added the --check-level=exhaustive option to cppcheck. Here is an example report:

Without --check-level=exhaustive:

https://openscanhub.fedoraproject.org/task/242/log/units-2.22-6.fc39/scan-results.html

With --check-level=exhaustive:

https://openscanhub.fedoraproject.org/task/2029/log/units-2.22-6.fc39/scan-results.html

So this issue should not happen in the future.
