libgpg-error coverity static analysis reports
Closed, Resolved (Public)


Our routine scan of all the packages found a couple of potential issues. None of them look like high-priority, but some would be great to have fixed.

On top of these, we also have some issues with shell scripts. This can probably be simplified, but I did not manage to come up with a proposed patch:

Error: SHELLCHECK_WARNING (CWE-398): [#def1]
/usr/bin/gpgrt-config:44:25: error[SC2066]: Since you double quoted this, it will not word split, and the loop will only run once.

  42| # variant of get_attr for list (separated by ',')
  43| get_attr_l () {
  44|->   (IFS=', '; for x in "$(get_attr $1)"; do echo $x; done)
  45| }
  46|

There are a couple more, less important issues, so I can either share them with you or try to prepare more patches.
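The SC2066 finding above, reproduced as an added example (not code from the gpgrt-config repository or from the fix commit). `get_attr` is a stub returning constructed data, the `libfoo`/`libbar`/`libbaz` names are made up, and `get_attr_l_split` is one possible correction, not necessarily the change that was pushed.

```shell
#!/bin/sh
# Stub standing in for gpgrt-config's get_attr (assumption): prints the raw
# value of a .pc field. The 'Requires' value is constructed sample data.
get_attr () {
    case "$1" in
        Requires) echo "libfoo, libbar,libbaz" ;;
    esac
}

# The reported form: the double quotes around $(...) suppress word splitting,
# so the loop body runs exactly once. The unquoted $x is then split by echo
# itself, which re-joins the pieces with spaces on a single line.
get_attr_l_quoted () {
    (IFS=', '; for x in "$(get_attr $1)"; do echo $x; done)
}

# One possible correction: leave the command substitution unquoted so IFS
# splits it into separate loop items, quote the item when printing it, and
# disable globbing (set -f) so a '*' in a field cannot expand to file names.
get_attr_l_split () {
    (set -f; IFS=', '; for x in $(get_attr "$1"); do echo "$x"; done)
}

# Helper: number of output lines a command produces.
count_lines () {
    "$@" | wc -l | tr -d ' '
}

echo "quoted form: $(count_lines get_attr_l_quoted Requires) line(s)"
get_attr_l_quoted Requires
echo "split form:  $(count_lines get_attr_l_split Requires) line(s)"
get_attr_l_split Requires
```

A caller that reads one dependency per line sees a single entry from the quoted form and three from the split form.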

Event Timeline

FYI, I sent DCO to some moments ago, so I hope it arrived correctly.

werner added a subscriber: werner.

Actually I don't care about releasing resources for regression test failures.
The other missing free is for code which is commented out (#if 0) but should eventually be fixed.

Thank you.
For get_attr_l, I pushed a fix as rE89a353f418f5: build: Fix gpgrt-config for handling 'Requires' field.

Actually, for GnuPG build with its libraries, we don't have any cases having multiple entries of Requires.

Thanks. I understand that this is no big issue in the test code, but half of the code paths have proper cleaning already, so fixing it once should save anyone in the future from going through the same issues over and over again during our releases, or anyone else who would run your code through a static analyzer.

For gpgrt_wait_processes, I modified it to skip invalid PID.
The change is: rE956c40f106ea: core: Fix gpgrt_wait_processes, by skipping invalid PID.

Thanks. Note that the same code is in gnupg2 in common/exechelp-posix.c:736

Yes, I pushed as: rGd82dae5d2229: common: Fix gnupg_wait_processes, by skipping invalid PID.

For other fixes, I will apply those eventually.

BTW, I don't have your key to check your mail of DCO. In the long run, it's good for Red Hat to prepare their WKD setup, so that keys can be distributed by the company. For a while, could you please send me your key by another email?

gniibe claimed this task.

Thank you for publishing your key of CB6BE1D0D7D1594A.
I applied and pushed your changes.