Hello,
I am writing this message to get feedback from the community on new findings by static analyzers in Critical Path Packages that have changed in Fedora 42.
TLDR: This report[1] contains 37330 findings. Please review the report and provide feedback.
A mass scan was performed this week on the packages that have changed in Fedora 42. This report[1] contains all the new findings that have been identified in the packages listed in Critical Path Packages. Newly added findings since Fedora 41 are listed under ‘+’ column. Please review the report and fix or report any findings upstream that may be real bugs. Not all findings reported by OpenScanHub may be actual bugs, so please verify reported findings before investing time into fixing or reporting them. We hope this is helpful for the packages you maintain and for the upstream projects. Questions can be asked on the OpenScanHub mailing list[2]. If you want to see the full logs of the scans, they are available on the tasks[3] page. User documentation for performing a scan is available on the Fedora wiki[4].
Constructive feedback is appreciated. Thank you!
[1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f42-13-Nov-2024/
[2] https://lists.fedoraproject.org/archives/list/openscanhub@lists.fedoraprojec...
[3] https://openscanhub.fedoraproject.org/task/
[4] https://fedoraproject.org/wiki/OpenScanHub
On Thu, Nov 14, 2024 at 08:47:36AM +0100, Siteshwar Vashisht wrote:
> Hello,
> I am writing this message to get feedback from the community on new findings by static analyzers in Critical Path Packages that have changed in Fedora 42.
> TLDR: This report[1] contains 37330 findings. Please review the report and provide feedback.
> A mass scan was performed this week on the packages that have changed in Fedora 42. This report[1] contains all the new findings that have been identified in the packages listed in Critical Path Packages. Newly added findings since Fedora 41 are listed under ‘+’ column. Please review the report and fix or report any findings upstream that may be real bugs. Not all findings reported by OpenScanHub may be actual bugs, so please verify reported findings before investing time into fixing or reporting them. We hope this is helpful for the packages you maintain and for the upstream projects. Questions can be asked on the OpenScanHub mailing list[2]. If you want to see the full logs of the scans, they are available on the tasks[3] page. User documentation for performing a scan is available on the Fedora wiki[4].
> Constructive feedback is appreciated. Thank you!
Have you addressed the concerns raised when you last posted about this?
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/...
Rich.
> [1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f42-13-Nov-2024/
> [2] https://lists.fedoraproject.org/archives/list/openscanhub@lists.fedoraprojec...
> [3] https://openscanhub.fedoraproject.org/task/
> [4] https://fedoraproject.org/wiki/OpenScanHub
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Thu, Nov 14, 2024 at 10:23 PM Richard W.M. Jones rjones@redhat.com wrote:
> On Thu, Nov 14, 2024 at 08:47:36AM +0100, Siteshwar Vashisht wrote:
> > Hello,
> > I am writing this message to get feedback from the community on new findings by static analyzers in Critical Path Packages that have changed in Fedora 42.
> > TLDR: This report[1] contains 37330 findings. Please review the report and provide feedback.
> > A mass scan was performed this week on the packages that have changed in Fedora 42. This report[1] contains all the new findings that have been identified in the packages listed in Critical Path Packages. Newly added findings since Fedora 41 are listed under ‘+’ column. Please review the report and fix or report any findings upstream that may be real bugs. Not all findings reported by OpenScanHub may be actual bugs, so please verify reported findings before investing time into fixing or reporting them. We hope this is helpful for the packages you maintain and for the upstream projects. Questions can be asked on the OpenScanHub mailing list[2]. If you want to see the full logs of the scans, they are available on the tasks[3] page. User documentation for performing a scan is available on the Fedora wiki[4].
> > Constructive feedback is appreciated. Thank you!
>
> Have you addressed the concerns raised when you last posted about this?
>
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/...
Several fixes have been made since the feedback from the report from July:
- The terms "flaw" and "defect" have been replaced with "finding".
- clang was disabled due to a large amount of false positives.
- Report from July contained a large amount of "Limiting analysis of branches" messages from cppcheck. They have been suppressed in the latest report.
- There is a mention of '+' column in my first email, which shows differential scan results since Fedora 41. Maintainers that may not have time to look at the full report can look only at the differential scan report.
- Adding to the previous point, we have enabled differential scans in Packit[1] in upstreams. If that gets wider adoption, we will see fewer findings in mass scan reports.
- The issue of false positives is one of the most important, but hard to solve. I started a discussion[2] on GitHub, but we do not have a good answer to it yet. If you have ideas, please share on GitHub.
Let me know if I missed anything. Thanks!
> -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> Read my programming and virtualization blog: http://rwmj.wordpress.com
> virt-top is 'top' for virtual machines. Tiny program with many powerful monitoring features, net stats, disk stats, logging, etc. http://people.redhat.com/~rjones/virt-top
[1] https://packit.dev/posts/openscanhub-prototype
[2] https://github.com/openscanhub/openscanhub/issues/290
On Fri, Nov 15, 2024 at 06:53:59AM +0100, Siteshwar Vashisht wrote:
> - The issue of false positives is one of the most important, but hard to solve. I started a discussion[2] on GitHub, but we do not have a good answer to it yet. If you have ideas, please share on GitHub.
Hi,
This was already partially discussed in the other part of the thread with František, but without a clear conclusion on the reported issues. I looked into the reports for systemd, and generally they are all false positives, and actually quite immediately obvious false positives.
The very first report is:

  #  70|   eval "arr=( $line )"
  #  71|-> case "${arr[0]}" in
  /usr/lib/rpm/sysusers.generate-pre.sh:71:9: warning[SC2154]: arr is referenced but not assigned.
Then there are reports of various leaks, but it's pretty clear that __attribute__(cleanup) is not being understood.
A bit later is:

  # 273|-> return RET_NERRNO(open(path, O_CLOEXEC|O_PATH));
  systemd-257_rc1-build/systemd-257-rc1/src/basic/build-path.c:273:16: warning[-Wanalyzer-fd-leak]: leak of file descriptor ‘open(path, 2621440)’
i.e. the value that is returned via 'return', not leaked.
I also looked at the reports for util-linux. The first few are fairly obvious false positives too:
util-linux-2.40.2-build/util-linux-2.40.2/disk-utils/fdformat.c:127:49: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL ‘xmalloc((long unsigned int)track_size) + (sizetype)count’
util-linux-2.40.2-build/util-linux-2.40.2/disk-utils/mkfs.cramfs.c:304:9: warning[-Wanalyzer-possible-null-argument]: use of possibly-NULL ‘xmalloc(len + 257)’ where non-null expected
(xmalloc, xstrdup are obviously non-failing wrappers for malloc and strdup)
  # 992|-> } else if (*s == '!') {
  util-linux-2.40.2-build/util-linux-2.40.2/disk-utils/fsck.c:992:28: warning[-Wanalyzer-malloc-leak]: leak of ‘xstrdup(fs_type)’
This one is strange, because it reports a comparison operation as doing something.
It seems pretty clear that the signal-to-noise ratio is extremely low. I don't think it's useful to tell people to look into those reports until this ratio improves quite a bit.
Zbyszek
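The three C idioms Zbyszek's message says the analyzers misread (scope-bound cleanup via `__attribute__((cleanup))`, a descriptor handed to the caller as the return value, and a non-failing `xmalloc`/`xstrdup` wrapper) written out so the ownership rules are visible. This is an added example, not code from the thread or from systemd or util-linux; the helper names `closep`, `ret_nerrno`, `xmalloc`, `xstrdup` and `write_temp_file` are assumptions modelled on the idioms named above, and `open_for_caller` uses `O_RDONLY` rather than the `O_PATH` of the quoted report so the block builds on any POSIX system. The ShellCheck `eval` case from the message is not covered here.

```c
/* Added example, not from the thread or from systemd/util-linux.
 * Shows why each of the three reported patterns is a false positive
 * when the analyzer does not model the construct. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern 1: scope-bound cleanup. The compiler calls closep() when 'fd'
 * leaves scope on every exit path, so no descriptor is leaked even though
 * the function body contains no explicit close(). An analyzer that does
 * not understand the attribute sees open() with no close() and reports a
 * leak. (closep and _cleanup_close_ are assumed names.) */
static void closep(int *fd) {
    if (*fd >= 0)
        close(*fd);
}
#define _cleanup_close_ __attribute__((cleanup(closep)))

/* Returns the byte count of 'path', or -errno on failure. */
static long count_bytes(const char *path) {
    _cleanup_close_ int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;               /* nothing to close: fd is -1 */
    char buf[256];
    long total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        total += n;
    return n < 0 ? -errno : total;   /* fd closed by closep() on return */
}

/* Pattern 2: the descriptor IS the return value. Ownership moves to the
 * caller, so "leak of file descriptor 'open(...)'" at the return is wrong.
 * ret_nerrno is an assumed helper mirroring the RET_NERRNO idiom. */
static int ret_nerrno(int r) {
    return r < 0 ? -errno : r;
}

static int open_for_caller(const char *path) {
    return ret_nerrno(open(path, O_RDONLY | O_CLOEXEC));
}

/* Pattern 3: non-failing allocation wrappers. xmalloc aborts instead of
 * returning NULL, so a "possibly-NULL" report on its result is noise. */
static void *xmalloc(size_t n) {
    void *p = malloc(n ? n : 1);
    if (!p) {
        perror("xmalloc");
        abort();
    }
    return p;
}

static char *xstrdup(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = xmalloc(len);
    memcpy(p, s, len);
    return p;
}

/* Helper for the demo: write 'content' to a fresh temp file and return
 * its path (static buffer; the caller unlinks it). Assumed name. */
static const char *write_temp_file(const char *content) {
    static char path[64];
    strcpy(path, "/tmp/osh-example-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    size_t len = strlen(content);
    ssize_t w = write(fd, content, len);
    close(fd);
    return (w == (ssize_t)len) ? path : NULL;
}

int main(void) {
    const char *path = write_temp_file("hello world\n");   /* constructed input */
    if (!path)
        return 1;
    printf("count_bytes: %ld bytes\n", count_bytes(path));
    int fd = open_for_caller(path);
    printf("open_for_caller: fd=%d (caller now owns it)\n", fd);
    if (fd >= 0)
        close(fd);
    char *dup = xstrdup("fs_type");
    printf("xstrdup: %s\n", dup);
    free(dup);
    printf("missing file: %ld (-ENOENT is %d)\n",
           count_bytes("/nonexistent/osh-example"), -ENOENT);
    unlink(path);
    return 0;
}
```

When triaging a report against code like this, the check is the same each time: find who owns the resource at the flagged line (the cleanup attribute, the caller, or a wrapper that cannot return NULL) before spending time on a fix.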
What does it mean when the table lists the package version as 'el8'?
kevin
On Thu, Nov 14, 2024 at 10:47 PM Kevin Fenzi kevin@scrye.com wrote:
> What does it mean when the table lists the package version as 'el8'?
I was trying to reuse some scripts that are used to generate reports for RHEL and they did not work as expected. I have fixed it now. Please take a look at the report again. Thanks!