Hello,
I am writing this message to get feedback from the community on new
findings by static analyzers in Critical Path Packages that have
changed in Fedora 44.
TLDR: This report[1] contains a total of 47352 findings and 843 new
findings identified since Fedora 43. Please review the report and
provide feedback. False positives can now be recorded in the
known-false-positives[5] repository.
A mass scan was performed on the packages that have changed in Fedora
44. This report[1] contains all the findings that have been identified
in the Critical Path Packages. Newly added findings since Fedora 43
are listed under the ‘+’ column and these should be prioritized while
reviewing the findings (and fixing them upstream). Not all findings
reported by OpenScanHub may be actual bugs, so please verify reported
findings before investing time into fixing or reporting them. We have
used the current development version of GCC to perform the scans,
which may increase the likelihood of having false positives in the GCC
reports.
False positives can now be recorded in the known-false-positives[5]
repository. These findings are automatically suppressed by OpenScanHub
in scans that are triggered later. Also, you can filter findings with
the csgrep utility to make it easier to review reports that may
contain a large amount of false positives. Examples of csgrep
invocation are available on the Fedora wiki[4].
We hope this is helpful for the packages you maintain and for the
upstream projects. Questions can be asked on the OpenScanHub mailing
list[2]. If you want to see the full logs of the scans, they are
available on the tasks[3] page. User documentation for performing a
scan is available on the Fedora wiki[4].
Please keep the feedback on this thread constructive. Thank you!
[1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f44-28-Oct-2025/
[2] https://lists.fedoraproject.org/archives/list/openscanhub@lists.fedoraproje…
[3] https://openscanhub.fedoraproject.org/task/
[4] https://fedoraproject.org/wiki/OpenScanHub
[5] https://github.com/openscanhub/known-false-positives
Hello,
I am writing this message to get feedback from the community on new
findings by static analyzers in Critical Path Packages that have
changed in Fedora 43.
TLDR: This report[1] contains a total of 54975 findings and 1732 new
findings identified since Fedora 42. Please review the report and
provide feedback. False positives can now be recorded in the
known-false-positives[5] repository.
A mass scan was performed on the packages that have changed in Fedora
43. This report[1] contains all the findings that have been identified
in the Critical Path Packages. Newly added findings since Fedora 42
are listed under the ‘+’ column and these should be prioritized while
reviewing the findings (and fixing them upstream). Not all findings
reported by OpenScanHub may be actual bugs, so please verify reported
findings before investing time into fixing or reporting them.
False positives can now be recorded in the known-false-positives[5]
repository. These findings are automatically suppressed by OpenScanHub
in scans that are triggered later. Also, you can filter findings with
the csgrep utility to make it easier to review reports that may
contain a large amount of false positives. Examples of csgrep
invocation are available on the Fedora wiki[4].
We hope this is helpful for the packages you maintain and for the
upstream projects. Questions can be asked on the OpenScanHub mailing
list[2]. If you want to see the full logs of the scans, they are
available on the tasks[3] page. User documentation for performing a
scan is available on the Fedora wiki[4].
Please keep the feedback on this thread constructive. Thank you!
[1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f43-25-Apr-2025/
[2] https://lists.fedoraproject.org/archives/list/openscanhub@lists.fedoraproje…
[3] https://openscanhub.fedoraproject.org/task/
[4] https://fedoraproject.org/wiki/OpenScanHub
[5] https://github.com/openscanhub/known-false-positives
Hello,
I am writing this message to get feedback from the community on new
findings by static analyzers in Critical Path Packages that have
changed in Fedora 42.
TLDR: This report[1] contains 37330 findings. Please review the report
and provide feedback.
A mass scan was performed this week on the packages that have changed
in Fedora 42. This report[1] contains all the new findings that have
been identified in the packages listed in Critical Path Packages.
Newly added findings since Fedora 41 are listed under the ‘+’ column.
Please review the report and fix or report any findings upstream that
may be real bugs. Not all findings reported by OpenScanHub may be
actual bugs, so please verify reported findings before investing time
into fixing or reporting them. We hope this is helpful for the
packages you maintain and for the upstream projects. Questions can be
asked on the OpenScanHub mailing list[2]. If you want to see the full
logs of the scans, they are available on the tasks[3] page. User
documentation for performing a scan is available on the Fedora
wiki[4].
Constructive feedback is appreciated. Thank you!
[1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f42-13-Nov-2024/
[2] https://lists.fedoraproject.org/archives/list/openscanhub@lists.fedoraproje…
[3] https://openscanhub.fedoraproject.org/task/
[4] https://fedoraproject.org/wiki/OpenScanHub
Hello,
could you please add repositories from https://copr.fedorainfracloud.org/coprs/dmalcolm/gcc-latest/ to the corresponding mock configs used by https://openscanhub.fedoraproject.org/?
It should be safe to add them to the default configuration because the gcc-latest package will not be installed unless a user explicitly requests it (or the scanned SRPM depends on it, which is unlikely).
There is a draft pull request to make csmock-plugin-gcc optionally consume the SARIF output of GCC and it depends on this COPR: https://github.com/csutils/csmock/pull/187
Kamil
Hello,
I am writing this message to get feedback from the community on possibly
new defects identified by static analyzers in Critical Path Packages that
have changed in Fedora 41. For context, please see my previous email[1].
TLDR: This report[2] contains 73976 identified defects. Please review the
report and provide feedback.
A mass scan was performed this week on the packages that have changed in
Fedora 41. This report[2] contains all the new defects that have been
identified in the packages listed in Critical Path Packages. Please review
the report and fix or report any defects to upstream that may be real bugs.
Not all defects reported by OpenScanHub may be actual bugs, so please
verify reported defects before investing time into fixing or reporting
them. We hope this is helpful for the packages you maintain and for the
upstream projects. Questions can be asked on the OpenScanHub mailing
list[3]. If you want to see the full logs of the scans, they are available
on the tasks[4] page. User documentation for performing a scan is available
on the Fedora wiki[5].
Please remember this is currently an early production stage for OpenScanHub
scanning. Constructive feedback is appreciated. Thank you!
[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
[2] https://svashisht.fedorapeople.org/f41-03-Jul-2024/
[3] https://lists.fedoraproject.org/archives/list/openscanhub@lists.fedoraproje…
[4] https://openscanhub.fedoraproject.org/task/
[5] https://fedoraproject.org/wiki/OpenScanHub
--
Siteshwar Vashisht
Hello,
This is a follow up on my previous email[1] about OpenScanHub Prototype for
Fedora.
Thank you to those who have provided early feedback. Your help is truly
appreciated!
I am writing this message to get feedback from the community on possibly
new defects identified by static analyzers in Core Critical Path packages
that have changed in Fedora 41.
TLDR: This report[2] contains 14188 identified defects. Please review the
report and provide feedback.
A mass scan was performed this week on the packages that have changed in
Fedora 41. This report[2] contains all the new defects that have been
identified in the core packages listed in Critical Path Packages. Please
review the report and fix or report any defects to upstream that may be
real bugs. Not all defects reported by OpenScanHub may be actual bugs, so
please verify reported defects before investing time into fixing or
reporting them. We hope this is helpful for the packages you maintain and
for the upstream projects. Questions can be asked on the OpenScanHub
mailing list[3]. If you want to see the full logs of the scans, they are
available on the tasks[4] page. User documentation for performing a scan is
available on the Fedora wiki[5].
If the feedback on this report is positive, there may be a possibility of
increasing the scope of scans to cover a wider range of packages.
Please remember this is currently an early production stage for OpenScanHub
scanning. Constructive feedback is appreciated. Thank you!
[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org…
[2] https://svashisht.fedorapeople.org/f41-22-Apr-2024/
[3] https://lists.fedoraproject.org/archives/list/openscanhub@lists.fedoraproje…
[4] https://openscanhub.fedoraproject.org/task/
[5] https://fedoraproject.org/wiki/OpenScanHub