nginx 1.20.0 coverity errors

B
  • 7 Dec '23
Hi,

We ran Coverity testing on nginx 1.20.0 and we got some errors.
Is there any plan to resolve these errors?

Checker Number
ARRAY_VS_SINGLETON 3
BAD_FREE 3
BUFFER_SIZE 1
CHECKED_RETURN 10
COPY_PASTE_ERROR 1
DC.WEAK_CRYPTO 18
DEADCODE 8
FORWARD_NULL 49
MISSING_RESTORE 1
NO_EFFECT 8
NULL_RETURNS 8
OVERRUN 12
PW.INCLUDE_RECURSION 8
RESOURCE_LEAK 5
REVERSE_INULL 5
SIGN_EXTENSION 1
SIZEOF_MISMATCH 8
STACK_USE 1
STRING_NULL 1
TAINTED_SCALAR 1
TOCTOU 12
UNINIT 10
UNREACHABLE 63
UNUSED_VALUE 4
USE_AFTER_FREE 1
Total 242
X
  • 7 Dec '23
Hello Bill, 

> We ran Coverity testing on nginx 1.20.0 and we got some errors.
> Is there any plan to resolve these errors?

Maybe you should try the same thing on 1.24.0?

Because AFAIK 1.20.0 was released on 20 Apr 2021 and there are 
more than 2 years of development in between.

So you tested old, deprecated code.

Regards,
Xavier
R
  • 7 Dec '23
This is like reading a book, not understanding some words and then
complaining to the author to fix their spelling. Please don't rely on SAST
analysis without understanding the code. I would expect the vast majority
of these are false positives - provide evidence that these are real bugs if
you want them to be taken seriously.

On Thu, 7 Dec 2023 at 02:35, BILL <bill0119 at gmail.com> wrote:

> Hi,
>
> We ran Coverity testing on nginx 1.20.0 and we got some errors.
> Is there any plan to resolve these errors?
>
>
> Checker Number
> ARRAY_VS_SINGLETON 3
> BAD_FREE 3
> BUFFER_SIZE 1
> CHECKED_RETURN 10
> COPY_PASTE_ERROR 1
> DC.WEAK_CRYPTO 18
> DEADCODE 8
> FORWARD_NULL 49
> MISSING_RESTORE 1
> NO_EFFECT 8
> NULL_RETURNS 8
> OVERRUN 12
> PW.INCLUDE_RECURSION 8
> RESOURCE_LEAK 5
> REVERSE_INULL 5
> SIGN_EXTENSION 1
> SIZEOF_MISMATCH 8
> STACK_USE 1
> STRING_NULL 1
> TAINTED_SCALAR 1
> TOCTOU 12
> UNINIT 10
> UNREACHABLE 63
> UNUSED_VALUE 4
> USE_AFTER_FREE 1
> Total 242
M
  • 7 Dec '23
FWIW, you can find daily nginx Coverity scan results (and even 
subscribe to updates) here:

https://scan.coverity.com/projects/nginx

Thanks to the Synopsys and Coverity team for the great service.

Maxim

On 07.12.2023 06:57, Richard Stanway via nginx wrote:
> This is like reading a book, not understanding some words and then 
> complaining to the author to fix their spelling. Please don't rely on 
> SAST analysis without understanding the code. I would expect the vast 
> majority of these are false positives - provide evidence that these are 
> real bugs if you want them to be taken seriously.

-- 
Maxim Konovalov