We are using various static analyzers to find bugs in Fedora packages. There are 704 findings[1] reported for glibc in a mass scan[2] performed on Fedora rawhide. Please review this report and either fix these findings or add them to the known-false-positives[3] repository.

[1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f43-25-Apr-2025/glibc-2.41.9000-10.fc43/scan-results.html
[2] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/PH5MCW4SPO2D4ITTGDFLSYBSF5FWFYEL/
[3] https://github.com/openscanhub/known-false-positives

Reproducible: Always
Thanks for running the analysis. It will certainly take us a long time to evaluate the results. Is it feasible to mark them all as a "baseline" and use that going forward to detect changes?
(In reply to Carlos O'Donell from comment #1)
> Thanks for running the analysis. It will certainly take us a long time to
> evaluate the results.
>
> Is it feasible to mark them all as a "baseline" and use that going forward
> to detect changes?

If you only want to review findings introduced in rawhide, they can be seen on the added findings[1] page. See the `+` column in the report[2] shared with the Fedora community.

[1] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f43-25-Apr-2025/glibc-2.41.9000-10.fc43/added.html
[2] https://svashisht.fedorapeople.org/openscanhub/mass-scans/f43-25-Apr-2025/
A significant number of findings in the full scan report were for the benchmark tests. I have opened a pull request[1] to exclude the benchmark tests path to make the reports more useful.

[1] https://github.com/openscanhub/known-false-positives/pull/17
(In reply to Siteshwar Vashisht from comment #3)
> A significant amount of findings in the full scan report were for the
> benchmark tests. I have opened a pull request[1] to exclude benchmark tests
> path to make the reports more useful.
>
> [1] https://github.com/openscanhub/known-false-positives/pull/17

From first principles the benchmarks should always be correct. I've commented on the GitHub PR with alternative suggestions.
Siteshwar,

I note that we have updated mass scans here:
https://svashisht.fedorapeople.org/openscanhub/mass-scans/

However, glibc is not in the list for the f44 scans, why might that be?
(In reply to Carlos O'Donell from comment #7)
> Siteshwar,
>
> I note that we have updated mass scans here:
> https://svashisht.fedorapeople.org/openscanhub/mass-scans/
>
> However, glibc is not in the list for the f44 scans, why might that be?

The glibc differential scan failed[1] as the base SRPM for Fedora 43 could not be built[2].

[1] https://openscanhub.fedoraproject.org/task/90933/
[2] https://openscanhub.fedoraproject.org/task/90972/log/stdout.log
(In reply to Siteshwar Vashisht from comment #8)
> (In reply to Carlos O'Donell from comment #7)
> > Siteshwar,
> >
> > I note that we have updated mass scans here:
> > https://svashisht.fedorapeople.org/openscanhub/mass-scans/
> >
> > However, glibc is not in the list for the f44 scans, why might that be?
>
> glibc differential scan failed[1] as the base SRPM for Fedora 43 could not
> be built[2].
>
> [1] https://openscanhub.fedoraproject.org/task/90933/
> [2] https://openscanhub.fedoraproject.org/task/90972/log/stdout.log

~~~
RPM build errors:
/usr/bin/ld.bfd: cannot find /usr/lib/libatomic.so.1.2.0: No such file or directory <--[gcc]
~~~

This has since been fixed and was part of the GCC 16 transition.

commit 3ca6309421beb8eaa033da5b9c723aecf33f807d
Author: DJ Delorie <dj>
Date:   Tue Jan 6 22:07:58 2026 -0500

    Do not try to link glibc32 with libatomic (#2427390)

    GCC now links libatomic on an "as-needed" basis. However, the build
    environment doesn't have the 32-bit version during our 64-bit builds,
    and the link fails because the file is missing. Since it isn't needed
    anyway, just remove that as-needed from those builds.

    Since the native builds do not need libatomic (which *is* in the build
    environment), as-needing them is harmless as the not-needed-ness means
    there isn't even a DT_NEEDED for them.

Is there any way to redo the differential scan?
> Is there any way to redo the differential scan?

It is documented in the Fedora wiki[1]. I have triggered another scan[2] for glibc.

[1] https://fedoraproject.org/wiki/OpenScanHub
[2] https://openscanhub.fedoraproject.org/task/97738/
(In reply to Siteshwar Vashisht from comment #10)
> > Is there any way to redo the differential scan?
>
> It is documented in the Fedora wiki[1]. I have triggered another scan[2] for
> glibc.
>
> [1] https://fedoraproject.org/wiki/OpenScanHub
> [2] https://openscanhub.fedoraproject.org/task/97738/

The scan has failed again as this commit[1] is not there in the Fedora 43 glibc package. I have triggered another scan[2] by adding a custom `-fno-link-libatomic` flag for the Fedora 43 build.

[1] https://src.fedoraproject.org/rpms/glibc/c/3ca6309421beb8eaa033da5b9c723aecf33f807d
[2] https://openscanhub.fedoraproject.org/task/97741/