Newly introduced findings

List of Findings

Error: SHELLCHECK_WARNING (CWE-457): [#def1]
/usr/bin/makepkg:496:44: warning[SC2154]: xdata is referenced but not assigned.
#  494|   	write_kv_pair "pkgname" "$pkgname"
#  495|   	write_kv_pair "pkgbase" "$pkgbase"
#  496|-> 	write_kv_pair "xdata" "pkgtype=$pkgtype" "${xdata[@]}"
#  497|   
#  498|   	local fullver=$(get_full_version)

Error: SHELLCHECK_WARNING (CWE-571): [#def2]
/usr/bin/repo-add:367:10: warning[SC2155]: Declare and assign separately to avoid masking return values.
#  365|   
#  366|   		if (( RMEXISTING )); then
#  367|-> 			local oldfilename="$(sed -n '/^%FILENAME%$/ {n;p;q;}' "$pkgentry/desc")"
#  368|   			local oldfile="$repodir/$oldfilename"
#  369|   

Error: SHELLCHECK_WARNING (CWE-153): [#def3]
/usr/share/makepkg/autodep/library_depends.sh:54:28: warning[SC2053]: Quote the right-hand side of == in [[ ]] to prevent glob matching.
#   52|   				unset prefix
#   53|   				for libdir in ${LIB_DIRS[@]}; do
#   54|-> 					if [[ ${libdir#*:} == ${libpath} ]]; then
#   55|   						prefix=${libdir%%:*}
#   56|   					fi

Error: SHELLCHECK_WARNING (CWE-571): [#def4]
/usr/share/makepkg/buildenv/compiler.sh:47:10: warning[SC2155]: Declare and assign separately to avoid masking return values.
#   45|   	if check_buildoption "distcc" "y"; then
#   46|   		if (( using_ccache )); then
#   47|-> 			local distcc=$(type -p distcc)
#   48|   			if [[ " $CCACHE_PREFIX " != *" ${distcc} "* ]]; then
#   49|   				export CCACHE_PREFIX="${CCACHE_PREFIX:+$CCACHE_PREFIX }${distcc}"

Error: SHELLCHECK_WARNING (CWE-563): [#def5]
/usr/share/makepkg/lint_config/buildenv.sh:55:3: warning[SC2034]: ret appears unused. Verify use (or export if used externally).
#   53|   
#   54|   		error "$(gettext "%s array contains unknown option '%s'")" "OPTIONS" "$i"
#   55|-> 		ret=1
#   56|   	done
#   57|   }

Error: SHELLCHECK_WARNING (CWE-88): [#def6]
/usr/share/makepkg/lint_pkgbuild/arch.sh:43:39: error[SC2068]: Double quote array expansions to avoid re-splitting elements.
#   41|   	fi
#   42|   
#   43|-> 	if (( ${#arch[@]} != $(printf "%s\n" ${arch[@]} | sort -u | wc -l) )); then
#   44|   		error "$(gettext "%s can not contain duplicate values")" 'arch'
#   45|   		ret=1

Error: SHELLCHECK_WARNING (CWE-563): [#def7]
/usr/share/makepkg/reproducible/source_date_epoch.sh:29:2: warning[SC2034]: REPRODUCIBLE appears unused. Verify use (or export if used externally).
#   27|   
#   28|   if [[ -n $SOURCE_DATE_EPOCH ]]; then
#   29|-> 	REPRODUCIBLE=1
#   30|   else
#   31|   	SOURCE_DATE_EPOCH=$(date +%s)

Error: SHELLCHECK_WARNING (CWE-88): [#def8]
/usr/share/makepkg/tidy/10-docs.sh:35:13: error[SC2068]: Double quote array expansions to avoid re-splitting elements.
#   33|   	if check_option "docs" "n" && [[ -n ${DOC_DIRS[*]} ]]; then
#   34|   		msg2 "$(gettext "Removing doc files...")"
#   35|-> 		rm -rf -- ${DOC_DIRS[@]}
#   36|   	fi
#   37|   }

Error: SHELLCHECK_WARNING (CWE-149): [#def9]
/usr/share/makepkg/tidy/10-libtool.sh:35:30: warning[SC2140]: Word is of the form "A"B"C" (B indicated). Did you mean "ABC" or "A\"B\"C"?
#   33|   tidy_libtool() {
#   34|   	if check_option "libtool" "n"; then
#   35|-> 		msg2 "$(gettext "Removing "%s" files...")" "libtool"
#   36|   		find . ! -type d -name "*.la" -exec rm -f -- '{}' +
#   37|   	fi

Error: SHELLCHECK_WARNING (CWE-457): [#def10]
/usr/share/makepkg/tidy/50-strip.sh:49:15: warning[SC2154]: srcdir is referenced but not assigned.
#   47|   
#   48|   	LANG=C debugedit --no-recompute-build-id \
#   49|-> 		--base-dir "${srcdir}" \
#   50|   		--dest-dir "${dbgsrcdir}" \
#   51|   		--list-file /dev/stdout "$1" \

Error: SHELLCHECK_WARNING (CWE-571): [#def11]
/usr/share/makepkg/tidy/50-strip.sh:71:8: warning[SC2155]: Declare and assign separately to avoid masking return values.
#   69|   safe_objcopy() {
#   70|   	local binary=$1; shift
#   71|-> 	local tempfile=$(mktemp "$binary.XXXXXX")
#   72|   	objcopy "$@" "$binary" "$tempfile"
#   73|   	cat "$tempfile" > "$binary"

Error: SHELLCHECK_WARNING (CWE-571): [#def12]
/usr/share/makepkg/tidy/50-strip.sh:81:9: warning[SC2155]: Declare and assign separately to avoid masking return values.
#   79|   
#   80|   	if check_option "debug" "y"; then
#   81|-> 		local bid=$(build_id "$binary")
#   82|   
#   83|   		# has this file already been stripped

Error: SHELLCHECK_WARNING (CWE-571): [#def13]
/usr/share/makepkg/tidy/50-strip.sh:128:8: warning[SC2155]: Declare and assign separately to avoid masking return values.
#  126|   safe_strip_file(){
#  127|   	local binary=$1; shift
#  128|-> 	local tempfile=$(mktemp "$binary.XXXXXX")
#  129|   	if strip "$@" "$binary" -o "$tempfile"; then
#  130|   		cat "$tempfile" > "$binary"

Error: SHELLCHECK_WARNING (CWE-571): [#def14]
/usr/share/makepkg/tidy/50-strip.sh:138:8: warning[SC2155]: Declare and assign separately to avoid masking return values.
#  136|   	local binary=$1;
#  137|   
#  138|-> 	local tempfile=$(mktemp "$binary.XXXXXX")
#  139|   	if strip -R .gnu.lto_* -R .gnu.debuglto_* -N __gnu_lto_v1 "$binary" -o "$tempfile"; then
#  140|   		cat "$tempfile" > "$binary"

Error: SHELLCHECK_WARNING (CWE-457): [#def15]
/usr/share/makepkg/tidy/50-strip.sh:192:12: warning[SC2154]: pkgdirbase is referenced but not assigned.
#  190|   
#  191|   		if check_option "debug" "y"; then
#  192|-> 			dbgdir="$pkgdirbase/$pkgbase-debug/usr/lib/debug"
#  193|   			dbgsrcdir="${DBGSRCDIR:-/usr/src/debug}/${pkgbase}"
#  194|   			dbgsrc="$pkgdirbase/$pkgbase-debug$dbgsrcdir"

Error: SHELLCHECK_WARNING (CWE-457): [#def16]
/usr/share/makepkg/tidy/50-strip.sh:192:24: warning[SC2154]: pkgbase is referenced but not assigned.
#  190|   
#  191|   		if check_option "debug" "y"; then
#  192|-> 			dbgdir="$pkgdirbase/$pkgbase-debug/usr/lib/debug"
#  193|   			dbgsrcdir="${DBGSRCDIR:-/usr/src/debug}/${pkgbase}"
#  194|   			dbgsrc="$pkgdirbase/$pkgbase-debug$dbgsrcdir"

Error: SHELLCHECK_WARNING (CWE-140): [#def17]
/usr/share/makepkg/tidy/50-strip.sh:207:12: warning[SC2207]: Prefer mapfile or read -a to split command output (or quote to avoid splitting).
#  205|   					# Be sure to keep the number of concurrently running processes less
#  206|   					# than limit value to prevent an accidental fork bomb.
#  207|-> 					jobs=($(jobs -p))
#  208|   					(( ${#jobs[@]} >= $NPROC )) && wait -n "${jobs[@]}"
#  209|   

Error: SHELLCHECK_WARNING (CWE-571): [#def18]
/usr/share/makepkg/tidy/50-strip.sh:224:11: warning[SC2155]: Declare and assign separately to avoid masking return values.
#  222|   		while IFS= read -rd '' binary ; do
#  223|   			if check_option "debug" "y"; then
#  224|-> 				local inode="$(stat -c '%i %n' -- "$binary")"
#  225|   				inode=${inode%% *}
#  226|   				if [[ -z "${hardlinks[$inode]}" ]]; then

Error: SHELLCHECK_WARNING (CWE-563): [#def19]
/usr/share/makepkg/util/config.sh:81:14: warning[SC2034]: BUILDENV appears unused. Verify use (or export if used externally).
#   79|   
#   80|   	# prevent altering these directly
#   81|-> 	readonly -a BUILDENV OPTIONS
#   82|   
#   83|   	eval "$restore_envvars"

Error: SHELLCHECK_WARNING (CWE-563): [#def20]
/usr/share/makepkg/util/config.sh:81:23: warning[SC2034]: OPTIONS appears unused. Verify use (or export if used externally).
#   79|   
#   80|   	# prevent altering these directly
#   81|-> 	readonly -a BUILDENV OPTIONS
#   82|   
#   83|   	eval "$restore_envvars"

Error: SHELLCHECK_WARNING (CWE-457): [#def21]
/usr/share/makepkg/util/option.sh:86:40: warning[SC2154]: options is referenced but not assigned (did you mean 'option'?).
#   84|   check_option() {
#   85|   	declare -n options_arch=options_$CARCH
#   86|-> 	check_opt_array "$@" "${OPTIONS[@]}" "${options[@]}" "${options_arch[@]}"
#   87|   }
#   88|

Scan Properties

analyzer-version-clippy	1.95.0
analyzer-version-cppcheck	2.20.0
analyzer-version-gcc	16.1.1
analyzer-version-gcc-analyzer	16.1.1
analyzer-version-shellcheck	0.11.0
analyzer-version-unicontrol	0.0.2
diffbase-analyzer-version-clippy	1.95.0
diffbase-analyzer-version-cppcheck	2.20.0
diffbase-analyzer-version-gcc	16.1.1
diffbase-analyzer-version-gcc-analyzer	16.1.1
diffbase-analyzer-version-shellcheck	0.11.0
diffbase-analyzer-version-unicontrol	0.0.2
diffbase-enabled-plugins	clippy, cppcheck, gcc, shellcheck, unicontrol
diffbase-exit-code	0
diffbase-host	ip-172-16-1-19.us-west-2.compute.internal
diffbase-known-false-positives	/usr/share/csmock/known-false-positives.js
diffbase-known-false-positives-rpm	known-false-positives-0.0.0.20260524.213755.g3c6d0be.main-1.el9.noarch
diffbase-mock-config	fedora-rawhide-x86_64
diffbase-project-name	pacman-7.0.0-6.fc44
diffbase-store-results-to	/tmp/tmpdnjxjfb7/pacman-7.0.0-6.fc44.tar.xz
diffbase-time-created	2026-06-01 15:25:37
diffbase-time-finished	2026-06-01 15:27:35
diffbase-tool	csmock
diffbase-tool-args	'/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'shellcheck,cppcheck,clippy,unicontrol,gcc' '-o' '/tmp/tmpdnjxjfb7/pacman-7.0.0-6.fc44.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmpdnjxjfb7/pacman-7.0.0-6.fc44.src.rpm'
diffbase-tool-version	csmock-3.8.5.20260529.133039.g6f3b5c6-1.el9
enabled-plugins	clippy, cppcheck, gcc, shellcheck, unicontrol
exit-code	0
host	ip-172-16-1-19.us-west-2.compute.internal
known-false-positives	/usr/share/csmock/known-false-positives.js
known-false-positives-rpm	known-false-positives-0.0.0.20260524.213755.g3c6d0be.main-1.el9.noarch
mock-config	fedora-rawhide-x86_64
project-name	pacman-7.1.0-1.fc45
store-results-to	/tmp/tmpydszei7f/pacman-7.1.0-1.fc45.tar.xz
time-created	2026-06-01 15:28:01
time-finished	2026-06-01 15:29:30
title	Newly introduced findings
tool	csmock
tool-args	'/usr/bin/csmock' '-r' 'fedora-rawhide-x86_64' '-t' 'shellcheck,cppcheck,clippy,unicontrol,gcc' '-o' '/tmp/tmpydszei7f/pacman-7.1.0-1.fc45.tar.xz' '--gcc-analyze' '--unicontrol-notests' '--unicontrol-bidi-only' '--install' 'pam' '--gcc-analyzer-bin=/usr/bin/gcc' '/tmp/tmpydszei7f/pacman-7.1.0-1.fc45.src.rpm'
tool-version	csmock-3.8.5.20260529.133039.g6f3b5c6-1.el9