Hi, I've filed a PR to the known-false-positives repository here:
https://github.com/openscanhub/known-false-positives/pull/47 I wanted to see if the file is correctly picked up but I don't understand how to use the csfilter-kfp mentioned here: https://github.com/openscanhub/known-false-positives/blob/8eff7013db7cd9a5031abd197a0c05f7ae4b43a7/README.md?plain=1#L31-L34 Can you please explain here or in the README how to do that with a given report like the following one? https://svashisht.fedorapeople.org/openscanhub/mass-scans/f44-08-Jan-2026/ The false positives I've identified in LLVM will probably stay there forever. My llvm/ignore.err file contains "llvm-project-21.1.8.src" in the referenced file paths. Will future versions pick this up correctly and ignore the error or do I have to modify the version for each release? Regards Konrad On Fri, Jan 9, 2026 at 1:27 PM Siteshwar Vashisht <[email protected]> wrote: > Hello, > > I am writing this message to get feedback from the community on new > findings by static analyzers in Critical Path Packages that have > changed in Fedora 44. > > TLDR: This report[1] contains a total of 89972 findings and 3375 new > findings identified since Fedora 43. Please review the report and > provide feedback. False positives can now be recorded in the > known-false-positives[5] repository. > > A mass scan was performed on the packages that have changed in Fedora > 44. This report[1] contains all the findings that have been identified > in the Critical Path Packages. Newly added findings since Fedora 43 > are listed under ‘+’ column and these should be prioritized while > reviewing the findings (and fixing them upstream). Not all findings > reported by OpenScanHub may be actual bugs, so please verify reported > findings before investing time into fixing or reporting them. We have > used the current development version of GCC to perform the scans, > which may increase the likelihood of having false positives in the GCC > reports. > > False positives can now be recorded in the known-false-positives[5] > repository. These findings are automatically suppressed by OpenScanHub > in scans that are triggered later. Also, you can filter findings with > the csgrep utility to make it easier to review reports that may > contain a large amount of false positives. Examples of csgrep > invocation are available on the Fedora wiki[4]. > > We hope this is helpful for the packages you maintain and for the > upstream projects. Questions can be asked on the OpenScanHub mailing > list[2]. If you want to see the raw scan results, they are available > on the tasks[3] page. User documentation for performing a scan is > available on the Fedora wiki[4]. > > Please keep the feedback on this thread constructive. Thank you! > > [1] > https://svashisht.fedorapeople.org/openscanhub/mass-scans/f44-08-Jan-2026/ > > [2] > https://lists.fedoraproject.org/archives/list/[email protected]/ > > [3] https://openscanhub.fedoraproject.org/task/ > > [4] https://fedoraproject.org/wiki/OpenScanHub > > [5] https://github.com/openscanhub/known-false-positives > > -- > _______________________________________________ > devel mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
