mirror of
https://github.com/flatpak/flatpak.git
synced 2026-03-26 10:54:59 -04:00
596ef2fd7ac55eb05a3928df4ed209c07045d0e4
OpenScanHub [1] triggered this and flagged it as CWE-688 [2]:
common/flatpak-appdata.c:298:7: warning[-Wanalyzer-null-argument]: use
of NULL ‘parent’ where non-null expected
common/flatpak-appdata.c:282:6: branch_false: following ‘false’
branch...
common/flatpak-appdata.c:285:3: branch_false: ...to here
common/flatpak-appdata.c:285:3: branch_true: following ‘true’
branch...
common/flatpak-appdata.c:287:15: branch_true: ...to here
common/flatpak-appdata.c:289:6: branch_false: following ‘false’
branch...
common/flatpak-appdata.c:297:7: branch_false: ...to here
common/flatpak-appdata.c:297:6: branch_true: following ‘true’ branch
(when the strings are equal)...
common/flatpak-appdata.c:298:7: branch_true: ...to here
common/flatpak-appdata.c:298:7: danger: argument 1 (‘parent’) NULL
where non-null expected
# 296| /* avoid picking up <id> elements from e.g. <provides> */
# 297| if (g_str_equal (element_name, "id") &&
# 298|-> g_str_equal (parent, "component"))
# 299| {
# 300| component->id = g_steal_pointer (&text);
The parsing code doesn't throw any errors from G_MARKUP_ERROR. It
expects the input to be valid, and relies on assertions to express that.
E.g., it asserts that a <component> element or tag is encountered before
any other, and particularly <content_attribute>, <content_rating> and
<release>.
In the same vein, an assertion was added to express that an <id> element
or tag always has a parent.
Spotted by Siteshwar Vashisht.
[1] https://openscanhub.dev/
[2] https://cwe.mitre.org/data/definitions/688.html
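The failure mode in the commit message above, as an added example that is not flatpak's code: a constructed mini-parser for attribute-free tags keeps its own element stack, and checks that an <id> has a parent before any string comparison touches the parent name. The function name, the return codes and the choice to reject the document (where the commit uses an assertion) are assumptions of this sketch.

```c
#include <string.h>

#define MAX_DEPTH 16
#define NAME_LEN  32

/* Constructed mini-parser, not flatpak's GMarkup code. Returns 0 and copies the
 * <id> directly under <component> into out, 1 if the document is well formed but
 * has no such <id>, -1 if it is malformed (including an <id> with no parent). */
int component_id(const char *xml, char *out, size_t out_len)
{
    char stack[MAX_DEPTH][NAME_LEN];   /* names of the currently open elements */
    size_t depth = 0;
    const char *text = NULL;           /* start of character data since the last tag */
    int result = 1;

    for (const char *p = xml; *p != '\0'; ) {
        if (*p != '<') {               /* character data */
            if (text == NULL) text = p;
            p++;
            continue;
        }
        const char *gt = strchr(p, '>');
        if (gt == NULL) return -1;
        int closing = (p[1] == '/');
        const char *name = p + 1 + closing;
        size_t n = (size_t)(gt - name);
        if (n == 0 || n >= NAME_LEN) return -1;
        if (!closing) {
            if (depth == MAX_DEPTH) return -1;
            memcpy(stack[depth], name, n);
            stack[depth++][n] = '\0';
        } else {
            if (depth == 0 || strlen(stack[depth - 1]) != n ||
                memcmp(stack[depth - 1], name, n) != 0) return -1;
            /* The root element has no parent, so parent can be NULL here. */
            const char *parent = depth >= 2 ? stack[depth - 2] : NULL;
            if (strcmp(stack[depth - 1], "id") == 0) {
                if (parent == NULL) return -1;   /* check before comparing */
                if (strcmp(parent, "component") == 0 && text != NULL) {
                    size_t len = (size_t)(p - text);
                    if (len >= out_len) return -1;
                    memcpy(out, text, len);
                    out[len] = '\0';
                    result = 0;
                }
            }
            depth--;
        }
        text = NULL;
        p = gt + 1;
    }
    return depth == 0 ? result : -1;
}
```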
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.
See https://flatpak.org/ for more information.
Flatpak is available in the package repositories of most Linux distributions and can be installed from there. See https://flatpak.org/setup/ for quick setup instructions for many distributions.
Community discussion happens in #flatpak:matrix.org, on the mailing list, and on the Flathub Discourse.
Read documentation for Flatpak here.
Contributing
Flatpak welcomes contributions from anyone! Here are some ways you can help:
- Fix one of the issues and submit a PR
- Update flatpak's translations and submit a PR
- Improve flatpak's documentation, hosted at http://docs.flatpak.org and developed over in flatpak-docs
- Find a bug and submit a detailed report including your OS, flatpak version, and the steps to reproduce
- Add your favorite application to Flathub by writing a flatpak-builder manifest and submitting it
- Improve the Flatpak support in your favorite Linux distribution
Hacking
See CONTRIBUTING.md
Related Projects
Here are some notable projects in the Flatpak ecosystem:
- Flatseal: An app for managing permissions of Flatpak apps without using the CLI
- Flat-manager: A tool for managing Flatpak repositories
