Coverity Analysis 2019.03 incorrectly marks the input argument of base64_encode(), and consequently base64_encode_alloc(), as tainted_data_sink because it sees byte-level operations on the input.
It triggered the following false positives in the cryptsetup project:

Error: TAINTED_SCALAR:
lib/luks2/luks2_digest_pbkdf2.c:117: tainted_data_argument: Calling function "crypt_random_get" taints argument "salt".
lib/luks2/luks2_digest_pbkdf2.c:157: tainted_data: Passing tainted variable "salt" to a tainted sink.

Error: TAINTED_SCALAR:
lib/luks2/luks2_keyslot_luks2.c:445: tainted_data_argument: Calling function "crypt_random_get" taints argument "salt".
lib/luks2/luks2_keyslot_luks2.c:448: tainted_data: Passing tainted variable "salt" to a tainted sink.

... but it can affect other gnulib-based projects, too.

Would it be possible to apply the following one-line patch to the gnulib source code to suppress this class of false positives in gnulib-based projects?

https://gitlab.com/cryptsetup/cryptsetup/commit/75b2610e

Thanks in advance for considering it!

Kamil
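As an added illustration (not gnulib's base64.c and not part of the message above), here is a minimal base64 encoder written in the same byte-level style. The assumption behind it is that the analyzer reacts to input bytes being shifted and used as table indexes; every such index is masked with 0x3f, so it is bounded to 0..63 whatever the input holds, which is why a report of the input as a tainted index is a false positive.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char b64c[64] =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode INLEN bytes from IN into OUT, which must hold at least
   ((INLEN + 2) / 3) * 4 + 1 bytes. Returns the number of characters
   written, not counting the terminating NUL. */
size_t b64_encode(const unsigned char *in, size_t inlen, char *out)
{
  size_t n = 0;
  while (inlen >= 3) {
    /* Each index is either a 6-bit shift result or masked with 0x3f,
       so it can never leave the 64-entry table. A taint tracker that
       follows the data flow but does not reason about the mask sees
       "externally controlled value used as an array index" here. */
    out[n++] = b64c[in[0] >> 2];
    out[n++] = b64c[((in[0] << 4) | (in[1] >> 4)) & 0x3f];
    out[n++] = b64c[((in[1] << 2) | (in[2] >> 6)) & 0x3f];
    out[n++] = b64c[in[2] & 0x3f];
    in += 3;
    inlen -= 3;
  }
  if (inlen > 0) {                       /* one or two trailing bytes */
    out[n++] = b64c[in[0] >> 2];
    if (inlen == 1) {
      out[n++] = b64c[(in[0] << 4) & 0x3f];
      out[n++] = '=';
    } else {
      out[n++] = b64c[((in[0] << 4) | (in[1] >> 4)) & 0x3f];
      out[n++] = b64c[(in[1] << 2) & 0x3f];
    }
    out[n++] = '=';
  }
  out[n] = '\0';
  return n;
}

/* Convenience wrapper for short NUL-terminated inputs; returns a
   pointer to a static buffer (constructed helper for demonstration). */
const char *b64_string(const char *s)
{
  static char buf[128];
  b64_encode((const unsigned char *)s, strlen(s), buf);
  return buf;
}

int main(void)
{
  printf("%s\n", b64_string("hello"));   /* prints aGVsbG8= */
  return 0;
}
```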