Multiple CWE's in protobuf after SAST analysis by PVS-Studio
#24882 opened on Dec 15, 2025
Description
What version of protobuf and what language are you using?
Version: v6.31.1
Language: C++
What operating system (Linux, Windows, ...) and version?
Rocky Linux 10 (6.12.0-55.39.1.el10_0.x86_64 #1 SMP PREEMPT_DYNAMIC)
What runtime / compiler are you using (e.g., python version or gcc version)?
clang version 19.1.7 (RESF 19.1.7-2.el10)
What did you do?
After performing SAST analysis of the gRPC core project using the PVS-Studio static code analyzer (https://pvs-studio.com/), the report showed multiple CWE vulnerabilities and other critical warnings.
294 of these warnings were found in the protobuf project, version 6.31.1, which is used in gRPC as a submodule. Of the total 294 warnings, 120 are critical (mostly CWEs). Some of these warnings were also found in generated files.
I understand that part of these warnings might be false positives. However, others might be applicable and therefore might be considered security weaknesses.
The exact steps taken were as follows:
- Build gRPC on Rocky Linux 10 with CMake, following the instructions in https://github.com/grpc/grpc/blob/master/BUILDING.md and including generation of compile_commands.json for later use by PVS-Studio for analysis.
The exact commands were as follows:
$ cd /
$ git clone https://github.com/grpc/grpc
$ cd grpc
$ git submodule update --init
$ mkdir -p cmake/build
$ cd cmake/build
$ cmake -DCMAKE_CXX_STANDARD=17 -DCMAKE_EXPORT_COMPILE_COMMANDS=On ../..
$ make
- Install PVS-Studio from the official website by following the instructions in https://pvs-studio.com/en/docs/manual/0039/.
- After a successful build of gRPC, run the PVS-Studio analyzer in the cmake/build directory of the repository root:
pvs-studio-analyzer analyze -f ./compile_commands.json -o ./pvs.log -j10
This produces the PVS log file, which contains the PVS SAST analysis results for the entire gRPC core project and can later be converted into HTML form for better presentation.
- Produce the HTML render of the PVS analysis results from the PVS log file by issuing this command in the previously created cmake/build directory of the repository root, filtering for the protobuf submodule:
plog-converter -t fullhtml -r ../.. -o ./log-directory --errorCodeMapping cwe ./pvs.log -I /grpc/third_party/protobuf
(Here the -r option specifies the directory in which the gRPC repository resides.)
This creates a directory named "log-directory" inside the cmake/build directory, with an index.html in it which can be opened by any modern browser to view the PVS analysis results:
The html-rendered analysis results by PVS-Studio
Viewing the results:
The directory with the index.html containing the analysis results for the protobuf project is attached to this issue as a tar gzip-compressed archive:
To view it, simply open the index.html file in any browser. On the page you can see all the warnings generated for the protobuf project.
To view the location of a particular warning, click on the name of the source file in the "Location" column:
This will open the following page:
On it you can see the exact place in the source file where the warning was generated.
What did you expect to see?
Fewer or no CWEs after performing SAST analysis, as in my particular situation protobuf having these CWEs prevents integrating it as a third-party library in a software project.
What did you see instead?
Multiple critical warnings in the results of the SAST analysis of the protobuf project.
Anything else we should know about your project / environment?
- It would be much appreciated if the maintainers could provide any help with resolving this issue.
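The report described above mixes warnings from the protobuf submodule with the rest of gRPC, and mixes hand-written sources with generated `.pb.cc`/`.pb.h` files. The triage helper below is an added example (not from this issue or from the PVS-Studio or protobuf projects) that splits such a report the way a reviewer would before filing: restrict to one submodule path, count per severity level and CWE, and list only the high-severity findings in hand-written code. It assumes the JSON shape that `plog-converter -t json` emits (a `warnings` array with `code`, `cwe`, `level` and `positions[].file`/`line` fields); that field layout is an assumption, and the embedded report is constructed sample data.

```python
import json
from collections import Counter

# Constructed sample in the field layout assumed for `plog-converter -t json`
# (field names are an assumption; paths follow the /grpc/third_party/protobuf layout above).
SAMPLE_REPORT = json.dumps({"warnings": [
    {"code": "V522", "cwe": 476, "level": 1, "message": "possible null dereference",
     "positions": [{"file": "/grpc/third_party/protobuf/src/google/protobuf/message.cc", "line": 120}]},
    {"code": "V1004", "cwe": 476, "level": 2, "message": "pointer used after null check",
     "positions": [{"file": "/grpc/third_party/protobuf/src/google/protobuf/descriptor.pb.cc", "line": 900}]},
    {"code": "V730", "cwe": 457, "level": 1, "message": "member not initialized",
     "positions": [{"file": "/grpc/src/core/lib/example.cc", "line": 10}]},
    {"code": "V581", "cwe": 0, "level": 3, "message": "identical conditions",
     "positions": [{"file": "/grpc/third_party/protobuf/src/google/protobuf/io/coded_stream.cc", "line": 55}]},
]})

# protoc output; findings here belong to the generator, not to the checked-in sources
GENERATED_SUFFIXES = (".pb.cc", ".pb.h")
HIGH_LEVEL = 1  # assumption: PVS-Studio reports its "High" certainty level as 1


def is_generated(path):
    return path.endswith(GENERATED_SUFFIXES)


def triage(report_text, subdir):
    """Summarise warnings whose first position lies under `subdir`."""
    prefix = subdir.rstrip("/") + "/"
    summary = {"total": 0, "critical": 0, "generated": 0,
               "cwe": Counter(), "handwritten_critical": []}
    for warning in json.loads(report_text)["warnings"]:
        pos = warning["positions"][0]
        path = pos["file"]
        if not path.startswith(prefix):
            continue  # belongs to another part of the gRPC tree
        summary["total"] += 1
        generated = is_generated(path)
        if generated:
            summary["generated"] += 1
        if warning["cwe"]:  # 0 / missing means no CWE mapping for this diagnostic
            summary["cwe"]["CWE-%d" % warning["cwe"]] += 1
        if warning["level"] == HIGH_LEVEL:
            summary["critical"] += 1
            if not generated:
                summary["handwritten_critical"].append((path, pos["line"], warning["code"]))
    return summary


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, "/grpc/third_party/protobuf"))
```

The `handwritten_critical` list is the set worth opening in the rendered index.html first; the `generated` count tells you how much of the total should be reported against the code generator rather than the library sources.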