Thanks to visit codestin.com
Credit goes to github.com

Skip to content

zeek -u False positives on when captures #4951

New issue
New issue
Closed
Bug
Closed
zeek -u False positives on when captures#4951
Bug
Assignees
vpax
@evantypanski

Description

@evantypanski
evantypanski
opened on Oct 22, 2025

Zeek has a -u flag (that I don't know many people know about) which detects "usage errors" for variables. But, given basic captures in when statements, it detects any uses of the capture as used without definition. Here's the output from the documentation's when example:

# when.zeek
 
type r: record { x: int; y: int; };
global g = r($x=100, $y=100);

event zeek_init()
    {
    local l = r($x=1, $y=2);
    local l2 = r($x=3, $y=4);

    when [l, copy l2] ( g$x < 0 )
        {
        print l, l2;
        }

    l$x = 10;
    l2$x = 20;
    }

event zeek_init() &priority=-10
    {
    g$x = -999;
    }

$ zeek -ub when.zeek

warning in ./when.zeek, line 13: used without definition (l)
warning in ./when.zeek, line 13: used without definition (l2)
[x=10, y=2], [x=3, y=4]

Unfortunately, this causes a large amount of spam when used without bare mode. From my local install:

$ zeek -u when.zeek
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/exec.zeek, line 181: used without definition (Exec::cmd)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/active-http.zeek, line 101: used without definition (ActiveHTTP::bodyfile)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/active-http.zeek, line 101: used without definition (ActiveHTTP::headersfile)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/active-http.zeek, line 101: used without definition (ActiveHTTP::cmd)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/active-http.zeek, line 101: used without definition (ActiveHTTP::stdin_data)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/active-http.zeek, line 104: used without definition (ActiveHTTP::result)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/active-http.zeek, line 106: used without definition (ActiveHTTP::req)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/active-http.zeek, line 107: used without definition (ActiveHTTP::resp)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/dir.zeek, line 31: used without definition (Dir::dir)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/dir.zeek, line 33: used without definition (Dir::result)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/dir.zeek, line 47: used without definition (Dir::last_files)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/dir.zeek, line 48: used without definition (Dir::callback)
warning in /Users/etyp/.local/zeek/share/zeek/base/utils/dir.zeek, line 52: used without definition (Dir::poll_interval)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 223: used without definition (Notice::h2)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 225: used without definition (Notice::out)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 225: used without definition (Notice::n)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 225: used without definition (Notice::line1)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 225: used without definition (Notice::line2)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 225: used without definition (Notice::line3)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 225: used without definition (Notice::h1)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 225: used without definition (Notice::h1name)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 225: used without definition (Notice::h2name)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 245: used without definition (Notice::h2name_)
warning: Notice::resp_p assignment unused: Notice::resp_p = ; /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 174
warning: Notice::orig_p assignment unused: Notice::orig_p = ; /Users/etyp/.local/zeek/share/zeek/base/frameworks/notice/actions/pp-alarms.zeek, line 173
warning: Intel::inserted_value assignment unused: Intel::inserted_value = Intel::lower_indicator; /Users/etyp/.local/zeek/share/zeek/base/frameworks/intel/main.zeek, line 574
warning: Intel::inserted_value assignment unused: Intel::inserted_value = ; /Users/etyp/.local/zeek/share/zeek/base/frameworks/intel/main.zeek, line 545
warning: Intel::removed_value assignment unused: Intel::removed_value = Intel::indicator_value; /Users/etyp/.local/zeek/share/zeek/base/frameworks/intel/main.zeek, line 723
warning: Intel::removed_value assignment unused: Intel::removed_value = ; /Users/etyp/.local/zeek/share/zeek/base/frameworks/intel/main.zeek, line 694
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/sumstats/non-cluster.zeek, line 95: used without definition (SumStats::ss_name)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/sumstats/non-cluster.zeek, line 95: used without definition (SumStats::key)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/openflow/plugins/ryu.zeek, line 138: used without definition (OpenFlow::request)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/openflow/plugins/ryu.zeek, line 140: used without definition (OpenFlow::result)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/openflow/plugins/ryu.zeek, line 141: used without definition (OpenFlow::state)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/openflow/plugins/ryu.zeek, line 141: used without definition (OpenFlow::match)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/openflow/plugins/ryu.zeek, line 141: used without definition (OpenFlow::flow_mod)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/openflow/plugins/ryu.zeek, line 168: used without definition (OpenFlow::request)
warning in /Users/etyp/.local/zeek/share/zeek/base/frameworks/openflow/plugins/ryu.zeek, line 168: used without definition (function(when-param-9:count) : any[OpenFlow::request,  OpenFlow::result]{ if (1 == OpenFlow::when-param-9) { OpenFlow::result = ActiveHTTP::request(OpenFlow::request)<internal>::#0 = to_any_coerce Treturn (<internal>::#0)}<internal>::#1 = to_any_coerce Treturn (<internal>::#1)})
warning in /Users/etyp/.local/zeek/share/zeek/base/protocols/ssl/main.zeek, line 252: used without definition (SSL::info)
warning: SMB1::uid assignment unused: SMB1::uid = SMB1::hdr$uid; /Users/etyp/.local/zeek/share/zeek/base/protocols/smb/smb1-main.zeek, line 24
warning in ./when.zeek, line 13: used without definition (l)
warning in ./when.zeek, line 13: used without definition (l2)
[x=10, y=2], [x=3, y=4]

I only checked the first two, there may be more issues too.

I just don't know if we want to remove this flag? Or fix this issue? Does anyone use it?

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions