From fee40e6db36cd6805309694d7a99978448220847 Mon Sep 17 00:00:00 2001
From: Bryan Call
Date: Thu, 29 Jan 2026 14:53:16 -0800
Subject: [PATCH 1/4] Fix uninitialized DiagsConfigState in reconfigure_diags

Value-initialize DiagsConfigState to ensure the outputs array members are initialized to false before use. This fixes Coverity CID 1497238 (UNINIT).
---
src/proxy/shared/DiagsConfig.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/proxy/shared/DiagsConfig.cc b/src/proxy/shared/DiagsConfig.cc
index 9e29be3d6c3..9420f2df1f0 100644
--- a/src/proxy/shared/DiagsConfig.cc
+++ b/src/proxy/shared/DiagsConfig.cc
@@ -42,7 +42,7 @@ void
 DiagsConfig::reconfigure_diags()
 {
 int i;
- DiagsConfigState c;
+ DiagsConfigState c{};
 bool found, all_found;
 static struct {
From 6cb2a3965b2ff08349a87a6599bfc7bd1c9304fd Mon Sep 17 00:00:00 2001
From: Bryan Call
Date: Thu, 29 Jan 2026 14:59:09 -0800
Subject: [PATCH 2/4] Fix uninitialized ParsedValue in ParsedConfigCache::parse

Explicitly value-initialize ParsedValue to ensure the variant member is properly initialized. This fixes Coverity CID 1644237 (UNINIT).
---
src/proxy/http/HttpConfig.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/proxy/http/HttpConfig.cc b/src/proxy/http/HttpConfig.cc
index 3b7352b1fc6..d58f7d7c016 100644
--- a/src/proxy/http/HttpConfig.cc
+++ b/src/proxy/http/HttpConfig.cc
@@ -745,7 +745,7 @@ ParsedConfigCache::lookup_impl(TSOverridableConfigKey key, std::string_view valu
 ParsedConfigCache::ParsedValue
 ParsedConfigCache::parse(TSOverridableConfigKey key, std::string_view value)
 {
- ParsedValue result;
+ ParsedValue result{};
 // Store the string value - the parsed structures may reference this.
 result.conf_value_storage = std::string(value);
From a3fa311a4d7714b0fe522647e0d4516f9940ebde Mon Sep 17 00:00:00 2001
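Review bot: Initializing at the declaration in `reconfigure_diags()` (`DiagsConfigState c{};`) leaves the type itself unsafe: any other place that declares a `DiagsConfigState` without braces still gets indeterminate `outputs` flags, and reading them is undefined behaviour. The `{}` also only zeroes the members if the struct has no user-provided default constructor, which cannot be confirmed from this hunk. Giving the `outputs` member a default initializer (`= {}`) in the struct definition would make every instance safe and leave the call-site braces as a second layer. The same call-site pattern is used for `ParsedValue result{};` in src/proxy/http/HttpConfig.cc and `TLS_summary{}` in test_ja4.cc. The body of `reconfigure_diags()` continues outside the hunk.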
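Review bot: In `ParsedConfigCache::parse()`, `ParsedValue result{};` carries no comment saying which member the braces protect, and if the member in question is a `std::variant` it was already constructed to its first alternative under plain default-initialization. What the braces can change is any scalar or pointer member of `ParsedValue` that has no initializer of its own; the definition is not visible here, so this is inferred. I would name that member next to the declaration, e.g. `// value-init: zeroes members of ParsedValue that have no default initializer`, or initialize it in the type. `parse()` continues past the end of the hunk.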
From: Bryan Call
Date: Thu, 29 Jan 2026 15:00:52 -0800
Subject: [PATCH 3/4] Fix uninitialized TLSClientHelloSummary in test_ja4

Value-initialize TLSClientHelloSummary to ensure all members are properly initialized before use. This fixes Coverity CID 1644228 (UNINIT).
---
plugins/experimental/ja4_fingerprint/test_ja4.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/experimental/ja4_fingerprint/test_ja4.cc b/plugins/experimental/ja4_fingerprint/test_ja4.cc
index ffc2f6820cb..c941283ed8b 100644
--- a/plugins/experimental/ja4_fingerprint/test_ja4.cc
+++ b/plugins/experimental/ja4_fingerprint/test_ja4.cc
@@ -37,7 +37,7 @@ static std::string inc(std::string_view sv);
 TEST_CASE("JA4")
 {
- JA4::TLSClientHelloSummary TLS_summary;
+ JA4::TLSClientHelloSummary TLS_summary{};
 SECTION("Given the protocol is TCP, "
 "when we create a JA4 fingerprint, "
From f74d54859b7b54258cdf88e8dbb1bcf29a11685c Mon Sep 17 00:00:00 2001
From: Bryan Call
Date: Thu, 29 Jan 2026 15:02:34 -0800
Subject: [PATCH 4/4] Fix uninitialized IPRange in background_fetch and cache_fill plugins

The condition for parsing Client-IP was inverted - it should load the IP range when the value is NOT a single '*' character. With the old logic, single-character non-'*' values would skip loading, leaving the IPRange uninitialized. This fixes Coverity CID 1533658 (UNINIT).
---
plugins/background_fetch/configs.cc | 2 +-
plugins/experimental/cache_fill/configs.cc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/background_fetch/configs.cc b/plugins/background_fetch/configs.cc
index 27d48f09051..5a6b5099b9f 100644
--- a/plugins/background_fetch/configs.cc
+++ b/plugins/background_fetch/configs.cc
@@ -136,7 +136,7 @@ BgFetchConfig::readConfig(const char *config_file)
 if ("Client-IP"_tv == cfg_name) {
 swoc::IPRange r;
 // '*' is special - match any address. Signalled by empty range.
- if (cfg_value.size() != 1 || cfg_value.front() == '*') {
+ if (cfg_value.size() != 1 || cfg_value.front() != '*') {
 if (!r.load(cfg_value)) { // assume if it loads, it's not empty.
 TSError("[%s] invalid IP address range %.*s, skipping config value", PLUGIN_NAME, int(cfg_value.size()), cfg_value.data());
diff --git a/plugins/experimental/cache_fill/configs.cc b/plugins/experimental/cache_fill/configs.cc
index b65f0aa7650..26b2e1967ce 100644
--- a/plugins/experimental/cache_fill/configs.cc
+++ b/plugins/experimental/cache_fill/configs.cc
@@ -146,7 +146,7 @@ BgFetchConfig::readConfig(const char *config_file)
 if ("Client-IP"_tv == cfg_name) {
 swoc::IPRange r;
 // '*' is special - match any address. Signalled by empty range.
- if (cfg_value.size() != 1 || cfg_value.front() == '*') {
+ if (cfg_value.size() != 1 || cfg_value.front() != '*') {
 if (!r.load(cfg_value)) { // assume if it loads, it's not empty.
 TSError("[%s] invalid IP address range %.*s, skipping config value", PLUGIN_NAME, int(cfg_value.size()), cfg_value.data());
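Review bot: The wildcard handling in plugins/background_fetch/configs.cc still rests on an unchecked assumption, stated in the comment on `if (!r.load(cfg_value)) { // assume if it loads, it's not empty.`: an empty `swoc::IPRange` is the signal for "match any address", so a value that loads successfully but yields an empty range would silently become a match-all rule. Checking it explicitly makes the parser fail closed: `if (!r.load(cfg_value) || r.empty()) {`. The identical line in plugins/experimental/cache_fill/configs.cc needs the same guard. Since the inverted condition lived in both copies, a small regression test over `*`, a single non-`*` character and a valid range would keep them from drifting again. `readConfig()` continues outside both hunks, so what happens to `r` after the error branch is not visible here.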