What were you trying to do that didn't work?

We were running a valgrind command over oscap command. Valgrind has reported that the function NSS_NoDB_Init which we called has possibly lost in loss records.
We think that the problem is in the NSS.

Please provide the package NVR for which bug is seen:

nss-3.97.0-1.el10.x86_64
openscap-1.3.10-2.el10.x86_64

How reproducible:

deterministic

Steps to reproduce

1. dnf install openscap-scanner valgrind scap-security-guide
2. valgrind --leak-check=full oscap xccdf eval --rule xccdf_org.ssgproject.content_rule_selinux_state --profile '(all)' /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

Expected results

no memory leak is reported in NSS_NoDB_Init

Actual results

A large amount of problems like this:

==4294== 7 bytes in 1 blocks are possibly lost in loss record 19 of 1,019
==4294== at 0x4841847: malloc (vg_replace_malloc.c:446)
==4294== by 0x5F8D15C: NSSRWLock_New_Util (in /usr/lib64/libnssutil3.so)
==4294== by 0x50B2B4C: ??? (in /usr/lib64/libnss3.so)
==4294== by 0x50B73F8: ??? (in /usr/lib64/libnss3.so)
==4294== by 0x5057F31: ??? (in /usr/lib64/libnss3.so)
==4294== by 0x505879B: NSS_NoDB_Init (in /usr/lib64/libnss3.so)
==4294== by 0x4A4C898: __pthread_once_slow.isra.0 (in /usr/lib64/libc.so.6)
==4294== by 0x4A4C908: pthread_once@@GLIBC_2.34 (in /usr/lib64/libc.so.6)
==4294== by 0x48E778A: ??? (in /usr/lib64/libopenscap.so.25.7.0)
==4294== by 0x48E7824: oval_probe_session_new (in /usr/lib64/libopenscap.so.25.7.0)
==4294== by 0x48D339B: oval_agent_new_session (in /usr/lib64/libopenscap.so.25.7.0)
==4294== by 0x4918D6F: xccdf_session_load_oval (in /usr/lib64/libopenscap.so.25.7.0)