diff --git a/0001-Fix-additional-covscan-warnings.patch b/0001-Fix-additional-covscan-warnings.patch
new file mode 100644
index 0000000..3d0fd27
--- /dev/null
+++ b/0001-Fix-additional-covscan-warnings.patch
@@ -0,0 +1,78 @@
+From 949c391537a588bd7359a00a716359e37afcd4da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
+Date: Mon, 19 Jul 2021 09:56:31 +0200
+Subject: [PATCH] Fix additional covscan warnings
+
+- check we actually got a filename in xml parsers and in decompression
+  function
+- use g_malloc0 as we do in other places (it also takes care of checking
+  if allocation was successful)
+---
+ src/dumper_thread.c        | 2 +-
+ src/misc.c                 | 6 ++++++
+ src/xml_parser_filelists.c | 5 +++++
+ src/xml_parser_primary.c   | 5 +++++
+ 4 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/dumper_thread.c b/src/dumper_thread.c
+index 119f3bd8..ea10c774 100644
+--- a/src/dumper_thread.c
++++ b/src/dumper_thread.c
+@@ -562,7 +562,7 @@ cr_dumper_thread(gpointer data, gpointer user_data)
+         //  * this isn't the last task
+         // Then: save the task to the buffer
+ 
+-        struct BufferedTask *buf_task = malloc(sizeof(struct BufferedTask));
++        struct BufferedTask *buf_task = g_malloc0(sizeof(struct BufferedTask));
+         buf_task->id  = task->id;
+         buf_task->res = res;
+         buf_task->pkg = pkg;
+diff --git a/src/misc.c b/src/misc.c
+index adbc4af0..b59f304a 100644
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -622,6 +622,12 @@ cr_decompress_file_with_stat(const char *src,
+ 
+     if (!in_dst || g_str_has_suffix(in_dst, "/")) {
+         char *filename = cr_get_filename(src);
++        if (!filename) {
++            g_debug("%s: Cannot get filename from: %s", __func__, src);
++            g_set_error(err, ERR_DOMAIN, CRE_NOFILE,
++                        "Cannot get filename from: %s", src);
++            return CRE_NOFILE;
++        }
+         if (g_str_has_suffix(filename, c_suffix)) {
+             filename = g_strndup(filename, strlen(filename) - strlen(c_suffix));
+         } else {
+diff --git a/src/xml_parser_filelists.c b/src/xml_parser_filelists.c
+index f4fe6c09..86ab6c80 100644
+--- a/src/xml_parser_filelists.c
++++ b/src/xml_parser_filelists.c
+@@ -259,6 +259,11 @@ cr_end_handler(void *pdata, G_GNUC_UNUSED const xmlChar *element)
+         cr_PackageFile *pkg_file = cr_package_file_new();
+         pkg_file->name = cr_safe_string_chunk_insert(pd->pkg->chunk,
+                                                 cr_get_filename(pd->content));
++        if (!pkg_file->name) {
++            g_set_error(&pd->err, ERR_DOMAIN, ERR_CODE_XML,
++                        "Invalid <file> element: %s", pd->content);
++            break;
++        }
+         pd->content[pd->lcontent - strlen(pkg_file->name)] = '\0';
+         pkg_file->path = cr_safe_string_chunk_insert_const(pd->pkg->chunk,
+                                                            pd->content);
+diff --git a/src/xml_parser_primary.c b/src/xml_parser_primary.c
+index 86e20519..e83eb044 100644
+--- a/src/xml_parser_primary.c
++++ b/src/xml_parser_primary.c
+@@ -633,6 +633,11 @@ cr_end_handler(void *pdata, G_GNUC_UNUSED const xmlChar *element)
+         cr_PackageFile *pkg_file = cr_package_file_new();
+         pkg_file->name = cr_safe_string_chunk_insert(pd->pkg->chunk,
+                                                 cr_get_filename(pd->content));
++        if (!pkg_file->name) {
++            g_set_error(&pd->err, ERR_DOMAIN, ERR_CODE_XML,
++                        "Invalid <file> element: %s", pd->content);
++            break;
++        }
+         pd->content[pd->lcontent - strlen(pkg_file->name)] = '\0';
+         pkg_file->path = cr_safe_string_chunk_insert_const(pd->pkg->chunk,
+                                                            pd->content);
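Review bot: In the embedded src/xml_parser_filelists.c hunk, the new `if (!pkg_file->name)` branch exits through `break` after `cr_package_file_new()` has already returned `pkg_file`, and no visible line releases it or attaches it to the package, so the object appears to leak on that error path; the src/xml_parser_primary.c hunk has the same shape. Because this path is taken only for malformed metadata, I would resolve the name into a local first and call `cr_package_file_new()` only after the NULL check, or free `pkg_file` before the `break` with whatever pairs with that constructor. It is also worth confirming that `pd->err` is still unset at this point, since `g_set_error` warns when it would overwrite an existing error. Separately, the src/dumper_thread.c switch to `g_malloc0` means `buf_task` should be released with `g_free`; the release site is outside the hunk, so check that it was not left as `free()`. All of the enclosing functions start and end outside these hunks.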
diff --git a/createrepo_c.spec b/createrepo_c.spec
index f7eb6f4..b06d618 100644
--- a/createrepo_c.spec
+++ b/createrepo_c.spec
@@ -25,10 +25,11 @@
 Summary:        Creates a common metadata repository
 Name:           createrepo_c
 Version:        0.17.2
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPLv2+
 URL:            https://github.com/rpm-software-management/createrepo_c
 Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+Patch1:         0001-Fix-additional-covscan-warnings.patch
 
 BuildRequires:  cmake
 BuildRequires:  gcc
@@ -175,6 +176,9 @@ ln -sr %{buildroot}%{_bindir}/modifyrepo_c %{buildroot}%{_bindir}/modifyrepo
 %{python3_sitearch}/%{name}-%{version}-py%{python3_version}.egg-info
 
 %changelog
+* Mon Aug 16 2021 Pavla Kratochvilova <pkratoch@redhat.com> - 0.17.2-5
+- Fix issues detected by static analyzers
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.17.2-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688