diff --git a/apps/dtls/dtlsClient.c b/apps/dtls/dtlsClient.c
index b725e9a..2574a9d 100644
--- a/apps/dtls/dtlsClient.c
+++ b/apps/dtls/dtlsClient.c
@@ -852,12 +852,11 @@ int32 main(int32 argc, char **argv)
 #ifdef USE_ECC_CIPHER_SUITE
 	CAstreamLen += sizeof(ECCAS);
 #endif
-	if (CAstreamLen > 0) {
-		CAstream = psMalloc(NULL, CAstreamLen);
-	} else {
-		/* coverity[dead_error_line] */
-		CAstream = NULL;
-	}
+#if defined(USE_RSA_CIPHER_SUITE) || defined(USE_ECC_CIPHER_SUITE)
+	CAstream = psMalloc(NULL, CAstreamLen);
+#else
+	CAstream = NULL;
+#endif
 
 	CAstreamLen = 0;
 #ifdef USE_RSA_CIPHER_SUITE
diff --git a/apps/dtls/dtlsServer.c b/apps/dtls/dtlsServer.c
index 8515adf..eeab234 100644
--- a/apps/dtls/dtlsServer.c
+++ b/apps/dtls/dtlsServer.c
@@ -1056,15 +1056,20 @@ static int32 handleResends(SOCKET sock)
 	Set the REUSE flag to minimize the number of sockets in TIME_WAIT
 	Then we set REUSEADDR, NODELAY and NONBLOCK on the socket
 */
-static void setSocketOptions(SOCKET fd)
+static int32_t setSocketOptions(SOCKET fd)
 {
-	int32 rc;
+	int32_t rc;
 
 #ifdef POSIX
-	fcntl(fd, F_SETFD, FD_CLOEXEC);
+	if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
+		return PS_PLATFORM_FAIL;
+	}
 #endif
 	rc = 1;
-	setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&rc, sizeof(rc));
+	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&rc, sizeof(rc)) < 0) {
+		return PS_PLATFORM_FAIL;
+	}
+	return PS_SUCCESS;
 }
 
 
@@ -1079,16 +1084,20 @@ static SOCKET newUdpSocket(char *ip, short port, int *err)
 		return INVALID_SOCKET;
 	}
 
-	setSocketOptions(fd);
+	if (setSocketOptions(fd) < 0) {
+		*err = SOCKET_ERRNO;
+		close(fd);
+		return INVALID_SOCKET;
+	}
 
 	addr.sin_family = AF_INET;
 	addr.sin_port = htons(port);
 	if (ip == NULL) {
 		addr.sin_addr.s_addr = INADDR_ANY;
 		if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
-			close(fd);
 			_psTrace("Can't bind socket. Port in use or permission problem\n");
 			*err = SOCKET_ERRNO;
+			close(fd);
 			return INVALID_SOCKET;
 		}
 	}
diff --git a/apps/ssl/client.c b/apps/ssl/client.c
index 3de5393..f0bc32b 100644
--- a/apps/ssl/client.c
+++ b/apps/ssl/client.c
@@ -920,12 +920,12 @@ int32 main(int32 argc, char **argv)
 #ifdef USE_ECC_CIPHER_SUITE
 	CAstreamLen += sizeof(ECCAS);
 #endif
-	if (CAstreamLen > 0) {
-		CAstream = psMalloc(NULL, CAstreamLen);
-	} else {
-		/* coverity[dead_error_line] */
-		CAstream = NULL;
-	}
+
+#if defined(USE_RSA_CIPHER_SUITE) || defined(USE_ECC_CIPHER_SUITE)
+	CAstream = psMalloc(NULL, CAstreamLen);
+#else
+	CAstream = NULL;
+#endif
 
 	CAstreamLen = 0;
 #ifdef USE_RSA_CIPHER_SUITE
@@ -941,7 +941,6 @@ int32 main(int32 argc, char **argv)
 	CAstreamLen += sizeof(ECCAS);
 #endif
 
-
 #ifdef ID_RSA
 	rc = loadRsaKeys(g_key_len, keys, CAstream, CAstreamLen);
 	if (rc < 0) {
@@ -993,7 +992,6 @@ int32 main(int32 argc, char **argv)
 		CAstream = psMalloc(NULL, CAstreamLen);
 		memset(CAstream, 0x0, CAstreamLen);
 	} else {
-		/* coverity[dead_error_line] */
 		CAstream = NULL;
 	}
 
diff --git a/core/POSIX/osdep.c b/core/POSIX/osdep.c
index 861ff3f..d9bf8dc 100644
--- a/core/POSIX/osdep.c
+++ b/core/POSIX/osdep.c
@@ -486,11 +486,15 @@ int32 psGetFileBuf(psPool_t *pool, const char *fileName, unsigned char **buf,
 	if (fileName == NULL) {
 		return PS_ARG_FAIL;
 	}
-	if ((fp = fopen(fileName, "r")) == NULL || fstat(fileno(fp), &f_stat) != 0) {
+	if ((fp = fopen(fileName, "r")) == NULL) {
 		psTraceStrCore("Unable to open %s\n", (char*)fileName);
 		return PS_PLATFORM_FAIL;
 	}
-
+ 	if (fstat(fileno(fp), &f_stat) != 0) {
+		fclose(fp);
+		psTraceStrCore("Unable to stat %s\n", (char*)fileName);
+		return PS_PLATFORM_FAIL;
+	}
 	*buf = psMalloc(pool, (size_t)(f_stat.st_size + 1));
 	if (*buf == NULL) {
 		fclose(fp);
diff --git a/crypto/test/rsaperf/rsaperf.c b/crypto/test/rsaperf/rsaperf.c
index 2c1dcb3..9e160d3 100644
--- a/crypto/test/rsaperf/rsaperf.c
+++ b/crypto/test/rsaperf/rsaperf.c
@@ -518,6 +518,7 @@ int main(int argc, char **argv)
 		memset(in, 0x0, keysize);
 
 		psGetTime(&start, NULL);
+		/* coverity[swapped_arguments] */
 		if (psRsaDecryptPriv(pool, &privkey, out, keysize, in, 5, pkaInfo) < 0) {
 			_psTrace("	FAILED DECRYPT OPERATION\n");
 		}
diff --git a/matrixssl/hsDecode.c b/matrixssl/hsDecode.c
index 7165de8..485f479 100644
--- a/matrixssl/hsDecode.c
+++ b/matrixssl/hsDecode.c
@@ -1394,10 +1394,11 @@ int32 parseServerHello(ssl_t *ssl, int32 hsLen, unsigned char **cp,
 				ssl->err = SSL_ALERT_PROTOCOL_VERSION;
 				psTraceInfo("Server wants to talk TLS1.0 but it's disabled\n");
 				return MATRIXSSL_ERROR;
-#endif
+#else
 				ssl->reqMinVer = ssl->minVer;
 				ssl->minVer = TLS_MIN_VER;
 				ssl->flags &= ~SSL_FLAGS_TLS_1_1;
+#endif
 			} else {
 #endif/* USE_TLS_1_1 */
 #ifdef USE_DTLS
diff --git a/matrixssl/sslDecode.c b/matrixssl/sslDecode.c
index 9704ac8..014f6c1 100644
--- a/matrixssl/sslDecode.c
+++ b/matrixssl/sslDecode.c
@@ -757,7 +757,7 @@ ADVANCE_TO_APP_DATA:
 				for (rc = (256 - padLen) - 1; rc > 0; rc--) {
 					/* make this test look like the others */
 					if ((unsigned char)rc == padLen) {
-						/* coverity[unused_value] */
+						/* coverity[assigned_value] */
 						macError = 1; /* not really an error.  reset below */
 					}
 				}
diff --git a/matrixssl/test/sslTest.c b/matrixssl/test/sslTest.c
index 033053d..9a71a5d 100644
--- a/matrixssl/test/sslTest.c
+++ b/matrixssl/test/sslTest.c
@@ -1281,17 +1281,17 @@ LBL_FREE:
 
 		} /* End version loop (unindented) */
 #ifdef USE_RSA
-		if (spec->type == CS_RSA) {
+		if (spec && spec->type == CS_RSA) {
 			goto L_NEXT_RSA;
 		}
 #endif
 #ifdef USE_ECC
-		if (spec->type == CS_ECDH_ECDSA || spec->type == CS_ECDHE_ECDSA) {
+		if (spec && (spec->type == CS_ECDH_ECDSA || spec->type == CS_ECDHE_ECDSA)) {
 			goto L_NEXT_ECC;
 		}
 #endif
 #ifdef REQUIRE_DH_PARAMS
-		if (spec->type == CS_DHE_RSA || spec->type == CS_DHE_PSK) {
+		if (spec && (spec->type == CS_DHE_RSA || spec->type == CS_DHE_PSK)) {
 			goto L_NEXT_DH;
 		}
 #endif
@@ -1572,6 +1572,9 @@ static int32 performHandshake(sslConn_t *sendingSide, sslConn_t *receivingSide)
 /*
 	The indata is the outdata from the sending side.  copy it over
 */
+	if (outbufLen <= 0 || inbufLen <= 0) {
+		return PS_FAILURE;
+	}
 	dataSent = min(outbufLen, inbufLen);
 	memcpy(inbuf, outbuf, dataSent);
 
@@ -1746,7 +1749,7 @@ static int32_t throughputTest(sslConn_t *s, sslConn_t *r, uint16_t nrec, uint16_
 		s->appTime += psDiffMsecs(start, end, NULL);
 
 		len = matrixSslGetReadbufOfSize(r->ssl, buflen, &rb);
-		if (len < buflen) {
+		if (buflen <= 0 || len < buflen) {
 			return PS_FAIL;
 		}
 		memcpy(rb, wb, buflen);
@@ -1870,6 +1873,9 @@ SEND_MORE:
 */
 	inBufLen = matrixSslGetReadbuf(receivingSide->ssl, &inBuf);
 
+	if (writeBufLen <= 0 || inBufLen <= 0) {
+		return PS_FAILURE;
+	}
 	dataSent = min(writeBufLen, inBufLen);
 	memcpy(inBuf, writeBuf, dataSent);
 
@@ -2245,4 +2251,3 @@ static void statCback(void *ssl, void *stat_ptr, int32 type, int32 value)
 #endif
 /******************************************************************************/
 
-