diff --git a/lib/cose/cose_sign.c b/lib/cose/cose_sign.c
index d7ae64f3d..7c624de59 100644
--- a/lib/cose/cose_sign.c
+++ b/lib/cose/cose_sign.c
@@ -209,9 +209,12 @@ lws_cose_sign_payload_chunk(struct lws_cose_sign_context *csc,
 
 			lws_lec_init(&lec, lbuf, sizeof(lbuf));
 
-			/* we know it will fit */
-			lws_lec_printf(&lec, "{1:%lld}",
+			/* we know it will fit... but coverity doesn't */
+			ret = lws_lec_printf(&lec, "{1:%lld}",
 					     (long long)alg->cose_alg);
+		       if (ret != LWS_LECPCTX_RET_FINISHED)
+			       return ret;
+
 			lws_lec_scratch(&lec);
 
 			if (!csc->subsequent) {
@@ -293,9 +296,11 @@ lws_cose_sign_payload_chunk(struct lws_cose_sign_context *csc,
 
 				lws_lec_init(&lec, lbuf, sizeof(lbuf));
 
-				/* we know it will fit */
-				lws_lec_printf(&lec, "{1:%lld}",
+				/* we know it will fit... but coverity doesn't... */
+				ret = lws_lec_printf(&lec, "{1:%lld}",
 						     (long long)alg->cose_alg);
+			       if (ret != LWS_LECPCTX_RET_FINISHED)
+				       return ret;
 
 				lws_lec_init(&lec1, lb, sizeof(lb));
 				lws_lec_int(&lec1, LWS_CBOR_MAJTYP_BSTR, 0,
@@ -454,8 +459,10 @@ inner_protected:
 			lws_lec_init(&lec1, lb, sizeof(lb));
 			lws_lec_int(&lec1, LWS_CBOR_MAJTYP_BSTR, 0,
 					lec.used);
-			lws_lec_printf(csc->info.lec, "{1:%lld}",
-					     (long long)csc->alg->cose_alg);
+			if (lws_lec_printf(csc->info.lec, "{1:%lld}",
+					     (long long)csc->alg->cose_alg) != LWS_LECPCTX_RET_FINISHED)
+				/* coverity */
+				return 0;
 			break;
 		default:
 			lec.used = 0;
diff --git a/lib/plat/unix/unix-init.c b/lib/plat/unix/unix-init.c
index 383a1e896..dac085bdb 100644
--- a/lib/plat/unix/unix-init.c
+++ b/lib/plat/unix/unix-init.c
@@ -183,9 +183,10 @@ lws_plat_init(struct lws_context *context,
 	{
 		char *klf_env = getenv("SSLKEYLOGFILE");
 
-		if (klf_env)
+		if (klf_env && strlen(klf_env) && strlen(klf_env) < sizeof(context->keylog_file)) {
 			lws_strncpy(context->keylog_file, klf_env,
 				sizeof(context->keylog_file));
+		}
 	}
 #endif
 
diff --git a/plugins/ssh-base/sshd.c b/plugins/ssh-base/sshd.c
index ef735fdf6..eef3f262d 100644
--- a/plugins/ssh-base/sshd.c
+++ b/plugins/ssh-base/sshd.c
@@ -2013,7 +2013,7 @@ lws_callback_raw_sshd(struct lws *wsi, enum lws_callback_reasons reason,
 	const struct lws_protocol_vhost_options *pvo;
 	const struct lws_protocols *prot;
 	struct lws_ssh_channel *ch;
-	char lang[10];
+	char lang[10] = "";
 	int n, m, o;
 
 	/*