I think this is really a false positive, but want to check, and code could be cleaned up.
There is the following code ion getXsdGroupType()
if (*s == '\"')
3. strlen_assign: Setting variable len to the return value of strlen called with argument s.
857 size_t len = strlen(s);
CID 1143265 (#1 of 1): Out-of-bounds access (OVERRUN)
4. alloc_strlen: Allocating insufficient memory for the terminating null of the string.
858 xsdgrouptype = (char*)malloc(len);
5. Falling through to end of if statement.
I think it is assuming that the last character is a \", and if so remove it. If so it would be worth commenting, but also changing the strncpy to a memcpy - which would be clearer and more efficient.