This is the mail archive of the
mailing list for the Cygwin project.
Re: Coverity Scan
- From: David Stacey <drstacey at tiscali dot co dot uk>
- To: cygwin at cygwin dot com
- Date: Fri, 16 May 2014 21:00:06 +0100
- Subject: Re: Coverity Scan
- Authentication-results: sourceware.org; auth=none
- References: <5359F391 dot 8060309 at tiscali dot co dot uk> <20140425083500 dot GA5666 at calimero dot vinschen dot de> <20140425155324 dot GA2412 at ednor dot casa dot cgf dot cx>
On 25/04/14 16:53, Christopher Faylor wrote:
On Fri, Apr 25, 2014 at 10:35:00AM +0200, Corinna Vinschen wrote:
On Apr 25 06:33, David Stacey wrote:
Coverity Scan  is a commercial (paid for) static analysis tool, but
they offer it to Open Source programmes for free. I was having a browse
through the list of Open Source programmes using Coverity Scan, and
noticed that Cygwin wasn't listed. Would there be any interest in
analysing the cygwin1.dll source code on a fairly regular basis? If so,
I would be happy to have a go at setting up an analysis job for Cygwin.
I would imagine this would be of interest to CGF, Corinna and anyone
else who regularly updates the Cygwin source code. Obviously, this is
only worth doing if the analysis results are looked at and acted upon.
Depends. If the report contains lots of false positives, it's getting
annoying pretty quickly.
We use coverity at work. It is annoying and it does have false positive
but a lot of what look like false positives often turn out to be: "Oh,
wait. (#*(&$ Yeah. That's a problem."
If we could use coverity I'm sure it would be interesting if we can get
OK - we're in! You can find our project page at
https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails
to Corinna and CGF inviting them to join the project ;-)
It would be responsible of us to restrict access to known
vulnerabilities, so please _don't_ ask for visibility of the scan
results. I will leave it to CGF and Corinna to decide who we give access
to and when.
There is still a little work to do in setting up the Coverity scan. The
next step is to group the code into logical clusters, which Coverity
calls Components. Typically, this is done on directories or other file
groupings, and the tool allows you to concentrate on just one of these
components at once. If you let me know what components you'd like, I'll
set them up.
The Coverity build is being performed on one of my PCs at the moment.
I'll try to do this at least weekly using a snapshot from the snapshots
page. I'll also try to submit patches as and when time allows. But if
this is going to work then anyone who regularly contributes to the
Cygwin source code will have to make use of the tool.
Finally, I'd like to thank Dakshesh Vyas at Coverity for allowing us to
join the Scan programme.
Problem reports: http://cygwin.com/problems.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple