On 01/25/2012 12:21 PM, Ken McDonell wrote:
On Thu, 2012-01-12 at 16:14 +1100, Mark Goodwin wrote:
Coverity is a sophisticated static code analysis tool.
Among other things, it checks for the conditions listed here:
https://www.securecoding.cert.org/confluence/display/seccode/Coverity+Prevent
Can someone with knowledge of Coverity please advise ...
1. For the issues we wish to mark as IGNORED after analysis, where is
this state held and how is it used in subsequent runs to ensure we're
not forced to review these false matches again?
Eric Sandeen ran the coverity scans that we've been using, and
mailed the results to Nathan and myself. Red Hat have an
internal license and legal have OK'd posting the results
to upstream project lists.
I'll get in touch with Eric and find out how to manage the analysis
on an ongoing basis. Another question would be how it deals with a
code base in continuous development.
2. Does Coverity understand assert()s? Specifically will
    if (foo == NULL) {
        ...
    }
    assert(foo != NULL);
    ...
    bar = *foo;
suppress Coverity warnings about dereferencing the possibly NULL foo?
no idea, but I'd assume and hope it would have intelligent semantics
for asserts and so forth. I'll endeavour to find out.
Regards
-- Mark
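An added illustration of the pattern Ken asks about (not code from the thread or from the PCP project): the NULL branch in the quoted snippet falls through, so assert() is the only guard, and assert() expands to nothing when NDEBUG is defined, which is why a static analyzer still has a real unguarded dereference to report. The function names and the explicit-check alternative are this example's own.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Mirrors the snippet from the thread: the if-branch does not return,
 * so after it foo may still be NULL and only the assert stands between
 * the caller and the dereference.  Compiled with -DNDEBUG the assert
 * disappears and *foo is reached with foo == NULL. */
static int deref_assert_only(const int *foo)
{
    if (foo == NULL) {
        fprintf(stderr, "foo is NULL\n");   /* falls through */
    }
    assert(foo != NULL);
    return *foo;
}

/* Hardened form: the NULL case is handled explicitly with a return,
 * so the guard survives NDEBUG and the analyzer sees that the
 * dereference is unreachable on the NULL path. */
static int deref_checked(const int *foo, int *out)
{
    if (foo == NULL)
        return -1;
    *out = *foo;
    return 0;
}

/* Reports whether assert() is active in this build: 1 if assertions are
 * compiled in, 0 if NDEBUG turned them into no-ops. */
static int assert_is_active(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

int main(void)
{
    int v = 7, out = 0;
    printf("assert active: %d\n", assert_is_active());
    printf("checked(NULL) -> %d\n", deref_checked(NULL, &out));
    printf("checked(&v)   -> %d, out=%d\n", deref_checked(&v, &out), out);
    printf("assert_only(&v) -> %d\n", deref_assert_only(&v));
    return 0;
}
```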