PSA: If you are C/C++ developer, use cppcheck

Ondrej Vasik ovasik at redhat.com
Wed Dec 18 08:12:06 UTC 2013


On Tue, 2013-12-17 at 13:17 -0500, Rahul Sundaram wrote:
> Hi
> 
> 
> On Tue, Dec 17, 2013 at 12:47 PM, Daniel P. Berrange wrote:
>  
>         The issues reported against libvirt all appear to be false
>         positives. Not entirely surprising since we already have
>         coverity run against libvirt code nightly.
> 
> 
> Thanks for the quick response. Does Red Hat run it only for
> packages in RHEL, or is it run against all Fedora packages? If not,
> would it be possible for Red Hat to do so and publish the results on a
> regular basis? That might be a useful service.

Nightly Coverity scans for the whole of Fedora wouldn't work - the RHEL
subset of packages is scanned bi-yearly - as the ~1500 C/C++ packages
take 21+ days to scan (150M lines of code). The whole of Fedora would
take ~3 months or more. Our RHEL maintainers are notified about the
results and are encouraged to share the results with upstreams - many of
them do.
Publishing them is a bit tricky - I can of course publish them (we scan
with cppcheck, enhanced gcc warnings, clang and coverity) - but the
reports may contain some attack vectors - and for inactive packages, it
would only show the doors to attackers. If you are a community guy
(maintainer/upstream) and you are interested in getting the results of
the bi-yearly scans, just send me an email and a list of the packages you
want the results for (of course, as I said, we scan only the RHEL set of
packages). We are working on open sourcing this scanning tool based on
mock (covering the static analyzers) - so people can use it for their
packages more easily. It could even be integrated into the
infrastructure somehow, as there is no license limitation.

For non-RHEL packages, I would recommend working with upstream to join
http://scan2.coverity.com/ .

In addition, a very beneficial thing is to get the DIFFERENCE between two
scans - I would recommend codescan-diff
( https://git.fedorahosted.org/git/codescan-diff.git ) - it was
originally designed for the internal Coverity scans, but now it has
support for various static analyzers.

Greetings,
         Ondrej Vasik
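The message above makes two practical points: run cppcheck over your own code, and look at the difference between two scans rather than at a single full report, because a full report of a large code base is mostly noise you have already triaged. The script below is an added example for this page (it is not codescan-diff, nor any code from the thread's authors) that diffs two cppcheck XML reports and prints only what was introduced and what was fixed. It assumes cppcheck's XML version 2 output format, keys findings on (check id, file, message) rather than on line numbers so that a finding that merely moved is not reported as new, and uses two constructed sample reports embedded inline instead of real scan output.

```python
"""Diff two cppcheck XML (version 2) reports and list new and fixed findings.

Added example for this page; it is not codescan-diff and not part of any
project mentioned in the thread. The two reports below are constructed
sample data, not real scan output. A report of this shape is produced with
(cppcheck writes its XML report to stderr):

    cppcheck --enable=warning,style --xml --xml-version=2 src/ 2> scan.xml
"""
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed "previous scan" of a hypothetical package.
OLD_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="1.62"/>
  <errors>
    <error id="nullPointer" severity="error" msg="Possible null pointer dereference: p">
      <location file="src/parse.c" line="40"/>
    </error>
    <error id="memleak" severity="error" msg="Memory leak: buf">
      <location file="src/io.c" line="122"/>
    </error>
    <error id="unreadVariable" severity="style" msg="Variable 'n' is assigned a value that is never used.">
      <location file="src/io.c" line="80"/>
    </error>
  </errors>
</results>
"""

# Constructed "current scan": the nullPointer finding was fixed, the memleak
# moved by eight lines (not a new finding), and one new out-of-bounds access
# was introduced.
NEW_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="1.62"/>
  <errors>
    <error id="memleak" severity="error" msg="Memory leak: buf">
      <location file="src/io.c" line="130"/>
    </error>
    <error id="unreadVariable" severity="style" msg="Variable 'n' is assigned a value that is never used.">
      <location file="src/io.c" line="88"/>
    </error>
    <error id="arrayIndexOutOfBounds" severity="error" msg="Array 'tbl[8]' accessed at index 8, which is out of bounds.">
      <location file="src/parse.c" line="55"/>
    </error>
  </errors>
</results>
"""


def load_findings(xml_text, severities=None):
    """Return a Counter of (id, file, msg) -> occurrences for one report.

    Line numbers are deliberately left out of the key so that code shifting
    around a finding does not make it look new. A Counter (multiset) keeps
    duplicate findings with the same key from collapsing into one.
    `severities`, if given, keeps only findings whose severity is listed.
    """
    root = ET.fromstring(xml_text)
    findings = Counter()
    for err in root.iter("error"):
        if severities is not None and err.get("severity") not in severities:
            continue
        loc = err.find("location")
        path = loc.get("file") if loc is not None else ""
        findings[(err.get("id"), path, err.get("msg"))] += 1
    return findings


def diff_scans(old_xml, new_xml, severities=None):
    """Return (added, fixed) Counters: findings only in new, only in old."""
    old = load_findings(old_xml, severities)
    new = load_findings(new_xml, severities)
    # Counter subtraction keeps only keys whose count stays positive.
    return new - old, old - new


def format_diff(added, fixed):
    """Render the diff as plain text, one finding per line."""
    lines = []
    for key, n in sorted(added.items()):
        lines.append("NEW   %s %s: %s (x%d)" % (key[1], key[0], key[2], n))
    for key, n in sorted(fixed.items()):
        lines.append("FIXED %s %s: %s (x%d)" % (key[1], key[0], key[2], n))
    return "\n".join(lines)


if __name__ == "__main__":
    added, fixed = diff_scans(OLD_REPORT, NEW_REPORT)
    print(format_diff(added, fixed))
```

Restricting the diff with `severities=("error", "warning")` drops the style-level chatter and leaves the two classes a maintainer actually wants to see after an update: the new memory-safety finding and the one that disappeared. A finding that vanishes is not automatically a fix; it may also mean the checker lost track of the code path, so it is still worth a look.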


