Page 1 of 1

Coverity Scan

Posted: Thu Jul 25, 2019 1:24 am
by jdart
I have mentioned this before but there is a free (for open source) code static analysis website: https://scan.coverity.com/. This was broken for a while but they have since fixed it. It will scan your code (C/C++/Java/Ruby/Javascript/C#/Python) and report possible bugs.

--Jon

Re: Coverity Scan

Posted: Thu Jul 25, 2019 5:09 am
by flok
jdart wrote:
Thu Jul 25, 2019 1:24 am
I have mentioned this before but there is a free (for open source) code static analysis website: https://scan.coverity.com/. This was broken for a while but they have since fixed it. It will scan your code (C/C++/Java/Ruby/Javascript/C#/Python) and report possible bugs.

--Jon
FWIW: it looks like c++17 still gives problems but with c++11 and below you'll be fine.

Re: Coverity Scan

Posted: Thu Jul 25, 2019 2:31 pm
by elcabesa
coverity search for security vulnerability in your code. I have found a greater benefits using codacy or his backend "cppcheck"

Re: Coverity Scan

Posted: Thu Jul 25, 2019 3:58 pm
by flok
elcabesa wrote:
Thu Jul 25, 2019 2:31 pm
coverity search for security vulnerability in your code
That's not entirely correct.
They also find dead code, null pointer dereferencing and tons of other things.

Re: Coverity Scan

Posted: Thu Jul 25, 2019 5:29 pm
by mar
There is also PVS studio which can be used in open-source and personal projects:
https://www.viva64.com/en/b/0457/

It's hands down the best static analysis tool out there, very low amount of false positives and also very fast and very high bug detection rate.

They also had a product called CppCat some time ago (now canceled) which I was really happy with.

I remember Coverity from my previous job, but it produced way too many FPs for my taste.
CppCheck is even worse, unfortunately, so many FPs or annoying warnings, that it's basically unusable for me.

Static analysis should help you find bugs, not force you to code around false positives. The latter is just a waste of time.

I rely more on compiler warning these days, just try to compile with different compilers now and then (msc, gcc and clang)

Re: Coverity Scan

Posted: Thu Jul 25, 2019 10:57 pm
by JohnWoe
I used valgrind to check Sapeli 1.34. Found out it reported 92000+ errors. :P
Pretty easy fix. But these tools are useful. g++ shows lots of warnings. But Sapeli is a C program so those can be ignored.

Re: Coverity Scan

Posted: Fri Jul 26, 2019 12:08 am
by DustyMonkey
flok wrote:
Thu Jul 25, 2019 3:58 pm
elcabesa wrote:
Thu Jul 25, 2019 2:31 pm
coverity search for security vulnerability in your code
That's not entirely correct.
They also find dead code, null pointer dereferencing and tons of other things.
One mans "dead code" is another mans "old version of the eval" or "known to be bug-free alphabeta"

Yes these are things you wouldnt want in the production source of a team project maintained by source control, but at the same time you would want them to be there in your own single-developer source not maintained by source control.

Re: Coverity Scan

Posted: Tue Jul 30, 2019 11:12 am
by xr_a_y
Isn't clang with Weverything and a little cppcheck gives the same thing ?

Anyway, do you know SonarQube ?

Re: Coverity Scan

Posted: Wed Jul 31, 2019 3:15 pm
by Sesse
flok wrote:
Thu Jul 25, 2019 5:09 am
FWIW: it looks like c++17 still gives problems but with c++11 and below you'll be fine.
It has huge problems with C++11, too. E.g., the latest version finally understands lock_guard<T>, but still not unique_lock<T>, so it produces tons of false positives around locking.

I really want to like Coverity. On the surface of it, it sounds like a very useful product. But for me, even after extensive use of various versions of Scan across my code, adding modeling files, annotations, etc., it's pure garbage. 95%+ of the warnings it gives me are false positives, and the rest is nearly always in unit test code where I don't honestly care about memory cleanup and the likes. From my git logs, it's found one line of dead line, one 2 kB object that was passed by value and shouldn't, and one off-by-one in a memcpy-like thing. Apart from that, well, no. Sorry :-)

(The Scan web interface is utter garbage, too. Super-duper-buggy, to the point where I had to create another account and share my projects with it just to get to view anything at all.)

Re: Coverity Scan

Posted: Thu Aug 01, 2019 9:51 pm
by jdart
I have found Coverity somewhat useful. It does spit out some false positives but I have seen worse. I am reminded of the line that as I remember was in the man page of early versions of lint: "There are some things you cannot get lint to shut up about." There are of course lots of other tools including compiler diagnostics, the MSVC code analyzer, and the clang code checker.

--Jon