Several times a year, we get offers or full dumps of programmatic static
code analysis.

We have, for decades, rejected it all, and invited reporters to bring
specific analysis of actually problematic cases back to the list (or
security@, as applicable).

If anyone is interested, we consistently invite reports of actual defects
or security issues to be resolved.

Cheers,

Bill

On Jan 7, 2017 8:45 PM, "Leif Hedstrom" <zw...@apache.org> wrote:

> Howdy,
>
> I ran clang-analyzer against the HTTPD master branch, and it found 126
> issues. Many of these are benign, but I was curious if the community has
> any thoughts on this? With another project, I’ve found that keeping static
> code analysis at zero issues can really help find new, serious issues
> (basically, we put the tree in failed state if there’s a new static code
> analysis issue).
>
> The issues are all over the source code, in core and mod_’s alike. It’d be
> pretty tedious to file individual tickets for each of them, so curious if
> there’s any interest in cleaning this up to start with a clean state? It’d
> then be easy to add clang-analyzer to the release process for example.
>
> Thoughts?
>
> — leif
>
>

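Failing the tree on any *new* clang-analyzer issue, as Leif describes, needs a comparison against a baseline rather than a raw count: a fixed issue and a newly introduced one cancel out in the total. The following is an added example, not code from this thread or from httpd; it reads two clang static analyzer plist reports (the format `scan-build -plist` writes, with its `files`, `diagnostics`, `check_name`, `description` and `location` keys) and lists findings absent from the baseline. Both reports and their file paths are constructed sample data.

```python
import plistlib
import sys


def fingerprint(report, diag):
    # Identify a finding by check, file and description. The line number is
    # deliberately left out so that unrelated edits that shift lines do not
    # turn every old finding into a "new" one.
    files = report.get("files", [])
    idx = diag["location"]["file"]
    path = files[idx] if idx < len(files) else "<unknown>"
    return (diag.get("check_name", diag.get("type", "")), path, diag["description"])


def load_fingerprints(plist_bytes):
    """Parse one clang analyzer plist report into a set of fingerprints."""
    report = plistlib.loads(plist_bytes)
    return {fingerprint(report, d) for d in report.get("diagnostics", [])}


def new_issues(baseline_bytes, current_bytes):
    """Findings present in the current report but not in the baseline."""
    return sorted(load_fingerprints(current_bytes) - load_fingerprints(baseline_bytes))


def make_report(files, diags):
    # Build a minimal report in the analyzer's plist layout (constructed data).
    return plistlib.dumps({"files": files, "diagnostics": diags})


def diag(check, file_idx, line, desc):
    return {"check_name": check, "type": check, "description": desc,
            "category": "Logic error",
            "location": {"line": line, "col": 5, "file": file_idx}}


FILES = ["server/core.c", "modules/http/http_core.c"]  # constructed sample paths
BASELINE = make_report(FILES, [
    diag("core.NullDereference", 0, 120, "Dereference of null pointer"),
    diag("core.uninitialized.Assign", 1, 40, "Assigned value is garbage or undefined"),
])
# Current tree: the null dereference was fixed, the remaining finding moved a few
# lines, and one new leak appeared. The totals are equal (2 vs 2), so a count
# comparison would pass while the baseline diff correctly flags the new issue.
CURRENT = make_report(FILES, [
    diag("core.uninitialized.Assign", 1, 47, "Assigned value is garbage or undefined"),
    diag("unix.Malloc", 0, 300, "Potential leak of memory pointed to by 'p'"),
])

if __name__ == "__main__":
    fresh = new_issues(BASELINE, CURRENT)
    for check, path, desc in fresh:
        print(f"NEW: {check} in {path}: {desc}")
    sys.exit(1 if fresh else 0)  # non-zero exit fails the build on new findings
```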