Hi folks,

last week I submitted Artemis for inclusion into Coverity Scan. Many Apache projects are there already, so you probably know about it. In case you don't, it is static code analysis as a service, which is free of charge for open source.

The project is now approved by Coverity. You can open it and view the analysis. You should be able to open https://scan.coverity.com/projects/apache-activemq-artemis and click "Add me to project".

There are three visibility settings for the public. You can show either nothing, show some basic stats like number of lines of code, number of issues, and issues per kloc, or let anybody browse source and see individual issues. I selected the second option.

There is a feature to send e-mail with a description of newly found issues to a given e-mail address. I did not fill in any address yet.

Currently, I am in "Admins" of the Coverity Scan project, with the right to add other users and submit project builds for analysis*. This is something that would need adjusting if you feel that Coverity Scan is useful and if established people in the community step up wanting to take over (from me ;)

I uploaded all Artemis releases to date, ending with 2.0.0-snapshot from last Friday, then looked at the results and found that

1) It did not find the overflow I reported in https://issues.apache.org/jira/browse/ARTEMIS-986; a possible reason is that this would be discovered by the FindBugs tool and in project settings it is configured not to show FindBugs results (that is the default setting).

2) I tried to find some finds that are obviously not false positives, which turned out to be quite hard, but I got one - mismatched braces and indentation at https://scan7.coverity.com/reports.htm#v25191/p14213/g25191g/fileInstanceId=9927190&defectInstanceId=2438316&mergedDefectId=1409238&fileStart=251&fileEnd=500 (the whole if statement is weird, although since it is in generated code, it does not really count; I would probably still add the braces to the .jj file, though)

3) Found an obvious false positive where it is warning about a concurrent modification of a concurrent hashset (because the hashset is implemented by Artemis and Coverity does not understand it is concurrent)

4) The most useful view of issues seems to be when I group issues by component or filter out the "tests" and "test" components.

It would certainly require somebody who understands the code to review it and decide if it is useful to have or not...

Cheers,

---------------------

* About submitting project build for analysis

The way I've been uploading the builds for analysis is by following their quickstart ;) The only tricky part is the build command, which I had to struggle with a bit to disable errorprone:

    /mnt/cov/cov-analysis-linux64-8.7.0/bin/cov-build --dir ../cov-int mvn -Pexamples -DskipTests=true -Djavac-compiler-id=javac package

In addition, I had to go through pom.xml and artemis-selectors/pom.xml and delete compiler args specific to errorprone; I did not find a way to do this with maven options.

(cov-analysis-linux64-8.7.0 is just proprietary software downloaded from Coverity that one needs to run)

--
Jiří Daněk,
