First off thanks to the E/EFL community for making me aware of Coverity. I had not heard of it before I came to E, and noticed it was in use. I quickly put it to use for any apps I was working on. Though I found some things to be less than desirable.
Like the whole getenv tainted var situation, which there is more than one way to fix, but the scanner seems to only like one way.... That one is super annoying from Coverity!!! Another super annoying thing about Coverity: it gives you NO clue as to what to do to fix something, nor any reason why you should. Unlike Sonar, which shows you how to fix an issue it points out, and gives you reference documents to support why. Click the 3 dots at the end of the text describing the issue. It brings up a window at the bottom with the description:
https://sonarcloud.io/project/issues?id=entrance&issues=AWFzBrrtjU3w4cAunX4i&open=AWFzBrrtjU3w4cAunX4i
Some like this will show you additional references, MISRA, etc.:
https://sonarcloud.io/project/issues?id=entrance&issues=AWFzBrrcjU3w4cAunX4K&open=AWFzBrrcjU3w4cAunX4K

Coverity is SUPER picky on who they approve scanning for. If you are not a member of a project or directly affiliated, you cannot scan. That is, if you fork a project, or just want to scan some existing FOSS project that is not scanned by Coverity, their scan admin nazi will reject it. I even had them remove one I had set up for months for the Clipboard module, which is a fork for E21+, with the other I got it from focusing on E17/Moska. Yet Coverity could not understand this difference... Due to issues with Coverity denying me scans and removing a past project I had scans set up for and running for months, I started looking for alternatives. Thankfully I did!!!

I played a bit with clang's scan-build. That seems about the same as Coverity. Since I fixed all issues under Coverity, I have never had scan-build report anything. That was NOT the case with Sonar. Sonar scanner immediately pointed out a few things Coverity never did. It did and does have some false positives. It's also lagging in some stuff about changes in GNU handling of reentrant functions. But it helped me improve the code far beyond anything from Coverity scans.
Plus under Sonar, to fully pass, you need at least 80% code coverage on tests. Actually running code for coverage is way better than just analyzing. I REALLY like Sonar scanner and SonarCloud. The UI of SonarCloud is so much better than Coverity's. It is not restricted from the general public like Coverity. You are not limited to 4 scans per day. It runs the scan on the CI instance or locally, so you are not re-building again for the static analyzer. Does not affect CI build time like Coverity the slug... I am finding little use for Coverity after Sonar, and slowly moving away from Coverity. I run scan-build locally and it seems to catch anything Coverity would. Not to mention Sonar would likely catch that stuff as well.

The core Sonar is FOSS, but the CFamily plugin is not FOSS. But you could develop your own plugins, or further the core.
https://github.com/SonarSource/sonarqube

Nonetheless, all around I am loving Sonar and SonarCloud. I cannot say I ever loved Coverity. I surely got no love from them on bringing new projects to Coverity that were not presently scanned, like pinentry and openrc. Coverity denied me, and I set up both on Sonar. Thanks Coverity!
https://sonarcloud.io/dashboard?id=openrc
https://sonarcloud.io/dashboard?id=pinentry

All Sonar projects being scanned:
https://sonarcloud.io/organizations/obsidian-studiosinc-github/projects

You can see even after passing Coverity for Entrance, Sonar pointed out a BUNCH of stuff to address...
https://scan.coverity.com/projects/obsidian-studiosinc-entrance
https://sonarcloud.io/project/issues?id=entrance&resolutions=FIXED

Also checked out Codacy; it also points out a few things neither Coverity nor Sonar do, which is interesting and beneficial.
https://app.codacy.com/app/Obsidian-StudioInc/entrance/dashboard
Not sure if this is publicly visible.
https://app.codacy.com/projects?orgId=12207

Anyway, just wanted to pass that on.
Maybe worth looking into setting up Sonar scanner and SonarCloud for E stuff, EFL, Enlightenment, etc. I find it extremely beneficial, way more so than Coverity. Codacy seems of benefit as well. Seems like between Sonar and Codacy it will cover a bunch of stuff neither Coverity nor clang's scan-build catch.

P.S. I made a dark theme for Sonar, also Travis; complements my E eminence.
https://userstyles.org/styles/158324/sonarcloud-dark-purple
https://userstyles.org/styles/158318/travis-ci-dark-purple

-- 
William L. Thomson Jr.
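The getenv tainted-variable warning mentioned above is the analyzer treating environment data as untrusted input. As an added example, not from the post or from Entrance or any other project named here, one defensive pattern in C: the value from getenv() is bounded and checked against an allow-list before use; whether this is the form a particular scanner accepts is an assumption, and the helper names and the sample variable are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for setenv() and strnlen() */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical helper, not from any project in the post.
 * Treats an environment value as untrusted: it is copied into the
 * caller-owned buffer only if it is non-empty, fits with its terminator,
 * and consists solely of characters from 'allowed'.
 * Returns 1 on success, 0 on rejection; on rejection 'out' is "". */
int env_value_checked(const char *raw, const char *allowed,
                      char *out, size_t outlen)
{
    if (outlen == 0) return 0;
    out[0] = '\0';
    if (raw == NULL || raw[0] == '\0') return 0;
    size_t len = strnlen(raw, outlen);      /* never scan past what we can hold */
    if (len >= outlen) return 0;            /* no room for the NUL terminator */
    if (strspn(raw, allowed) != len) return 0; /* character outside allow-list */
    memcpy(out, raw, len + 1);
    return 1;
}

/* Wrapper around getenv() that only ever hands back validated data. */
int getenv_checked(const char *name, const char *allowed,
                   char *out, size_t outlen)
{
    return env_value_checked(getenv(name), allowed, out, outlen);
}

/* Allow-list for a simple filesystem path: no spaces, shell metacharacters
 * or control characters. */
#define PATH_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-"

int main(void)
{
    char dir[64];
    /* Constructed sample: a program reading its config directory from the
     * environment; EXAMPLE_CONF_DIR is a placeholder variable name. */
    setenv("EXAMPLE_CONF_DIR", "/etc/example.d", 1);
    if (getenv_checked("EXAMPLE_CONF_DIR", PATH_CHARS, dir, sizeof dir))
        printf("using config dir %s\n", dir);
    else
        printf("EXAMPLE_CONF_DIR rejected, using built-in default\n");
    return 0;
}
```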
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel