On Sat, 21 Apr 2018 12:26:03 -0400 "William L. Thomson Jr." <[email protected]> said:
> First off thanks to the E/EFL community for making me aware of
> Coverity. I had not heard of it before I came to E, and noticed it was
> in use. I quickly put it to use for any apps I was working on. Though I
> found some things to be less than desirable.
>
> Like the whole getenv tainted var situation. Which there is more than
> one way to fix, but the scanner seems to only like one way.... That one
> is super annoying from Coverity!!!

you can always dismiss a bug and tell coverity to ignore it. keep a log why so
that in future if people look at that again they can see a reason why it was
dismissed. coverity isn't going to be perfect. no such analyzer will be. they
will miss things and get false positives. the more paranoid they are the more
false positives you get. my experience is coverity is really good in the signal
to noise ratio department and often finds bizarre things you may never have
realized, but sometimes is a bit too keen on other things, but overall the
signal to noise is good.

> Another super annoying thing about Coverity, it gives you NO clue as to
> what to do to fix something. Nor any reason why you should. Unlike
> Sonar which shows you how to fix an issue it points out, and gives you
> reference documents to support why.

i have never had an issue with that. i have learned to read coverity reports as
to why the thing is an issue... you sometimes have to follow the code flow it's
showing traces of - which branches it takes and why etc. it doesn't tell you
how to fix it.. but i've never had a problem figuring out a way to fix things
except in very rare cases.

> Click the 3 dots at end of text describing issue. Brings up window in
> bottom, with description
> https://sonarcloud.io/project/issues?id=entrance&issues=AWFzBrrtjU3w4cAunX4i&open=AWFzBrrtjU3w4cAunX4i
>
> Some like this will show you additional references, MISRA, etc
> https://sonarcloud.io/project/issues?id=entrance&issues=AWFzBrrcjU3w4cAunX4K&open=AWFzBrrcjU3w4cAunX4K
>
> Coverity is SUPER picky on who they approve scanning for. If you are
> not a member of a project or directly affiliated, you cannot scan. That
> is you fork a project, or just want to scan some existing FOSS project
> that is not scanned by Coverity. Their scan admin nazi will reject it.
> I even had them remove one I had setup for months for Clipboard module.
> Which is a fork for e21+, with the other I got it from focusing on
> E17/Moksha. Yet Coverity could not understand this difference...

hasn't been a problem for us ... :)

> Due to issues with Coverity denying me scans and removing a past
> project I had scans setup for and running for months. I started looking
> for alternatives. Thankfully I did!!! I played a bit with clang's
> scan-build. That seems about the same as coverity. Since I fixed all
> issues under Coverity. I have never had scan-build report anything.

i've tried clang's reports. my issue is it's more noise in the signal than
coverity by a long shot and the worst - you can't tell it to shut up... :) well
it produces an html report and i have no "ignore this" button there like
coverity. if there is a way via comments in the source for example then i don't
know of it.

> That was NOT the case with Sonar. Sonar scanner immediately pointed out
> a few things Coverity never did. It did and does have some false
> positives. It's also lagging in some stuff about changes in GNU
> handling of reentrant functions. But it helped me improve the code far
> beyond anything from Coverity scans. Plus under Sonar to fully pass,
> you need at least 80% of code coverage on tests. Which, actually running
> code for coverage, is way better than just analyzing.
>
> I REALLY like Sonar scanner and SonarCloud. The UI of SonarCloud is so
> much better than Coverity. It is not restricted from the general public
> like Coverity. You are not limited to 4 scans per day. It runs the scan
> on the CI instance or locally. So you are not re-building again for the
> static analyzer. Does not affect CI build time like Coverity the slug...
>
> I am finding little use of Coverity after Sonar, and slowly moving away
> from Coverity. I run scan-build locally and it seems to catch anything
> Coverity would. Not to mention Sonar would likely catch that stuff as
> well. The core Sonar is FOSS, but the CFamily Plugin is not FOSS. But
> you could develop your own plugins. Or further the core.
> https://github.com/SonarSource/sonarqube
>
> Nonetheless all around I am loving Sonar and SonarCloud. I cannot say
> I ever loved Coverity. I surely got no love from them on bringing new
> projects to Coverity that were not presently scanned like pinentry and
> openrc. Coverity denied me, and I setup both on Sonar. Thanks Coverity!
> https://sonarcloud.io/dashboard?id=openrc
> https://sonarcloud.io/dashboard?id=pinentry

i guess we had different experiences... i've had great ones with coverity and
haven't had a need to look elsewhere for a long time.

> All Sonar projects being scanned
> https://sonarcloud.io/organizations/obsidian-studiosinc-github/projects
>
> You can see even after passing Coverity for Entrance, Sonar pointed out
> a BUNCH of stuff to address...
> https://scan.coverity.com/projects/obsidian-studiosinc-entrance
> https://sonarcloud.io/project/issues?id=entrance&resolutions=FIXED
>
> Also checked out Codacy, it also points out a few things neither
> Coverity or Sonar do, which is interesting and beneficial.
> https://app.codacy.com/app/Obsidian-StudioInc/entrance/dashboard
>
> Not sure if this is publicly visible.
> https://app.codacy.com/projects?orgId=12207
>
> Anyway just wanted to pass that on. Maybe worth looking into setting up
> Sonar scanner and SonarCloud for E stuff, EFL, Enlightenment, etc. I
> find it extremely beneficial. Way more so than Coverity. Codacy seems
> of benefit as well. Seems like between Sonar and Codacy it will cover a
> bunch of stuff neither Coverity or clang's scan-build catch.

now while you seem to have a bad day with coverity, as above, my experience is
otherwise, but i think it's great there are other options. knowing about them
is a great thing and thanks for bringing this up. :)

> P.S.
> I made a dark theme for Sonar, also Travis, compliments my E eminence.
> https://userstyles.org/styles/158324/sonarcloud-dark-purple
> https://userstyles.org/styles/158318/travis-ci-dark-purple
>
> --
> William L. Thomson Jr.

--
------------- Codito, ergo sum - "I code, therefore I am" --------------
Carsten Haitzler - [email protected]

_______________________________________________
enlightenment-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
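As an added example, not code from this thread, from EFL or from any of the analyzers discussed, here is one defensive way to handle the "getenv tainted var" finding that comes up above: treat the environment value as untrusted input and validate it (bounded length, printable ASCII only, absolute, no ".." components) before copying it anywhere, instead of handing it straight to strcpy or a path API. The variable name MYAPP_CONFIG_DIR, the fallback directory /etc/myapp and the 256-byte limit are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest environment value we are willing to accept (assumed limit). */
#define ENV_PATH_MAX 256

/*
 * Why analyzers call this data "tainted": the environment is controlled by
 * whoever launched the process, so both the length and the contents of a
 * getenv() result are untrusted. Copying it unchecked, for example
 *     strcpy(buf, getenv("MYAPP_CONFIG_DIR"));
 * can overflow buf, and also lets control characters or ".." reach code
 * that later builds file names from it.
 *
 * sanitize_env_path() copies a raw value into 'out' only if it passes the
 * checks; it returns false and leaves 'out' untouched otherwise.
 */
bool sanitize_env_path(const char *raw, char *out, size_t outsz)
{
    if (raw == NULL || out == NULL || outsz == 0)
        return false;

    /* Bounded scan: never walk further than we are willing to accept,
     * and reject control characters and non-ASCII bytes on the way. */
    size_t len = 0;
    while (len <= ENV_PATH_MAX && raw[len] != '\0') {
        unsigned char c = (unsigned char)raw[len];
        if (c < 0x20 || c > 0x7e)
            return false;
        len++;
    }
    if (len == 0 || len > ENV_PATH_MAX || len >= outsz)
        return false;                  /* empty, too long, or would not fit */

    if (raw[0] != '/')                 /* require an absolute path */
        return false;
    if (strstr(raw, "..") != NULL)     /* reject traversal components */
        return false;

    memcpy(out, raw, len + 1);         /* len + 1 <= outsz, includes the NUL */
    return true;
}

/* Fetch the config directory from the environment, falling back to a fixed
 * default when the value is absent or fails validation. The variable name
 * and the default directory are hypothetical. */
const char *config_dir(char *buf, size_t bufsz)
{
    const char *raw = getenv("MYAPP_CONFIG_DIR");
    if (sanitize_env_path(raw, buf, bufsz))
        return buf;
    return "/etc/myapp";
}

int main(void)
{
    char buf[ENV_PATH_MAX + 1];
    printf("config dir: %s\n", config_dir(buf, sizeof buf));
    return 0;
}
```

The point of splitting the validation out of config_dir() is that the checked value and the length bound are visible to both a reader and an analyzer at the single place the untrusted data is copied; a rejected value never reaches the caller, and the fallback keeps the program's behaviour deterministic when the environment is hostile or simply unset.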
