On 07/14/2015 07:51 AM, Dieter, William R wrote:
> One of the original plans for the Linux Foundation infrastructure was to use Sonar to run the SonarQube C++ plug-in. We have run into a few problems using the commercial plug-in; however, there are several community plug-ins for C/C++ code:
>
> * vera++ (for checking style)
> * cppcheck (static analysis checking for buffer overflows, memory, and other problems)
> * RATS (checking for security problems, including buffer overflows)
>
> We could enable these checks to run through Jenkins during verification builds. The idea would be that the static analysis checkers could point out potential problems and be an aid to code reviewers. The tools are all open source, so contributors could run them locally, too.
>
> The implementation plan would be to first make the static analysis information available, but not have it give a +1 or -1. After some period (and tweaking of rules), if the community thinks it is helpful, Sonar could give a -1 when certain checks fail, based on the observed track record.
>
> Before implementing this, we would like to know if there is community support for it. Is this something people would find useful? Are there any objections to just making the analysis available (without automatic +/-1)?
It would be interesting to see how this compares with output from Coverity. For security, though, there is some rationale to avoid publishing full information immediately to the general public. If some actual security issues are spotted, it might be good to have a review process to address them, etc. Of course, for pure open source code this is perhaps less of a factor, but there should be some thought given to what might be the appropriate responsible disclosure policies.

--
Jon A. Cruz - Senior Open Source Developer
Samsung Open Source Group
jonc at osg.samsung.com
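The verification-build step William proposes (report first, vote later), as an added example that is not code from this thread or from the project's Jenkins setup: the script parses cppcheck's `--xml-version=2` output, prints one reviewer-readable comment per finding, and applies a vote policy. The policy itself is an assumption for illustration: advisory mode always returns 0, and enforcing mode returns -1 only for a finding of a blocking severity whose checker id is not on an ignore list, which is where the "tweaking of rules" would accumulate. The report embedded below is constructed; its file names, line numbers and messages are made up. vera++ and RATS would need their own parsers, since their output formats differ.

```python
"""Summarise a cppcheck XML report and turn it into an advisory or blocking vote.

Added example for the proposal above: it is not code from the thread or from
the project's Jenkins setup. The report text is constructed, and the vote
policy (which severities block, which checker ids are ignored) is hypothetical.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in cppcheck's --xml-version=2 output format; the files,
# line numbers and messages are made up for this example.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="1.69"/>
  <errors>
    <error id="arrayIndexOutOfBounds" severity="error"
           msg="Array 'buf[16]' accessed at index 16, which is out of bounds.">
      <location file="src/parse.c" line="42"/>
    </error>
    <error id="memleak" severity="error" msg="Memory leak: p">
      <location file="src/alloc.c" line="88"/>
    </error>
    <error id="unusedVariable" severity="style" msg="Unused variable: tmp">
      <location file="src/main.c" line="10"/>
    </error>
    <error id="variableScope" severity="style"
           msg="The scope of the variable 'i' can be reduced.">
      <location file="src/main.c" line="23"/>
    </error>
  </errors>
</results>
"""

# Hypothetical policy: only findings of these severities can ever block a change.
BLOCKING_SEVERITIES = frozenset({"error"})


def parse_report(xml_text):
    """Flatten a cppcheck v2 XML report into a list of finding dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for err in root.iter("error"):
        loc = err.find("location")  # first <location> is the reported site
        findings.append({
            "id": err.get("id"),
            "severity": err.get("severity"),
            "file": loc.get("file") if loc is not None else "",
            "line": int(loc.get("line", "0")) if loc is not None else 0,
            "msg": err.get("msg", ""),
        })
    return findings


def summarize(findings):
    """Count findings per severity, e.g. Counter({'error': 2, 'style': 2})."""
    return Counter(f["severity"] for f in findings)


def review_comments(findings):
    """One 'file:line: [severity/id] msg' line per finding, for posting to the review."""
    return ["%s:%d: [%s/%s] %s" % (f["file"], f["line"], f["severity"], f["id"], f["msg"])
            for f in findings]


def vote(findings, enforce=False, ignored_ids=frozenset(), blocking=BLOCKING_SEVERITIES):
    """Advisory mode (enforce=False) always returns 0: findings are shown, not scored.

    Enforcing mode returns -1 only when a finding of a blocking severity remains
    after dropping the checker ids the community has decided are noise.
    """
    live = [f for f in findings if f["id"] not in ignored_ids]
    if enforce and any(f["severity"] in blocking for f in live):
        return -1
    return 0


def main(argv):
    paths = [a for a in argv[1:] if not a.startswith("--")]
    text = open(paths[0]).read() if paths else SAMPLE_REPORT
    findings = parse_report(text)
    for line in review_comments(findings):
        print(line)
    print("summary:", dict(summarize(findings)))
    verdict = vote(findings, enforce="--enforce" in argv)
    print("vote:", verdict)
    return 0 if verdict == 0 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a Jenkins shell step the report would come from something like `cppcheck --enable=warning,style --xml --xml-version=2 src/ 2> report.xml` (cppcheck writes the XML to stderr), followed by `python3 review_cppcheck.py report.xml` during the advisory period and `python3 review_cppcheck.py --enforce report.xml` once the community opts in to a -1; the non-zero exit in enforcing mode is what the job would map to the vote.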
