Hello, I added OpenSC to Coverity Scan [1], a closed source static code analyzer (even though it is not visible from the public listing of projects).
The initial scan found 434 issues, out of which 134 are about "stack size considerations" (don't really matter in a non-embedded setup IMHO) and the 300 other issues can actually be dealt with (like 23 instances of dead code, 60 secure coding practices (sprintf vs snprintf et al.), possible race conditions for accessing files, 76 resource leaks, 9 blocks of code with no effect, etc.). I now wonder what the best method of communicating them is.

To get access to further results (I plan to feed every pre-release-like candidate to their checker) an account is needed in their database (AFAIK only Coverity staff can add them). I did not find a way to make reasonable reports as text files, which would show the offending code snippet as well and could be distributed to the list or interested parties.

Until I figure out how to distribute the results, please ask me directly for access to the Coverity GUI for inspection.

[1] http://scan.coverity.com/

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel