Posted to dev@cloudstack.apache.org by Hugo Trippaers <hu...@trippaers.nl> on 2013/11/04 17:39:18 UTC

Coverity static code analysis

Hey all,

At CloudOpen in Edinburgh I joined a presentation on Coverity, a static code analysis tool. Some of you may have heard of it already; it is famous for doing the code analysis on the Linux kernel for quite some years already. They added support for the Java language quite a while back. The presenter dropped by our CloudStack booth and we had a nice chat on static code analysis.

You might have guessed the next step: I added CloudStack to the Coverity scanning service at scan.coverity.com: http://scan.coverity.com/projects/943.
 - 1.044.609 lines of code
 - 6.70 defect density
 - 6997 outstanding defects

The reasoning is obviously that anything that will help us improve quality should be considered. However, just adding the CloudStack sources to the scan isn’t going to solve anything. For that we all need to pitch in and help out with getting the scan results triaged, assigned and fixed. So sign up en-masse and go fix ;-)

Note to new and aspiring CloudStack developers, don’t know where to start but you want to help out? This is a great way to get to know the code and the community. Have a look at one of the open items on Coverity, fix it and submit it for review at reviews.apache.org. 

Cheers,

Hugo




Re: Coverity static code analysis

Posted by John Kinsella <jl...@stratosec.co>.
I'll guess Coverity counts executable lines. LOC can be a little tricky to calculate…comments, whitespace, things like include statements usually don't count (from a licensing POV).

John

On Nov 4, 2013, at 8:55 AM, Sebastien Goasguen <ru...@gmail.com> wrote:

> On Nov 4, 2013, at 11:39 AM, Hugo Trippaers <hu...@trippaers.nl> wrote:
>
>> Hey all,
>>
>> At CloudOpen in Edinburgh I joined a presentation on Coverity, a static code analysis tool. Some of you may have heard of it already; it is famous for doing the code analysis on the Linux kernel for quite some years already. They added support for the Java language quite a while back. The presenter dropped by our CloudStack booth and we had a nice chat on static code analysis.
>>
>> You might have guessed the next step: I added CloudStack to the Coverity scanning service at scan.coverity.com: http://scan.coverity.com/projects/943.
>> - 1.044.609 lines of code
>
> why does Ohloh list 4.2 M loc when Coverity only 1M?
>
>> - 6.70 defect density
>> - 6997 outstanding defects
>>
>> The reasoning is obviously that anything that will help us improve quality should be considered. However, just adding the CloudStack sources to the scan isn’t going to solve anything. For that we all need to pitch in and help out with getting the scan results triaged, assigned and fixed. So sign up en-masse and go fix ;-)
>>
>> Note to new and aspiring CloudStack developers, don’t know where to start but you want to help out? This is a great way to get to know the code and the community. Have a look at one of the open items on Coverity, fix it and submit it for review at reviews.apache.org.
>>
>> Cheers,
>>
>> Hugo







Re: Coverity static code analysis

Posted by Sebastien Goasguen <ru...@gmail.com>.
On Nov 4, 2013, at 11:39 AM, Hugo Trippaers <hu...@trippaers.nl> wrote:

> Hey all,
> 
> At CloudOpen in Edinburgh I joined a presentation on Coverity, a static code analysis tool. Some of you may have heard of it already; it is famous for doing the code analysis on the Linux kernel for quite some years already. They added support for the Java language quite a while back. The presenter dropped by our CloudStack booth and we had a nice chat on static code analysis.
> 
> You might have guessed the next step: I added CloudStack to the Coverity scanning service at scan.coverity.com: http://scan.coverity.com/projects/943.
> - 1.044.609 lines of code

why does Ohloh list 4.2 M loc when Coverity only 1M?

> - 6.70 defect density
> - 6997 outstanding defects
> 
> The reasoning is obviously that anything that will help us improve quality should be considered. However, just adding the CloudStack sources to the scan isn’t going to solve anything. For that we all need to pitch in and help out with getting the scan results triaged, assigned and fixed. So sign up en-masse and go fix ;-)
> 
> Note to new and aspiring CloudStack developers, don’t know where to start but you want to help out? This is a great way to get to know the code and the community. Have a look at one of the open items on Coverity, fix it and submit it for review at reviews.apache.org. 
> 
> Cheers,
> 
> Hugo
> 
> 
>