Posted to users@felix.apache.org by Joel Schuster <jo...@gmx.com> on 2012/04/09 14:30:45 UTC

Coverity Static Analysis

I'm using Felix within a gov't project. Lately there has been a push to have
open source projects be scanned by 3rd party static analysis tools to show
the value of using OSS within gov't projects while showing that the risk is
in fact smaller than industry standard.

As you can see there are quite a few OSS projects that are already being
scanned, and a number of those projects are making explicit effort to make
sure that any bugs that are found are dealt with quickly.

http://scan.coverity.com/all-projects.html

I was wondering if the Felix project would be interested in pursuing being
scanned by Coverity and being placed on this list.

- Joel

Re: Coverity Static Analysis

Posted by Marcel Offermans <ma...@luminis.nl>.
On Apr 16, 2012, at 18:05 PM, Joel Schuster wrote:

> Two reasons...
> 
> 1. Getting some free information through code scan might help inform making
> Felix more robust.

We have a good set of tests for most if not all code we release, we regularly run the TCK and we take every bug report we get very seriously.

> All it takes is a project member to register and the rest is done by Coverity.

Why do you need a project member to register? Like I said, this is open source, anybody can download and analyze our codebase.

> It's a low commitment to potentially get some good information.

All I have is your word for that, right now I have no clue what you will do and why it will improve our codebase.

> 2. Having the results on the Coverity site may increase the user base if
> people can easily see that the community is active in addressing and dealing
> with robustness issues.

You make it sound as if we're not addressing these issues already.

Don't get me wrong, I encourage everybody to read or use the code and give us feedback when they think they have discovered an issue. So far I don't see how signing up with Coverity will help us.

Greetings, Marcel

> 
> - Joel
> 
> 
>> -----Original Message-----
>> From: Marcel Offermans [mailto:marcel.offermans@luminis.nl]
>> Sent: Monday, April 09, 2012 9:33 AM
>> To: users@felix.apache.org
>> Subject: Re: Coverity Static Analysis
>> 
>> Hello Joel,
>> 
>> On Apr 9, 2012, at 14:30 PM, Joel Schuster wrote:
>> 
>>> I'm using Felix within a gov't project. Lately there has been a push
>>> to have open source projects be scanned by 3rd party static analysis
>>> tools to show the value of using OSS within gov't projects while
>>> showing that the risk is in fact smaller than industry standard.
>>> 
>>> As you can see there are quite a few OSS projects that are already
>>> being scanned, and a number of those projects are making explicit
>>> effort to make sure that any bugs that are found are dealt with quickly.
>>> 
>>> http://scan.coverity.com/all-projects.html
>>> 
>>> I was wondering if the Felix project would be interested in pursuing
>>> being scanned by Coverity and being placed on this list.
>> 
>> I looked at the link you supplied, but there is not much to see there
>> other than some metrics that are done in a way that I cannot reproduce. Why
>> should we as an open source project be interested in actively
>> participating in this?
>> 
>> All our source code is obviously available for anyone to examine, so I'm
>> sure that anybody who is interested in running it past the static analysis
>> tools that Coverity has can do so.
>> 
>> Greetings, Marcel
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@felix.apache.org
>> For additional commands, e-mail: users-help@felix.apache.org
> 
> 



RE: Coverity Static Analysis

Posted by Joel Schuster <jo...@gmx.com>.
Two reasons...

1. Getting some free information through code scan might help inform making
Felix more robust. All it takes is a project member to register and the rest
is done by Coverity. It's a low commitment to potentially get some good
information.
2. Having the results on the Coverity site may increase the user base if
people can easily see that the community is active in addressing and dealing
with robustness issues.


- Joel


> -----Original Message-----
> From: Marcel Offermans [mailto:marcel.offermans@luminis.nl]
> Sent: Monday, April 09, 2012 9:33 AM
> To: users@felix.apache.org
> Subject: Re: Coverity Static Analysis
> 
> Hello Joel,
> 
> On Apr 9, 2012, at 14:30 PM, Joel Schuster wrote:
> 
> > I'm using Felix within a gov't project. Lately there has been a push
> > to have open source projects be scanned by 3rd party static analysis
> > tools to show the value of using OSS within gov't projects while
> > showing that the risk is in fact smaller than industry standard.
> >
> > As you can see there are quite a few OSS projects that are already
> > being scanned, and a number of those projects are making explicit
> > effort to make sure that any bugs that are found are dealt with quickly.
> >
> > http://scan.coverity.com/all-projects.html
> >
> > I was wondering if the Felix project would be interested in pursuing
> > being scanned by Coverity and being placed on this list.
> 
> I looked at the link you supplied, but there is not much to see there
> other than some metrics that are done in a way that I cannot reproduce. Why
> should we as an open source project be interested in actively
> participating in this?
> 
> All our source code is obviously available for anyone to examine, so I'm
> sure that anybody who is interested in running it past the static analysis
> tools that Coverity has can do so.
> 
> Greetings, Marcel

Re: Coverity Static Analysis

Posted by Marcel Offermans <ma...@luminis.nl>.
Hello Joel,

On Apr 9, 2012, at 14:30 PM, Joel Schuster wrote:

> I'm using Felix within a gov't project. Lately there has been a push to have
> open source projects be scanned by 3rd party static analysis tools to show
> the value of using OSS within gov't projects while showing that the risk is
> in fact smaller than industry standard.
> 
> As you can see there are quite a few OSS projects that are already being
> scanned, and a number of those projects are making explicit effort to make
> sure that any bugs that are found are dealt with quickly.
> 
> http://scan.coverity.com/all-projects.html
> 
> I was wondering if the Felix project would be interested in pursuing being
> scanned by Coverity and being placed on this list.

I looked at the link you supplied, but there is not much to see there other than some metrics that are done in a way that I cannot reproduce. Why should we as an open source project be interested in actively participating in this?

All our source code is obviously available for anyone to examine, so I'm sure that anybody who is interested in running it past the static analysis tools that Coverity has can do so.

Greetings, Marcel

