Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2014/08/26 11:20:54 UTC

Coverity static analysis scanning

All,

I have been pinged off-list by Coverity to say that they have set up
Tomcat with a free account with their static code analysis service.

I think I have the ability to send invitations so if anyone wants to
take a look at the results, just reply here.

I have taken a quick look and they do appear to have found some valid
threading issues. There are ~350 issues in total and I don't yet have a
feel for the false positive rate.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Coverity static analysis scanning

Posted by Violeta Georgieva <mi...@gmail.com>.
Hi,


2014-08-26 18:44 GMT+03:00 Rainer Jung <ra...@kippdata.de>:
>
> Hi Mark,
>
> Am 26.08.2014 um 11:20 schrieb Mark Thomas:
>
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up
>> Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to
>> take a look at the results, just reply here.
>>
>> I have taken a quick look and they do appear to have found some valid
>> threading issues. There are ~350 issues in total and I don't yet have a
>> feel for the false positive rate.
>
>
> I'm interested as well, especially if they also scan our native code, and
> also if they do the scans regularly to check for changes between releases
> etc.

For one of the other open source projects where I participate I run their build
tool by myself and then upload the results. Based on them they perform
their analysis.
So we can do the same for our native code.

@Mark I was added successfully to the project.

Violeta

>
> Thanks!
>
> Rainer

Re: Coverity static analysis scanning

Posted by Rainer Jung <ra...@kippdata.de>.
Hi Mark,

Am 26.08.2014 um 11:20 schrieb Mark Thomas:
> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.

I'm interested as well, especially if they also scan our native code, 
and also if they do the scans regularly to check for changes between 
releases etc.

Thanks!

Rainer




Re: Coverity static analysis scanning

Posted by Martin Knoblauch <kn...@gmail.com>.
On Tue, Aug 26, 2014 at 11:20 AM, Mark Thomas <ma...@apache.org> wrote:

> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.
>
> Mark
>

Hi Mark,

does the Coverity scan include "mod_jk", or does it need to be added to
their list? I would be interested to look into that code base a bit deeper.

Thanks
Martin


-- 
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de

Re: Coverity static analysis scanning

Posted by Fabrice Bellingard <be...@gmail.com>.
For code coverage, you need Cobertura to generate its report in XML. I
tried:

    ant clean test -Dtest.cobertura=true -Dcobertura.report.format=xml

but Cobertura fails to generate the XML report (whereas it's ok when it's
generating it in HTML...). So as long as this doesn't work, you won't be
able to get coverage... at least with Cobertura.


Also, I hadn't noticed that you had changed the project key, so now you
have 2 different projects on SQ:

   - The original one:
   https://analysis.apache.org/dashboard/index/org.apache.tomcat:tomcat-parent
      - From what I can see, looks like at some point of time, Tomcat was
      fully built with Maven?
   - The new one:
   https://analysis.apache.org/dashboard/index/apache:tomcat
You should keep only one. I suggest that you:

   - delete
   <http://docs.codehaus.org/display/SONAR/Project+Administration#ProjectAdministration-DeletingaProject>
   the new one
   - and update the key
   <http://docs.codehaus.org/display/SONAR/Project+Administration#ProjectAdministration-UpdatingProjectKey>
   of the original one to "apache:tomcat"

This way you'll keep the (short) history of the original analyses.


- Fabrice
  bellingard@apache.org
  fabrice.bellingard@sonarsource.com

On Thu, Sep 11, 2014 at 1:20 PM, Olivier Lamy <ol...@apache.org> wrote:

> thanks.
> Looks better now except code coverage still doesn't work. Any idea?

Re: Coverity static analysis scanning

Posted by Olivier Lamy <ol...@apache.org>.
thanks.
Looks better now except code coverage still doesn't work. Any idea?



-- 
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy



Re: Coverity static analysis scanning

Posted by Fabrice Bellingard <be...@gmail.com>.
Hi Olivier,

Looks like the configuration of the SQ build step is not fully correct.
From the following command line:

> [workspace] $ /x1/jenkins/sonar-runner/bin/sonar-runner -Dsonar.jdbc.driver=com.mysql.jdbc.Driver
> -Dsonar.jdbc.url=jdbc:mysql://192.168.0.64:3306/sonar?useUnicode=true&amp;characterEncoding=utf8 ******** ********
> -Dsonar.host.url=http://localhost:9090 ******** ********
> -Dsonar.projectBaseDir=/x1/jenkins/jenkins-master/jenkins-home/jobs/tomcat-trunk/workspace
> "-Dsonar.projectName=Apache Tomcat"
> -Dsonar.projectVersion=trunk
> -Dsonar.libraries=output/classes
> -Dsonar.projectKey=apache:tomcat
> -Dsonar.sources=java,modules/jdbc-pool,modules/tomcat-lite,modules/bayeux

I can see that:

   - sonar.binaries is missing (which is the reason why the Findbugs
   plugin fails)
   - sonar.libraries is not correct (it points to the folder where classes
   are compiled, not to the dependencies)


I made some tests on my box, and the following configuration should make it:

> sonar.projectKey=apache:tomcat
> sonar.projectName=Apache Tomcat
> sonar.projectVersion=trunk
>
> sonar.sources=java,modules/bayeux/java,modules/jdbc-pool/src/main/java,modules/tomcat-lite/java
>
> sonar.binaries=output/classes,modules/jdbc-pool/output/classes,modules/tomcat-lite/target/classes
>

(I removed "sonar.libraries" because it depends on the "base.path" property
set for the build)


One note: if you want to benefit from Findbugs analysis, all the classes
need to be compiled. For my tests, I run:

   - "ant compile" at the root, which compiles into "output/classes"
   - "ant" for both bayeux module, which compiles into "output/classes" as
   well
   - "ant" for jdbc-pool module, which compiles into
   "modules/jdbc-pool/output/classes"
   - "mvn compile" for "tomcat-lite" module, which compiles into
   "modules/tomcat-lite/target/classes"

All those build directories are therefore referenced in "sonar.binaries".


HTH!

- Fabrice
  bellingard@apache.org
  fabrice.bellingard@sonarsource.com

On Wed, Sep 10, 2014 at 9:08 AM, Olivier Lamy <ol...@apache.org> wrote:

> I tried to get this working but got this error:
> https://analysis.apache.org/jenkins/job/tomcat-trunk/10/console
>
> Any help will be appreciated :-)
>
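
The two problems diagnosed in Fabrice's message above (sonar.binaries missing, and sonar.libraries pointing at compiled classes rather than dependencies) can be caught before the analysis starts. The following Python pre-flight check is an added example, not part of the original thread or of the SonarQube or Tomcat tooling; the function names, the trimmed command lines and the temporary workspace layout are assumptions constructed from the values quoted in the message.

```python
"""Pre-flight check for the sonar-runner settings discussed in the thread."""
import os
import shlex
import tempfile

# Constructed from the thread: the failing command line (JDBC/host arguments omitted)
BROKEN = ('sonar-runner "-Dsonar.projectName=Apache Tomcat" '
          '-Dsonar.projectVersion=trunk -Dsonar.libraries=output/classes '
          '-Dsonar.projectKey=apache:tomcat '
          '-Dsonar.sources=java,modules/jdbc-pool,modules/tomcat-lite,modules/bayeux')
# Constructed from the thread: the configuration suggested in the reply
FIXED = ('sonar-runner -Dsonar.projectKey=apache:tomcat '
         '"-Dsonar.projectName=Apache Tomcat" -Dsonar.projectVersion=trunk '
         '-Dsonar.sources=java,modules/bayeux/java,'
         'modules/jdbc-pool/src/main/java,modules/tomcat-lite/java '
         '-Dsonar.binaries=output/classes,modules/jdbc-pool/output/classes,'
         'modules/tomcat-lite/target/classes')


def parse_defines(command_line):
    """Return the -Dkey=value arguments of a command line as a dict."""
    props = {}
    for token in shlex.split(command_line):
        if token.startswith("-D") and "=" in token:
            key, value = token[2:].split("=", 1)
            props[key] = value
    return props


def _paths(props, key):
    """Split a comma-separated path property into a clean list."""
    return [p.strip() for p in props.get(key, "").split(",") if p.strip()]


def _has_file_with_suffix(root, suffix):
    """True if any file below root ends with suffix (False if root is absent)."""
    for _dirpath, _dirs, files in os.walk(root):
        if any(name.endswith(suffix) for name in files):
            return True
    return False


def check_sonar_props(props, base_dir):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    for src in _paths(props, "sonar.sources"):
        if not os.path.isdir(os.path.join(base_dir, src)):
            problems.append("sonar.sources: %s does not exist" % src)

    binaries = _paths(props, "sonar.binaries")
    if not binaries:
        problems.append("sonar.binaries is missing: bytecode analysis "
                        "(Findbugs) has nothing to read")
    for path in binaries:
        if not _has_file_with_suffix(os.path.join(base_dir, path), ".class"):
            problems.append("sonar.binaries: %s holds no .class files "
                            "(module not compiled?)" % path)

    # Heuristic: a libraries entry that is a directory of .class files is
    # build output, not a dependency.
    for lib in _paths(props, "sonar.libraries"):
        full = os.path.join(base_dir, lib)
        if os.path.isdir(full) and _has_file_with_suffix(full, ".class"):
            problems.append("sonar.libraries: %s is a compiled-classes "
                            "directory, not a dependency" % lib)
    return problems


def make_workspace(root, compiled_dirs):
    """Build a constructed stand-in for the Jenkins workspace (empty files)."""
    for src in ("java", "modules/bayeux/java",
                "modules/jdbc-pool/src/main/java", "modules/tomcat-lite/java"):
        os.makedirs(os.path.join(root, src))
    for out in compiled_dirs:
        os.makedirs(os.path.join(root, out))
        open(os.path.join(root, out, "Example.class"), "w").close()


def demo():
    """Run the check for three situations and return the three problem lists."""
    with tempfile.TemporaryDirectory() as root:
        # Only the root "ant compile" has run; module outputs do not exist yet.
        make_workspace(root, ["output/classes"])
        before = check_sonar_props(parse_defines(BROKEN), root)
        partially = check_sonar_props(parse_defines(FIXED), root)
    with tempfile.TemporaryDirectory() as root:
        # Every module has been compiled into the directories named in the reply.
        make_workspace(root, ["output/classes",
                              "modules/jdbc-pool/output/classes",
                              "modules/tomcat-lite/target/classes"])
        after = check_sonar_props(parse_defines(FIXED), root)
    return before, partially, after


if __name__ == "__main__":
    for label, result in zip(("broken", "fixed, modules not built", "fixed"), demo()):
        print(label, "->", result or "OK")
```

Running a check like this as the build step before sonar-runner makes an uncompiled module fail the job early instead of producing an analysis with silently missing bytecode findings.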

Re: Coverity static analysis scanning

Posted by Mark Thomas <ma...@apache.org>.
On 10/09/2014 08:08, Olivier Lamy wrote:
> I tried to get this working but got this error:
> https://analysis.apache.org/jenkins/job/tomcat-trunk/10/console
> 
> Any help will be appreciated :-)

Disable the unit tests until you get this working. They add about an
hour to the build time. Use "clean deploy" rather than "clean test".

Looking at the Sonar config you have the following:
-Dsonar.sources=java,modules/jdbc-pool,modules/tomcat-lite,modules/bayeux

I'd change that to:
-Dsonar.sources=java,modules/jdbc-pool

Neither tomcat-lite nor bayeux are part of the standard Tomcat distribution.

Try that and see what happens.

Mark




Re: Coverity static analysis scanning

Posted by Olivier Lamy <ol...@apache.org>.
I tried to get this working but got this error:
https://analysis.apache.org/jenkins/job/tomcat-trunk/10/console

Any help will be appreciated :-)





-- 
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy



Re: Coverity static analysis scanning

Posted by Fabrice Bellingard <be...@gmail.com>.
Hi guys,

Tomcat had also been analyzed for a couple of months on the SonarQube
instance of the ASF [1], but the last analysis is very old. The analysis
must be failing for some reason, so I am copying Olivier, who's managing the SQ
instance @ASF. He can certainly give you more information on how to get the
analysis back to normal - and probably also how to get a login there.

IMO, it's best to advertise and use this instance instead of Nemo - which
we use @SonarSource mainly as a demo instance.

[1] https://analysis.apache.org/dashboard/index/77101?did=1


- Fabrice
  bellingard@apache.org
  fabrice.bellingard@sonarsource.com



Re: Coverity static analysis scanning

Posted by Henri Gomez <he...@gmail.com>.
Fabrice Bellingard, an ASFer, is working for Sonar.
I add him in the loop so he can give us more information.

2014-08-27 11:45 GMT+02:00 Mark Thomas <ma...@apache.org>:
> On 26/08/2014 22:52, Henri Gomez wrote:
>> Hi all
>>
>> Are you aware SonarQube has been analysing Tomcat in Nemo for years?
>>
>>
>> http://nemo.sonarqube.org/dashboard/index/50544
>>
>> 310 Blocker issues, 121 Critical issues.
>
> I took a quick look. The first 60 or so blocker issues I looked at were
> all false positives triggered by us catching Throwable for good reasons.
> Can we get a login to this system to mark them as false positives?
>
> Mark
>
>
>>
>> Wondering if Coverity will provide more information than SonarQube?
>>
>> BTW, SonarQube has been analysing major ASF projects for a long time now :)
>>
>>
>> 2014-08-26 11:20 GMT+02:00 Mark Thomas <ma...@apache.org>:
>>> All,
>>>
>>> I have been pinged off-list by Coverity to say that they have set up
>>> Tomcat with a free account with their static code analysis service.
>>>
>>> I think I have the ability to send invitations so if anyone wants to
>>> take a look at the results, just reply here.
>>>
>>> I have taken a quick look and they do appear to have found some valid
>>> threading issues. There are ~350 issues in total and I don't yet have a
>>> feel for the false positive rate.
>>>
>>> Mark
>>>
>>>
>>
>>
>
>
>



Re: Coverity static analysis scanning

Posted by Mark Thomas <ma...@apache.org>.
On 26/08/2014 22:52, Henri Gomez wrote:
> Hi all
> 
> Are you aware SonarQube has been analysing Tomcat in Nemo for years?
> 
> 
> http://nemo.sonarqube.org/dashboard/index/50544
> 
> 310 Blocker issues, 121 Critical issues.

I took a quick look. The first 60 or so blocker issues I looked at were
all false positives triggered by us catching Throwable for good reasons.
Can we get a login to this system to mark them as false positives?

Mark


> 
> Wondering if Coverity will provide more information than SonarQube?
> 
> BTW, SonarQube has been analysing major ASF projects for a long time now :)
> 
> 
> 2014-08-26 11:20 GMT+02:00 Mark Thomas <ma...@apache.org>:
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up
>> Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to
>> take a look at the results, just reply here.
>>
>> I have taken a quick look and they do appear to have found some valid
>> threading issues. There are ~350 issues in total and I don't yet have a
>> feel for the false positive rate.
>>
>> Mark
>>
>>
> 
> 




Re: Coverity static analysis scanning

Posted by Mark Thomas <ma...@apache.org>.
On 28/08/2014 15:44, Freddy Mallet wrote:
> Hi Guys,
> 
> I'm leading the development of the SonarQube platform. If you want any
> personal login/password to http://nemo.sonarqube.org/ and/or if you want us
> to tune the set of coding rules used to analyze the Tomcat project, feel
> free to ping me or

I'd like an account to have a poke around the results - markt@apache.org
please

> Obviously, if you're getting some false-positives, I'm also eager to get
> your feedback to help us tune our Java analyser.

False positives are expected. In the past the biggest problem I have
found with code analysis systems is the hoops you have to jump through
to mark something as a false positive.

Cheers,

Mark
> 
> Thanks
> -----
> twitter.com/FreddyMallet
> SonarQube for Continuous Inspection
> 
> 
> ---------- Forwarded message ----------
>> From: Henri Gomez <he...@gmail.com>
>> Date: 2014-08-26 23:52 GMT+02:00
>> Subject: Re: Coverity static analysis scanning
>> To: Tomcat Developers List <de...@tomcat.apache.org>
>>
>>
>> Hi all
>>
>> Are you aware SonarQube has been analysing Tomcat in Nemo for years?
>>
>>
>> http://nemo.sonarqube.org/dashboard/index/50544
>>
>> 310 Blocker issues, 121 Critical issues.
>>
>> Wondering if Coverity will provide more information than SonarQube?
>>
>> BTW, SonarQube has been analysing major ASF projects for a long time now :)
>>
>>
>> 2014-08-26 11:20 GMT+02:00 Mark Thomas <ma...@apache.org>:
>>> All,
>>>
>>> I have been pinged off-list by Coverity to say that they have set up
>>> Tomcat with a free account with their static code analysis service.
>>>
>>> I think I have the ability to send invitations so if anyone wants to
>>> take a look at the results, just reply here.
>>>
>>> I have taken a quick look and they do appear to have found some valid
>>> threading issues. There are ~350 issues in total and I don't yet have a
>>> feel for the false positive rate.
>>>
>>> Mark
>>>
>>>
>>
>>
> 




Re: Coverity static analysis scanning

Posted by Freddy Mallet <fr...@gmail.com>.
Hi Guys,

I'm leading the development of the SonarQube platform. If you want any
personal login/password to http://nemo.sonarqube.org/ and/or if you want us
to tune the set of coding rules used to analyze the Tomcat project, feel
free to ping me or

Obviously, if you're getting some false-positives, I'm also eager to get
your feedback to help us tune our Java analyser.

Thanks
-----
twitter.com/FreddyMallet
SonarQube for Continuous Inspection


---------- Forwarded message ----------
> From: Henri Gomez <he...@gmail.com>
> Date: 2014-08-26 23:52 GMT+02:00
> Subject: Re: Coverity static analysis scanning
> To: Tomcat Developers List <de...@tomcat.apache.org>
>
>
> Hi all
>
> Are you aware SonarQube has been analysing Tomcat in Nemo for years?
>
>
> http://nemo.sonarqube.org/dashboard/index/50544
>
> 310 Blocker issues, 121 Critical issues.
>
> Wondering if Coverity will provide more information than SonarQube?
>
> BTW, SonarQube has been analysing major ASF projects for a long time now :)
>
>
> 2014-08-26 11:20 GMT+02:00 Mark Thomas <ma...@apache.org>:
> > All,
> >
> > I have been pinged off-list by Coverity to say that they have set up
> > Tomcat with a free account with their static code analysis service.
> >
> > I think I have the ability to send invitations so if anyone wants to
> > take a look at the results, just reply here.
> >
> > I have taken a quick look and they do appear to have found some valid
> > threading issues. There are ~350 issues in total and I don't yet have a
> > feel for the false positive rate.
> >
> > Mark
> >
> >
>
>

Re: Coverity static analysis scanning

Posted by Henri Gomez <he...@gmail.com>.
Hi all

Are you aware SonarQube has been analysing Tomcat in Nemo for years?


http://nemo.sonarqube.org/dashboard/index/50544

310 Blocker issues, 121 Critical issues.

Wondering if Coverity will provide more information than SonarQube?

BTW, SonarQube has been analysing major ASF projects for a long time now :)


2014-08-26 11:20 GMT+02:00 Mark Thomas <ma...@apache.org>:
> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.
>
> Mark
>
>



Re: Coverity static analysis scanning

Posted by Mark Thomas <ma...@apache.org>.
On 26/08/2014 22:26, Christopher Schultz wrote:
> Mark,
> 
> On 8/26/14, 5:20 AM, Mark Thomas wrote:
>> I have been pinged off-list by Coverity to say that they have set up
>> Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to
>> take a look at the results, just reply here.
>>
>> I have taken a quick look and they do appear to have found some valid
>> threading issues. There are ~350 issues in total and I don't yet have a
>> feel for the false positive rate.
> 
> Wow, this is great. I've used FindBugs before both inside and outside of
> ASF projects, but this is ... just amazing.

It certainly appears to be an improvement on what was on offer the last
time we were approached by one of the static code analysis firms.
Personally, I'm withholding judgement until I get a better feel for what
% of the issues raised are ones that are likely to cause problems for
our users.

> It does catch a lot of sanity-checks and complains about them. I get
> DEAD CODE warnings all the time (in FindBugs) for especially JDBC code
> when I've caught all possible exceptions and yet still have a finally
> block that, for example, checks a Connection reference for null and
> closes it in that case. While the code is technically dead, it's
> future-proof against someone adding another call that throws a different
> type of exception, re-ordering some of the operations, or making some
> other change and forgetting to modify the finally block, etc.
> 
> It would be nice to know what the consensus is amongst the team about
> what to do in these cases: should all dead code segments be considered
> logical oversights and corrected? Or is additional sanity-checking and
> future-proofing a good idea?

It depends :)

I think there are some cases where I'd agree it is a good idea and some
where I'd think it was a waste of time and code.

> A good example is issue 45040
> (https://scan3.coverity.com:8443/reports.htm#v16818/p10363/fileInstanceId=567725&defectInstanceId=145101&mergedDefectId=45040):
> a logical bug in HttpServlet that should probably remain as-is. It's in
> the HttpServlet.doOptions method where we build a list of acceptable
> HTTP verbs. /Technically/, if ALLOW_GET is set, then ALLOW_HEAD must be
> set and therefore checking for "allow" (the string of verbs we're
> building) for NULL is illogical. One could argue that ALLOW_HEAD should
> be independent of ALLOW_GET -- why can't a servlet implement doHead but
> not doGet -- but it probably always makes sense to check for null.
> Stated differently: checking for NULL never hurt anybody.

I disagree. In this case if the servlet extends HttpServlet and
implements doGet(), HttpServlet provides the doHead() implementation.
I'd clean that code up and remove the dead code. That said, I have
other things higher up my priority list right now.

Mark




Re: Coverity static analysis scanning

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 8/26/14, 5:20 AM, Mark Thomas wrote:
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
> 
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
> 
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.

Wow, this is great. I've used FindBugs before both inside and outside of
ASF projects, but this is ... just amazing.

It does catch a lot of sanity-checks and complains about them. I get
DEAD CODE warnings all the time (in FindBugs) for especially JDBC code
when I've caught all possible exceptions and yet still have a finally
block that, for example, checks a Connection reference for null and
closes it in that case. While the code is technically dead, it's
future-proof against someone adding another call that throws a different
type of exception, re-ordering some of the operations, or making some
other change and forgetting to modify the finally block, etc.

It would be nice to know what the consensus is amongst the team about
what to do in these cases: should all dead code segments be considered
logical oversights and corrected? Or is additional sanity-checking and
future-proofing a good idea?

A good example is issue 45040
(https://scan3.coverity.com:8443/reports.htm#v16818/p10363/fileInstanceId=567725&defectInstanceId=145101&mergedDefectId=45040):
a logical bug in HttpServlet that should probably remain as-is. It's in
the HttpServlet.doOptions method where we build a list of acceptable
HTTP verbs. /Technically/, if ALLOW_GET is set, then ALLOW_HEAD must be
set and therefore checking for "allow" (the string of verbs we're
building) for NULL is illogical. One could argue that ALLOW_HEAD should
be independent of ALLOW_GET -- why can't a servlet implement doHead but
not doGet -- but it probably always makes sense to check for null.
Stated differently: checking for NULL never hurt anybody.

-chris
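
The dead-code finding discussed above, as an added example that is not part of the original message and is not Tomcat's HttpServlet source: a simplified model of building the Allow header, showing the flagged null check next to a form without it and checking that both agree for every reachable case. Only ALLOW_GET / ALLOW_HEAD and the doGet()/doHead() relationship come from the thread; the class and method names, the reduced verb set and the always-present TRACE and OPTIONS are assumptions of the model.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Simplified model of the Allow-header logic discussed in the thread.
 * Added example; NOT Tomcat's HttpServlet source.
 */
public class AllowHeaderDeadCode {

    /** Incremented only if the branch reported as dead is ever executed. */
    static int deadBranchHits = 0;

    /** Flagged shape: each verb re-checks "allow" for null before appending. */
    static String buildWithNullChecks(Set<String> overridden) {
        // Model assumption, following the thread: a servlet that overrides
        // doGet() gets doHead() from the base class, and HEAD is never
        // enabled on its own, so allowHead is true only when allowGet is.
        boolean allowGet = overridden.contains("doGet");
        boolean allowHead = allowGet;
        boolean allowPost = overridden.contains("doPost");

        String allow = null;
        if (allowGet) {
            allow = "GET";
        }
        if (allowHead) {
            if (allow == null) {
                // The branch a static analyser reports as dead:
                // allowHead implies allowGet, so allow is already "GET".
                deadBranchHits++;
                allow = "HEAD";
            } else {
                allow += ", HEAD";
            }
        }
        if (allowPost) {
            if (allow == null) {
                // Live branch: a servlet that only overrides doPost().
                allow = "POST";
            } else {
                allow += ", POST";
            }
        }
        // Model assumption: TRACE and OPTIONS are always offered.
        return (allow == null) ? "TRACE, OPTIONS" : allow + ", TRACE, OPTIONS";
    }

    /** Same result with the GET/HEAD coupling made explicit and no dead branch. */
    static String buildWithoutDeadBranch(Set<String> overridden) {
        StringBuilder allow = new StringBuilder();
        if (overridden.contains("doGet")) {
            allow.append("GET, HEAD, ");
        }
        if (overridden.contains("doPost")) {
            allow.append("POST, ");
        }
        return allow.append("TRACE, OPTIONS").toString();
    }

    /** Helper (hypothetical name) to build an ordered set of method names. */
    static Set<String> set(String... names) {
        return new LinkedHashSet<>(Arrays.asList(names));
    }

    /** Every combination of overridden methods reachable in this model. */
    static List<Set<String>> allCases() {
        return Arrays.asList(
                set(),
                set("doGet"),
                set("doPost"),
                set("doGet", "doPost"));
    }

    public static void main(String[] args) {
        for (Set<String> overridden : allCases()) {
            String flagged = buildWithNullChecks(overridden);
            String cleaned = buildWithoutDeadBranch(overridden);
            if (!flagged.equals(cleaned)) {
                throw new IllegalStateException("mismatch for " + overridden);
            }
            System.out.println(overridden + " -> Allow: " + cleaned);
        }
        if (deadBranchHits != 0) {
            throw new IllegalStateException("dead branch was reached");
        }
        System.out.println("dead-branch hits: " + deadBranchHits);
    }
}
```

If HEAD were ever made independent of GET, as the message speculates, the first null check would become reachable and the second form would no longer be equivalent.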


Re: Coverity static analysis scanning

Posted by Rémy Maucherat <re...@apache.org>.
2014-08-26 11:20 GMT+02:00 Mark Thomas <ma...@apache.org>:

> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.
>

Ok, so since there was so much noise about it I had a look. I am not quite
convinced (= I don't plan to actually fix anything meaningful), but at
least it does seem to attempt to do something useful.

Rémy

Re: Coverity static analysis scanning

Posted by Felix Schumacher <fe...@internetallee.de>.

On 8 November 2014 12:33:50 CET, Rainer Jung <ra...@kippdata.de> wrote:
>On 27.09.2014 at 12:28, Felix Schumacher wrote:
>> On 28.08.2014 at 23:15, Rainer Jung wrote:
>>> On 28.08.2014 at 21:44, Felix Schumacher wrote:
>>>> I'd like to have a look.
>>>
>>> Invitation sent out.
>> Would you mind to upgrade my account, so that I can update the status of
>> the defects?
>
>Sorry for chiming in late. Your role currently is Maintainer/Owner and
>I don't see anyone having a stronger role. I guess someone already
>assigned the needed rights to you.
Thanks for looking into it.

Regards
Felix 

>
>Regards,
>
>Rainer
>
>




Re: Coverity static analysis scanning

Posted by Rainer Jung <ra...@kippdata.de>.
On 27.09.2014 at 12:28, Felix Schumacher wrote:
> On 28.08.2014 at 23:15, Rainer Jung wrote:
>> On 28.08.2014 at 21:44, Felix Schumacher wrote:
>>> I'd like to have a look.
>>
>> Invitation sent out.
> Would you mind to upgrade my account, so that I can update the status of
> the defects?

Sorry for chiming in late. Your role currently is Maintainer/Owner and I
don't see anyone having a stronger role. I guess someone already
assigned the needed rights to you.

Regards,

Rainer




Re: Coverity static analysis scanning

Posted by Felix Schumacher <fe...@internetallee.de>.
On 28.08.2014 at 23:15, Rainer Jung wrote:
> On 28.08.2014 at 21:44, Felix Schumacher wrote:
>> I'd like to have a look.
>
> Invitation sent out.
Would you mind to upgrade my account, so that I can update the status of 
the defects?

Felix
>
> Rainer
>
>




Re: Coverity static analysis scanning

Posted by Rainer Jung <ra...@kippdata.de>.
On 28.08.2014 at 21:44, Felix Schumacher wrote:
> I'd like to have a look.

Invitation sent out.

Rainer



Re: Coverity static analysis scanning

Posted by Felix Schumacher <fe...@internetallee.de>.
I'd like to have a look.

On 26.08.2014 at 11:20, Mark Thomas wrote:
> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.
>
> Mark
>
>




Re: Coverity static analysis scanning

Posted by Mark Thomas <ma...@apache.org>.
On 26/08/2014 10:44, Niki Dokovski wrote:
> Hi Mark,
> 
> 
> On Tue, Aug 26, 2014 at 12:20 PM, Mark Thomas <ma...@apache.org> wrote:
> 
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up
>> Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to
>> take a look at the results, just reply here.
>>
> 
>  I'm interested.

Done. It looks like Coverity will need to approve that invite. Don't
know what they will do for a non-ASF e-mail address.

Mark

>> I have taken a quick look and they do appear to have found some valid
>> threading issues. There are ~350 issues in total and I don't yet have a
>> feel for the false positive rate.
>>
>> Mark
>>
>>
>>
> 




Re: Coverity static analysis scanning

Posted by Niki Dokovski <ni...@gmail.com>.
Hi Mark,


On Tue, Aug 26, 2014 at 12:20 PM, Mark Thomas <ma...@apache.org> wrote:

> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
>

 I'm interested.


>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.
>
> Mark
>
>
>

Re: Coverity static analysis scanning

Posted by Mark Thomas <ma...@apache.org>.
On 26/08/2014 11:38, Violeta Georgieva wrote:
> Hi Mark,
> 
> 
> 2014-08-26 12:20 GMT+03:00 Mark Thomas <ma...@apache.org>:
>>
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up
>> Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to
>> take a look at the results, just reply here.
> 
> I'm interested also.
> Can you tell me whether it is about https://scan.coverity.com ?
> If so I think I can add  the project to my dashboard by myself.

It is. Let me know if you need an invite.

Mark

> 
> Thanks
> Violeta
> 
>>
>> I have taken a quick look and they do appear to have found some valid
>> threading issues. There are ~350 issues in total and I don't yet have a
>> feel for the false positive rate.
>>
>> Mark
>>
>>
> 




Re: Coverity static analysis scanning

Posted by Violeta Georgieva <mi...@gmail.com>.
Hi Mark,


2014-08-26 12:20 GMT+03:00 Mark Thomas <ma...@apache.org>:
>
> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.

I'm interested also.
Can you tell me whether it is about https://scan.coverity.com ?
If so I think I can add  the project to my dashboard by myself.

Thanks
Violeta

>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.
>
> Mark
>
>

Re: Coverity static analysis scanning

Posted by Niki Dokovski <ni...@gmail.com>.
Niki Dokovski | @nickytd 

On 26.08.2014, at 22:56, Mark Thomas <ma...@apache.org> wrote:

> On 26/08/2014 20:49, Niki Dokovski wrote:
>> The observer role does not see actual ‘defects’. Only general statistics are shown on the project dashboard.
> 
> About as much use as a chocolate teapot then.
> 
> I've upgraded all non-committers to contributor / viewer. Any better?

Much better. Now the actual issues are visible.

> Mark
> 
> 
> 




Re: Coverity static analysis scanning

Posted by Mark Thomas <ma...@apache.org>.
On 26/08/2014 20:49, Niki Dokovski wrote:
> The observer role does not see actual ‘defects’. Only general statistics are shown on the project dashboard.

About as much use as a chocolate teapot then.

I've upgraded all non-committers to contributor / viewer. Any better?

Mark




Re: Coverity static analysis scanning

Posted by Niki Dokovski <ni...@gmail.com>.
Niki Dokovski | @nickytd 

On 26.08.2014, at 22:26, Niki Dokovski <ni...@gmail.com> wrote:

> 
> On 26.08.2014, at 22:19, Mark Thomas <ma...@apache.org> wrote:
> 
>> On 26/08/2014 18:02, Filip Hanik wrote:
>>> hook me up
>> 
>> Done (and for everyone else who has asked).
> 
> Thanks Mark. 
> 
>> 
>> It appears I now have admin karma for Coverity's project for
>> scanning Tomcat.
>> 
>> The approach I am taking is Tomcat committers get the Maintainer/Owner
>> role and everyone else gets the Observer role. The idea being that if
>> someone contributes enough that we want to change their role we probably
>> should make them a committer :)

The observer role does not see actual ‘defects’. Only general statistics are shown on the project dashboard.
>> 
>> Mark
>> 
>> 
>>> 
>>> On Tuesday, August 26, 2014, Mark Thomas <ma...@apache.org> wrote:
>>> 
>>>> All,
>>>> 
>>>> I have been pinged off-list by Coverity to say that they have set up
>>>> Tomcat with a free account with their static code analysis service.
>>>> 
>>>> I think I have the ability to send invitations so if anyone wants to
>>>> take a look at the results, just reply here.
>>>> 
>>>> I have taken a quick look and they do appear to have found some valid
>>>> threading issues. There are ~350 issues in total and I don't yet have a
>>>> feel for the false positive rate.
>>>> 
>>>> Mark
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
> 




Re: Coverity static analysis scanning

Posted by Niki Dokovski <ni...@gmail.com>.
On 26.08.2014, at 22:19, Mark Thomas <ma...@apache.org> wrote:

> On 26/08/2014 18:02, Filip Hanik wrote:
>> hook me up
> 
> Done (and for everyone else who has asked).

Thanks Mark. 

> 
> It appears I now have admin karma for Coverity's project for
> scanning Tomcat.
> 
> The approach I am taking is Tomcat committers get the Maintainer/Owner
> role and everyone else gets the Observer role. The idea being that if
> someone contributes enough that we want to change their role we probably
> should make them a committer :)
> 
> Mark
> 
> 
>> 
>> On Tuesday, August 26, 2014, Mark Thomas <ma...@apache.org> wrote:
>> 
>>> All,
>>> 
>>> I have been pinged off-list by Coverity to say that they have set up
>>> Tomcat with a free account with their static code analysis service.
>>> 
>>> I think I have the ability to send invitations so if anyone wants to
>>> take a look at the results, just reply here.
>>> 
>>> I have taken a quick look and they do appear to have found some valid
>>> threading issues. There are ~350 issues in total and I don't yet have a
>>> feel for the false positive rate.
>>> 
>>> Mark
>>> 
>>> 
>>> 
>> 
> 
> 




Re: Coverity static analysis scanning

Posted by Mark Thomas <ma...@apache.org>.
On 26/08/2014 18:02, Filip Hanik wrote:
> hook me up

Done (and for everyone else who has asked).

It appears I now have admin karma for Coverity's project for
scanning Tomcat.

The approach I am taking is Tomcat committers get the Maintainer/Owner
role and everyone else gets the Observer role. The idea being that if
someone contributes enough that we want to change their role we probably
should make them a committer :)

Mark


> 
> On Tuesday, August 26, 2014, Mark Thomas <ma...@apache.org> wrote:
> 
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up
>> Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to
>> take a look at the results, just reply here.
>>
>> I have taken a quick look and they do appear to have found some valid
>> threading issues. There are ~350 issues in total and I don't yet have a
>> feel for the false positive rate.
>>
>> Mark
>>
>>
>>
> 




Re: Coverity static analysis scanning

Posted by Filip Hanik <fi...@hanik.com>.
hook me up

On Tuesday, August 26, 2014, Mark Thomas <ma...@apache.org> wrote:

> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.
>
> Mark
>
>
>