[OPEN-ILS-DEV] Integrating automated code analysis tools into regular practice?

Scott McKellar mck9 at swbell.net
Thu Nov 22 00:08:35 EST 2007


--- Dan Scott <denials at gmail.com> wrote:

> I was pondering a few possibilities for helping to tighten up our
> code in a more automated fashion today. I thought I would throw the
> ideas out there to see if there's interest or support for them...

<snip: info about code-scanning tools>

Mod parent up.

I have stumbled across various problems (security vulnerabilities,
memory leaks, etc.) in the course of doing other things, but I
haven't been looking for them systematically.  I've probably 
overlooked more than I've found, even if you don't count the code 
that I haven't looked at yet.  No doubt the automated tools can find
more stuff faster.  It's the difference between working with a pick 
and shovel and working with a backhoe.

Don't forget good old lint.  I haven't used it yet on this project
because I've been finding enough to keep me busy with the pick-and-
shovel approach.  However, my experience is that lint usually finds
at least a few forehead-slappers.

My one reservation is about the idea of posting the results on the
web.  The point is not that I don't want to air our dirty linens
in public -- it's all open source, after all -- but I wouldn't want
to erect needless barriers to the code scans.  If it takes ten
minutes to run the scans, and three hours to update the website, then
we probably won't run the scans as often as we should.  I'd rather
have more scans than prettier web pages.

Hence I suggest that any publication of the scan results involve
minimal work, because the reporting is rudimentary, automated,
or both.

I note that Coverity's website already publishes defect counts on the
projects it covers.

Scott McKellar
http://home.swbell.net/mck9/ct/
