Dear all, Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service: https://scan.coverity.com/projects/1388
Coverity has uncovered ~55 implementation defects in the code base, with 25 or so of high severity (memory corruption, resource leaks, etc.). To view the defects, you need to connect with your GitHub account (or create one with Coverity) and request 'Add me to project' (which I shall then approve). Coverity provides overall metrics like defect density (Geany scores an impressive 0.23), but also classifies uncovered bugs by type and severity, and provides a nice UI trying to explain to the devels the specifics of the bug and how to address it (e.g. where it happens, why it's an issue, etc.).
This tool is being used by heavyweights like LibreOffice, the Linux Kernel, Firefox or Python to improve the robustness of their code base. I suspect that Coverity could prove invaluable when trying to hunt down frustrating implementation issues causing obscure bugs.
In any case the identified bugs are now ready for inspection by the devels, so feel free to drop by!
Regards, Liviu
On 2015-02-12 22:21, Liviu Andronic wrote:
Dear all, Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service: https://scan.coverity.com/projects/1388
Coverity has uncovered ~55 implementation defects in the code base, with 25 or so of high severity (memory corruption, resource leaks, etc.). To view the defects, you need to connect with your GitHub account (or create one with Coverity) and request 'Add me to project' (which I shall then approve). Coverity provides overall metrics like defect density (Geany scores an impressive 0.23), but also classifies uncovered bugs by type and severity, and provides a nice UI trying to explain to the devels the specifics of the bug and how to address it (e.g. where it happens, why it's an issue, etc.).
This tool is being used by heavyweights like LibreOffice, the Linux Kernel, Firefox or Python to improve the robustness of their code base. I suspect that Coverity could prove invaluable when trying to hunt down frustrating implementation issues causing obscure bugs.
In any case the identified bugs are now ready for inspection by the devels, so feel free to drop by!
Any chance to get the info w/o creating an account?
Cheers, Frank
On Fri, Feb 13, 2015 at 1:01 PM, Frank Lanitz frank@frank.uvena.de wrote:
On 2015-02-12 22:21, Liviu Andronic wrote:
Dear all, Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service: https://scan.coverity.com/projects/1388
Coverity has uncovered ~55 implementation defects in the code base, with 25 or so of high severity (memory corruption, resource leaks, etc.). To view the defects, you need to connect with your GitHub account (or create one with Coverity) and request 'Add me to project' (which I shall then approve). Coverity provides overall metrics like defect density (Geany scores an impressive 0.23), but also classifies uncovered bugs by type and severity, and provides a nice UI trying to explain to the devels the specifics of the bug and how to address it (e.g. where it happens, why it's an issue, etc.).
This tool is being used by heavyweights like LibreOffice, the Linux Kernel, Firefox or Python to improve the robustness of their code base. I suspect that Coverity could prove invaluable when trying to hunt down frustrating implementation issues causing obscure bugs.
In any case the identified bugs are now ready for inspection by the devels, so feel free to drop by!
Any chance to get the info w/o creating an account?
Well, not easily. Coverity forces users to sign a user agreement that would prevent you from creating competitor products using what you've learned from how their Scan works, or so I've heard. But more practically, their web interface allows devels to easily understand the bugs, where they're located, what needs to be fixed, etc. Of course I could send you screenshots privately, say, but I don't think that would be an efficient approach.
And since all our devels have github accounts, it's a breeze to sign into Coverity using that account...
Regards, Liviu
Cheers, Frank _______________________________________________ Devel mailing list Devel@lists.geany.org https://lists.geany.org/cgi-bin/mailman/listinfo/devel
On 12/02/2015 21:21, Liviu Andronic wrote:
Coverity has uncovered ~55 implementation defects in the code base, with 25 or so of high severity (memory corruption, resource leaks, etc.)
Thanks. Some of this should be useful, but AFAICT some of the serious items seem to occur when certain assertions have failed, e.g. TagManager Assert, which cause a lot of false positives.
On Wed, Feb 18, 2015 at 2:57 PM, Nick Treleaven nick.treleaven@btinternet.com wrote:
On 12/02/2015 21:21, Liviu Andronic wrote:
Coverity has uncovered ~55 implementation defects in the code base, with 25 or so of high severity (memory corruption, resource leaks, etc.)
Thanks. Some of this should be useful, but AFAICT some of the serious items seem to occur when certain assertions have failed, e.g. TagManager Assert, which cause a lot of false positives.
Coverity has some facilities to deal with false positives. For instance, it is possible to classify an identified issue as "false positive" or "intentional", meaning that Coverity shall ignore it in future code scans.
But more usefully we can specify a Modeling File: "Static code analysis has some limitations in its ability to understand certain dynamic operations. This limitation may result in falsely detecting defects. Since most false-positive defects are caused by few functions in your code base, Coverity allows you to tell the analysis engine to treat these functions differently. This is called a Modeling File. By providing a modeling file, most projects reduce their false-positive rate to the ballpark of 10%."
Maybe we should look into that?
Cheers, Liviu
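The false-positive pattern Nick describes (serious reports that only arise once an assertion has already failed) and the modeling-file remedy Liviu quotes can both be shown with a small constructed example. The code below is added here; it is not Geany's TagManager code and not taken from Coverity's documentation. Tag, TM_ASSERT, tm_assert_fail, tag_name_length and count_tags_with_prefix are hypothetical names invented for the illustration. The only Coverity-specific identifiers are __COVERITY__, the macro Coverity's compiler emulation defines during cov-build, and the __coverity_panic__() modeling primitive that tells the analysis engine a call never returns. The root cause is that an analyzer which cannot see the body of an assertion handler assumes the handler returns, and then follows the impossible path where the checked pointer is NULL into the dereference.

```c
/* Added example: why an assertion helper the analyzer cannot see yields a
 * spurious "NULL dereference" report, and two ways to tell the analyzer
 * the truth. All names are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable "does not return" marker: GCC/Clang attribute first, C11 next. */
#if defined(__GNUC__)
#  define TM_NORETURN __attribute__((noreturn))
#elif defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
#  define TM_NORETURN _Noreturn
#else
#  define TM_NORETURN
#endif

typedef struct {
    const char *name;
} Tag;

/* Fix 1: declare the failure handler as non-returning in the header that
 * callers see. Compilers and static analyzers (Clang Static Analyzer,
 * Coverity, ...) then know that nothing after a failed TM_ASSERT runs, so
 * the dereference in tag_name_length() is only analysed on the path where
 * the pointer is non-NULL. Without this, an analyzer that never sees the
 * body assumes tm_assert_fail() returns and reports a dereference that
 * cannot happen at run time. */
TM_NORETURN void tm_assert_fail(const char *expr, const char *file, int line);

#define TM_ASSERT(cond) \
    do { if (!(cond)) tm_assert_fail(#cond, __FILE__, __LINE__); } while (0)

/* Fix 2: a Coverity modeling entry. This branch is not part of the normal
 * build; it is seen only when Coverity's cov-build defines __COVERITY__.
 * Projects usually keep such models in a separate file handed to
 * cov-make-library; it is inlined here so the example is self-contained.
 * __coverity_panic__() is the primitive meaning "this call does not
 * return", which is what removes the spurious reports for functions whose
 * declaration you cannot change (e.g. a third-party library's assert). */
#ifdef __COVERITY__
void __coverity_panic__(void);
TM_NORETURN void tm_assert_fail(const char *expr, const char *file, int line)
{
    (void)expr; (void)file; (void)line;
    __coverity_panic__();
}
#else
/* Real handler: report and abort, never return. */
TM_NORETURN void tm_assert_fail(const char *expr, const char *file, int line)
{
    fprintf(stderr, "%s:%d: assertion '%s' failed\n", file, line, expr);
    abort();
}
#endif

/* Returns the length of the tag's name. The precondition checks guard the
 * dereference; with tm_assert_fail() known to be non-returning there is no
 * path on which tag or tag->name is NULL at the strlen() call. */
size_t tag_name_length(const Tag *tag)
{
    TM_ASSERT(tag != NULL);
    TM_ASSERT(tag->name != NULL);
    return strlen(tag->name);
}

/* Counts tags whose name starts with prefix, exercising the helper above. */
size_t count_tags_with_prefix(const Tag *tags, size_t n, const char *prefix)
{
    size_t plen = strlen(prefix), hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (tag_name_length(&tags[i]) >= plen &&
            strncmp(tags[i].name, prefix, plen) == 0)
            hits++;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample tag table. */
    const Tag tags[] = { { "main" }, { "tm_tag_new" }, { "tm_tag_free" }, { "utils_strip" } };
    size_t n = sizeof tags / sizeof tags[0];
    printf("tags with prefix \"tm_\": %zu\n", count_tags_with_prefix(tags, n, "tm_"));
    return 0;
}
```

Where the assertion handler is your own code, fix 1 is the better choice: the noreturn declaration is honoured by every compiler and analyzer and needs no tool-specific file. The modeling file is the fallback for handlers you cannot annotate, and pairs with the "False Positive" / "Intentional" triage classification in the Scan UI for the residue that no model can express.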
Hey,
On 12/02/2015 22:21, Liviu Andronic wrote:
Dear all, Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service: https://scan.coverity.com/projects/1388
Quoting Coverity's Scan User Agreement:
"You will not publish any findings regarding or resulting from use of the Service or the Software;"
IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list. And your report about what it did find in Geany's code is already a violation of that agreement.
More, just for the fun:
"“Confidential Information” means: […] (d) any results of operation from use of the Software or the Service;"
"Without limiting the generality of the foregoing, You agree that You will not post […] the results of the Service […] on any network that is accessible by anyone."
And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
So… really?
Regards, Colomban
PS: Of course one will tell me that "in practice" they won't come after us for discussing a fix, but if it really is against the UA I'd rather not try and see what happens.
On 26/02/2015 19:18, Colomban Wendling wrote:
[…]
Quoting Coverity's Scan User Agreement:
"You will not publish any findings regarding or resulting from use of the Service or the Software;"
IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list.
OK, someone gave me the argument "well but it's just to avoid security vulnerability disclosure", but even if it was true (the UA really isn't specific on this), as the UA is written I don't think we could *ever* talk about *anything* we see there. Not even days after an actual bug was found, nor ever -- which in addition to being silly disallows discussion on how not to reproduce it in the future.
[…]
And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
Hum, I tried to register with my GitHub account just to see if I'd get a link to these mythical Scan Terms of Use during the process, and… I didn't have to accept *anything*, no nothing, like click and boom "you're registered". So apparently now I do have an account there -- but I still can't find these Scan Terms of Use.
Colomban
Hi Colomban,
On Thu, Feb 26, 2015 at 10:55 PM, Colomban Wendling lists.ban@herbesfolles.org wrote:
On 26/02/2015 19:18, Colomban Wendling wrote:
[…]
Quoting Coverity's Scan User Agreement:
"You will not publish any findings regarding or resulting from use of the Service or the Software;"
IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list.
OK, someone gave me the argument "well but it's just to avoid security vulnerability disclosure", but even if it was true (the UA really isn't specific on this), as the UA is written I don't think we could *ever* talk about *anything* we see there. Not even days after an actual bug was found, nor ever -- which in addition to being silly disallows discussion on how not to reproduce it in the future.
Nice catch. I sent a request for clarification to the Scanner admins.
[…]
And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
Hum, I tried to register with my GitHub account just to see if I'd get a link to these mythical Scan Terms of Use during the process, and… I didn't have to accept *anything*, no nothing, like click and boom "you're registered". So apparently now I do have an account there -- but I still can't find these Scan Terms of Use.
I guess you're looking for this: http://www.coverity.com/terms-of-use/
They seem broad enough to cover the Scanner, too.
Liviu
Colomban
On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling lists.ban@herbesfolles.org wrote:
Hey,
On 12/02/2015 22:21, Liviu Andronic wrote:
Dear all, Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service: https://scan.coverity.com/projects/1388
Quoting Coverity's Scan User Agreement:
"You will not publish any findings regarding or resulting from use of the Service or the Software;"
IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list. And your report about what it did find in Geany's code is already a violation of that agreement.
More, just for the fun:
"“Confidential Information” means: […] (d) any results of operation from use of the Software or the Service;"
"Without limiting the generality of the foregoing, You agree that You will not post […] the results of the Service […] on any network that is accessible by anyone."
And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
So… really?
Regards, Colomban
PS: Of course one will tell me that "in practice" they won't come after us for discussing a fix, but if it really is against the UA I'd rather not try and see what happens.
I haven't gotten any reply to my request for clarification. But I've also discussed this issue with LyX devels.
The opinion there is that it's common sense to simply ignore the overly restrictive aspects of Coverity's User Agreement. It's highly unlikely that they'll come chasing for discussing a bug on the ML, and if they do, this shall be incredibly negative PR for them given all the efforts that they make to attract the open-source community. Given that very big projects use Coverity regularly, like LibreOffice or the Linux Kernel, perhaps it's not worth stressing too much about this.
Of course Geany maintainers are free to choose their stance on this issue. And if you're unhappy with the current situation, I could as well try to ask them to remove Geany from their service. Another way would be, for instance, to set up a dedicated, private ML (e.g. geany-dev-coverity) to which only members with access to Coverity can post/read. This should avoid most of the nagging related to their UA.
Cheers, Liviu
On 15-03-07 12:59 PM, Liviu Andronic wrote:
On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling lists.ban@herbesfolles.org wrote:
Hey,
On 12/02/2015 22:21, Liviu Andronic wrote:
Dear all, Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service: https://scan.coverity.com/projects/1388
Quoting Coverity's Scan User Agreement:
"You will not publish any findings regarding or resulting from use of the Service or the Software;"
IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list. And your report about what it did find in Geany's code is already a violation of that agreement.
More, just for the fun:
"“Confidential Information” means: […] (d) any results of operation from use of the Software or the Service;"
"Without limiting the generality of the foregoing, You agree that You will not post […] the results of the Service […] on any network that is accessible by anyone."
And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
So… really?
Regards, Colomban
PS: Of course one will tell me that "in practice" they won't come after us for discussing a fix, but if it really is against the UA I'd rather not try and see what happens.
I haven't gotten any reply to my request for clarification. But I've also discussed this issue with LyX devels.
The opinion there is that it's common sense to simply ignore the overly restrictive aspects of Coverity's User Agreement. It's highly unlikely that they'll come chasing for discussing a bug on the ML, and if they do, this shall be incredibly negative PR for them given all the efforts that they make to attract the open-source community. Given that very big projects use Coverity regularly, like LibreOffice or the Linux Kernel, perhaps it's not worth stressing too much about this.
Of course Geany maintainers are free to choose their stance on this issue. And if you're unhappy with the current situation, I could as well try to ask them to remove Geany from their service. Another way would be, for instance, to set up a dedicated, private ML (e.g. geany-dev-coverity) to which only members with access to Coverity can post/read. This should avoid most of the nagging related to their UA.
Hi,
It's unclear what advantage Coverity has over just running Clang Static Analyzer and their various sanitizers. Is it just for the web UI or something?
Cheers, Matthew Brush
On Sat, Mar 7, 2015 at 10:30 PM, Matthew Brush mbrush@codebrainz.ca wrote:
On 15-03-07 12:59 PM, Liviu Andronic wrote:
On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling lists.ban@herbesfolles.org wrote:
Hey,
On 12/02/2015 22:21, Liviu Andronic wrote:
Dear all, Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service: https://scan.coverity.com/projects/1388
Quoting Coverity's Scan User Agreement:
"You will not publish any findings regarding or resulting from use of the Service or the Software;"
IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list. And your report about what it did find in Geany's code is already a violation of that agreement.
More, just for the fun:
"“Confidential Information” means: […] (d) any results of operation from use of the Software or the Service;"
"Without limiting the generality of the foregoing, You agree that You will not post […] the results of the Service […] on any network that is accessible by anyone."
And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
So… really?
Regards, Colomban
PS: Of course one will tell me that "in practice" they won't come after us for discussing a fix, but if it really is against the UA I'd rather not try and see what happens.
I haven't gotten any reply to my request for clarification. But I've also discussed this issue with LyX devels.
The opinion there is that it's common sense to simply ignore the overly restrictive aspects of Coverity's User Agreement. It's highly unlikely that they'll come chasing for discussing a bug on the ML, and if they do, this shall be incredibly negative PR for them given all the efforts that they make to attract the open-source community. Given that very big projects use Coverity regularly, like LibreOffice or the Linux Kernel, perhaps it's not worth stressing too much about this.
Of course Geany maintainers are free to choose their stance on this issue. And if you're unhappy with the current situation, I could as well try to ask them to remove Geany from their service. Another way would be, for instance, to set up a dedicated, private ML (e.g. geany-dev-coverity) to which only members with access to Coverity can post/read. This should avoid most of the nagging related to their UA.
Hi,
It's unclear what advantage Coverity has over just running Clang Static Analyzer and their various sanitizers. Is it just for the web UI or something?
People say it's "powerful"... I guess it's capable of detecting issues other tools don't. It also helps devels quite a bit to understand the underlying issue and how to address it.
From the other projects that are on Coverity, I hear nice things overall from the devels, namely that it's "useful". In other instances, it mainly identifies "trivial" coding issues (which, hopefully, points to the code base being robust).
Cheers, Liviu
Cheers, Matthew Brush
Another way would be, for instance, to set up a dedicated, private ML (e.g. geany-dev-coverity) to which only members with access to Coverity can post/read. This should avoid most of the nagging related to their UA.
Dedicated private lists are not the way to go with open source projects; almost everything, especially development, should be open to all.
Selectively ignoring UAs also sends entirely the wrong message; perhaps it's ok to ignore the GPL as well?
Essentially the Coverity UA does not seem to be compatible with the Geany (and much open source) development model. That's sad, but that's life.
Cheers Lex
Cheers, Liviu
-- Do you think you know what math is? http://www.ideasroadshow.com/issues/ian-stewart-2013-08-02 Or what it means to be intelligent? http://www.ideasroadshow.com/issues/john-duncan-2013-08-30 Think again: http://www.ideasroadshow.com/library