Mailinglist Archive: opensuse (1470 mails)

< Previous Next >
Re: [opensuse] Now what? Glibc bug, vulnerability
On 02/18/2016 10:37 PM, Greg Freemyer wrote:
I'm curious. Coverty has been sending out linux kernel reports since
2006 (10 years). With each scan I believe they report both still
existing issues and newly identified issues.

Are you saying:

- Most of the still unfixed Coverty identified issues are BS.

- Most of the newly identified issues are BS

I can't tell neither for the Linux kernel not for glibc; we're using
Coverity in the upstream coreutils project. There are many non-issues
reported (which can be marked as "triaged" and therefore would show up
as such in newer scan results), but certain warnings - like array-out-
of-bounds messages or about resource leaks - are quite useful.

OTOH, skimming through
git log| grep -iC10 coverity
there are ~90% of changes avoiding a "theoretical" issue or helping
the scanner to interpret a situation correctly.

Like with any other tool, you have to find a balance as to how much
you want to obscure/annotate your code to help static analyzers or not.
That means this is about pacifying a tool to avoid false positives.
The plus I'm appreciating in Coverity is to see new warnings regarding
changed code compared to the previous scan.

Have a nice day,
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >