On 02/18/2016 10:37 PM, Greg Freemyer wrote:
I'm curious. Coverity has been sending out Linux kernel reports since 2006 (10 years). With each scan I believe they report both still-existing issues and newly identified issues.
Are you saying:
- Most of the still unfixed Coverity-identified issues are BS.
- Most of the newly identified issues are BS.
I can't tell, neither for the Linux kernel nor for glibc; we're using Coverity in the upstream coreutils project. There are many non-issues reported (which can be marked as "triaged" and therefore would show up as such in newer scan results), but certain warnings, like array-out-of-bounds messages or about resource leaks, are quite useful.

OTOH, skimming through `git log | grep -iC10 coverity`, ~90% of the changes are avoiding a "theoretical" issue or helping the scanner to interpret a situation correctly. Like with any other tool, you have to find a balance as to how much you want to obscure/annotate your code to help static analyzers or not. That means this is about pacifying a tool to avoid false positives.

The plus I'm appreciating in Coverity is to see new warnings regarding changed code compared to the previous scan.

Have a nice day,
Berny