[postgis-devel] Static Analysis

Mark Cave-Ayland mark.cave-ayland at ilande.co.uk
Fri May 6 01:55:50 PDT 2016


On 05/05/16 19:06, Paul Ramsey wrote:

> Hey Devs,
> 
> Are we interested in receiving static analysis reports (Coverity) on
> the PostGIS code base?
> 
> The folks at CrunchyData are willing to stick-handle the bureaucracy
> around getting Coverity account for the project and a system set up to
> regularly pass the PostGIS code base through Coverity static analysis.
> Coverity provides free (as in beer) accounts for open source projects,
> so the actual Coverity "account" would be the PostGIS project's and
> the PSC would control it.
> 
> Anyways, other than providing an annoying list of things we should do
> (gah!) I see no downside to having some more information on our code
> cleanliness/security. Unlike the transifex stuff, there'd be no
> dependencies on a foreign system, since if Coverity ever shut off our
> access we'd be no worse off than we are right now.
> 
> Thoughts?

Definitely! I suspect that there will be a number of things to check
after the first scan which may take some time. Note that Coverity does
produce false positives, so perhaps some thought should be given as to
whether we should aim for a "clean" scan to the point where we can add
annotations to the code for cases like these.


ATB,

Mark.
