[postgis-devel] Static Analysis

Paul Norman penorman at mac.com
Fri May 6 17:30:36 PDT 2016


On 5/5/2016 11:06 AM, Paul Ramsey wrote:
> Hey Devs,
>
> Are we interested in receiving static analysis reports (Coverity) on
> the PostGIS code base?
>
> The folks at CrunchyData are willing to stick-handle the bureaucracy
> around getting Coverity account for the project and a system set up to
> regularly pass the PostGIS code base through Coverity static analysis.
> Coverity provides free (as in beer) accounts for open source projects,
> so the actual Coverity "account" would be the PostGIS project's and
> the PSC would control it.
>
> Anyways, other than providing an annoying list of things we should do
> (gah!) I see no downside to having some more information on our code
> cleanliness/security. Unlike the transifex stuff, there'd be no
> dependencies on a foreign system, since if Coverity ever shut off our
> access we'd be no worse off than we are right now.

We've used Coverity with osm2pgsql, both when it was a C project and
with the new C++ code. Once you get it set up properly, there's a
reasonably low false positive rate. I suspect PostGIS will require a
modeling file (https://scan.coverity.com/tune) for some stuff
implemented in PostgreSQL.

I found Clang's static analysis more useful, but less comprehensive.
Another effort that was done at about the same time was to compile with
-Wall -Werror to enforce having zero warnings, and that caught a lot of
problems that I think Coverity would have also spotted.