[Qgis-psc] 2025 Grant: Coverity Scan cleanup final report
Nyall Dawson
nyall.dawson at gmail.com
Sun Nov 9 17:34:59 PST 2025
Hi PSC,
I'd like to report the successful conclusion of the 2025 funding grant for
QEP 337: Coverity Scan cleanup!
As detailed in the original proposal, this project has seen a massive
cleanup to the QGIS code base via hundreds of fixes to issues reported by
the Coverity Scan tool.
From the original 1075 issues identified by Coverity Scan at the start of
the project, we are now down to 145 remaining outstanding issues. All false
positive issues have been marked accordingly, and many fixes submitted to
QGIS to remedy valid issues in the QGIS code.
The remaining issues are either non-trivial to fix (i.e. requiring large
architectural changes) or ambiguous (in that the original intention of the
code is not clear, and I'm unable to determine if the issues are valid or
working as expected). It is hoped that by clearing out the bulk of the
Coverity results, future bug fixing efforts will be able to focus attention
on these remaining issues and eventually lead to QGIS achieving "Coverity
Clean" status.
All applicable (and safe!) fixes have been backported to stable QGIS
releases too.
As part of this project, several downstream projects also saw fixes
submitted:
- The MDAL library is now completely "Coverity clean", with no outstanding
issues remaining. Coverity Scan is now run on the MDAL codebase on a weekly
basis, in order to quickly identify and remedy any issues in any newly
introduced code.
- Fixes and performance improvements have been submitted to the laz-perf,
untwine, PDAL wrench and tinygltf libraries.
As detailed in the original proposal, an investigation was also conducted
to determine whether it is possible to automatically run the Coverity Scan
tool on a weekly basis as a GitHub action for QGIS. My finding was that
this is NOT possible to achieve via GitHub actions, as the compilation
using the Coverity cov-build tool ends up exceeding the maximum available
space on the workflow runners (see
https://github.com/nyalldawson/QGIS/tree/coverity_workflow for the
attempted workflow configuration).
While not part of the original proposal or grant, I will continue to run
Coverity Scan on an ad-hoc basis on the QGIS codebase in order to quickly
identify and resolve any newly introduced issues.
My thanks to the PSC and QGIS sponsors for making this work possible!
Kind regards,
Nyall