On 4/15/21 1:07 PM, Kamil Dudka wrote:
> People maintaining their own medium-size projects can easily play with this.
> I am in a different situation when I need to scan 3700 distinct projects and
> approx. 480 million lines of code with more or less the same manpower ;-)

I can appreciate the amount of work it takes to maintain all that scanning. Still, we have to be careful here not to let the tail wag the dog. The false-alarm rate from Coverity is too high for us to install patches needed only to pacify Coverity. Similarly for GCC with all its warning flags enabled.

> we would have to maintain such exclusion lists per project.

My guess is that overall this would be less work than the work of installing and reliably maintaining patches that pacify all combinations of Coverity and 'gcc -Wall -Wextra -Wetc' flags used by any downstream projects, without breaking or slowing down anything in any project. (But of course messing with exclusion lists would be work that you'd have to do, rather than us. :-)
