On Wed, 8 Jun 2022 08:35:45 +0000 "Mcnamara, John" <john.mcnam...@intel.com> wrote:
> > -----Original Message----- > > From: Thomas Monjalon <tho...@monjalon.net> > > Sent: Wednesday, June 8, 2022 9:23 AM > > To: Stephen Hemminger <step...@networkplumber.org> > > Cc: dev@dpdk.org; Mcnamara, John <john.mcnam...@intel.com>; > > david.march...@redhat.com > > Subject: Re: Lgtm scan of DPDK > > > > 28/05/2022 01:12, Stephen Hemminger: > > > I just discovered that there is another tool similar to Coverity for > > scanning. > > > It gives different results, and might be useful. > > > The scans of github open source projects is already done. > > > > > > See: https://lgtm.com/projects/g/DPDK/dpdk > > > > > > Shows 19 errors, 263 warnings and 111 recommendations. > > > > > > Of course, some of these are bogus. For example, tool thinks are scripts > > are Python 2. > > > > The problem is that we already invest some time in Coverity triage to mark > > false positives. > > Can you check whether this tool has some false positives? > > We looked at this tool a few years ago. > > Some of the good points were: > > * It is automatic and runs independently > * It did find some genuine issues > * Issues have the commit ID associated with them so you could assign them > to > > One of the main disadvantages was: > > * False positives can only be marked with a comment in the code > > Nevertheless it is probably worth folks evaluating the issues in their own > areas of code and in particular any of the Errors. > > John Some background on why I looked at this. LGTM became Codeql which is now owned by Microsoft. Our internal build system now runs Codeql on all builds, mostly as a security scan. Long term would like to make DPDK upstream clean (so the team doesn't get false warnings) and engage Codeql if possible to resolve the issues on their side (like the Python noise). For now, will try to filter out anything that gets marked
