> The main idea is to monitor repositories, and when a new package or
> a new version of an existing package is released, we download the package
> source code, and run several static analyzers on it. Each monitored
> distribution will be a kiskadee plugin, that implements an interface that
> we will define. The result of these analyses, which is parsed using the
> Fedora Firehose project, will be stored in a relational database (this idea
> has been discussed a while ago in the devel mailing lists, by the guys in
> the Static Analysis SIG [2]). With this database several analyses can be
> made, and by using several static analyzers we want to find heuristics to
> identify false positives (this is not part of GSoC though).

Having myself recently found a bug in zlib thanks to static analysis I
was a bit surprised that such a critical library wouldn't get more
"static" eyes on it.

> A similar tool exists in the Debian distribution, but it is way
> dependent on their infrastructure, and one of our objectives is to keep
> kiskadee simple, and extensible.

Naive question, but wouldn't it be interesting to piggyback on
release-monitoring.org and fedmsg for the monitoring part? And start
static analysis when notified of new upstream releases?

Interesting project all the same!

Dridi
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
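The pipeline the quoted proposal sketches (a per-distribution plugin interface, analyzer output parsed from Firehose-style XML, issues stored in a relational database, with the "new release" feed abstracted so a notification source such as the one suggested in the reply could drive it) as an added, self-contained example. This is not kiskadee's code: the `Plugin` interface, the `FakeDistro` plugin, the analyzer stand-in, the SQLite schema and the sample report are all constructed here, and the XML is a simplified rendition of Firehose's layout rather than a schema-exact document.

```python
"""Constructed sketch of a monitor -> fetch -> analyze -> parse -> store pipeline."""
import sqlite3
import xml.etree.ElementTree as ET
from abc import ABC, abstractmethod
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    name: str
    version: str
    source_url: str


class Plugin(ABC):
    """Assumed shape of a per-distribution plugin: find new releases, fetch source."""

    @abstractmethod
    def new_releases(self, seen):
        """Return releases not yet in `seen` (a set of (name, version) tuples)."""

    @abstractmethod
    def fetch_source(self, release):
        """Download the source and return the directory it was unpacked into."""


class FakeDistro(Plugin):
    """Constructed plugin: serves an in-memory list instead of polling a feed."""

    def __init__(self, releases):
        self._releases = list(releases)

    def new_releases(self, seen):
        return [r for r in self._releases if (r.name, r.version) not in seen]

    def fetch_source(self, release):
        # Placeholder path; a real plugin would download and unpack the tarball.
        return f"/tmp/src/{release.name}-{release.version}"


# Constructed Firehose-style report standing in for a real analyzer's output.
SAMPLE_REPORT = """<analysis>
  <metadata>
    <generator name="example-analyzer" version="0.1"/>
  </metadata>
  <results>
    <issue test-id="null-deref" severity="warning">
      <message>Possible NULL dereference</message>
      <location><file given-path="inflate.c"/><point line="42" column="7"/></location>
    </issue>
    <issue test-id="leak">
      <message>Memory leak</message>
      <location><file given-path="deflate.c"/><point line="100" column="1"/></location>
    </issue>
  </results>
</analysis>"""


def run_analyzer(source_dir):
    """Stand-in for invoking a static analyzer on source_dir; returns its report."""
    return SAMPLE_REPORT


def parse_firehose(xml_text):
    """Flatten the report into one dict per issue, carrying the analyzer name."""
    root = ET.fromstring(xml_text)
    analyzer = root.find("./metadata/generator").get("name")
    issues = []
    for issue in root.findall("./results/issue"):
        loc = issue.find("location")
        point = loc.find("point")
        issues.append({
            "analyzer": analyzer,
            "test_id": issue.get("test-id"),
            "severity": issue.get("severity"),  # None when the analyzer omits it
            "message": issue.findtext("message"),
            "file": loc.find("file").get("given-path"),
            "line": int(point.get("line")),
            "column": int(point.get("column")),
        })
    return issues


def new_database(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS issue (
        package TEXT, version TEXT, analyzer TEXT, test_id TEXT, severity TEXT,
        message TEXT, file TEXT, line_no INTEGER, col_no INTEGER)""")
    return conn


def store(conn, release, issues):
    conn.executemany(
        "INSERT INTO issue VALUES (?,?,?,?,?,?,?,?,?)",
        [(release.name, release.version, i["analyzer"], i["test_id"], i["severity"],
          i["message"], i["file"], i["line"], i["column"]) for i in issues])
    conn.commit()


def run_pipeline(plugin, conn, seen):
    """Process every unseen release; returns the number of issues stored."""
    stored = 0
    for rel in plugin.new_releases(seen):
        issues = parse_firehose(run_analyzer(plugin.fetch_source(rel)))
        store(conn, rel, issues)
        seen.add((rel.name, rel.version))
        stored += len(issues)
    return stored


def issues_for(conn, package):
    """Query the database the way a later cross-analyzer comparison would."""
    return conn.execute(
        "SELECT analyzer, test_id, file, line_no FROM issue "
        "WHERE package = ? ORDER BY line_no", (package,)).fetchall()


if __name__ == "__main__":
    db = new_database()
    plugin = FakeDistro([Release("zlib", "1.2.11", "https://example.invalid/zlib.tar.gz")])
    seen = set()
    print(run_pipeline(plugin, db, seen), "issues stored")
    for row in issues_for(db, "zlib"):
        print(row)
```

Keeping `analyzer` as a column is what makes the later false-positive heuristics possible: once several analyzers report into the same table, a query grouping by file and line shows which findings are corroborated and which come from a single tool.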