Kyle McDonald writes:

> I don't know for sure, but Coverity's competitor Klocwork
> (www.klocwork.com) probably also does open-source scans, and might be
> willing to scan a project that Coverity had rejected. Personally I
> prefer Klocwork, but really any static analysis is better than none.
Both security and static correctness checks are done on OpenSolaris code regularly using lint. It's not as if there are just "none."

What Coverity offers (and what I'd expect Klocwork does; I've never used their tool) is a deeper analysis of code paths and variable usage. In my experience, it's hard stuff to use: it can run for days on 'non-trivial' code, and even with tweaking it produces a fair number of false positives. On the plus side, there are nuggets of gold buried in the voluminous reports generated.

The question is whether you want to invest your time and money into eyeballing those (and teaching all developers how to cope with slow run times and complicated output), or put more effort into traditional design and code reviews.

Added on top of that is the fact that we've already got thousands of unfixed bugs in the database. The only thing a static checker can really do is add more bug reports. If we're not reducing the ones found by traditional testing to zero, then what's the use in adding more to the list?

I don't think it's as simple a trade-off as you might expect, though if someone offered something for "free," it'd be hard to say "no."

--
James Carlson, Solaris Networking              <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

_______________________________________________
opensolaris-code mailing list
opensolaris-code@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
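The difference James describes between a lint-style checker and a tool that follows code paths is easiest to see on the classic "correlated conditions" pattern, where a variable is assigned under a condition and later read under the same condition. The toy checker below is an added illustration written for this thread, not code from Coverity, Klocwork, lint or OpenSolaris; the three-address IR, the statement tuples and the sample programs are all constructed here. It runs a path-insensitive "may be uninitialized" dataflow (which merges branches at each join and therefore flags the safe pattern as a false positive) next to a path-sensitive check that enumerates the truth assignments of the condition variables, which is why the deeper analysis is both more precise and far more expensive.

```python
"""Path-insensitive vs path-sensitive 'may be uninitialized' checking on a toy IR.

Toy IR (constructed for this example):
    ("assign", name)                       -- name receives a value
    ("use", name)                          -- name is read
    ("if", cond, then_block, else_block)   -- cond is a boolean variable name
"""
from itertools import product


def may_be_uninit_path_insensitive(block, defined=frozenset()):
    """Forward dataflow over definitely-assigned variables.

    Branches are merged at the join by intersection, so anything assigned on only
    one side is treated as unassigned afterwards. Returns (warnings, defined_after).
    """
    warnings = []
    for stmt in block:
        kind = stmt[0]
        if kind == "assign":
            defined = defined | {stmt[1]}
        elif kind == "use":
            if stmt[1] not in defined:
                warnings.append(stmt[1])
        elif kind == "if":
            w_then, d_then = may_be_uninit_path_insensitive(stmt[2], defined)
            w_else, d_else = may_be_uninit_path_insensitive(stmt[3], defined)
            warnings += w_then + w_else
            defined = d_then & d_else  # only what both branches guarantee survives the join
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return warnings, defined


def _conditions(block):
    """Collect every condition variable mentioned in a block (recursively)."""
    conds = set()
    for stmt in block:
        if stmt[0] == "if":
            conds.add(stmt[1])
            conds |= _conditions(stmt[2]) | _conditions(stmt[3])
    return conds


def _walk(block, env, defined):
    """Execute one concrete path chosen by env (condition name -> bool)."""
    warnings = []
    for stmt in block:
        kind = stmt[0]
        if kind == "assign":
            defined = defined | {stmt[1]}
        elif kind == "use":
            if stmt[1] not in defined:
                warnings.append(stmt[1])
        elif kind == "if":
            branch = stmt[2] if env[stmt[1]] else stmt[3]
            w, defined = _walk(branch, env, defined)
            warnings += w
    return warnings, defined


def may_be_uninit_path_sensitive(block):
    """Enumerate every truth assignment of the condition variables (2**k paths).

    A use is reported only if some path reaches it with the variable unassigned.
    Assumption of this toy: condition variables are never reassigned in the block.
    """
    conds = sorted(_conditions(block))
    warnings = set()
    for values in product([False, True], repeat=len(conds)):
        env = dict(zip(conds, values))
        w, _ = _walk(block, env, frozenset())
        warnings.update(w)
    return sorted(warnings)


# Constructed sample: the correlated-conditions pattern, safe in practice.
#   if (flag) x = compute();   y = ...;   if (flag) use(x);
CORRELATED = [
    ("if", "flag", [("assign", "x")], []),
    ("assign", "y"),
    ("if", "flag", [("use", "x")], []),
]

# Constructed sample with a real defect: x is read on the path where flag is false.
REAL_BUG = [
    ("if", "flag", [("assign", "x")], []),
    ("use", "x"),
]

if __name__ == "__main__":
    for name, prog in (("CORRELATED", CORRELATED), ("REAL_BUG", REAL_BUG)):
        print(name, "path-insensitive:", may_be_uninit_path_insensitive(prog)[0],
              "path-sensitive:", may_be_uninit_path_sensitive(prog))
```

On the safe program the path-insensitive pass reports `x` (the false positive a developer would have to triage), while the path-sensitive pass reports nothing; on the buggy program both report `x`. The cost side of the trade-off is visible in `may_be_uninit_path_sensitive`: it visits 2**k paths for k condition variables, which is the toy version of why path-aware tools can take days on non-trivial code and why real ones resort to summaries, path merging and timeouts.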