James Carlson <[EMAIL PROTECTED]> wrote:
> Kyle McDonald writes:
> > I don't know for sure, but Coverity's competitor KlocWork
> > (www.klocwork.com) probably also does open-source scans, and might be
> > willing to scan a project that Coverity had rejected. Personally I
> > prefer KlocWork, but really any static analysis is better than none.
>
> Both security and static correctness checks are done on OpenSolaris
> code regularly using lint. It's not as if there are just "none."
>
> What Coverity offers (and what I'd expect Klocwork does; I've never
> used their tool) is a deeper analysis of code paths and variable
> usage. In my experience, it's hard stuff to use: it can run for days
> on 'non-trivial' code, and even with tweaking it produces a fair
> number of false positives.
>
> On the plus side, there are nuggets of gold buried in the voluminous
> reports generated. The question is whether you want to invest your
> time and money into eyeballing those (and teaching all developers how
> to cope with slow run times and complicated output), or put more
> effort into traditional design and code reviews.
It took me ~3 days to work on the Coverity results for cdrtools. 166000 lines of code -> 144 reports that include ~40 false positives and many coding style matches. In total, it did find ~20 important problems. None of them was a real security problem.

If you would like to scan Solaris ON and work on the results, this would probably take one man-year.

Jörg

-- 
 EMail:[EMAIL PROTECTED] (home) Jörg Schilling D-13353 Berlin
       [EMAIL PROTECTED] (uni)
       [EMAIL PROTECTED] (work) Blog: http://schily.blogspot.com/
 URL:  http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
_______________________________________________
opensolaris-code mailing list
opensolaris-code@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/opensolaris-code
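The thread contrasts lint-style checking with the "deeper analysis of code paths and variable usage" that Coverity-class tools perform. The C file below is an added illustration of that difference, not code from the thread, from cdrtools or from OpenSolaris: a constructed key=value record parser (`lookup_value`, `port_for_host_unchecked`, `port_for_host` and the sample records are all hypothetical names and data) where the "before" function is well-typed and passes a type-level lint pass, yet dereferences a pointer that is NULL on the field-missing path and leaks a heap buffer on the early return. Those are exactly the path-dependent findings a path-sensitive analyzer reports. The "after" function shows the conventional fix: handle the miss path explicitly and funnel every exit through one cleanup label.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample parser. Returns a heap copy of the value for `key`
 * in a "k1=v1;k2=v2" record, or NULL when the key is absent. Caller frees. */
static char *lookup_value(const char *record, const char *key)
{
    size_t klen = strlen(key);
    const char *p = record;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t flen = end ? (size_t)(end - p) : strlen(p);
        if (flen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = flen - klen - 1;
            char *v = malloc(vlen + 1);
            if (v == NULL)
                return NULL;
            memcpy(v, p + klen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return NULL;
}

/* BEFORE (defective on purpose): compiles cleanly and is well-typed, so a
 * shallow lint pass has nothing to say. A path-sensitive analyzer reports
 * two things: `port` is NULL on the path where the record has no "port"
 * field and is then dereferenced by strtol, and the `host` buffer leaks on
 * every return after it is allocated. Not called by main. */
long port_for_host_unchecked(const char *record)
{
    char *host = lookup_value(record, "host");
    char *port = lookup_value(record, "port");
    if (host == NULL)
        return -1;                      /* leaks `port` when present */
    long n = strtol(port, NULL, 10);    /* NULL dereference when absent */
    free(port);
    return n;                           /* leaks `host` */
}

/* AFTER: the miss path is handled explicitly and every exit funnels
 * through one cleanup label, so no path can leak or dereference NULL.
 * Returns 0 on success (port stored in *out), -1 when a field is missing. */
int port_for_host(const char *record, long *out)
{
    int rc = -1;
    char *host = lookup_value(record, "host");
    char *port = lookup_value(record, "port");
    if (host == NULL || port == NULL)
        goto cleanup;
    *out = strtol(port, NULL, 10);
    rc = 0;
cleanup:
    free(host);   /* free(NULL) is a defined no-op */
    free(port);
    return rc;
}

int main(void)
{
    long port = 0;
    const char *good = "host=build1;port=8080";  /* constructed record */
    const char *bad  = "host=build1";            /* constructed, no port */
    int rc = port_for_host(good, &port);
    printf("good: rc=%d port=%ld\n", rc, port);
    rc = port_for_host(bad, &port);
    printf("bad:  rc=%d\n", rc);
    return 0;
}
```

Compile with `cc -Wall -Wextra` and note that the compiler accepts both versions without complaint; the defects in the "before" function only surface when something reasons about which values each path can carry, which is the analysis the thread is weighing against its run time and its false-positive load.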