scan.coverity

scan.coverity (Coverity Scan) is a static code analysis service.
The analysis tool is free to use for open source software, and a
website with a defect management interface is provided to track the
reported defects.

The defect management web interface is a bit hard to use.

On the scan.coverity.com website, you can select the 'add me to the project'
button in order to be an Observer (can view the defect summary), a Defect viewer
(can view all of the defects), a Contributor/Member (can triage defects) or
an Admin (can submit new builds).

scan.coverity supports what they call "models", short chunks of code that
can indicate to the scan engine that a particular defect is intentional.
The obvious example is not freeing memory before an exit.  Rather than
classify these memory leaks as intentional, it is better to create a "model"
and prevent the defects entirely.
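As an added illustration of the "model" idea (this is example code written for this page, not a model from the Tcl project or from Coverity), the file below pairs a constructed project routine, read_config_value(), with a model for its fatal-error routine die_fatal(). On the malformed-input path the allocated buffer is deliberately left to the exiting process; without a model the analyzer reports that as a resource leak that someone would have to triage as intentional on every scan. The model definition tells the analyzer that die_fatal() terminates the program, so the defect is never reported. __coverity_panic__() and the __COVERITY__ macro are the names Coverity documents for its modeling primitive and for the macro cov-build defines; everything else (die_fatal, read_config_value, the config format) is constructed for the example. A real project routine such as Tcl_Panic would be modeled the same way, in a separate model file uploaded through the project's scan.coverity settings.

```c
/* Added example: a Coverity "model" beside the code it describes.
 * Names die_fatal() and read_config_value() are constructed for this page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __COVERITY__
/* Model file contents (in a real project this lives in its own file and is
 * compiled only by Coverity, never by the normal build).  __coverity_panic__()
 * is Coverity's documented primitive meaning "this function terminates the
 * program abnormally", so live allocations at the call site are not leaks. */
void __coverity_panic__(void);
void die_fatal(const char *msg)
{
    (void)msg;
    __coverity_panic__();
}
#else
/* Real implementation used by the program itself. */
void die_fatal(const char *msg)
{
    fprintf(stderr, "fatal: %s\n", msg);
    exit(1);
}
#endif

/* Returns a newly allocated copy of the text after '=' in a "key=value"
 * line, or NULL if allocation fails.  A line without '=' is a fatal
 * configuration error. */
char *read_config_value(const char *line)
{
    char *copy = malloc(strlen(line) + 1);
    if (copy == NULL) {
        return NULL;
    }
    strcpy(copy, line);

    char *eq = strchr(copy, '=');
    if (eq == NULL) {
        /* copy is intentionally not freed: die_fatal() ends the process.
         * Without the model above, Coverity reports a resource leak here. */
        die_fatal("malformed config line");
    }

    /* Shift the value down to the start of the buffer (overlapping copy). */
    memmove(copy, eq + 1, strlen(eq + 1) + 1);
    return copy;
}

int main(void)
{
    char *v = read_config_value("width=80"); /* constructed sample input */
    if (v == NULL) {
        return 1;
    }
    printf("value: %s\n", v);
    free(v);
    return 0;
}
```

Compiled normally, the #else branch is used and the program behaves as usual; under cov-build, which defines __COVERITY__, only the model definition of die_fatal() is seen by the analyzer. Keeping the model and the real code in one file is done here only so the example is self-contained.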
****Tcl on scan.coverity****

Website for Tcl: https://scan.coverity.com/projects/tcl?tab=overview

The Tcl code was updated after a three year hiatus on 2018-11-13.

The defects currently triaged as false positives are not actually false
positives and need to be re-reviewed.  Many of the triaged defects that
have been dismissed do not have good explanations.

****Administrators****

Andreas Kupries, Jan Nijtmans, Donal K Fellows, Brad Harder, Brad Lanam

****Process****

When triaging a defect be sure to add notes on exactly why the classification for
the defect was chosen.  Explain what happens and why the defect exists.  Remember
that the next person working on the defects doesn't know your thought process.

The scan.coverity code is quite robust and false positives are rare.  Unless you
can prove a false positive, do not choose it as a classification.

When fixing a bug, be sure to reference the scan.coverity CID number in the
check-in comments.  

****Sample Scripts for Administrators****

This is a sample build script using the coverity static analysis tool.
Note that the script removes the pkgs/ sub-directory, as the analysis
is for Tcl, not sqlite, tclodbc* or the thread package.

<<discussion>>Test Script for Coverity
======sh
#!/bin/sh

# Tcl release being analysed; the zip is named tcl869rc4.zip
ver=8.6.9
sver=869
rc=rc4

set -x

# Start from a clean unpacked tree every time
test -d tcl${ver} && rm -rf tcl${ver}
unzip -q tcl${sver}${rc}.zip

# cov-build comes from the Coverity analysis kit, not from the system PATH
PATH=$PATH:$HOME/cov/cov-analysis-linux64-2017.07/bin
export PATH

cd tcl${ver}

# The analysis is for Tcl only: drop the bundled packages
test -d pkgs && rm -rf pkgs

cd unix
make distclean 2>/dev/null || true   # no Makefile yet in a fresh tree
./configure --prefix=$HOME/cov/tcl-inst

# Wrap the build so Coverity captures every compile into cov-int/
cov-build --dir cov-int make
======
<<enddiscussion>>
<<enddiscussion>>

This is an example script to submit a build to Coverity.

The submission script should be modified to set the version and description
to what is wanted.

<<discussion>>submission script
======sh
#!/bin/bash

set -e

ver=8.6.9
rc=rc4
desc="${ver}${rc} test"

cd tcl${ver}
cd unix

# Package the cov-build output for upload
test -f cov-int.tgz && rm -f cov-int.tgz
tar cfz cov-int.tgz cov-int

# COVERITYTOKEN is the project upload token from the scan.coverity project
# settings; it is a secret, so keep this script out of version control.
curl --form token=COVERITYTOKEN \
  --form email=YOUREMAILADDRESS \
  --form file=@cov-int.tgz \
  --form version="${ver}${rc}" \
  --form description="${desc}" \
  https://scan.coverity.com/builds?project=tcl

======
<<enddiscussion>>
<<enddiscussion>>