scan.coverity

scan.coverity (Coverity Scan) is a static code analysis service. The analysis tool is free to use for open source software, and a website with a defect management interface is available to track the reported defects.

The defect management web interface is a bit hard to use.

On the scan.coverity.com website, you can select the 'add me to the project' button to request a role: Observer (can view the defect summary), Defect viewer (can view all of the defects), Contributor/Member (can triage defects) or Admin (can submit new builds).

scan.coverity supports what it calls "models", short chunks of C code that describe a function's behaviour to the analysis engine (for example, that a function never returns, or that it allocates or frees memory). The obvious case is memory that is not freed before a call to a function that exits the process. Rather than triaging each such leak as intentional, it is better to write a model for the exiting function so that the defects are not reported in the first place.
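As an added illustration, not code from the Tcl project or from this page, here is a model file for the case described above. It assumes the Tcl 8.6 prototypes of Tcl_Panic, Tcl_Alloc and Tcl_Free, and that Coverity defines the __COVERITY__ macro when it parses the file; whether Tcl's own headers already mark Tcl_Panic as not returning (which would make that part of the model redundant) is something an administrator should check against the reports.

```c
/* tcl-coverity-model.c: added example of a Coverity "model" file for Tcl.
 * Not part of the Tcl sources. Assumes Tcl 8.6 prototypes. */
#include <stddef.h>
#include <stdlib.h>

#ifdef __COVERITY__
/* Primitives understood by the analysis engine (assumed to be supplied by
 * Coverity when it parses the model, so they are only declared here). */
void  __coverity_panic__(void);
void *__coverity_alloc__(size_t size);
void  __coverity_free__(void *p);
#else
/* Stand-ins so the file also compiles with an ordinary C compiler as a
 * syntax check; Coverity never sees these definitions. */
static void  __coverity_panic__(void) { abort(); }
static void *__coverity_alloc__(size_t size) { return malloc(size); }
static void  __coverity_free__(void *p) { free(p); }
#endif

/* Tcl_Panic aborts the process and never returns. Telling the engine so
 * stops it from reporting memory that is still live at the call site as a
 * leak: nothing after this call is reachable. */
void Tcl_Panic(const char *format, ...)
{
    (void)format;
    __coverity_panic__();
}

/* Tcl_Alloc/Tcl_Free are Tcl's allocator pair (ckalloc/ckfree expand to
 * them in a non-debug build). Modelling them as an alloc/free pair lets the
 * engine track ownership of memory that passes through them instead of
 * treating them as opaque calls. */
char *Tcl_Alloc(unsigned int size)
{
    return __coverity_alloc__(size);
}

void Tcl_Free(char *ptr)
{
    __coverity_free__(ptr);
}
```

The model replaces the real implementation of each function during analysis, so keep the bodies to the primitives only. Check that the file is accepted by cov-make-library from the cov-analysis kit, then upload it as the project's modeling file through the project settings on scan.coverity.com; it applies to builds submitted afterwards.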

Tcl on scan.coverity

Website for Tcl: https://scan.coverity.com/projects/tcl?tab=overview

The Tcl build on scan.coverity was refreshed on 2018-11-13, after a hiatus of three years.

Many of the defects currently triaged as false positives are not false positives and need to be re-reviewed. Many of the triaged defects that have been dismissed lack an adequate explanation of why.

Administrators

Andreas Kupries, Jan Nijtmans, Donal K. Fellows, Brad Harder, Brad Lanam

Process

When triaging a defect, add notes on exactly why that classification was chosen: explain what the code does and why the defect exists (or why it does not). The next person working on the defects does not know your thought process.

The scan.coverity engine is quite robust and genuine false positives are rare. Unless you can demonstrate that the report is wrong, do not classify a defect as a false positive.

When fixing a bug, reference the scan.coverity CID number in the check-in comments so the fix can be matched to the defect.

Sample Scripts for Administrators

This is a sample build script using the coverity static analysis tool. Note that the script removes the pkgs/ sub-directory, as the analysis is for Tcl itself, not for the bundled sqlite, tdbc* or thread packages.

 Test Script for Coverity
#!/bin/sh

# Stop on the first error so a failed configure does not produce an empty cov-int/.
set -e
set -x

ver=8.6.9
sver=869
rc=rc4

# cov-build must be on PATH; export it so the programs it starts see it as well.
PATH=$PATH:$HOME/cov/cov-analysis-linux64-2017.07/bin
export PATH

# Start from a clean, freshly unpacked copy of the release archive.
rm -rf tcl${ver}
unzip -q tcl${sver}${rc}.zip
cd tcl${ver}

# Analyse Tcl itself, not the bundled packages (sqlite, tdbc*, thread).
rm -rf pkgs
cd unix

# A freshly unpacked tree has no Makefile, so no distclean is needed first.
./configure --prefix=$HOME/cov/tcl-inst

# Run the build under cov-build; the captured analysis data goes to cov-int/.
cov-build --dir cov-int make

This is an example script to submit a build to Coverity.

The submission script should be modified to set the version and description to what is wanted. The upload token is the project's token from scan.coverity.com; it is a credential, so the script reads it and the e-mail address from the environment rather than having them written into the file, and it should not be run with set -x, which would log the token.

 submission script
#!/bin/bash

set -e

ver=8.6.9
rc=rc4
desc="${ver}${rc} test"

# The token is a credential: keep it out of the script and out of version
# control (e.g. export COVERITY_TOKEN from a file readable only by you).
: "${COVERITY_TOKEN:?set COVERITY_TOKEN to the project upload token}"
: "${COVERITY_EMAIL:?set COVERITY_EMAIL to your scan.coverity.com address}"

cd "tcl${ver}/unix"
rm -f cov-int.tgz
tar czf cov-int.tgz cov-int

curl --form token="${COVERITY_TOKEN}" \
  --form email="${COVERITY_EMAIL}" \
  --form file=@cov-int.tgz \
  --form version="${ver}${rc}" \
  --form description="${desc}" \
  https://scan.coverity.com/builds?project=tcl