Coverity Scan (scan.coverity.com) is a static code analysis service. The analysis tool is free to use for open source software, and a website with a defect management interface is available for tracking the defects it reports.
The defect management web interface is a bit hard to use.
On the scan.coverity.com website, select the 'add me to the project' button to request one of the project roles: Observer (can view the defect summary), Defect viewer (can view all of the defects), Contributor/Member (can triage defects) or Admin (can submit new builds).
scan.coverity supports what they call "models": short chunks of code that tell the scan engine that a particular pattern is intentional. The obvious example is not freeing memory before an exit. Rather than classifying each of these memory leaks as intentional during triage, it is better to create a "model" and prevent the defects from being reported at all.
Website for Tcl: https://scan.coverity.com/projects/tcl?tab=overview
The Tcl code was updated after a three year hiatus on 2018-11-13.
The currently triaged defects classified as false positives are not false positives and need to be re-reviewed. Many of the triaged defects that have been dismissed do not have good explanations.
Andreas Kupries, Jan Nijtmans, Donal K. Fellows, Brad Harder, Brad Lanam
When triaging a defect be sure to add notes on exactly why the classification for the defect was chosen. Explain what happens and why the defect exists. Remember that the next person working on the defects doesn't know your thought process.
Coverity's analysis is quite robust and genuine false positives are rare. Unless you can prove that a report is a false positive, do not choose that classification.
When fixing a bug, be sure to reference the scan.coverity CID number in the check-in comments.
This is a sample build script using the coverity static analysis tool. Note that the script removes the pkgs/ sub-directory, as the analysis is for Tcl, not sqlite, tclodbc* or the thread package.
Test Script for Coverity:

    #!/bin/sh
    ver=8.6.9
    sver=869
    rc=rc4
    set -x
    # always start from a freshly unpacked source tree
    test -d tcl${ver} && rm -rf tcl${ver}
    unzip -q tcl${sver}${rc}.zip
    PATH=$PATH:$HOME/cov/cov-analysis-linux64-2017.07/bin
    cd tcl${ver}
    # drop the bundled packages; only Tcl itself is analysed
    test -d pkgs && rm -rf pkgs
    cd unix
    # harmless on a fresh tree, useful if the script is re-run in place
    make distclean
    ./configure --prefix=$HOME/cov/tcl-inst
    # wrap the build so Coverity captures every compilation unit into cov-int/
    cov-build --dir cov-int make
This is an example script to submit a build to Coverity.
The submission script should be modified to set the version and description to what is wanted.
Submission script:

    #!/bin/bash
    ver=8.6.9
    rc=rc4
    desc="${ver}${rc} test"
    cd tcl${ver}
    cd unix
    # remove any archive left over from a previous submission
    test -f cov-int.tgz && rm -f cov-int.tgz
    tar cfz cov-int.tgz cov-int
    curl --form token=COVERITYTOKEN \
         --form email=YOUREMAILADDRESS \
         --form file=@cov-int.tgz \
         --form version="${ver}${rc}" \
         --form description="${desc}" \
         https://scan.coverity.com/builds?project=tcl
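The script above embeds the project token in the file and carries on regardless of whether cov-build captured anything or the upload succeeded. Below is an added example (not one of the wiki's scripts) of a submission helper that reads the token from an owner-only file, checks the cov-build capture rate and the archive before uploading, and stops on the first failure. Everything not taken from the page is an assumption: the token file path $HOME/.coverity-token, that cov-build writes cov-int/build-log.txt with a summary line such as "[STATUS] 23 C/C++ compilation units (100%) are ready for analysis", and the 85% minimum capture rate.

```shell
#!/bin/sh
# Added example, not one of the wiki's scripts. Assumptions not taken from
# the page: the token is stored in $HOME/.coverity-token (mode 600), cov-build
# writes cov-int/build-log.txt with a summary line of the form
#   "[STATUS] 23 C/C++ compilation units (100%) are ready for analysis"
# and 85% is used as the minimum acceptable capture rate.
set -eu

# Print the token from a file that only its owner can read; refuse anything
# with group or other permission bits set so a shared box cannot leak it.
read_token() {
    f=$1
    [ -f "$f" ] || { echo "token file $f not found" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)   # group+other rwx fields of ls -l
    case $perms in
        ------) ;;
        *) echo "token file $f must be mode 600" >&2; return 1 ;;
    esac
    tr -d '\n' < "$f"
}

# Pull the capture percentage out of a cov-build log (empty if absent).
capture_percent() {
    sed -n 's/.*compilation units (\([0-9][0-9]*\)%).*/\1/p' "$1" | head -n 1
}

# Fail unless cov-build captured at least 85% of the compilation units;
# a partial capture means the analysis silently skips part of the tree.
check_capture() {
    pct=$(capture_percent "$1")
    [ -n "$pct" ] || { echo "no cov-build summary line in $1" >&2; return 1; }
    [ "$pct" -ge 85 ] || { echo "only ${pct}% of units captured" >&2; return 1; }
}

# Archive the cov-int directory and verify the result is non-empty.
pack_results() {
    dir=$1; out=$2
    [ -d "$dir" ] || { echo "$dir missing: run cov-build first" >&2; return 1; }
    rm -f "$out"
    tar cfz "$out" "$dir"
    [ -s "$out" ]
}

# Upload the archive. The token is never echoed; COV_DRY_RUN=1 prints a
# redacted command instead of contacting the server. --fail makes curl
# return non-zero on an HTTP error so set -e stops the script.
submit_build() {
    ver=$1; rc=$2; archive=$3; token=$4; email=$5
    if [ "${COV_DRY_RUN:-0}" = 1 ]; then
        echo "curl --form token=<redacted> --form email=$email" \
             "--form file=@$archive --form version=${ver}${rc}" \
             "--form description='${ver}${rc} test'" \
             "https://scan.coverity.com/builds?project=tcl"
        return 0
    fi
    curl --fail --silent --show-error \
        --form token="$token" --form email="$email" \
        --form file=@"$archive" --form version="${ver}${rc}" \
        --form description="${ver}${rc} test" \
        https://scan.coverity.com/builds?project=tcl
}

# Usage: sh submit.sh 8.6.9 rc4  (run from the directory holding tcl${ver}/)
if [ -n "${1:-}" ]; then
    ver=$1; rc=${2:-}
    token=$(read_token "$HOME/.coverity-token")
    cd "tcl${ver}/unix"
    check_capture cov-int/build-log.txt
    pack_results cov-int cov-int.tgz
    submit_build "$ver" "$rc" cov-int.tgz "$token" YOUREMAILADDRESS
fi
```

Passing the token as a curl argument, as the wiki's script does, still exposes it in the process list on a shared host; curl's `--form token=<file` form reads the field value from a file instead, which avoids that as long as the file has no trailing newline.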