TL;DR -- ReviewBot supports Coverity Analysis as an analyzer for C/C++

Two years ago we gradually introduced static analysis into the review phase, 
at first in MozReview and later in Phabricator. We started with 
clang-tidy for C/C++, clang-format for C/C++/Objective-{C,C++} coding style, 
Mozlint (Python, JavaScript, etc.) and, as time passed, we added Infer for 
Java.

In parallel, Mozilla has been using Coverity for more than a decade. It has found 
an impressive number of defects (at least 1017, see meta bug 1230156). Coverity 
is an accurate and comprehensive static analysis and static application 
security testing (SAST) solution that finds critical defects and security 
vulnerabilities.
Compared with the tools we previously integrated into the review 
pipeline, Coverity provides advanced checkers that are able to detect more 
complex issues (at the cost of producing false positives). 
We are excited to announce that we now run Coverity at review phase for C/C++ 
on Firefox.

An example of such an analysis can be found at: 
https://phabricator.services.mozilla.com/D23099#inline-134606 
Unlike the other checkers, please be aware that Coverity checkers have false 
positives: some checkers are usually correct, others aren't.

We await your feedback, and we are eager to learn from you which checkers 
prove to be useful and which are ignored.
We already have a few next steps in mind:
- Annotate results produced by checkers to detail the false positive ratio;
- Enable Coverity support for Java and potentially JavaScript;
- Add static analysis at review phase for other projects, like NSS.

If you encounter any issues with this new analyzer, please report bugs at 
https://mzl.la/2EbaYho.

I also take this opportunity to thank our colleagues who made this possible: 
Sylvestre, Bastien, Marco and all who contributed to this.

Thanks,
Andi

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform