Did I mention that the core of Sonar is FOSS and Coverity is proprietary? That means you can create your own scanner, your own quality profiles, your own scan rules, etc.
https://docs.sonarqube.org/display/SONAR/Quality+Profiles
https://docs.sonarqube.org/display/SONAR/Rules

You can also see what they are changing in the defaults
https://sonarcloud.io/organizations/obsidian-studiosinc-github/quality_profiles/changelog?language=c&name=Sonar+way

On Sun, 22 Apr 2018 14:22:45 +0900
Carsten Haitzler (The Rasterman) <[email protected]> wrote:

> On Sat, 21 Apr 2018 12:26:03 -0400 "William L. Thomson Jr."
> <[email protected]> said:
>
> > First off thanks to the E/EFL community for making me aware of
> > Coverity. I had not heard of it before I came to E, and noticed it
> > was in use. I quickly put it to use for any apps I was working on.
> > Though I found some things to be less than desirable.
> >
> > Like the whole getenv tainted var situation. Which there is more
> > than one way to fix, but the scanner seems to only like one way....
> > That one is super annoying from Coverity!!!
>
> you can always dismiss a bug and tell coverity to ignore it. keep a
> log why so that in future if people look at that again they can see a
> reason why it was dismissed.

Same in Sonar, and from interacting with Sonar, their devs actually look at those comments and look to make changes to the engine to correct false positives. Sonar is very responsive to feedback! They make a contact form readily available in SonarCloud...
https://about.sonarcloud.io/contact/

Unlike these jerks...
"Technical question: Post your technical question at StackOverflow"
https://scan.coverity.com/contact

Because we cannot be bothered with such technical questions... Or email us at our email address... Email the scan-admin nazi... Rather Sonar runs a community they respond to with others.
https://groups.google.com/forum/#!forum/sonarqube

> coverity isn't going to be perfect. no such analyzer will be. they
> will miss things and get false positives. the more paranoid they are
> the more false positives you get.

Both Coverity and scan-build failed to point out many things like conditionals that never change, and other actual issues. Not to mention code improvements when other functions should be used instead. Sonar is helping me address many issues Coverity never brought up...

> my experience is coverity is really good in the signal to noise ratio
> department and often finds bizarre things you may never have
> realized, but sometimes is a bit too keen on other things, but
> overall the signal to noise is good.

Real issues were NOT reported by Coverity or scan-build. This is not about false positives. This is about actual issues that both of those missed. I have improved code so much more with Sonar than I ever did with Coverity. Tremendous improvements... Hundreds of commits after I fixed everything under Coverity... This is about the quality of the end code. Not my happiness or liking one tool. Sonar points out more stuff than others. Far more stuff. Not all is critical, but all has relevance. Not like code is better without such most times.

> > Another super annoying thing about Coverity, it gives you NO clue
> > as to what to do to fix something. Nor any reason why you should.
> > Unlike Sonar which shows you how to fix an issue it points out, and
> > gives you reference documents to support why.
>
> i have never had an issue with that. i have learned to read coverity
> reports as to why the thing is an issue... you sometimes have to
> follow the code flow it's showing traces of - which branches it
> takes and why etc.

Coverity could be making up why they want you to do that stuff. Yes, following code tends to make sense. But they never refer to MISRA or other references on coding rules. Again, if you look at Sonar, you can see for others it can be extremely beneficial. Not all may have your skills. Or understand why they should use a reentrant function over a non-reentrant one. Or why to not use strcpy vs strncpy, and other things etc. I have learned a considerable amount more from Sonar. If you google, lots of others are looking at times for Coverity solutions. Never have to waste time with such. Plus Sonar gives you an estimated time to fix anything it points out.

> it doesn't tell you how to fix it.. but i've never had a problem
> figuring out a way to fix things except in very rare cases.

If you have run into the getenv/tainted var thing, you know what I mean there. There is more than one way to sanitize and untaint. It only wants a strdup vs like a snprintf or directly allocated memory etc. This is crazy how many people are looking for a solution to this common issue under Coverity...
https://duckduckgo.com/?q=coverity+getenv&t=ffab&ia=software

> > Click the 3 dots at end of text describing issue. Brings up window
> > in bottom, with description
> > https://sonarcloud.io/project/issues?id=entrance&issues=AWFzBrrtjU3w4cAunX4i&open=AWFzBrrtjU3w4cAunX4i
> >
> > Some like this will show you additional references, MISRA, etc
> > https://sonarcloud.io/project/issues?id=entrance&issues=AWFzBrrcjU3w4cAunX4K&open=AWFzBrrcjU3w4cAunX4K
> >
> > Coverity is SUPER picky on who they approve scanning for. If you are
> > not a member of a project or directly affiliated, you cannot scan.
> > That is you fork a project, or just want to scan some existing FOSS
> > project that is not scanned by Coverity. Their scan admin nazi will
> > reject it. I even had them remove one I had set up for months for
> > Clipboard module. Which is a fork for e21+, with the other I got it
> > from focusing on E17/Moska. Yet Coverity could not understand this
> > difference...
>
> hasn't been a problem for us ... :)

Because you are part of a project. It gives no paths for outsiders to become contributors etc. Many times people will join a project via small contributions. Running a scanner, seeing some obvious issues to address is one such path. Depends on if you think about others' scenarios or just your own. FOSS isn't about any one owning the code. Thus if an entity allows FOSS apps to be scanned, that should not be restrictive.

> i guess we had different experiences... i've had great ones with
> coverity and haven't had a need to look elsewhere for a long time.

Doesn't mean Coverity is the best, just means you haven't looked at any alternatives. Which may point out stuff Coverity doesn't. I would guarantee Sonar would find issues Coverity did not. Maybe a lot of minor stuff, but I bet there are code paths not followed, etc. I find Coverity all but useless after Sonar.

> now while you seem to have a bad day with coverity, as above, my
> experience is otherwise, but i think it's great there are other
> options. knowing about them is a great thing and thanks for bringing
> this up. :)

Hardly me... Main GnuPG dev... Why do they not use Coverity? Not only did they try, but I did as well....
https://dev.gnupg.org/T2905#110314

Yet... which I could do gnupg as well...
https://sonarcloud.io/dashboard?id=pinentry

I have exchanged many emails with Sonar. They are a great company compared to Coverity. They are very responsive to feedback. Not restrictive like Coverity. They provide upgrade paths for you to scan private projects. I find it way more beneficial than Coverity. If others check it out, that is their call.

By the way, let's not forget Coverity was down for 2/3s of a month, and after they came back up, still had some outages...
https://twitter.com/CoverityScan/status/966068113941979136

I think that right there says a lot about how much they care about making their resources available to others and FOSS. I was using Sonar during that entire outage. Exchanging emails with Sonar staff... I have had numerous, always pleasant interactions with Sonar. Coverity on the other hand acts without any communication. I have exchanged like 4 maybe 5 emails. 3 of which were around projects that were not approved. They removed clipboard without any mention to me... rude...

-- 
William L. Thomson Jr.
pgpLMWNgnozXT.pgp
Description: OpenPGP digital signature
_______________________________________________ enlightenment-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
