On Tue, 24 Apr 2018 12:31:33 +0200 Marcel Hollerbach <m...@bu5hm4n.de> wrote:
> (Additional Note)
>
> scanning through the results also shows that there is a massive
> amount of false positives.

Which can be marked as such. Their devs will read comments and/or look at false positives and make changes to the scanner as necessary. Definitely work to dial it in for EFL to get to the main stuff of concern. But there is stuff to address in there still.

> Examples:
> -
> https://sonarcloud.io/project/issues?branch=devs%2Fstefan%2Fsonar-test&id=efl&open=AWL3Ai8c-pl6AHs2kvjz&resolved=false&severities=MAJOR

This one I have already brought to their attention. It has issues with macro processing, which they plan to switch to clang's LLVM core. That was some of the only bugs for Entrance and Ecrire. It doesn't understand ECORE_GETOPT_VALUE. It has a similar problem with the libcheck/check macro:
https://sonarcloud.io/project/issues?id=asspr&issues=AWH5L4_Xhcbw8NuCjRdd&open=AWH5L4_Xhcbw8NuCjRdd

> -
> https://sonarcloud.io/project/issues?branch=devs%2Fstefan%2Fsonar-test&id=efl&open=AWL3Ai7O-pl6AHs2kvhV&resolved=false&severities=BLOCKERreferences.

This link seems broken.

> -
> https://sonarcloud.io/project/issues?branch=devs%2Fstefan%2Fsonar-test&id=efl&open=AWL3Ai89-pl6AHs2kvnI&resolved=false&severities=BLOCKER

It is simply saying to review. I have seen cases where the memory was not freed and I have seen cases where it was freed later on in the program.

>
> Looks like it does not understand when a variable is passed via
> reference. Which will make it error on a lot of places on efl.

Yes, but also a lot of stuff that needs to be fixed as well.

Maybe minor but does exist, like
https://sonarcloud.io/project/issues?branch=devs%2Fstefan%2Fsonar-test&id=efl&issues=AWL3Ai89-pl6AHs2kvm9&open=AWL3Ai89-pl6AHs2kvm9

Or labels with no goto that serve no purpose; seems a few of those:
https://sonarcloud.io/project/issues?branch=devs%2Fstefan%2Fsonar-test&id=efl&issues=AWL3Ai_J-pl6AHs2kvwY&open=AWL3Ai_J-pl6AHs2kvwY

Switch missing default:
https://sonarcloud.io/project/issues?branch=devs%2Fstefan%2Fsonar-test&id=efl&issues=AWL3Ai-A-pl6AHs2kvrm&open=AWL3Ai-A-pl6AHs2kvrm

I went through a bunch and it is mostly pointing out legit stuff. Though it's debatable if that stuff is necessary or matters. Most will make the code cleaner if not better in that sense. If you all want to address those things that is up to you.

Some of it is debatable, like insecure functions. I understand EFL may be using those in places for performance reasons. Though where performance is not needed it is likely best to use the safer versions with a size parameter:

strcpy -> strncpy
sprintf -> snprintf

Spoke to Carsten about that long ago when the security researcher brought up use of strcpy in Tizen. It seems a good deal of it is there for performance reasons, thus not using strncpy.

-- 
William L. Thomson Jr.
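The post recommends replacing strcpy/sprintf with their size-bounded counterparts. The following is an added example, not EFL code and not from the thread, showing what each bounded call does at a buffer boundary and the one caveat a reviewer checks for: strncpy bounds the write but leaves the destination unterminated when the source fills the whole buffer, so the usual idiom copies size-1 bytes and terminates explicitly, while snprintf always terminates (for size > 0) and its return value reports truncation. The function names, BUF_SIZE and the sample strings are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for the example: a small fixed-size destination buffer. */
#define BUF_SIZE 8

/* strncpy() with a size parameter bounds the write, but it does NOT
 * write a terminating NUL when strlen(src) >= dst_size.
 * Returns 1 if dst ended up NUL-terminated within dst_size, else 0. */
int copy_with_strncpy(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* The idiom that makes strncpy safe to use: copy at most dst_size-1
 * bytes and terminate explicitly. Returns 1 if src was truncated,
 * 0 if it fit, -1 if there is no room for even the terminator. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return -1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size;
}

/* snprintf() always NUL-terminates when dst_size > 0 and returns the
 * length the complete output would have had, so truncation can be
 * detected by comparing the return value with the buffer size.
 * Returns 1 if the formatted text was truncated, 0 if it fit. */
int format_bounded(char *dst, size_t dst_size, const char *name, int id)
{
    int needed = snprintf(dst, dst_size, "%s-%d", name, id);
    return needed >= 0 && (size_t)needed >= dst_size;
}

int main(void)
{
    char buf[BUF_SIZE];

    /* An 8-byte source into an 8-byte buffer: no terminator written. */
    printf("strncpy terminated: %d\n",
           copy_with_strncpy(buf, sizeof buf, "exactly8"));

    /* Same source through the safe idiom: truncated but terminated. */
    printf("copy_bounded truncated: %d -> \"%s\"\n",
           copy_bounded(buf, sizeof buf, "exactly8"), buf);

    /* snprintf reports the truncation of "entrance-42" into 8 bytes. */
    printf("snprintf truncated: %d -> \"%s\"\n",
           format_bounded(buf, sizeof buf, "entrance", 42), buf);
    return 0;
}
```

The point for a code review is that a mechanical strcpy -> strncpy swap is only half the fix; the explicit terminator (or a check of snprintf's return value) is what turns a bounded write into a correctly bounded string.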
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel