Bill, I would like to see the output. How hard is it to set up?
Pat

> -----Original Message-----
> From: iotivity-dev-bounces at lists.iotivity.org [mailto:iotivity-dev-bounces at lists.iotivity.org] On Behalf Of Dieter, William R
> Sent: Tuesday, July 14, 2015 10:51 AM
> To: iotivity-dev at lists.iotivity.org
> Subject: [dev] Static Analysis
>
> One of the original plans for the Linux Foundation infrastructure was to use Sonar to run the SonarQube C++ plug-in. We have run into a few problems using the commercial plug-in; however, there are several community plug-ins for C/C++ code:
>
> * vera++ (for checking style)
> * cppcheck (static analysis checking for buffer overflows, memory, and other problems)
> * RATS (checking for security problems, including buffer overflows)
>
> We could enable these checks to run through Jenkins during verification builds. The idea would be that the static analysis checkers could point out potential problems and be an aid to code reviewers. The tools are all open source so contributors could run them locally, too.
>
> The implementation plan would be to first make the static analysis information available, but not have it give a +1 or -1. After some period (and tweaking of rules), if the community thinks it is helpful, Sonar could give a -1 when certain checks fail based on the observed track record.
>
> Before implementing this, we would like to know if there is community support for it. Is this something people would find useful? Are there any objections to just making the analysis available (without automatic +/-1)?
>
> Thanks,
> Bill.
>
> _______________________________________________
> iotivity-dev mailing list
> iotivity-dev at lists.iotivity.org
> https://lists.iotivity.org/mailman/listinfo/iotivity-dev
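The "report first, vote later" gate Bill describes can be sketched in a few lines. This is an added example, not code from the thread or from the IoTivity project: it assumes cppcheck's `--xml --xml-version=2` report format, a constructed sample report with made-up file names, and a hypothetical list of checks that would eventually earn a -1.

```python
import xml.etree.ElementTree as ET

# Constructed sample in cppcheck's --xml-version=2 layout (paths and findings are made up).
SAMPLE_REPORT = """<results version="2">
  <cppcheck version="1.69"/>
  <errors>
    <error id="arrayIndexOutOfBounds" severity="error" msg="Array 'buf[16]' accessed at index 16, which is out of bounds.">
      <location file="src/example.c" line="42"/>
    </error>
    <error id="memleak" severity="error" msg="Memory leak: p">
      <location file="src/example.c" line="77"/>
    </error>
    <error id="variableScope" severity="style" msg="The scope of the variable 'i' can be reduced.">
      <location file="src/other.c" line="10"/>
    </error>
  </errors>
</results>
"""

# Hypothetical policy: check ids that would justify a -1 once the rules have been tuned.
BLOCKING_IDS = {"arrayIndexOutOfBounds", "bufferAccessOutOfBounds", "memleak",
                "nullPointer", "uninitvar"}


def parse_cppcheck_xml(xml_text):
    """Return findings as (id, severity, file, line, msg) tuples."""
    findings = []
    for err in ET.fromstring(xml_text).iter("error"):
        loc = err.find("location")
        path = loc.get("file") if loc is not None else ""
        line = int(loc.get("line")) if loc is not None and loc.get("line") else 0
        findings.append((err.get("id"), err.get("severity"), path, line, err.get("msg", "")))
    return findings


def review_verdict(findings, enforce=False):
    """Return (vote, blocking_findings): 0 while report-only, -1 only when enforcing
    and at least one blocking check fired; style-only findings never block."""
    blocking = [f for f in findings if f[0] in BLOCKING_IDS]
    if enforce and blocking:
        return -1, blocking
    return 0, blocking


def format_review_comment(findings):
    """Human-readable summary suitable for posting as a review comment."""
    return "\n".join(f"{f[2]}:{f[3]}: [{f[1]}] {f[0]}: {f[4]}" for f in findings)
```

Running with `enforce=False` during the trial period posts the summary without affecting the vote; flipping it to `True` later implements the second phase of the plan.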
