Hi David,
To generate a static report from Coverity, run cov-format-errors.
This command generates a set of HTML pages which contain all the issues
found in the last run.

        Yair


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Hartman
Sent: Monday, January 09, 2006 11:19 PM
To: Andy Polyakov; openssl-dev@openssl.org
Cc: Andrew Schnable
Subject: RE: Problems Identified in Static Source Analysis


Hi Andy,

It turns out there was no easy way to give you the Coverity test results
directly.  For the runs to be useful, you really need a viewer, and we
are limited by the licenses as to who can use the viewer.

We have a copy of 0.9.8a in our source tree, and I made the changes to
our copy of 0.9.8a.  I attached the diffs.

I apologize for making these changes against our own copy of the
sources; that means the resulting diffs can't be used directly as a
patch against your CVS repository since the file revisions will be
different.  Hopefully this is still useful as you can still use the file
names and line numbers.

I will work on getting rsync set up and getting a local copy of your
CVS repository so I can submit proper patches in the future.

-David



> -----Original Message-----
> From: Andy Polyakov [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 18, 2005 7:41 AM
> To: openssl-dev@openssl.org; David Hartman
> Cc: Andrew Schnable
> Subject: Re: Problems Identified in Static Source Analysis
> 
> Hi,
> 
> > We recently ran Coverity, a static source analysis tool, against OpenSSL
> > 0.9.7 and 0.9.8.  We found a number of problems such as the potential to
> > access null pointers, lack of error checking on return codes, etc.
> > There are in the neighborhood of 25 errors that we considered worth
> > fixing.
> >
> > Would you like us to contribute these fixes back to the project?
> 
> Yes.
> 
> > If so,
> > what would be the best format for submitting them?
> 
> Coverity report itself by all means preferred, as more eyeballs on
> deciding on what's worth fixing and in which branch is better. If
> disclosure on public list such as openssl-dev is not appropriate, send
> it to openssl-team.
> 
> > Would you like the diffs or raw sources?
> 
> See "HOW TO CONTRIBUTE TO OpenSSL" paragraph in ./README for formalized
> description.
> 
> > Also, which branch would be best?
> 
> The normal workflow goes as follows: 1. HEAD [see
> http://www.openssl.org/source/repos.html], 2. backport to released
> versions. Backports to 0.9.8 are currently very common, while backports
> to 0.9.7 are rather rare. Meaning that HEAD is by all means preferred,
> but as long as we're not talking about changed functionality or new
> features, 0.9.8 is OK for the moment, as it has not diverged too much. A.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
