Re: Coverity static analysis scanning
On 8 November 2014 12:33:50 CET, Rainer Jung wrote:
> On 27.09.2014 at 12:28, Felix Schumacher wrote:
>> On 28.08.2014 at 23:15, Rainer Jung wrote:
>>> On 28.08.2014 at 21:44, Felix Schumacher wrote:
>>>> I'd like to have a look.
>>>
>>> Invitation sent out.
>> Would you mind upgrading my account, so that I can update the status of
>> the defects?
>
> Sorry for chiming in late. Your role currently is Maintainer/Owner and I
> don't see anyone having a stronger role. I guess someone already
> assigned the needed rights to you.

Thanks for looking into it.

Regards
Felix

> Regards,
>
> Rainer
>
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Coverity static analysis scanning
On 27.09.2014 at 12:28, Felix Schumacher wrote:
> On 28.08.2014 at 23:15, Rainer Jung wrote:
>> On 28.08.2014 at 21:44, Felix Schumacher wrote:
>>> I'd like to have a look.
>>
>> Invitation sent out.
> Would you mind upgrading my account, so that I can update the status of the defects?

Sorry for chiming in late. Your role currently is Maintainer/Owner and I don't see anyone having a stronger role. I guess someone already assigned the needed rights to you.

Regards,

Rainer
Re: Coverity static analysis scanning
On 28.08.2014 at 23:15, Rainer Jung wrote:
> On 28.08.2014 at 21:44, Felix Schumacher wrote:
>> I'd like to have a look.
>
> Invitation sent out.
Would you mind upgrading my account, so that I can update the status of the defects?

Felix
> Rainer
Re: Coverity static analysis scanning
For code coverage, you need Cobertura to generate its report in XML. I tried:

    ant clean test -Dtest.cobertura=true -Dcobertura.report.format=xml

but Cobertura fails to generate the XML report (whereas it's OK when it's generating it in HTML...). So as long as this doesn't work, you won't be able to get coverage... at least with Cobertura.

Also, I hadn't noticed that you had changed the project key, so now you have 2 different projects on SQ:
- The original one: https://analysis.apache.org/dashboard/index/org.apache.tomcat:tomcat-parent - From what I can see, it looks like at some point in time Tomcat was fully built with Maven?
- The new one: https://analysis.apache.org/dashboard/index/apache:tomcat

You should keep only one. I suggest that you:
- delete <http://docs.codehaus.org/display/SONAR/Project+Administration#ProjectAdministration-DeletingaProject> the new one
- and update the key <http://docs.codehaus.org/display/SONAR/Project+Administration#ProjectAdministration-UpdatingProjectKey> of the original one to "apache:tomcat"; this way you'll keep the (short) history of the original analyses.

- Fabrice
belling...@apache.org
fabrice.belling...@sonarsource.com

On Thu, Sep 11, 2014 at 1:20 PM, Olivier Lamy wrote:
> thanks.
> Looks better now except code coverage still doesn't work. Any idea?
>
> On 10 September 2014 22:12, Fabrice Bellingard wrote:
>> Hi Olivier,
>>
>> Looks like the configuration of the SQ build step is not fully correct. From
>> the following command line:
>>>
>>> [workspace] $ /x1/jenkins/sonar-runner/bin/sonar-runner
>>> -Dsonar.jdbc.driver=com.mysql.jdbc.Driver
>>> -Dsonar.jdbc.url=jdbc:mysql://192.168.0.64:3306/sonar?useUnicode=true&characterEncoding=utf8
>>> -Dsonar.host.url=http://localhost:9090
>>> -Dsonar.projectBaseDir=/x1/jenkins/jenkins-master/jenkins-home/jobs/tomcat-trunk/workspace
>>> "-Dsonar.projectName=Apache Tomcat"
>>> -Dsonar.projectVersion=trunk
>>> -Dsonar.libraries=output/classes
>>> -Dsonar.projectKey=apache:tomcat
>>> -Dsonar.sources=java,modules/jdbc-pool,modules/tomcat-lite,modules/bayeux
>>
>> , I can see that:
>>
>> sonar.binaries is missing (which is the reason why the Findbugs plugin fails)
>> sonar.libraries is not correct (it points to the folder where classes are compiled, not to the dependencies)
>>
>> I made some tests on my box, and the following configuration should make it:
>>
>>> sonar.projectKey=apache:tomcat
>>> sonar.projectName=Apache Tomcat
>>> sonar.projectVersion=trunk
>>> sonar.sources=java,modules/bayeux/java,modules/jdbc-pool/src/main/java,modules/tomcat-lite/java
>>> sonar.binaries=output/classes,modules/jdbc-pool/output/classes,modules/tomcat-lite/target/classes
>>
>> (I removed "sonar.libraries" because it depends on the "base.path" property set for the build)
>>
>> One note: if you want to benefit from Findbugs analysis, all the classes need to be compiled. For my tests, I run:
>>
>> "ant compile" at the root, which compiles into "output/classes"
>> "ant" for the bayeux module, which compiles into "output/classes" as well
>> "ant" for the jdbc-pool module, which compiles into "modules/jdbc-pool/output/classes"
>> "mvn compile" for the "tomcat-lite" module, which compiles into "modules/tomcat-lite/target/classes"
>>
>> All those build directories are therefore referenced in "sonar.binaries".
>>
>> HTH!
>>
>> - Fabrice
>> belling...@apache.org
>> fabrice.belling...@sonarsource.com
>>
>> On Wed, Sep 10, 2014 at 9:08 AM, Olivier Lamy wrote:
>>>
>>> I tried to get this working but got this error:
>>> https://analysis.apache.org/jenkins/job/tomcat-trunk/10/console
>>>
>>> Any help will be appreciated :-)
>>>
>>> On 3 September 2014 22:07, Fabrice Bellingard wrote:
>>>> Hi guys,
>>>>
>>>> Tomcat had also been analyzed for a couple of months on the SonarQube
>>>> instance of the ASF [1], but the last analysis is very old. The analysis
>>>> must be failing for some reasons, so I c
Re: Coverity static analysis scanning
thanks.
Looks better now except code coverage still doesn't work. Any idea?

On 10 September 2014 22:12, Fabrice Bellingard wrote:
> Hi Olivier,
>
> Looks like the configuration of the SQ build step is not fully correct. From
> the following command line:
>>
>> [workspace] $ /x1/jenkins/sonar-runner/bin/sonar-runner
>> -Dsonar.jdbc.driver=com.mysql.jdbc.Driver
>> -Dsonar.jdbc.url=jdbc:mysql://192.168.0.64:3306/sonar?useUnicode=true&characterEncoding=utf8
>> -Dsonar.host.url=http://localhost:9090
>> -Dsonar.projectBaseDir=/x1/jenkins/jenkins-master/jenkins-home/jobs/tomcat-trunk/workspace
>> "-Dsonar.projectName=Apache Tomcat"
>> -Dsonar.projectVersion=trunk
>> -Dsonar.libraries=output/classes
>> -Dsonar.projectKey=apache:tomcat
>> -Dsonar.sources=java,modules/jdbc-pool,modules/tomcat-lite,modules/bayeux
>
> , I can see that:
>
> sonar.binaries is missing (which is the reason why the Findbugs plugin fails)
> sonar.libraries is not correct (it points to the folder where classes are compiled, not to the dependencies)
>
> I made some tests on my box, and the following configuration should make it:
>
>> sonar.projectKey=apache:tomcat
>> sonar.projectName=Apache Tomcat
>> sonar.projectVersion=trunk
>> sonar.sources=java,modules/bayeux/java,modules/jdbc-pool/src/main/java,modules/tomcat-lite/java
>> sonar.binaries=output/classes,modules/jdbc-pool/output/classes,modules/tomcat-lite/target/classes
>
> (I removed "sonar.libraries" because it depends on the "base.path" property set for the build)
>
> One note: if you want to benefit from Findbugs analysis, all the classes need to be compiled. For my tests, I run:
>
> "ant compile" at the root, which compiles into "output/classes"
> "ant" for the bayeux module, which compiles into "output/classes" as well
> "ant" for the jdbc-pool module, which compiles into "modules/jdbc-pool/output/classes"
> "mvn compile" for the "tomcat-lite" module, which compiles into "modules/tomcat-lite/target/classes"
>
> All those build directories are therefore referenced in "sonar.binaries".
>
> HTH!
>
> - Fabrice
> belling...@apache.org
> fabrice.belling...@sonarsource.com
>
> On Wed, Sep 10, 2014 at 9:08 AM, Olivier Lamy wrote:
>>
>> I tried to get this working but got this error:
>> https://analysis.apache.org/jenkins/job/tomcat-trunk/10/console
>>
>> Any help will be appreciated :-)
>>
>> On 3 September 2014 22:07, Fabrice Bellingard wrote:
>>> Hi guys,
>>>
>>> Tomcat had also been analyzed for a couple of months on the SonarQube
>>> instance of the ASF [1], but the last analysis is very old. The analysis
>>> must be failing for some reasons, so I copy Olivier who's managing the SQ
>>> instance @ASF. He can certainly give you more information on how to get the
>>> analysis back to normal - and probably also how to get a login there.
>>>
>>> IMO, it's best to advertise and use this instance instead of Nemo - which we
>>> use @SonarSource mainly as a demo instance.
>>>
>>> [1] https://analysis.apache.org/dashboard/index/77101?did=1
>>>
>>> - Fabrice
>>> belling...@apache.org
>>> fabrice.belling...@sonarsource.com
>>>
>>>> From: Henri Gomez
>>>> Date: Wed, Aug 27, 2014 at 12:00 PM
>>>> Subject: Re: Coverity static analysis scanning
>>>> To: Tomcat Developers List , Fabrice Bellingard
>>>>
>>>> Fabrice Bellingard, ASFer, is working for Sonar.
>>>> I add him in the loop so he could give us more information
>>>>
>>>> 2014-08-27 11:45 GMT+02:00 Mark Thomas :
>>>>> On 26/08/2014 22:52, Henri Gomez wrote:
>>>>>> Hi all
>>>>>>
>>>>>> Are you aware SonarQube is analysing Tomcat in Nemo for years ?
>>>>>>
>>>>>> http://nemo.sonarqube.org/dashboard/index/50544
>>>>>>
>>>>>> 310 Blocker issues, 121 Critical issues.
>>>>>
>>>>> I took a quick look. The first 60 or so blocker issues I looked at were
>>>>> all false positives triggered by us catc
Re: Coverity static analysis scanning
Hi Olivier,

Looks like the configuration of the SQ build step is not fully correct. From the following command line:

> [workspace] $ /x1/jenkins/sonar-runner/bin/sonar-runner
> -Dsonar.jdbc.driver=com.mysql.jdbc.Driver
> -Dsonar.jdbc.url=jdbc:mysql://192.168.0.64:3306/sonar?useUnicode=true&characterEncoding=utf8
> -Dsonar.host.url=http://localhost:9090
> -Dsonar.projectBaseDir=/x1/jenkins/jenkins-master/jenkins-home/jobs/tomcat-trunk/workspace
> "-Dsonar.projectName=Apache Tomcat"
> -Dsonar.projectVersion=trunk
> -Dsonar.libraries=output/classes
> -Dsonar.projectKey=apache:tomcat
> -Dsonar.sources=java,modules/jdbc-pool,modules/tomcat-lite,modules/bayeux

, I can see that:
- sonar.binaries is missing (which is the reason why the Findbugs plugin fails)
- sonar.libraries is not correct (it points to the folder where classes are compiled, not to the dependencies)

I made some tests on my box, and the following configuration should make it:

> sonar.projectKey=apache:tomcat
> sonar.projectName=Apache Tomcat
> sonar.projectVersion=trunk
> sonar.sources=java,modules/bayeux/java,modules/jdbc-pool/src/main/java,modules/tomcat-lite/java
> sonar.binaries=output/classes,modules/jdbc-pool/output/classes,modules/tomcat-lite/target/classes

(I removed "sonar.libraries" because it depends on the "base.path" property set for the build)

One note: if you want to benefit from Findbugs analysis, all the classes need to be compiled. For my tests, I run:
- "ant compile" at the root, which compiles into "output/classes"
- "ant" for the bayeux module, which compiles into "output/classes" as well
- "ant" for the jdbc-pool module, which compiles into "modules/jdbc-pool/output/classes"
- "mvn compile" for the "tomcat-lite" module, which compiles into "modules/tomcat-lite/target/classes"

All those build directories are therefore referenced in "sonar.binaries".

HTH!

- Fabrice
belling...@apache.org
fabrice.belling...@sonarsource.com

On Wed, Sep 10, 2014 at 9:08 AM, Olivier Lamy wrote:
> I tried to get this working but got this error:
> https://analysis.apache.org/jenkins/job/tomcat-trunk/10/console
>
> Any help will be appreciated :-)
>
> On 3 September 2014 22:07, Fabrice Bellingard wrote:
>> Hi guys,
>>
>> Tomcat had also been analyzed for a couple of months on the SonarQube
>> instance of the ASF [1], but the last analysis is very old. The analysis
>> must be failing for some reasons, so I copy Olivier who's managing the SQ
>> instance @ASF. He can certainly give you more information on how to get the
>> analysis back to normal - and probably also how to get a login there.
>>
>> IMO, it's best to advertise and use this instance instead of Nemo - which we
>> use @SonarSource mainly as a demo instance.
>>
>> [1] https://analysis.apache.org/dashboard/index/77101?did=1
>>
>> - Fabrice
>> belling...@apache.org
>> fabrice.belling...@sonarsource.com
>>
>>> From: Henri Gomez
>>> Date: Wed, Aug 27, 2014 at 12:00 PM
>>> Subject: Re: Coverity static analysis scanning
>>> To: Tomcat Developers List , Fabrice Bellingard
>>>
>>> Fabrice Bellingard, ASFer, is working for Sonar.
>>> I add him in the loop so he could give us more information
>>>
>>> 2014-08-27 11:45 GMT+02:00 Mark Thomas :
>>>> On 26/08/2014 22:52, Henri Gomez wrote:
>>>>> Hi all
>>>>>
>>>>> Are you aware SonarQube is analysing Tomcat in Nemo for years ?
>>>>>
>>>>> http://nemo.sonarqube.org/dashboard/index/50544
>>>>>
>>>>> 310 Blocker issues, 121 Critical issues.
>>>>
>>>> I took a quick look. The first 60 or so blocker issues I looked at were
>>>> all false positives triggered by us catching Throwable for good reasons.
>>>> Can we get a login to this system to mark them as false positives?
>>>>
>>>> Mark
>>>>
>>>>> Wondering if Coverity will provide more information than SonarQube ?
>>>>>
>>>>> BTW, SonarQube is analysing major ASF projects for a long time now :)
>>>>>
>>>>> 2014-08-26 11:20 GMT+02:00 Mark Thomas :
Re: Coverity static analysis scanning
On 10/09/2014 08:08, Olivier Lamy wrote:
> I tried to get this working but got this error:
> https://analysis.apache.org/jenkins/job/tomcat-trunk/10/console
>
> Any help will be appreciated :-)

Disable the unit tests until you get this working. They add about an hour to the build time. Use "clean deploy" rather than "clean test".

Looking at the Sonar config you have the following:

-Dsonar.sources=java,modules/jdbc-pool,modules/tomcat-lite,modules/bayeux

I'd change that to:

-Dsonar.sources=java,modules/jdbc-pool

Neither tomcat-lite nor bayeux are part of the standard Tomcat distribution.

Try that and see what happens.

Mark
Re: Coverity static analysis scanning
I tried to get this working but got this error:
https://analysis.apache.org/jenkins/job/tomcat-trunk/10/console

Any help will be appreciated :-)

On 3 September 2014 22:07, Fabrice Bellingard wrote:
> Hi guys,
>
> Tomcat had also been analyzed for a couple of months on the SonarQube
> instance of the ASF [1], but the last analysis is very old. The analysis
> must be failing for some reasons, so I copy Olivier who's managing the SQ
> instance @ASF. He can certainly give you more information on how to get the
> analysis back to normal - and probably also how to get a login there.
>
> IMO, it's best to advertise and use this instance instead of Nemo - which we
> use @SonarSource mainly as a demo instance.
>
> [1] https://analysis.apache.org/dashboard/index/77101?did=1
>
> - Fabrice
> belling...@apache.org
> fabrice.belling...@sonarsource.com
>
>> From: Henri Gomez
>> Date: Wed, Aug 27, 2014 at 12:00 PM
>> Subject: Re: Coverity static analysis scanning
>> To: Tomcat Developers List , Fabrice Bellingard
>>
>> Fabrice Bellingard, ASFer, is working for Sonar.
>> I add him in the loop so he could give us more information
>>
>> 2014-08-27 11:45 GMT+02:00 Mark Thomas :
>>> On 26/08/2014 22:52, Henri Gomez wrote:
>>>> Hi all
>>>>
>>>> Are you aware SonarQube is analysing Tomcat in Nemo for years ?
>>>>
>>>> http://nemo.sonarqube.org/dashboard/index/50544
>>>>
>>>> 310 Blocker issues, 121 Critical issues.
>>>
>>> I took a quick look. The first 60 or so blocker issues I looked at were
>>> all false positives triggered by us catching Throwable for good reasons.
>>> Can we get a login to this system to mark them as false positives?
>>>
>>> Mark
>>>
>>>> Wondering if Coverity will provide more information than SonarQube ?
>>>>
>>>> BTW, SonarQube is analysing major ASF projects for a long time now :)
>>>>
>>>> 2014-08-26 11:20 GMT+02:00 Mark Thomas :
>>>>> All,
>>>>>
>>>>> I have been pinged off-list by Coverity to say that they have set up
>>>>> Tomcat with a free account with their static code analysis service.
>>>>>
>>>>> I think I have the ability to send invitations so if anyone wants to
>>>>> take a look at the results, just reply here.
>>>>>
>>>>> I have taken a quick look and they do appear to have found some valid
>>>>> threading issues. There are ~350 issues in total and I don't yet have a
>>>>> feel for the false positive rate.
>>>>>
>>>>> Mark

--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
Re: Coverity static analysis scanning
Hi guys,

Tomcat had also been analyzed for a couple of months on the SonarQube instance of the ASF [1], but the last analysis is very old. The analysis must be failing for some reasons, so I copy Olivier who's managing the SQ instance @ASF. He can certainly give you more information on how to get the analysis back to normal - and probably also how to get a login there.

IMO, it's best to advertise and use this instance instead of Nemo - which we use @SonarSource mainly as a demo instance.

[1] https://analysis.apache.org/dashboard/index/77101?did=1

- Fabrice
belling...@apache.org
fabrice.belling...@sonarsource.com

> From: Henri Gomez
> Date: Wed, Aug 27, 2014 at 12:00 PM
> Subject: Re: Coverity static analysis scanning
> To: Tomcat Developers List , Fabrice Bellingard <fabrice.belling...@sonarsource.com>
>
> Fabrice Bellingard, ASFer, is working for Sonar.
> I add him in the loop so he could give us more information
>
> 2014-08-27 11:45 GMT+02:00 Mark Thomas :
>> On 26/08/2014 22:52, Henri Gomez wrote:
>>> Hi all
>>>
>>> Are you aware SonarQube is analysing Tomcat in Nemo for years ?
>>>
>>> http://nemo.sonarqube.org/dashboard/index/50544
>>>
>>> 310 Blocker issues, 121 Critical issues.
>>
>> I took a quick look. The first 60 or so blocker issues I looked at were
>> all false positives triggered by us catching Throwable for good reasons.
>> Can we get a login to this system to mark them as false positives?
>>
>> Mark
>>
>>> Wondering if Coverity will provide more information than SonarQube ?
>>>
>>> BTW, SonarQube is analysing major ASF projects for a long time now :)
>>>
>>> 2014-08-26 11:20 GMT+02:00 Mark Thomas :
>>>> All,
>>>>
>>>> I have been pinged off-list by Coverity to say that they have set up
>>>> Tomcat with a free account with their static code analysis service.
>>>>
>>>> I think I have the ability to send invitations so if anyone wants to
>>>> take a look at the results, just reply here.
>>>>
>>>> I have taken a quick look and they do appear to have found some valid
>>>> threading issues. There are ~350 issues in total and I don't yet have a
>>>> feel for the false positive rate.
>>>>
>>>> Mark
Re: Coverity static analysis scanning
On 28/08/2014 15:44, Freddy Mallet wrote:
> Hi Guys,
>
> I'm leading the development of the SonarQube platform. If you want any
> personal login/password to http://nemo.sonarqube.org/ and/or if you want us
> to tune the set of coding rules used to analyze the Tomcat project, feel
> free to ping me or

I'd like an account to have a poke around the results - ma...@apache.org please

> Obviously, if you're getting some false-positives, I'm also eager to get
> your feedback to help us tune our java analyser.

False positives are expected. In the past the biggest problem I have found with code analysis systems is the hoops you have to jump through to mark something as a false positive.

Cheers,

Mark

> Thanks
> -
> twitter.com/FreddyMallet
> SonarQube for Continuous Inspection
>
> -- Forwarded message --
>> From: Henri Gomez
>> Date: 2014-08-26 23:52 GMT+02:00
>> Subject: Re: Coverity static analysis scanning
>> To: Tomcat Developers List
>>
>> Hi all
>>
>> Are you aware SonarQube is analysing Tomcat in Nemo for years ?
>>
>> http://nemo.sonarqube.org/dashboard/index/50544
>>
>> 310 Blocker issues, 121 Critical issues.
>>
>> Wondering if Coverity will provide more information than SonarQube ?
>>
>> BTW, SonarQube is analysing major ASF projects for a long time now :)
>>
>> 2014-08-26 11:20 GMT+02:00 Mark Thomas :
>>> All,
>>>
>>> I have been pinged off-list by Coverity to say that they have set up
>>> Tomcat with a free account with their static code analysis service.
>>>
>>> I think I have the ability to send invitations so if anyone wants to
>>> take a look at the results, just reply here.
>>>
>>> I have taken a quick look and they do appear to have found some valid
>>> threading issues. There are ~350 issues in total and I don't yet have a
>>> feel for the false positive rate.
>>>
>>> Mark
Re: Coverity static analysis scanning
On 28.08.2014 at 21:44, Felix Schumacher wrote:
> I'd like to have a look.

Invitation sent out.

Rainer
Re: Coverity static analysis scanning
I'd like to have a look.

On 26.08.2014 at 11:20, Mark Thomas wrote:
> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.
>
> Mark
Re: Coverity static analysis scanning
Hi Guys,

I'm leading the development of the SonarQube platform. If you want any personal login/password to http://nemo.sonarqube.org/ and/or if you want us to tune the set of coding rules used to analyze the Tomcat project, feel free to ping me or

Obviously, if you're getting some false-positives, I'm also eager to get your feedback to help us tune our java analyser.

Thanks
-
twitter.com/FreddyMallet
SonarQube for Continuous Inspection

-- Forwarded message --
> From: Henri Gomez
> Date: 2014-08-26 23:52 GMT+02:00
> Subject: Re: Coverity static analysis scanning
> To: Tomcat Developers List
>
> Hi all
>
> Are you aware SonarQube is analysing Tomcat in Nemo for years ?
>
> http://nemo.sonarqube.org/dashboard/index/50544
>
> 310 Blocker issues, 121 Critical issues.
>
> Wondering if Coverity will provide more information than SonarQube ?
>
> BTW, SonarQube is analysing major ASF projects for a long time now :)
>
> 2014-08-26 11:20 GMT+02:00 Mark Thomas :
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up
>> Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to
>> take a look at the results, just reply here.
>>
>> I have taken a quick look and they do appear to have found some valid
>> threading issues. There are ~350 issues in total and I don't yet have a
>> feel for the false positive rate.
>>
>> Mark
Re: Coverity static analysis scanning
2014-08-26 11:20 GMT+02:00 Mark Thomas :
> All,
>
> I have been pinged off-list by Coverity to say that they have set up
> Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to
> take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid
> threading issues. There are ~350 issues in total and I don't yet have a
> feel for the false positive rate.

Ok, so since there was so much noise about it I had a look. I am not quite convinced (= I don't plan to actually fix anything meaningful), but at least it does seem to attempt to do something useful.

Rémy
Re: Coverity static analysis scanning
Fabrice Bellingard, ASFer, is working for Sonar.
I add him in the loop so he could give us more information

2014-08-27 11:45 GMT+02:00 Mark Thomas :
> On 26/08/2014 22:52, Henri Gomez wrote:
>> Hi all
>>
>> Are you aware SonarQube is analysing Tomcat in Nemo for years ?
>>
>> http://nemo.sonarqube.org/dashboard/index/50544
>>
>> 310 Blocker issues, 121 Critical issues.
>
> I took a quick look. The first 60 or so blocker issues I looked at were
> all false positives triggered by us catching Throwable for good reasons.
> Can we get a login to this system to mark them as false positives?
>
> Mark
>
>> Wondering if Coverity will provide more information than SonarQube ?
>>
>> BTW, SonarQube is analysing major ASF projects for a long time now :)
>>
>> 2014-08-26 11:20 GMT+02:00 Mark Thomas :
>>> All,
>>>
>>> I have been pinged off-list by Coverity to say that they have set up
>>> Tomcat with a free account with their static code analysis service.
>>>
>>> I think I have the ability to send invitations so if anyone wants to
>>> take a look at the results, just reply here.
>>>
>>> I have taken a quick look and they do appear to have found some valid
>>> threading issues. There are ~350 issues in total and I don't yet have a
>>> feel for the false positive rate.
>>>
>>> Mark
Re: Coverity static analysis scanning
On 26/08/2014 22:52, Henri Gomez wrote:
> Hi all
>
> Are you aware SonarQube is analysing Tomcat in Nemo for years ?
>
> http://nemo.sonarqube.org/dashboard/index/50544
>
> 310 Blocker issues, 121 Critical issues.

I took a quick look. The first 60 or so blocker issues I looked at were all false positives triggered by us catching Throwable for good reasons. Can we get a login to this system to mark them as false positives?

Mark

> Wondering if Coverity will provide more information than SonarQube ?
>
> BTW, SonarQube is analysing major ASF projects for a long time now :)
>
> 2014-08-26 11:20 GMT+02:00 Mark Thomas :
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up
>> Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to
>> take a look at the results, just reply here.
>>
>> I have taken a quick look and they do appear to have found some valid
>> threading issues. There are ~350 issues in total and I don't yet have a
>> feel for the false positive rate.
>>
>> Mark
Re: Coverity static analysis scanning
On 26/08/2014 22:26, Christopher Schultz wrote:
> Mark,
>
> On 8/26/14, 5:20 AM, Mark Thomas wrote:
>> I have been pinged off-list by Coverity to say that they have set up
>> Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to
>> take a look at the results, just reply here.
>>
>> I have taken a quick look and they do appear to have found some valid
>> threading issues. There are ~350 issues in total and I don't yet have a
>> feel for the false positive rate.
>
> Wow, this is great. I've used FindBugs before both inside and outside of
> ASF projects, but this is ... just amazing.

It certainly appears to be an improvement on what was on offer the last time we were approached by one of the static code analysis firms.

Personally, I'm withholding judgement until I get a better feel for what % of the issues raised are ones that are likely to cause problems for our users.

> It does catch a lot of sanity-checks and complains about them. I get
> DEAD CODE warnings all the time (in FindBugs), especially for JDBC code
> when I've caught all possible exceptions and yet still have a finally
> block that, for example, checks a Connection reference for null and
> closes it in that case. While the code is technically dead, it's
> future-proof against someone adding another call that throws a different
> type of exception, re-ordering some of the operations, or making some
> other change and forgetting to modify the finally block, etc.
>
> It would be nice to know what the consensus is amongst the team about
> what to do in these cases: should all dead code segments be considered
> logical oversights and corrected? Or is additional sanity-checking and
> future-proofing a good idea?

It depends :)

I think there are some cases where I'd agree it is a good idea and some where I'd think it was a waste of time and code.

> A good example is issue 45040
> (https://scan3.coverity.com:8443/reports.htm#v16818/p10363/fileInstanceId=567725&defectInstanceId=145101&mergedDefectId=45040):
> a logical bug in HttpServlet that should probably remain as-is. It's in
> the HttpServlet.doOptions method where we build a list of acceptable
> HTTP verbs. /Technically/, if ALLOW_GET is set, then ALLOW_HEAD must be
> set and therefore checking "allow" (the string of verbs we're
> building) for NULL is illogical. One could argue that ALLOW_HEAD should
> be independent of ALLOW_GET -- why can't a servlet implement doHead but
> not doGet -- but it probably always makes sense to check for null.
> Stated differently: checking for NULL never hurt anybody.

I disagree. In this case if the servlet extends HttpServlet and implements doGet(), HttpServlet provides the doHead() implementation. I'd clean that code up and remove the dead code.

That said, I have other things higher up my priority list right now.

Mark
Re: Coverity static analysis scanning
Hi all

Are you aware SonarQube has been analysing Tomcat in Nemo for years? http://nemo.sonarqube.org/dashboard/index/50544

310 Blocker issues, 121 Critical issues.

Wondering if Coverity will provide more information than SonarQube?

BTW, SonarQube has been analysing major ASF projects for a long time now :)

2014-08-26 11:20 GMT+02:00 Mark Thomas :
> All,
>
> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>
> Mark
Re: Coverity static analysis scanning
Mark,

On 8/26/14, 5:20 AM, Mark Thomas wrote:
> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.

Wow, this is great. I've used FindBugs before both inside and outside of ASF projects, but this is ... just amazing.

It does catch a lot of sanity-checks and complains about them. I get DEAD CODE warnings all the time (in FindBugs) for especially JDBC code when I've caught all possible exceptions and yet still have a finally block that, for example, checks a Connection reference for null and closes it in that case. While the code is technically dead, it's future-proof against someone adding another call that throws a different type of exception, re-ordering some of the operations, or making some other change and forgetting to modify the finally block, etc.

It would be nice to know what the consensus is amongst the team about what to do in these cases: should all dead code segments be considered logical oversights and corrected? Or is additional sanity-checking and future-proofing a good idea?

A good example is issue 45040 (https://scan3.coverity.com:8443/reports.htm#v16818/p10363/fileInstanceId=567725&defectInstanceId=145101&mergedDefectId=45040): a logical bug in HttpServlet that should probably remain as-is. It's in the HttpServlet.doOptions method where we build a list of acceptable HTTP verbs. /Technically/, if ALLOW_GET is set, then ALLOW_HEAD must be set and therefore checking for "allow" (the string of verbs we're building) for NULL is illogical.

One could argue that ALLOW_HEAD should be independent of ALLOW_GET -- why can't a servlet implement doHead but not doGet -- but it probably always makes sense to check for null. Stated differently: checking for NULL never hurt anybody.

-chris
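The two shapes of JDBC cleanup behind the FindBugs "dead code in finally" story above, as an added example written for this discussion; it is not code from the thread or from Tomcat, and the DataSource and the sessions table it queries are assumed. The first method keeps the defensive null check in finally and marks which of its checks an analyzer can prove unreachable; the second lets try-with-resources own the resource lifetime so there is no check left to argue about.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

/**
 * Added example for the "dead code in finally" discussion. Not Tomcat
 * code: the DataSource and the sessions table are assumptions.
 */
public class FinallyNullCheck {

    private static final String SQL = "SELECT COUNT(*) FROM sessions";

    /**
     * Shape 1: the defensive, pre-Java-7 style. getConnection() runs
     * before the try, so on every path that reaches the finally block
     * conn already holds a reference (under the JDBC contract a
     * DataSource returns a Connection or throws). That is why an
     * analyzer reports the conn null check as dead code. The check only
     * becomes live if someone later moves getConnection() inside the try
     * without touching the finally block, which is the future-proofing
     * argument made in the thread.
     */
    static int countSessionsLegacy(DataSource ds) throws SQLException {
        Connection conn = ds.getConnection();
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            ps = conn.prepareStatement(SQL);
            rs = ps.executeQuery();
            return rs.next() ? rs.getInt(1) : 0;
        } finally {
            // rs and ps may legitimately be null here (prepareStatement()
            // or executeQuery() may have thrown), so these two checks are
            // live. Note the separate weakness of this shape: if rs.close()
            // throws, ps and conn are never closed and the connection leaks.
            if (rs != null) {
                rs.close();
            }
            if (ps != null) {
                ps.close();
            }
            // conn cannot be null on any path into this block; this is the
            // check an analyzer flags as dead code.
            if (conn != null) {
                conn.close();
            }
        }
    }

    /**
     * Shape 2: try-with-resources. Resources are closed in reverse order
     * of acquisition, close() runs only for resources whose initializer
     * completed, and an exception thrown by close() is attached to the
     * primary exception as a suppressed exception rather than replacing
     * it. No reference is left to null-check, so the dead-code versus
     * future-proofing question does not arise, and the leak noted in
     * shape 1 cannot happen.
     */
    static int countSessions(DataSource ds) throws SQLException {
        try (Connection conn = ds.getConnection();
             PreparedStatement ps = conn.prepareStatement(SQL);
             ResultSet rs = ps.executeQuery()) {
            return rs.next() ? rs.getInt(1) : 0;
        }
    }
}
```

Both methods return the same count on the same DataSource; the difference is only in what happens on the failure paths, which is exactly where a static analyzer's reachability reasoning and a reviewer's future-proofing instinct disagree.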
Re: Coverity static analysis scanning
Niki Dokovski | @nickytd

On 26.08.2014, at 22:56, Mark Thomas wrote:
> On 26/08/2014 20:49, Niki Dokovski wrote:
>> The observer role does not see actual ‘defects’. Only general statistics are shown on the project dashboard.
>
> About as much use as a chocolate teapot then.
>
> I've upgraded all non-committers to contributor / viewer. Any better?

Much better. Now the actual issues are visible.

> Mark
Re: Coverity static analysis scanning
On 26/08/2014 20:49, Niki Dokovski wrote:
> The observer role does not see actual ‘defects’. Only general statistics are shown on the project dashboard.

About as much use as a chocolate teapot then.

I've upgraded all non-committers to contributor / viewer. Any better?

Mark
Re: Coverity static analysis scanning
Niki Dokovski | @nickytd

On 26.08.2014, at 22:26, Niki Dokovski wrote:
>
> On 26.08.2014, at 22:19, Mark Thomas wrote:
>
>> On 26/08/2014 18:02, Filip Hanik wrote:
>>> hook me up
>>
>> Done (and for everyone else who has asked).
>
> Thanks Mark.
>
>> It appears I now have admin karma for Coverity's project for scanning Tomcat.
>>
>> The approach I am taking is Tomcat committers get the Maintainer/Owner role and everyone else gets the Observer role. The idea being that if someone contributes enough that we want to change their role we probably should make them a committer :)

The observer role does not see actual ‘defects’. Only general statistics are shown on the project dashboard.

>> Mark
>>
>>> On Tuesday, August 26, 2014, Mark Thomas wrote:
>>>> All,
>>>>
>>>> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>>>>
>>>> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>>>>
>>>> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>>>>
>>>> Mark
Re: Coverity static analysis scanning
On 26.08.2014, at 22:19, Mark Thomas wrote:
> On 26/08/2014 18:02, Filip Hanik wrote:
>> hook me up
>
> Done (and for everyone else who has asked).

Thanks Mark.

> It appears I now have admin karma for Coverity's project for scanning Tomcat.
>
> The approach I am taking is Tomcat committers get the Maintainer/Owner role and everyone else gets the Observer role. The idea being that if someone contributes enough that we want to change their role we probably should make them a committer :)
>
> Mark
>
>> On Tuesday, August 26, 2014, Mark Thomas wrote:
>>> All,
>>>
>>> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>>>
>>> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>>>
>>> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>>>
>>> Mark
Re: Coverity static analysis scanning
On 26/08/2014 18:02, Filip Hanik wrote:
> hook me up

Done (and for everyone else who has asked).

It appears I now have admin karma for Coverity's project for scanning Tomcat.

The approach I am taking is Tomcat committers get the Maintainer/Owner role and everyone else gets the Observer role. The idea being that if someone contributes enough that we want to change their role we probably should make them a committer :)

Mark

> On Tuesday, August 26, 2014, Mark Thomas wrote:
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>>
>> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>>
>> Mark
Re: Coverity static analysis scanning
Hi,

2014-08-26 18:44 GMT+03:00 Rainer Jung :
> Hi Mark,
>
> On 26.08.2014 at 11:20, Mark Thomas wrote:
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>>
>> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>
> I'm interested as well, especially if they also scan our native code, and also if they do the scans regularly to check for changes between releases etc.

For one of the other open source projects where I participate, I run their build tool myself and then upload the results. Based on them they perform their analysis. So we can do the same for our native code.

@Mark I was added successfully to the project.

Violeta

> Thanks!
>
> Rainer
Re: Coverity static analysis scanning
hook me up

On Tuesday, August 26, 2014, Mark Thomas wrote:
> All,
>
> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>
> Mark
Re: Coverity static analysis scanning
Hi Mark,

On 26.08.2014 at 11:20, Mark Thomas wrote:
> All,
>
> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.

I'm interested as well, especially if they also scan our native code, and also if they do the scans regularly to check for changes between releases etc.

Thanks!

Rainer
Re: Coverity static analysis scanning
On Tue, Aug 26, 2014 at 11:20 AM, Mark Thomas wrote:
> All,
>
> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>
> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>
> Mark

Hi Mark,

does the Coverity scan include "mod_jk", or does it need to be added to their list? I would be interested to look into that code base a bit deeper.

Thanks
Martin

--
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
Re: Coverity static analysis scanning
On 26/08/2014 11:38, Violeta Georgieva wrote:
> Hi Mark,
>
> 2014-08-26 12:20 GMT+03:00 Mark Thomas :
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>
> I'm interested also.
> Can you tell me whether it is about https://scan.coverity.com ?
> If so I think I can add the project to my dashboard by myself.

It is. Let me know if you need an invite.

Mark

> Thanks
> Violeta
>
>> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>>
>> Mark
Re: Coverity static analysis scanning
Hi Mark,

2014-08-26 12:20 GMT+03:00 Mark Thomas :
> All,
>
> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.

I'm interested also.
Can you tell me whether it is about https://scan.coverity.com ?
If so I think I can add the project to my dashboard by myself.

Thanks
Violeta

> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>
> Mark
Re: Coverity static analysis scanning
On 26/08/2014 10:44, Niki Dokovski wrote:
> Hi Mark,
>
> On Tue, Aug 26, 2014 at 12:20 PM, Mark Thomas wrote:
>> All,
>>
>> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>>
>> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.
>
> I'm interested.

Done. It looks like Coverity will need to approve that invite. Don't know what they will do for a non-ASF e-mail address.

Mark

>> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>>
>> Mark
Re: Coverity static analysis scanning
Hi Mark,

On Tue, Aug 26, 2014 at 12:20 PM, Mark Thomas wrote:
> All,
>
> I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.
>
> I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.

I'm interested.

> I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.
>
> Mark
Coverity static analysis scanning
All,

I have been pinged off-list by Coverity to say that they have set up Tomcat with a free account with their static code analysis service.

I think I have the ability to send invitations so if anyone wants to take a look at the results, just reply here.

I have taken a quick look and they do appear to have found some valid threading issues. There are ~350 issues in total and I don't yet have a feel for the false positive rate.

Mark