activemq-dev mailing list archives

From Jiri Danek <jda...@redhat.com>
Subject [DISCUSS] Coverity Scan for Artemis
Date Thu, 23 Feb 2017 13:20:36 GMT
Hi folks, last week I submitted Artemis for inclusion into Coverity Scan.
Many Apache projects are there already, so you probably know about it. In
case you don't, it is static code analysis as-a-service which is free of
charge for open source.

The project is now approved by Coverity. You can open it and view the
analysis. You should be able to open
https://scan.coverity.com/projects/apache-activemq-artemis and click "Add me
to project".

There are three visibility settings for the public. You can show either
nothing, show some basic stats like number of lines of code, number of
issues, and issues per kloc, or let anybody browse source and see
individual issues. I selected the second option.

There is a feature to send e-mail with a description of newly found issues to
a given e-mail address. I did not fill in any address yet.

Currently, I am in "Admins" of the Coverity Scan project, with the right to
add other users and submit project builds for analysis*. This is something
that would need adjusting if you feel that Coverity Scan is useful and if
established people in the community step up wanting to take over (from me ;)

I uploaded all Artemis releases to date, ending with 2.0.0-snapshot from
last Friday, then looked at the results and found that

1) It did not find the overflow I reported in
https://issues.apache.org/jira/browse/ARTEMIS-986; a possible reason is that
this would be discovered by the FindBugs tool, and in the project settings it
is configured not to show FindBugs results (that is the default setting).

2) I tried to find some findings that are obviously not false positives, which
turned out to be quite hard, but I got one:
      - mismatched braces and indentation at
https://scan7.coverity.com/reports.htm#v25191/p14213/g25191g/fileInstanceId=9927190&defectInstanceId=2438316&mergedDefectId=1409238&fileStart=251&fileEnd=500
(the whole if statement is weird, although since it is in generated code, it
does not really count; I would probably still add the braces to the .jj
file, though)

3) Found an obvious false positive where it is warning about a concurrent
modification of a concurrent hashset (because the hashset is implemented by
Artemis and Coverity does not understand it is concurrent)

4) The most useful view of issues seems to be when I group issues by
component or filter out the "tests" and "test" components.

It would certainly require somebody who understands the code to review it
and decide if it is useful to have or not...

Cheers,

---------------------
* About submitting project build for analysis

The way I've been uploading the builds for analysis is by following their
quickstart ;) The only tricky part is the build command, which I had to
struggle with a bit to disable errorprone:

    /mnt/cov/cov-analysis-linux64-8.7.0/bin/cov-build --dir ../cov-int mvn -Pexamples -DskipTests=true -Djavac-compiler-id=javac package

In addition, I had to go through pom.xml and artemis-selectors/pom.xml and
delete the compiler args specific to errorprone; I did not find a way to do
this with maven options.

(cov-analysis-linux64-8.7.0 is just proprietary software downloaded from
Coverity that one needs to run)


-- 
Jiří Daněk,
