struts-dev mailing list archives

From "Martin Cooper" <>
Subject Re: Coverity Scan
Date Thu, 17 Jan 2008 18:25:53 GMT
On Jan 17, 2008 4:10 AM, Ted Husted <> wrote:

> There's a company that's been scanning open source project codebases
> for static flaws. In November 2007, they announced that Java projects
> are being added.
>  *
> There's been the odd email about using these projects foundation-wide,
> possibly by running them locally. But, the core service described by
> this press release seems to be external.
> I couldn't find a list of Java projects on the website. The next step
> seems to be to send an email to <>.
> If we are not already on the list, my question is whether we would
> like to opt-in now or not?

It looks like it might be worth investigating further, at least. My two
concerns at this point are:

1) How, and how often, do they pull the source code? We've seen issues in
the past related to external organisations trying to be helpful but -
perhaps inadvertently - beating up rather heavily on the ASF infrastructure.

2) It appears that there are NDAs involved at higher "levels" of the
process. I'd want to be sure that either we are in a position to sign such
NDAs or that we wouldn't be stuck at some lower level because we can't, and
having the project look bad because we cannot reach the higher levels.

If we can reach a satisfactory resolution on these points, I'd be in favour
of giving it a go.

Martin Cooper

> My thought is that we might want to be proactive. In the alternative,
> we are likely to find one day that Coverity has started to scan us
> unilaterally, and then be surprised by a lot of new fixes to make.
> Since Struts is an approved framework for several government agencies
> (DoD, VA, and so forth), I would think that we would be on the short
> list anyway.
> -Ted.
