|
| From: | Paul Eggert |
| Subject: | Re: tar + cpio - covscan issues |
| Date: | Sun, 11 Apr 2021 12:50:36 -0700 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 |
On 4/10/21 11:40 AM, Bruno Haible wrote:
True. But it clutters up the source code. For tools that produce 5-10 times more false reports than good reports, I wouldn't do this.
Likewise. Static analysis tools come and go, but source code is forever.I like Bruno's suggestion of suppressing analysis of Gnulib-copied source files. That's longstanding practice when using Gnulib in other projects. For example, in Coreutils, './configure --enable-gcc-warnings' uses a different set of gcc -W flags for Gnulib-supplied code because Gnulib doesn't bother pacifying GCC about some issues where Coreutils does bother (they would all be false alarms anyway). You could do something similar with Coverity, cppcheck, etc.
| [Prev in Thread] | Current Thread | [Next in Thread] |