bluGill (in reply to daniel:// stenberg://):

@bagder@mastodon.social Regardless of the size of your code, static analysis is allowed no more than 10 false positives. Coverity needs to withdraw that update and fix the bugs.

I know that is a hard bar (there are many projects more complex than curl, or so I would expect; many are much larger in any case), but too many false positives means you just mark everything as a false positive. I dropped all support for one tool because I finally tracked down a bug, and right next to the line at fault was the comment shutting off the static analyzer - which is to say we no longer trusted that tool anyway and so just shut it up without investigation, so there was no point. By keeping the maximum rule at 10 I'm able to confidently say we have investigated every false positive and we overall still trust the tool.

daniel:// stenberg:// (in reply to bluGill):

@bluGill I wish we had that say about what Coverity should do and not. As a user of a free service I can of course stop using it if I don't like it, and that's about it, and I bet Coverity cares very little about that...