Re: tar + cpio - covscan issues

From: Bruno Haible
Subject: Re: tar + cpio - covscan issues
Date: Sat, 10 Apr 2021 15:58:57 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-206-generic; KDE/5.18.0; x86_64; ; )

Kamil Dudka wrote:

> > When we get Coverity reports, we fix the things that are valid complaints
> > about the code, but we do NOT change the code to reduce the number of
> > reported issues. That is because
> If you have enough time to manually review the same false positives over and 
> over, this might work well for you.  Not everybody is in the same situation.

Paul and I receive a mail with the *new* issues once a week. We never review
the same issue more than once.

> So you have access to this UI, not everybody does.  Some developers prefer 
> terminal-based workflow over web-based UI.

I didn't know a different workflow was possible.

But in that workflow, in which you control everything yourself (no SaaS),
you can surely commit into the repo
  - either the list of issues produced by the last run, or
  - a list of issues that you have found to be false ones,
and use that information to limit what you have to review in the next run?

No one forces you to review the same false positives over and over again.

> > 2) About 80%
> > to 90% of the reported issues are false issues. We would be seriously
> > contorting the source code if we attempted to change the code to avoid the
> > reports.
> If you keep fixing real issues and ignoring false positives, such a situation 
> is kind of expected.

So you are in favour of adding workarounds such as the proposed

      if (copy != NULL)
        {
          data = NULL;
          return copy;
        }
      return data;

in 5 to 10 places, in order to get a useful warning in 1 place? I am not.
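The workflow suggested above, committing the previous run's issue list or a list of reviewed false positives and using it to narrow the next run's review, can be scripted. The following is an added example, not code from this thread, from tar or cpio, or from Coverity. It assumes a constructed one-issue-per-line report format (`checker|path|line|function|message`) and constructed checker, file and function names; a real covscan report would need its own parser, but the baseline logic is the same.

```python
"""Triage a static-analyzer report against a committed baseline of known
false positives, so that only issues not seen before need a human review.

Added example for this thread; not code from tar, cpio, or Coverity. The
report format below (one issue per line, fields separated by "|") and the
checker, file and function names are constructed for the example and do not
match any real covscan output."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    checker: str      # analyzer checker name (constructed values below)
    path: str         # file the issue was reported in
    line: int         # line number in that file
    function: str     # enclosing function
    message: str      # analyzer message text

    def key(self) -> str:
        # Stable identity for the baseline.  The line number is deliberately
        # left out, so an unrelated edit that shifts code down a few lines does
        # not resurrect an already-reviewed false positive as a "new" issue.
        ident = "|".join((self.checker, self.path, self.function, self.message))
        return hashlib.sha256(ident.encode("utf-8")).hexdigest()[:16]


def parse_report(text: str) -> list[Issue]:
    """Parse the constructed 'checker|path|line|function|message' format."""
    issues = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split("|", 4)
        if len(parts) != 5:
            raise ValueError(f"malformed report line: {raw!r}")
        checker, path, line, function, message = parts
        issues.append(Issue(checker, path, int(line), function, message))
    return issues


def load_baseline(text: str) -> set[str]:
    """Baseline file committed to the repo: one issue key per line, with an
    optional '# reason' comment recording why it was judged a false positive."""
    keys = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            keys.add(entry)
    return keys


def baseline_lines(issues: list[Issue], reason: str) -> list[str]:
    """Lines to append to the baseline after a human marked these as false."""
    return [f"{i.key()}  # {i.checker} {i.path}:{i.function} - {reason}"
            for i in issues]


def triage(report_text: str, baseline_text: str):
    """Split a run into issues needing review and issues already reviewed.
    Also returns baseline keys that matched nothing, so the baseline can be
    pruned when the code around a false positive is rewritten."""
    baseline = load_baseline(baseline_text)
    new, known, seen = [], [], set()
    for issue in parse_report(report_text):
        if issue.key() in baseline:
            known.append(issue)
            seen.add(issue.key())
        else:
            new.append(issue)
    stale = sorted(baseline - seen)
    return new, known, stale


# Constructed previous run.  A reviewer judged the RESOURCE_LEAK report a false
# positive (the callee takes ownership) and fixed the FORWARD_NULL for real.
PREVIOUS_RUN = """\
RESOURCE_LEAK|src/example.c|120|copy_or_keep|Variable "copy" going out of scope leaks the storage it points to
FORWARD_NULL|src/other.c|88|match_name|Dereferencing null pointer "p"
"""
BASELINE = "\n".join(baseline_lines(
    [i for i in parse_report(PREVIOUS_RUN) if i.checker == "RESOURCE_LEAK"],
    "ownership of copy is transferred to the caller")) + "\n"

# Constructed current run: the same false positive, now seven lines further
# down after an unrelated edit, plus one genuinely new report.
CURRENT_RUN = """\
RESOURCE_LEAK|src/example.c|127|copy_or_keep|Variable "copy" going out of scope leaks the storage it points to
TAINTED_SCALAR|src/third.c|40|read_header|Passing tainted expression "size" to "xmalloc"
"""

if __name__ == "__main__":
    new, known, stale = triage(CURRENT_RUN, BASELINE)
    for issue in new:
        print(f"REVIEW  {issue.checker} {issue.path}:{issue.line} ({issue.function})")
    for issue in known:
        print(f"known   {issue.checker} {issue.path}:{issue.line} (baselined)")
    for key in stale:
        print(f"stale   baseline entry {key} matched nothing; consider removing")
```

Keying on checker, file, function and message rather than on the line number is the design choice that makes the baseline survive ordinary edits; the price is that two identical reports in the same function collapse into one key, which is acceptable for a review filter but not for a count of findings. The stale list keeps the committed baseline from silently accumulating entries for code that no longer exists.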

