

The first year of Coverity Linux kernel scans - khc
http://codemonkey.org.uk/2014/08/13/year-coverity-linux-kernel-scans/

======
lelf
Examples of the actual errors found would be far more interesting.

~~~
justinmk
If it's anything like the Neovim coverity report, it's probably not
particularly interesting. But it is extremely helpful, and it's impressive
what static analysis can find in a legacy C codebase. Here's the Neovim clang
analysis:

[http://neovim.org/doc/build-reports/clang/](http://neovim.org/doc/build-reports/clang/)

Click on any of the "View Report" links to see a line-by-line step-through of
each suspected bug.

(Coverity doesn't allow public access to reports AFAIK, so can't link to it.)

~~~
seren
Sorry to hijack the thread, but if I want to fix some neovim Coverity
issues, where should I register / who should I ask? I have already had a look
at your waffle but it was not crystal clear. Will just creating a Coverity account
allow me to access the report? Thanks in advance.

~~~
davis
Login then go to
[https://scan.coverity.com/projects/2227](https://scan.coverity.com/projects/2227)
and request access. If you want to fix Coverity issues, request access at the
Contributor level.

For more info on Coverity fixes and conventions, check out the Wiki page:
[https://github.com/neovim/neovim/wiki/Contributing#coverity](https://github.com/neovim/neovim/wiki/Contributing#coverity)

------
gwern
Has the use of Coverity on the kernel led to any improvements in Coverity
itself, aside from the mentioned email feature request?

~~~
cperciva
I don't know about Linux, but I've heard that they made lots of improvements
in Coverity after running it against FreeBSD (we were one of the first large
codebases they inspected), most notably in false-positive reduction, since it
provided them with an opportunity to see lots of idioms which are correct but
potentially confusing to a static analysis tool.

~~~
ddp
Is Coverity integrated into the FreeBSD build system? A quick search on
FreeBSD.org shows some activity back in 2006 but not much mention of it since.
I'd be interested in seeing the results in /usr/src/sys/netinet6 and netipsec.
Is there a reason why the scan results require committer access?

~~~
cperciva
_Is there a reason why the scan results require committer access?_

Coverity says that only "project members" can get access to the full bug
reports. IIRC there's also a rule about not posting verbatim Coverity reports
anywhere publicly visible.

I assume this is "stop the competition from seeing what we're doing", but I've
never asked.

~~~
khc
I think the bigger problem is that the issues are potentially security issues.

