
Show HN: Cloud-based Static Code Analysis for Java - maratb
https://code-spotter.com/
======
froh42
What is the benefit of this over findbugs, checkstyle, pmd, etc?

~~~
pjmlp
I tried to search for information why this over Sonar and found nothing.

~~~
maratb
Sonar _used_ to be just about running other open source tools, such as
FindBugs, PMD, and Checkstyle. (BTW, Code Spotter runs FindBugs alongside
Coverity analysis to complement the results). Sonar later added its own rule
engine (Squid). More recently, I've come across SSLR - SonarSource Language
Recognizer - which looks like a library for building custom coding rules.

Still, the Coverity analyzer (which is what's behind Code Spotter) does deep
interprocedural analysis and finds very different kinds of issues. I think the
best way to see the difference is to try it out on a sample project.

------
eloisant
So you have to launch it locally? Can't it observe changes on a public git
repository and run it after each commit?

~~~
maratb
You can run it on a hosted continuous integration service, such as Travis CI.
The documentation is a little thin right now, but we will add this to the docs
soon.

~~~
pron
Why upload the code if you can git clone it?

~~~
maratb
Only if it comes from a repo that's hosted somewhere (i.e., not behind a
firewall). Code Spotter is not restricted to GitHub, git, or any other
particular SCM. If the code can be built, it can be analyzed.

~~~
pron
Sure, but _if_ the code is already hosted on a public git, it would be more
convenient if you could simply clone it.

~~~
maratb
There's a bit more to it. It's not enough to point Code Spotter / Coverity to
a pile of code, it needs to observe the actual build in order to know
precisely what is built and how it is built. While for some projects you can
extract that information from the build files (e.g., maven poms), there are
cases where this will fail. (For example, when the build generates some of the
source files.) The most reliable way to understand how a project is
constructed is to observe an actual build.

This is particularly true for C/C++ and C#, which are not yet supported on
Code Spotter, but will be in the future. This precise understanding of a
project's composition is one of the many reasons Coverity's false positive
rate is relatively low.
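The point made above, that only watching the real build reveals sources the build itself generates, can be seen with a generic build-observation trick: put a shim named javac first on PATH, let it log every compiler invocation, and compare that log with the checked-in source tree. This is an added illustration and not Code Spotter's or Coverity's own mechanism; the project layout, build script, file contents and the function names (make_project, install_javac_shim, observed_sources, checked_in_sources) are constructed for the demonstration. The shim forwards to a real javac if one is installed and otherwise only records, so the script runs without a JDK.

```shell
#!/bin/sh
# Added example (not Code Spotter's or Coverity's own code): observe a Java
# build by putting a javac shim first on PATH. The shim records every compiler
# invocation, so sources the build generates on the fly are captured even
# though they never appear in the checked-in tree. Project layout, build
# script and file contents are constructed for the demonstration.
set -eu

# make_project DIR: write a toy project whose build generates one source file.
make_project() {
    dir="$1"
    mkdir -p "$dir/src/main/java/app"
    cat > "$dir/src/main/java/app/Main.java" <<'JAVA'
package app;
public class Main {
    public static void main(String[] args) { System.out.println(Generated.VALUE); }
}
JAVA
    # The build script writes Generated.java before compiling. This is the case
    # a build-file parser misses: the file does not exist until the build runs.
    cat > "$dir/build.sh" <<'BUILD'
#!/bin/sh
set -e
mkdir -p target/generated-sources/app target/classes
printf 'package app;\npublic class Generated { public static final String VALUE = "hi"; }\n' \
    > target/generated-sources/app/Generated.java
javac -d target/classes src/main/java/app/Main.java target/generated-sources/app/Generated.java
BUILD
    chmod +x "$dir/build.sh"
}

# install_javac_shim DIR: write DIR/shim/javac, which appends its arguments to
# $JAVAC_LOG and then forwards to the real javac found on $REAL_PATH, if any.
install_javac_shim() {
    dir="$1"
    mkdir -p "$dir/shim"
    cat > "$dir/shim/javac" <<'SHIM'
#!/bin/sh
# Record one argument per line: options, output dir and every source file.
printf '%s\n' "$@" >> "$JAVAC_LOG"
# Forward to the real compiler when one is installed; otherwise only record.
real=$(PATH="$REAL_PATH" command -v javac || true)
if [ -n "$real" ]; then exec "$real" "$@"; fi
SHIM
    chmod +x "$dir/shim/javac"
}

# observed_sources DIR: run the build with the shim first on PATH and print the
# source files the compiler was actually handed (paths relative to DIR).
observed_sources() {
    dir="$1"
    : > "$dir/javac.log"
    # REAL_PATH captures the unshimmed PATH before PATH is overridden.
    ( cd "$dir" && JAVAC_LOG="$dir/javac.log" REAL_PATH="$PATH" \
        PATH="$dir/shim:$PATH" ./build.sh )
    grep '\.java$' "$dir/javac.log"
}

# checked_in_sources DIR: what you see by looking at the source tree alone.
checked_in_sources() {
    find "$1/src" -name '*.java'
}

# Usage: sh observe_build.sh demo
if [ "${1:-}" = "demo" ]; then
    proj=$(mktemp -d)
    make_project "$proj"
    install_javac_shim "$proj"
    echo "checked-in sources:";        checked_in_sources "$proj"
    echo "sources actually compiled:"; observed_sources "$proj"
fi
```

Running it with the demo argument lists one file under src/ but two files in the compiler log; the generated one is only visible because the compiler was intercepted. A real build-capture tool has to cover every compiler and every way it can be invoked (Maven and Gradle fork or embed javac, annotation processors emit further sources), which is the part that makes "observe the actual build" more reliable than reading pom files.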

------
pron
It's a little strange for a Coverity product to appear as a "Show HN".

~~~
maratb
Why? It is a new product (though based on the existing technology), a new
model (cloud-based vs traditional Coverity on-premise), it is in free and
unlimited beta, and we are soliciting feedback. Seems like a reasonable "Show
HN", no?

~~~
dang
It is indeed a reasonable Show HN.

https://news.ycombinator.com/showhn.html

A new feature normally wouldn't qualify. A new product is fine, as long as
people are able to try it out.

