Details
- Task
- Resolution: Out of scope
- P2: Important
Description
How do we get the most out of Coverity while reducing the number of invalid issues (false positives) it reports? We can:
- exclude third-party code, examples and tests from analysis
- annotate false positives: prepend the flagged line with a comment of the form // coverity[event_tag_id]
- develop modeling files for patterns that trigger false positives (see https://scan.coverity.com/tune)
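A modeling file of the kind the third bullet describes, as an added example (not code from this project or from Coverity). The `project_*` wrappers are hypothetical names standing in for a project's own fatal-error and allocator functions, and the `__coverity_*__` stubs exist only so the file also builds as plain C outside Coverity, which is assumed to define `__COVERITY__`:

```c
#include <stddef.h>

#ifdef __COVERITY__
/* Real model build: Coverity supplies these primitives, so only declare them. */
void  __coverity_panic__(void);
void *__coverity_alloc__(size_t size);
void  __coverity_free__(void *p);
#else
/* Stand-alone build: stubs so the file compiles as plain C and the models can
 * be exercised.  Assumption: Coverity's compiler defines __COVERITY__, so the
 * analyzer never sees this branch. */
#include <stdlib.h>
static void  __coverity_panic__(void) { abort(); }
static void *__coverity_alloc__(size_t size) { return malloc(size); }
static void  __coverity_free__(void *p) { free(p); }
#endif

/* Model 1: the project's fatal-error wrapper (hypothetical) never returns, but
 * its exit lives in a library Coverity did not build, so the analyzer would
 * otherwise assume execution continues past `if (!p) project_fatal(...)` and
 * report a NULL dereference (e.g. FORWARD_NULL) on the guarded path.  The model
 * body is all the analyzer reads; the real implementation is ignored. */
void project_fatal(const char *msg)
{
    (void)msg;
    __coverity_panic__();
}

/* Model 2: the project's allocator pair (hypothetical).  Without a model,
 * RESOURCE_LEAK cannot pair project_alloc with project_free and may flag
 * every wrapped allocation; the primitives teach it the pairing. */
void *project_alloc(size_t size)
{
    return __coverity_alloc__(size);
}

void project_free(void *p)
{
    __coverity_free__(p);
}

#ifndef __COVERITY__
/* Smoke test for the stand-alone build: returns 1 when an alloc/free round
 * trip through the modelled pair succeeds. */
int model_selftest(void)
{
    void *p = project_alloc(64);
    if (p == NULL)
        return 0;
    project_free(p);
    return 1;
}
#endif
```

The model file is compiled with cov-make-library and handed to the analysis (or uploaded on the scan.coverity.com tune page); it replaces the real bodies of the modelled functions during analysis only and is never linked into the product.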
Some links:
- Quick Start Guide: cov-configure, cov-build and cov-commit
- Coverity Checker Reference Documentation https://scan3.coverity.com/doc/en/cov_checker_ref.html
- https://community.synopsys.com/s/article/How-to-write-a-function-model-to-eliminate-a-false-positive-in-a-C-applilcation
- https://devguide.python.org/coverity/ (Python)
- https://github.com/qemu/qemu/blob/master/scripts/coverity-model.c (QEMU's model file)
- https://events.static.linuxfound.org/sites/events/files/slides/LinuxCon-EU-2015-Coverity.pdf
- Travis-CI integration: https://scan.coverity.com/travis_ci https://docs.travis-ci.com/user/coverity-scan/
- GitHub Actions integration: https://community.synopsys.com/s/article/Synopsys-Detect-GitHub-Action https://www.synopsys.com/blogs/software-security/synopsys-detect-github-action-sast-sca/ (example on a Ruby repo)
- GitLab CI: https://www.synopsys.com/blogs/software-security/integrating-coverity-scan-with-gitlab-ci/