On Wed, 2014-07-30 at 00:41 -0700, Bryce Harrington wrote:
On Tue, Jul 29, 2014 at 11:11:13PM +0200, Johan Engelen wrote:
Hi all, Is this something we want to sign up to? https://continuousassurance.org/
After a quick browse around their website, they seem to offer a platform that runs static analysis tools. We can run them ourselves (and have done so not so long ago), but it is nice to have a website do it for all of us. (unfortunately, not many of us compile with clang; I gave up the fight on Windows a while back, and will have to try again later)
Perhaps you could drop them a line and see if they have special offers for open source / non-profit projects like us? Coverity has done this for various projects.
In any case, before forming an opinion on this I'd want to know the ballpark cost, and what the results/output looks like.
I just looked, it's free.
From past experience I know that the trick with static analysis tools is less in the actual running of them, and more in following up on getting the discovered issues resolved, so another question would be if we have volunteers interested in working on those issues.
I think this looks quite interesting. I would help out.
I also suspect that 90% of the benefit will be gained from the first run, since it'll flag a ton of issues. Once we've addressed all those, the amount of new issues that crop up over time should be much smaller. So if it ends up being very expensive, we could consider signing up for the minimum amount of time just to get the raw list of issues.
Tav