Re: C++ static analysis tools for CII badge
On Wed, 9 Jan 2019, Daniel Heckenberg wrote:
> Are there any existing resources that demonstrate an automated static analysis of C++ code for CII badge requirements? I'm hoping for something like a specific set of clang-tidy checks that covers the CVSS v2 medium and high severity vulnerabilities.

In the curl project (which is C, not C++) we run clang-tidy on every commit/PR using travis [1] (search for "tidy") and analyze it using lgtm [2]. That's pretty easy to set up.

It can be noted that Coverity is, in my experience, the undisputed leader among the static code analyzers for C/C++, but it isn't free. They offer a gratis scan-as-a-service for open source, but that isn't suitable for on-every-commit runs, and since a few days ago the service "unexpectedly ceased operations", so we'll have to see where that goes in the future... It would be a hard blow to open source everywhere if it goes away.

[1] = https://github.com/curl/curl/blob/master/.travis.yml
[2] = https://github.com/curl/curl/blob/master/.lgtm.yml
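For readers who want to reproduce the "clang-tidy on every commit/PR" setup mentioned above, here is a minimal Travis CI job of that shape. This is an added example, not curl's own .travis.yml: it assumes the sources live under src/ with headers under include/, that the code compiles with the plain flags given after "--", and that a clang-tidy package is installable from the LLVM apt source named below (the source and package names are assumptions to adjust for your image). The check groups are standard clang-tidy families; which of them map to a given CVSS severity is something you decide per project, not something clang-tidy encodes.

```yaml
# Added example (not from the curl project): run clang-tidy on every push
# and pull request, failing the build on any finding.
language: c
dist: xenial

addons:
  apt:
    sources:
      - llvm-toolchain-xenial-7   # assumed LLVM apt source for this image
    packages:
      - clang-tidy-7              # assumed package name; adjust to your image

script:
  - |
    set -e
    # Security-relevant check families. Start narrow, then widen as the
    # code base gets clean; a noisy list gets ignored, not fixed.
    CHECKS='clang-analyzer-*,bugprone-*,cert-*'
    # -warnings-as-errors='*' turns every enabled check into a build failure,
    # which is what makes the job useful as a per-commit gate.
    for f in $(find src -name '*.c'); do
      clang-tidy-7 -checks="$CHECKS" -warnings-as-errors='*' "$f" -- -Iinclude -std=c99
    done
```

If the project already produces a compile_commands.json (CMake's CMAKE_EXPORT_COMPILE_COMMANDS, or bear for autotools builds), replace the loop with run-clang-tidy so each file is analyzed with its real compile flags; the hand-written "-- -Iinclude -std=c99" tail is only correct when every file builds with the same flags.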