Re: C++ static analysis tools for CII badge

Daniel Stenberg

On Wed, 9 Jan 2019, Daniel Heckenberg wrote:

> Are there any existing resources that demonstrate an automated static analysis of C++ code for CII badge requirements? I'm hoping for something like a specific set of clang-tidy checks that covers the CVSS v2 medium and high severity vulnerabilities.
In the curl project (which is C, not C++) we run clang-tidy on every commit/PR using Travis [1] (search for "tidy") and analyze it using lgtm [2]. That's pretty easy to set up.

It can be noted that Coverity is, in my experience, the undisputed leader of the static code analyzers for C/C++, but it isn't free. They offer a gratis service to scan code as a service for open source, but that's not suitable for on-every-commit runs, and since a few days ago the service "unexpectedly ceased operations", so we'll have to see where that goes in the future... It would be a hard blow to open source everywhere if it goes away.

[1] =
[2] =
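As an added illustration of the "clang-tidy on every commit" setup mentioned above (example code, not curl's actual CI configuration and not part of the original message): a small shell script that runs clang-tidy with a memory-safety-oriented check set over every file in a compile database and fails the build when anything is reported. The check list, the use of jq to read compile_commands.json, and the sample clang-tidy output used to exercise the gate are all assumptions made for this example; which checks a project gates on is its own decision.

```shell
#!/usr/bin/env bash
# Added example, not curl's CI script: run clang-tidy with a security-oriented
# check set on every file in a compile database and fail the build when it
# reports anything. Assumes clang-tidy and jq are on PATH when run_tidy is
# invoked; the parsing and gating helpers below work on captured output alone.
set -u

# Check groups chosen for C memory-safety and API-misuse bugs. This is an
# assumed starting set, not a list the CII badge or curl prescribes.
tidy_checks() {
  printf '%s' "-*,clang-analyzer-*,bugprone-*,cert-*,-cert-err34-c"
}

# Run clang-tidy on each file listed in compile_commands.json and print its
# diagnostics to stdout. $1 = build directory containing compile_commands.json.
run_tidy() {
  local build_dir="$1"
  jq -r '.[].file' "$build_dir/compile_commands.json" | sort -u |
  while IFS= read -r src; do
    clang-tidy -p "$build_dir" --checks="$(tidy_checks)" --quiet "$src" 2>/dev/null
  done
}

# Count clang-tidy diagnostics of one severity ("warning" or "error") read from
# stdin. A diagnostic line has the form:
#   path/to/file.c:LINE:COL: warning: message [check-name]
# (Paths containing ':' are not handled; adjust the pattern on Windows.)
count_findings() {
  local severity="$1"
  grep -cE "^[^:]+:[0-9]+:[0-9]+: ${severity}: " || true
}

# CI gate: read clang-tidy output from stdin, return 1 if any warning or error
# was reported, 0 otherwise. Notes alone do not fail the build.
gate() {
  local out n
  out="$(cat)"
  n=$(( $(printf '%s\n' "$out" | count_findings warning) + $(printf '%s\n' "$out" | count_findings error) ))
  if [ "$n" -gt 0 ]; then
    printf 'clang-tidy: %d finding(s), failing the build\n' "$n" >&2
    return 1
  fi
  return 0
}

# Constructed sample output (not from a real clang-tidy run) so the gate can be
# exercised offline; file names and messages are made up for the example.
SAMPLE_OUTPUT='lib/url.c:120:5: warning: Call to function '"'"'strcpy'"'"' is insecure [clang-analyzer-security.insecureAPI.strcpy]
lib/url.c:140:9: warning: Potential leak of memory pointed to by '"'"'p'"'"' [clang-analyzer-unix.Malloc]
lib/cookie.c:88:3: error: use of undeclared identifier '"'"'x'"'"' [clang-diagnostic-error]'

# Usage in CI: run_tidy build | gate   (exit status becomes the job status)
# Offline demo on the constructed sample: ./tidy-gate.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_OUTPUT" | gate
fi
```

The gate deliberately treats every warning as fatal rather than trying to map clang-tidy checks onto CVSS severities: clang-tidy reports code patterns, not scored vulnerabilities, so the practical way to use it for a badge-style requirement is to pick a check set, run it on every change, and keep the result at zero.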
