Re: C++ static analysis tools for CII badge

Daniel Stenberg

On Wed, 9 Jan 2019, Daniel Heckenberg wrote:

> Are there any existing resources that demonstrate an automated static analysis of C++ code for CII badge requirements? I'm hoping for something like a specific set of clang-tidy checks that covers the CVSS v2 medium and high severity vulnerabilities.

In the curl project (which is C, not C++) we run clang-tidy on every commit/PR using travis [1] (search for "tidy") and analyze it using lgtm [2]. That's pretty easy to set up.

It can be noted that Coverity is in my experience the undisputed leader of the static code analyzers for C/C++, but it isn't free. They offer a gratis scan-as-a-service for open source, but that's not suitable for on-every-commit runs, and since a few days ago the service "unexpectedly ceased operations", so we'll have to see where that goes in the future... It would be a hard blow to open source everywhere if it goes away.

[1] = https://github.com/curl/curl/blob/master/.travis.yml
[2] = https://github.com/curl/curl/blob/master/.lgtm.yml

--

/ daniel.haxx.se
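The on-every-commit clang-tidy run described above needs something that turns the tool's output into a pass/fail for the CI job. The script below is an added illustration, not curl's own tooling: it parses clang-tidy diagnostics, collapses the duplicates clang-tidy emits when a header is reported from several translation units, and fails the job if any check from a chosen blocking set fired. The file names, the sample output and the choice of blocking checks are constructed for this example; the check names themselves are real clang-tidy checks.

```python
"""Added example (not curl's script): gate a CI job on clang-tidy findings."""
import re
import subprocess
import sys
from collections import Counter

# One diagnostic per line: <file>:<line>:<col>: warning: <message> [<check>]
DIAG_RE = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): "
                     r"(?P<level>warning|error): (?P<msg>.+?) \[(?P<check>[\w.,-]+)\]$")

# Findings from these checks fail the build (the selection is this example's choice).
BLOCKING_CHECKS = {"clang-analyzer-security.insecureAPI.strcpy",
                   "clang-analyzer-core.NullDereference",
                   "clang-analyzer-unix.Malloc"}

# Constructed clang-tidy output: the strcpy warning appears twice because the
# same header line is reported from two translation units.
SAMPLE_OUTPUT = """\
src/example.h:12:5: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer [clang-analyzer-security.insecureAPI.strcpy]
    strcpy(buf, src);
    ^
src/example.c:40:3: warning: statement should be inside braces [readability-braces-around-statements]
src/example.h:12:5: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer [clang-analyzer-security.insecureAPI.strcpy]
"""

def parse_diagnostics(output):
    """Unique (file, line, col, check) tuples; source excerpt and caret lines are skipped."""
    found = []
    for raw in output.splitlines():
        m = DIAG_RE.match(raw)
        if m is None:
            continue
        key = (m["file"], int(m["line"]), int(m["col"]), m["check"])
        if key not in found:
            found.append(key)
    return found

def gate(diags, blocking=BLOCKING_CHECKS):
    """Return (passed, counts_per_check); passed is False if any blocking check fired."""
    counts = Counter(d[3] for d in diags)
    return not (set(counts) & blocking), dict(counts)

def clang_tidy_cmd(files, checks=("-*", "clang-analyzer-*", "bugprone-*")):
    """argv for a clang-tidy run; the flags after '--' stand in for the real compile flags."""
    return ["clang-tidy", "-checks=" + ",".join(checks), *files, "--", "-std=c99"]

if __name__ == "__main__":
    out = SAMPLE_OUTPUT
    if len(sys.argv) > 1:  # with source files as arguments, run clang-tidy for real
        out = subprocess.run(clang_tidy_cmd(sys.argv[1:]), capture_output=True, text=True).stdout
    passed, counts = gate(parse_diagnostics(out))
    print(counts)
    sys.exit(0 if passed else 1)
```

Run with no arguments it evaluates the constructed sample and exits 1 because the strcpy finding is in the blocking set; with source files as arguments it invokes clang-tidy and gates on the real output.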
