天道酬勤,学无止境

How do I ignore /usr/include in Coverity Scan?

I've set up a project to use Coverity Scan.

Under Analysis Settings→Project Components I have

Component name  Pattern              Ignore in analysis     
cxxopts         .*/src/cxxopts.hpp         Yes  
STL             /usr/include/c++/.*        Yes  

but still when I go to View defects I see 9 issues, all from files like /usr/include/c++/5.4.1/functional. How do I actually exclude them?


Confusingly, the Overview tab shows

12 Total defects
2 Outstanding
7 Dismissed
3 Fixed

even though View defects shows 9 issues (is that the 7+2? Why are some outstanding and some dismissed, when all should be ignored?)

标签

评论

It looks like a regex pattern, in which case the "++" likely needs some form of escaping. I'm not sure which form, because I don't know how the strings are being interpreted or what kind of regex syntax is being used, but some variant of the following should work:

/usr/include/c\+\+/.*
/usr/include/c\\+\\+/.*
/usr/include/c\\\+\\\+/.*

If none of these work, I'd suggest contacting scan-admin@coverity.com (listed as the contact email for questions on the scan website).

This would also explain why the overview shows results from these files at all.

受限制的 HTML

  • 允许的HTML标签:<a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • 自动断行和分段。
  • 网页和电子邮件地址自动转换为链接。

相关推荐
  • 如何设置 Travis/Rails 项目以提交给 Coverity Scan?(How to setup a Travis/Rails project to submit to Coverity Scan?)
    问题 我正在为 rails 应用程序寻找 std travis 覆盖设置。 我当前的 .travis.yml 文件如下所示: # environment settings env: - DB=sqlite - DB=mysql - DB=postgresql env: global: # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created # via the "travis encrypt" command using the project repo's public key - secure: "<SECURE>" # project language language: ruby rvm: - 2.3.1 # branches to build (whitelist) branches: only: - master - coverity_scan - testing # command to run before install before_install: - echo -n | openssl s_client -connect scan.coverity.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
  • How to setup a Travis/Rails project to submit to Coverity Scan?
    I'm looking for a std travis coverity setup for a rails application. My current .travis.yml file looks like this: # environment settings env: - DB=sqlite - DB=mysql - DB=postgresql env: global: # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created # via the "travis encrypt" command using the project repo's public key - secure: "<SECURE>" # project language language: ruby rvm: - 2.3.1 # branches to build (whitelist) branches: only: - master - coverity_scan - testing # command to run before install before_install: - echo -n | openssl s_client -connect scan.coverity.com:443 | sed
  • 如何从coverity-scan中删除项目(how to remove a project from coverity-scan)
    问题 我过去用coverity-scan注册了一个项目。 我现在想从coverity-scan(或至少从我的仪表板中删除该项目;但我最好完全删除该项目)。 我被卡住了,因为网络界面中似乎没有这样的选项。 我错过了什么吗? 回答1 你不能。 我刚刚要求 Coverity 的支持删除一个并得到答复: 我们通常不会从 SCAN 中删除项目,因为我们会保留项目的汇总指标。 回答2 在“项目设置”页面的最底部有一个“删除您的项目”按钮。 回答3 删除您的项目按钮仅对项目管理员可用,并且仅当构建尚未提交进行分析时才可用。
  • Coverity Scan 无法构建定义了 _GNU_SOURCE(Coverity Scan fails to build <stdlib.h> with _GNU_SOURCE defined)
    问题 当_GNU_SOURCE被定义时,Coverity Scan Build Tool 无法在 Ubuntu 18.04 上编译任何包含<stdlib.h> C 文件: $ cat > main.c #include <stdlib.h> int main() { } $ $ gcc -D_GNU_SOURCE=1 -o main main.c $ $ /opt/cov-analysis/bin/cov-build --dir cov-int gcc -D_GNU_SOURCE=1 -o main main.c Coverity Build Capture (64-bit) version 2017.07 on Linux 4.15.0-20-generic x86_64 ... [WARNING] Emitted 0 C/C++ compilation units (0%) successfully ... $ 相同的构建在 Ubuntu 16.04 或没有_GNU_SOURCE定义的情况下_GNU_SOURCE : $ /volatile/local/cov-analysis/bin/cov-build --dir cov-int gcc -o main main.c Coverity Build Capture (64-bit) version 2017.07 on
  • how to remove a project from coverity-scan
    I've registered a project with coverity-scan in the past. I would now like to remove that project from coverity-scan (or at least from my dashboard; but preferrably i'd like to remove the project entirely). I'm stuck as there seems to be no such option in the web-interface. am i missing something?
  • 为每个Travis拉取请求构建运行Coverity扫描(Run Coverity scan for every Travis pull request build)
    问题 我想尽可能地使学生作业评分系统自动化。 理想情况下,提交作业时将采取这些步骤。 学生分叉我的Github存储库并修改文件学生将本地代码推送到其存储库并创建请求请求 Travis CI检测到拉取请求并运行拉取请求构建如果代码构建成功, Coverity将对提取请求运行静态代码分析学生从Github拉取请求页面获取构建状态 我已经为我的回购中的每个拉取请求成功设置了Travis构建。 我已经通过Travis成功为仓库中的每个提交运行了Coverity扫描。 但是我无法触发Coverity扫描来获取拉取请求,仅运行Travis构建。 我可以解决此问题并为每个拉取请求维护Coverity扫描报告吗? 这是我的.travis.yml language: c compiler: gcc env: global: # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created # via the "travis encrypt" command using the project repo's public key - secure: "WHkT1bLbpz8VA8tl
  • TravisCI / Coverity:警告 - 未发出任何文件(TravisCI / Coverity: Warning - No files were emitted)
    问题 我有一个中等大小的 github 存储库,我为其配置了 Travis-CI/Coverity 工具。 大约一个月前,我的设置运行良好:Travis 编译并构建了我的应用程序,然后执行 Coverity 扫描,我可以在我的 Coverity 页面上看到结果。 但是,最近,Coverity 分析停止工作。 我查看了 Travis 日志文件,并在构建成功时与旧日志进行了比较,这就是我发现的: 在日志的末尾,失败的版本包含下一个警告: [警告] 未发出任何文件。 这可能是由于您的配置存在问题,或者因为您的构建命令实际上没有编译任何文件。 请确保您已经配置了编译中实际使用的编译器。 更多详情请查看:/home/travis/build/name/repo-name/build/cov-int/build-log.txt 正在提取 0 个文件的 SCM 数据... ... 因此, Travis 构建正在通过,但没有为 Coverity 生成任何内容。 我检查了我的 Travis 配置文件,它与 Coverity 构建成功时的提交相同。 为了实验,我克隆了我的项目存储库,在构建成功时回滚到版本并为它们设置 Travis/Coverity。 你猜怎么着? 同样的警告! 因此,过去(大约 35 天前)有效的相同设置不再有效。 因此,我得出结论,由于 Travis 没有生成某些文件
  • Can't get Coverity Scan to work (Java/Kotlin/Gradle 3.3 on Windows and Travis)
    UPDATE: See the solution in Caleb's answer I am trying really hard to make Coverity work for my build, but so far with little success. First the details: My project is run of the mill java library (no web or fancy containers), very few compile-only dependencies, built using Gradle The production code is written in Java and Kotlin The complete project is available on github: https://github.com/ddimtirov/nuggets And on Coverity Scan: https://scan.coverity.com/projects/ddimtirov-nuggets?tab=project_settings My development environment is Windows 10, Java 1.8.0_92, Gradle 3.3, CMD shell (though I
  • Run Coverity scan for every Travis pull request build
    I want to automate student assignment grading system as much as possible. Ideally these steps will be taken when submitting the assignment. Student forks my Github repository and modifies files Student pushes the local code to his repository and creates pull request Travis CI detects pull request and run Pull Request build If code builds successfully, Coverity runs static code analysis for the pull request Student gets build status from the Github pull request page I've successfully set Travis builds for every pull request in my repo. I have successfully run Coverity scan via Travis for every
  • 无法使用 Coverity Scan(Windows 和 Travis 上的 Java/Kotlin/Gradle 3.3)(Can't get Coverity Scan to work (Java/Kotlin/Gradle 3.3 on Windows and Travis))
    问题 更新:请参阅 Caleb 的答案中的解决方案 我真的很努力地让 Coverity 为我的构建工作,但到目前为止收效甚微。 先说细节: 我的项目运行的是 Mill Java 库(没有 web 或花哨的容器),只有很少的编译依赖项,使用 Gradle 构建生产代码是用 Java 和 Kotlin 编写的完整的项目可在 github 上找到:https://github.com/ddimtirov/nuggets 关于 Coverity Scan:https://scan.coverity.com/projects/ddimtirov-nuggets?tab=project_settings 我的开发环境是 Windows 10、Java 1.8.0_92、Gradle 3.3、CMD shell(虽然我也尝试过 Cygwin 和 Mingw Bash) Linux 上也有 Travis 构建 我首先从以下位置下载一个包:https://scan.coverity.com/download/java/win64 然后我将 bin 目录添加到我的路径中,转到我的项目根目录并运行以下命令。 $ set PATH=%PATH%;C:\Users\dimit\sandbox\cov-analysis\bin $ gradlew clean $ cov-build --dir cov-int
  • TravisCI / Coverity: Warning - No files were emitted
    I have a medium size github repository for which I configured Travis-CI/Coverity tools. About a month ago my setup had worked just fine: Travis compiled and built my application, and then performed the Coverity scan and I could see the results on my Coverity page. However, lately, the Coverity analysis stopped working. I looked through the Travis log files and compared to the old logs when the builds were successful and that's what I found: At the end of the log, the failed version contains the next warning: [WARNING] No files were emitted. This may be due to a problem with your configuration
  • Coverity Scan fails to build <stdlib.h> with _GNU_SOURCE defined
    The Coverity Scan Build Tool fails to compile any C file that includes <stdlib.h> on Ubuntu 18.04 when _GNU_SOURCE is defined: $ cat > main.c #include <stdlib.h> int main() { } $ $ gcc -D_GNU_SOURCE=1 -o main main.c $ $ /opt/cov-analysis/bin/cov-build --dir cov-int gcc -D_GNU_SOURCE=1 -o main main.c Coverity Build Capture (64-bit) version 2017.07 on Linux 4.15.0-20-generic x86_64 ... [WARNING] Emitted 0 C/C++ compilation units (0%) successfully ... $ The same build works perfectly on Ubuntu 16.04 or without _GNU_SOURCE defined: $ /volatile/local/cov-analysis/bin/cov-build --dir cov-int gcc -o
  • Coverity 为使用“cov-build”的构建定义了哪些预处理器符号?(What preprocessor symbols does Coverity define for a build using 'cov-build'?)
    问题 我们将 Coverity 的 Scan Build 服务用于免费和开源项目。 我正在研究有关受污染参数( TAINTED_SCALAR )的两个 Coverity 调查结果。 污点是误报,因此我尝试使用 Coverity 的__coverity_tainted_data_sanitize__检测代码以清除问题。 我想保护需要使用__coverity_tainted_data_sanitize__的代码,因为该函数仅与使用 Coverity 的 cov-build 工具的分析构建一起使用。 也就是说,我想做类似的事情: void Foo(std::istream& is, ...) { std::string name; is >> name; #if <SOME_COVERITY_PREPROCESSOR_MACRO> __coverity_tainted_data_sanitize__(name); #endif ... } Coverity 有几个关于使用__coverity_tainted_data_sanitize__的示例,但它们没有展示如何保护它。 例如,参见污染标量的函数模型示例和显式记录参数传递机制。 在询问预处理器时我也找不到它(见下文)。 Coverity 定义了哪些预处理器宏来确定分析构建? 预处理器输出 $ cov-build --dir ~/temp
  • What preprocessor symbols does Coverity define for a build using 'cov-build'?
    We use Coverity's Scan Build service for free and open source projects. I am working through two Coverity findings on tainted parameters (TAINTED_SCALAR). The taint is a false positive, so I am trying to instrument the code with Coverity's __coverity_tainted_data_sanitize__ to clear the issue. I want to guard the code that needs to use __coverity_tainted_data_sanitize__ because the function is only used with analysis builds using Coverity's cov-build tool. That is, I want to do something like: void Foo(std::istream& is, ...) { std::string name; is >> name; #if <SOME_COVERITY_PREPROCESSOR_MACRO
  • 在 clang-tidy 中忽略系统标题(Ignore system headers in clang-tidy)
    问题 tldr;> 如何在 clang-tidy 中隐藏来自系统标题的警告? 我有以下最小的示例源文件,它会在系统标头中触发 clang-tidy 警告: #include <future> int main() { std::promise<int> p; p.set_value(3); } 在 Ubuntu 17.04 上使用 clang-tidy 4.0.0 使用 libstdc++ 7.0.1 调用它: $ clang-tidy main.cpp -extra-arg=-std=c++14 产量 Running without flags. 1 warning generated. /usr/lib/gcc/x86_64-linux-gnu/7.0.1/../../../../include/c++/7.0.1/mutex:693:5: warning: Address of stack memory associated with local variable '__callable' is still referred to by the global variable '__once_callable' upon returning to the caller. This will be a dangling reference [clang-analyzer
  • 如何正确引用 GNU readline 库来扫描终端输入?(How do I properly reference the GNU readline library to scan terminal input?)
    问题 我正在尝试编译在 GNU readline 中使用以下内容的 C 代码。 #include <readline/readline.h>; #include <readline/history.h>; 我尝试将<>更改为""并使用和不使用-lreadline选项进行编译。 似乎没有任何效果。 在gcc下不使用-lreadline进行编译时,编译时会生成以下内容(详细): Reading specs from /software/gcc-3.4.6-0/pkg/lib/gcc/i386-unknown-freebsd6.1/3.4.6/specs Configured with: ../gcc-3.4.6/configure --prefix=/software/gcc-3.4.6-0/pkg --disable-dependency-tracking --localstatedir=/var --disable-nls --program-suffix=34 --enable-shared --enable-version-specific-runtime-libs Thread model: posix gcc version 3.4.6 /software/gcc-3.4.6-0/pkg/libexec/gcc/i386-unknown-freebsd6.1/3.4.6
  • How do I properly reference the GNU readline library to scan terminal input?
    I am attempting to compile C code that utilizes the following within GNU readline. #include <readline/readline.h>; #include <readline/history.h>; I've tried changing the <> to "" and compiling both with and without the -lreadline options. Nothing seems to work. When compiling without -lreadline under gcc results in the following being generated while compiling (verbose): Reading specs from /software/gcc-3.4.6-0/pkg/lib/gcc/i386-unknown-freebsd6.1/3.4.6/specs Configured with: ../gcc-3.4.6/configure --prefix=/software/gcc-3.4.6-0/pkg --disable-dependency-tracking --localstatedir=/var --disable
  • C 中的受污染字符串(Tainted string in C)
    问题 我在我的文件操作函数中运行 Coverity 工具并收到以下错误。 正如您在下面看到的,我在将此变量传递给错误消息中显示的行号之前使用了 snprintf()。 我想必须对字符串进行一些清理,作为 snprintf() 的一部分。 但仍然显示警告。 Error:TAINTED_STRING (TAINTED string "fn" was passed to a tainted string sink content.) [coverity] char fn[100]; int id = 0; char* id_str = getenv("ID"); if (id_str) { id = atoi(id_str); } memset(fn, '\0', sizeof(fn)); snprintf(fn, 100, LOG_FILE, id); if(fn[100-1] != '\0') { fn[100-1] = '\0'; } log_fp = fopen (fn, "a"); 任何帮助将不胜感激。 回答1 请尝试以下操作: char* id_str = getenv("ID"); if (id_str) { id_str = strdup(id_str); id = atoi(id_str); free( id_str ); } 传递给 fopen
  • 上传构建进行分析后出现“上次构建状态:失败”("Last Build Status: Failed" after uploading a build for analysis)
    问题 我们对免费和开源项目使用 Coverity 的免费扫描服务。 在过去两个月左右的时间里,我们一直无法使用该服务。 在服务失败之前,我们进行了六次左右的良好分析。 提交扫描结果: 上次构建状态:失败。 由于以下原因,您的构建失败。 请修复错误并重新上传构建。 错误详细信息::无法检索 tar 文件 Coverity 非常擅长提供复制/粘贴说明,我们虔诚地复制/粘贴了它们。 我们验证没有构建错误,并验证构建以“131 个 C/C++ 编译单元 (100%) 已准备好进行分析”和“cov-build 实用程序成功完成”结尾。 我们已尝试通过验证来自服务的“失败电子邮件”响应中提供的此通用解决方案中的内容来解决此问题。 我们验证或执行了所有这些,除了第四个。 我们没有执行第四项,因为 Coverity 的文档很糟糕(这与他们出色的扫描服务完全相反)。 因为没有要阅读的说明或 RTFM,我们不知道应该为bin/cov-configure转动哪些旋钮。 我们不想弄乱它,因为它过去有效。 我们还尝试了以下方法: 使用网络提交表单和浏览器从命令行使用 curl 将cov-int/打包成 tarball 将cov-int/打包成 zip 文件项目名称全部使用小写将项目名称的第一个字母大写 即使使用 ZIP 文件,我们也总是收到相同的消息( “无法检索 tar 文件” )。 回想一下,在大约 6
  • 如何以编程方式检测 GitHub 存储库中的非活动分支?(How can I programmatically detect inactive branches in GitHub repositories?)
    问题 我在 GitHub 存储库中有十几个存储库。 存储库结构如下所示: + project1 +------- trunk +------- tags +------- branches + ------- releases + project2 .... 我们的政策要求在 30 天不活动后删除任何活动分支。 但是,没有自动检测这种非活动分支的方法。 偶尔,我有一些不活动的分支可以存活超过 30 天。 是否有一个脚本可以列出所有 GitHub 存储库中的分支以及它们的最后提交日期? Edit1 - 还有一种方法可以通过 API 获取多少组织和他们所拥有的项目吗? 回答1 GitHub Repository API应该能够帮助你解决这个问题。 列出分支机构 语法: GET /repos/:owner/:repo/branches 示例: https : //api.github.com/repos/libgit2/libgit2sharp/branches 获取有关分支的详细信息 语法: GET /repos/:owner/:repo/branches/:branch 示例: https : //api.github.com/repos/libgit2/libgit2sharp/branches/coverity 此调用方法公开分支的尖端(即最新提交),您可以从中检索提交日期。