Heaven rewards diligence; learning never ends

coverity

Coverity Scan does not release name of deleted project

I maintain Coverity for the nanodbc project at https://scan.coverity.com/projects/lexicalunit-nanodbc. I also registered a new project for nanodbc at https://scan.coverity.com/projects/nanodbc-nanodbc that points to the new location of the git repository on GitHub. I realised I could rename the old existing project to point to that new location. I went to Coverity Scan > nanodbc/nanodbc > Project Settings and deleted the project. Yes, there was a Delete button; apparently, it is available for projects which have not submitted any builds yet. I went to Coverity Scan > lexicalunit/nanodbc > Project Settings > hit

2022-04-28 18:54:14    Category: Q&A    github   coverity

Race condition with stat and mkdir in sequence

Coverity complains of:

toctou: Calling function mkdir that uses DIR after a check function. This can cause a time-of-check, time-of-use race condition.

```c
if (stat(DIR, &st) != 0) {
    if (mkdir(DIR, 0755) < 0) {
        return ERROR;
    }
}
```

Is it good enough to change the code to the following? I was using stat only for a file-exists check.

```c
if (mkdir(NDUID_DIR, 0755) < 0) {
    if (errno != EEXIST) {
        return ERROR;
    }
}
```

Is there a better way to fix the code?

2022-02-10 22:05:44    Category: Q&A    mkdir   stat   coverity
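The point behind the TOCTOU finding is that stat() and mkdir() are two separate system calls, and the only thing the stat() adds is a window in which another process can create the path first. The question's proposed fix (let mkdir() itself be the check, accept EEXIST) closes that window, but EEXIST only says that *something* is at that path, not that it is a directory you can trust. The following is an added example, not code from the question or any answer to it: it keeps the questioner's version as the "before", then a hardened version that, on EEXIST, opens the path with O_DIRECTORY | O_NOFOLLOW so a planted regular file or symlink is rejected without ever following a link, and optionally checks ownership for directories under world-writable parents. The names ensure_dir, ensure_dir_racy and demo_base, and the scratch path under /tmp, are this example's own.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Racy "before" from the question: the existence check and the mkdir are two
// separate system calls, so another process can create (or replace) the path
// between them, e.g. with a symlink into a directory it controls.
int ensure_dir_racy(const char* path) {
    struct stat st;
    if (stat(path, &st) != 0) {          // time of check
        if (mkdir(path, 0755) < 0) {     // time of use
            return -1;
        }
    }
    return 0;
}

// Hardened version. mkdir() itself is the existence check: it either creates
// the directory or fails atomically with EEXIST. When something already
// exists we still have to confirm it is a real directory and not a symlink
// or regular file planted by someone else; O_DIRECTORY | O_NOFOLLOW does that
// without resolving a symlink.
int ensure_dir(const char* path) {
    if (mkdir(path, 0755) == 0) {
        return 0;
    }
    if (errno != EEXIST) {
        return -1;                       // permission problem, missing parent, ...
    }
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        return -1;                       // ENOTDIR for a file, ELOOP for a symlink
    }
    // For directories under world-writable parents such as /tmp, also insist
    // that the directory we just opened is owned by us.
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    close(fd);
    return 0;
}

// Private scratch path under /tmp for the demonstration (this example's own
// name, not from the question).
std::string demo_base() {
    return "/tmp/coverity-toctou-demo." + std::to_string(static_cast<long>(getpid()));
}

int main() {
    std::string base = demo_base();
    std::string sub = base + "/sub";
    std::string file = base + "/file";
    std::string link = base + "/link";

    std::printf("create base:      %d\n", ensure_dir(base.c_str()));
    std::printf("create sub:       %d\n", ensure_dir(sub.c_str()));
    std::printf("create sub again: %d\n", ensure_dir(sub.c_str()));   // 0, idempotent

    int fd = open(file.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd >= 0) close(fd);
    int r = ensure_dir(file.c_str());
    std::printf("file as dir:      %d (%s)\n", r, r < 0 ? std::strerror(errno) : "ok");

    symlink(sub.c_str(), link.c_str());
    r = ensure_dir(link.c_str());
    std::printf("symlink as dir:   %d (%s)\n", r, r < 0 ? std::strerror(errno) : "ok");

    unlink(link.c_str());
    unlink(file.c_str());
    rmdir(sub.c_str());
    rmdir(base.c_str());
    return 0;
}
```

Two points worth keeping in mind: on EEXIST the hardened version still opens the path, so the check is on the real object rather than on a name that may have been swapped, and the ownership test is what protects you when the parent directory is writable by other users; drop it only when the parent is under your control.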

Coverity finding: Not restoring ostream format (STREAM_FORMAT_STATE)

We are catching a Coverity finding CID 156014: Not restoring ostream format (STREAM_FORMAT_STATE) (text below and image at the end).

```cpp
const std::streamsize oldp = cout.precision(6);
// 5. format_changed: setf changes the format state of std::cout for category floatfield.
const std::ios::fmtflags oldf = cout.setf(std::ios::fixed, std::ios::floatfield);
cout << " Maurer Randomness Test returned value " << mv << endl;
// 6. format_changed: precision changes the format state of std::cout for category precision.
cout.precision(oldp);
// 7. format_restored: setf changes the format state of std
```

2022-02-10 18:37:05    Category: Q&A    c++   precision   coverity
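STREAM_FORMAT_STATE fires because the reported code changes two pieces of std::cout's state (floatfield flags and precision) and restores them by hand afterwards, which is easy to get wrong and is skipped entirely if anything between the change and the restore throws. The usual way to make the checker happy and the code correct is a small RAII guard that snapshots the stream state and puts it back in its destructor. The following is an added example, not code from the question: StreamStateGuard, report_maurer, state_is_restored and print_after_report are this example's own names, and the example writes to a std::ostringstream so the restored state can be checked rather than eyeballed.

```cpp
#include <ios>
#include <iostream>
#include <ostream>
#include <sstream>
#include <string>

// RAII guard: records the formatting state of a stream on construction and
// puts it back on destruction, on every exit path including exceptions.
class StreamStateGuard {
public:
    explicit StreamStateGuard(std::ios_base& s)
        : s_(s), flags_(s.flags()), precision_(s.precision()), width_(s.width()) {}
    ~StreamStateGuard() {
        s_.flags(flags_);
        s_.precision(precision_);
        s_.width(width_);
    }
    StreamStateGuard(const StreamStateGuard&) = delete;
    StreamStateGuard& operator=(const StreamStateGuard&) = delete;
private:
    std::ios_base& s_;
    std::ios_base::fmtflags flags_;
    std::streamsize precision_;
    std::streamsize width_;
};

// Same output as the reported code, but the caller's flags and precision are
// restored by the guard rather than by hand-written cleanup.
void report_maurer(std::ostream& os, double mv) {
    StreamStateGuard guard(os);
    os.setf(std::ios::fixed, std::ios::floatfield);
    os.precision(6);
    os << " Maurer Randomness Test returned value " << mv << '\n';
}

// True when the stream's formatting state after report_maurer is identical
// to what it was before the call.
bool state_is_restored(double mv) {
    std::ostringstream os;
    const std::ios_base::fmtflags flags_before = os.flags();
    const std::streamsize prec_before = os.precision();
    report_maurer(os, mv);
    return os.flags() == flags_before && os.precision() == prec_before;
}

// What a later, unrelated print looks like on the same stream after
// report_maurer ran: with the guard it is untouched by the fixed/6 setting.
std::string print_after_report(double later) {
    std::ostringstream os;
    report_maurer(os, 0.123456789);
    os.str("");          // discard the report text, keep the (restored) state
    os << later;
    return os.str();
}

int main() {
    report_maurer(std::cout, 0.123456789);
    std::cout << "state restored: " << state_is_restored(0.123456789) << '\n';
    std::cout << "later value:    " << print_after_report(2.5) << '\n';   // "2.5", not "2.500000"
    return 0;
}
```

The guard restores width as well as flags and precision; width is reset by most inserters anyway, but capturing it costs nothing and covers the case where a caller set it and then threw before the next insertion.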

C++ : Coverity reports leaks for peculiar use of references and containers

Coverity reports leaks for the following code. I would like some help understanding the errors and to re-write this code to be error free. (The errors are annotated as comments in the code below.)

```cpp
int main() {
    ...
    B* b = ...
    // (1) Coverity: Storage is returned from
    //     allocation function operator new
    // (2) Coverity: Assigning ...
    A* a = new A();
    // (3) Coverity: noescape: Resource a is not freed
    //     or pointed-to in add_a_to_b
    b->add_a_to_b( *a );
    ...
    // (4) Coverity: Resource leak: Variable a going out
    //     of scope leaks the storage it points to.
}

class B {
public:
    std::vector<A> a_vector
```

2022-02-10 06:41:17    Category: Q&A    c++   memory-leaks   coverity
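The findings are all one mistake read four ways: add_a_to_b takes a reference and the vector stores A by value, so the call copies *a into a_vector and the heap object behind a is never owned by anyone. Coverity's "noescape" event is exactly that observation (the pointer does not escape into the callee), and "Variable a going out of scope" is the consequence. The following is an added example, not the question's code: A is given a live-instance counter so the leak is visible without a tool, B keeps the question's shape, and leaked_by_original_pattern / leaked_after_fix are this example's own names. The fixed version shows three ways to get the same result, all of which drop the raw new.

```cpp
#include <iostream>
#include <memory>
#include <vector>

// Instrumented stand-in for the question's A: counts live instances so the
// leak is observable without a tool.
struct A {
    static int alive;
    int value;
    explicit A(int v) : value(v) { ++alive; }
    A(const A& o) : value(o.value) { ++alive; }
    ~A() { --alive; }
};
int A::alive = 0;

// Same shape as the question's B: the vector stores A by value, so
// add_a_to_b copies its argument and never takes ownership of the referent.
class B {
public:
    std::vector<A> a_vector;
    void add_a_to_b(const A& a) { a_vector.push_back(a); }
};

// The pattern Coverity flags: the heap A is copied into the vector and the
// original is never deleted. Returns how many A objects outlived the scope.
int leaked_by_original_pattern() {
    const int before = A::alive;
    {
        B b;
        A* a = new A(1);
        b.add_a_to_b(*a);   // a copy goes into b.a_vector; *a itself is orphaned
    }                       // b and its copy are destroyed here; *a is not
    return A::alive - before;   // 1
}

// Three fixes with the same observable result: nothing outlives the scope.
int leaked_after_fix() {
    const int before = A::alive;
    {
        B b;
        A stack_a(1);
        b.add_a_to_b(stack_a);            // 1. automatic storage, no new at all
        b.add_a_to_b(A(2));               // 2. temporary, destroyed at end of statement
        auto owned = std::make_unique<A>(3);
        b.add_a_to_b(*owned);             // 3. unique_ptr frees the heap object
        b.a_vector.emplace_back(4);       // or construct in place, no copy
    }
    return A::alive - before;   // 0
}

int main() {
    std::cout << "leaked (original): " << leaked_by_original_pattern() << '\n';
    std::cout << "leaked (fixed):    " << leaked_after_fix() << '\n';
    return 0;
}
```

If the heap allocation really is required (polymorphic A, or an object that must outlive the caller), the vector should hold std::unique_ptr<A> and add_a_to_b should take one by value, so that ownership moves into B and the pointer does escape.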

How do I ignore /usr/include in Coverity Scan?

Question: I've set up a project to use Coverity Scan. Under Analysis Settings → Project Components I have

Component name   Pattern                 Ignore in analysis
cxxopts          .*/src/cxxopts.hpp      Yes
STL              /usr/include/c++/.*     Yes

but when I go to View defects I still see 9 issues, all from files like /usr/include/c++/5.4.1/functional. How do I actually exclude them? Confusingly, the Overview tab shows 12 Total defects, 2 Outstanding, 7 Dismissed, 3 Fixed, even though View defects shows 9 issues (is that the 7+2? Why are some outstanding and some dismissed, when all should be ignored?)

Answer 1: It looks like a regex pattern, in which case the "++" probably needs some form of escaping. I'm not sure which form, since I don't know how the string is interpreted or which regex syntax is used, but some variant of the following should work:

/usr/include/c\+\+/.*
/usr/include/c\\+\\+/.*
/usr/include/c\\\+\\\+/.*

If none of these works, I'd suggest contacting scan-admin@coverity.com (listed on the scan site as the contact email for problems). This would also explain why the overview shows results for those files.

2022-01-22 21:19:26    Category: Tech Sharing    coverity
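Why the unescaped rule silently matches nothing: in every common regex dialect "+" is a quantifier, so the pattern "/usr/include/c++/.*" either is rejected as a malformed repetition or is read as "one or more c, then /", and neither form matches a path that literally contains "c++". The following is an added example, not part of the question or answer, that models the component table as an ordered list of (name, pattern, ignore) rules and classifies the header path from the question with both the pattern as entered and the escaped pattern the answer suggests. It uses std::regex in ECMAScript mode as a stand-in; which engine Coverity Scan actually uses is not stated on the page, and path_matches, classify and the Component struct are this example's own names.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

struct Component {
    std::string name;
    std::string pattern;   // regular expression matched against the full path
    bool ignore;
};

// Whether `path` is matched by `pattern` when the pattern is treated as an
// ECMAScript regex that must cover the whole path. A pattern the engine
// rejects counts as "matches nothing", which is how a broken rule behaves.
bool path_matches(const std::string& pattern, const std::string& path) {
    try {
        return std::regex_match(path, std::regex(pattern));
    } catch (const std::regex_error&) {
        return false;
    }
}

// First component whose pattern matches the path; an empty name if none does.
Component classify(const std::vector<Component>& components, const std::string& path) {
    for (const Component& c : components) {
        if (path_matches(c.pattern, path)) return c;
    }
    return Component{"", "", false};
}

// Path from the question, and a constructed project path for the other rule.
const std::string kFunctionalHdr = "/usr/include/c++/5.4.1/functional";
const std::string kProjectFile   = "/home/user/project/src/cxxopts.hpp";

// The two rules exactly as the question lists them: "c++" is parsed as
// quantifiers, so the STL rule never matches a real libstdc++ path.
const std::vector<Component> kAsEntered = {
    {"cxxopts", ".*/src/cxxopts.hpp", true},
    {"STL",     "/usr/include/c++/.*", true},
};

// Same rules with the plus signs escaped, as the answer suggests.
const std::vector<Component> kEscaped = {
    {"cxxopts", ".*/src/cxxopts.hpp", true},
    {"STL",     "/usr/include/c\\+\\+/.*", true},
};

int main() {
    for (const auto* rules : {&kAsEntered, &kEscaped}) {
        Component c = classify(*rules, kFunctionalHdr);
        std::cout << kFunctionalHdr << " -> "
                  << (c.name.empty() ? "(no component, analysed)" : c.name + (c.ignore ? " (ignored)" : ""))
                  << '\n';
    }
    return 0;
}
```

A quick way to validate a pattern before saving it in the component map is to run it through whatever regex tool is to hand against a real path from a defect report; a rule that matches nothing gives no error, it just leaves the defects where they were.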

How do I ignore /usr/include in Coverity Scan?

I've set up a project to use Coverity Scan. Under Analysis Settings → Project Components I have

Component name   Pattern                 Ignore in analysis
cxxopts          .*/src/cxxopts.hpp      Yes
STL              /usr/include/c++/.*     Yes

but still when I go to View defects I see 9 issues, all from files like /usr/include/c++/5.4.1/functional. How do I actually exclude them? Confusingly, the Overview tab shows 12 Total defects, 2 Outstanding, 7 Dismissed, 3 Fixed, even though View defects shows 9 issues (is that the 7+2? Why are some outstanding and some dismissed, when all should be ignored?)

2022-01-21 16:12:45    Category: Q&A    coverity

What preprocessor symbols does Coverity define for a build using 'cov-build'?

Question: We use Coverity's Scan Build service for free and open source projects. I'm looking into two Coverity findings about tainted parameters (TAINTED_SCALAR). The taint is a false positive, so I'm trying to instrument the code with Coverity's __coverity_tainted_data_sanitize__ to clear the issue. I want to guard the code that needs __coverity_tainted_data_sanitize__, because the function is only used with an analysis build that uses Coverity's cov-build tool. That is, I want to do something like:

```cpp
void Foo(std::istream& is, ...)
{
    std::string name;
    is >> name;
#if <SOME_COVERITY_PREPROCESSOR_MACRO>
    __coverity_tainted_data_sanitize__(name);
#endif
    ...
}
```

Coverity has several examples of using __coverity_tainted_data_sanitize__, but they don't show how to guard it. For example, see the function model example for tainted scalars and the section on explicitly recording parameter passing mechanisms. I also couldn't find it when querying the preprocessor (see below). Which preprocessor macros does Coverity define to identify an analysis build?

Preprocessor output

$ cov-build --dir ~/temp

2022-01-16 12:48:35    Category: Tech Sharing    c++   macros   c-preprocessor   coverity
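The macro the question is after is __COVERITY__: cov-build hands the translation units to Coverity's own front end (cov-emit), and that front end predefines __COVERITY__, which is why querying the system compiler's preprocessor does not show it. The following is an added example, not the question's code: it wraps the primitive in a COVERITY_SANITIZE macro that expands to __coverity_tainted_data_sanitize__ only under __COVERITY__ and to nothing otherwise, so a production compiler never sees the call, and it pairs the annotation with the actual validation that justifies it. The names COVERITY_SANITIZE, is_safe_name, read_name and accepts, and the allowlist, are this example's own; the example does not try to declare the primitive, on the assumption that cov-emit recognises it as in Coverity's own model examples.

```cpp
#include <cctype>
#include <iostream>
#include <istream>
#include <sstream>
#include <stdexcept>
#include <string>

// cov-emit predefines __COVERITY__. Under any other compiler the macro is
// absent and the sanitize call vanishes, so the modeling primitive never has
// to exist in a production build.
#if defined(__COVERITY__)
#  define COVERITY_SANITIZE(x) __coverity_tainted_data_sanitize__(x)
#else
#  define COVERITY_SANITIZE(x) ((void)0)
#endif

// The check that actually makes the name safe: bounded length and a strict
// allowlist (this example's choice). Telling Coverity the data is sanitized
// is only honest if a validation like this one runs first.
bool is_safe_name(const std::string& s) {
    if (s.empty() || s.size() > 64) return false;
    for (unsigned char c : s) {
        if (!(std::isalnum(c) || c == '_' || c == '-' || c == '.')) return false;
    }
    return true;
}

// Mirrors the question's Foo: read one token, validate it, and only then
// mark it clean for the analyzer. Rejected input never reaches the callers.
std::string read_name(std::istream& is) {
    std::string name;
    if (!(is >> name)) throw std::runtime_error("no name in input");
    if (!is_safe_name(name)) throw std::invalid_argument("rejected name: " + name);
    COVERITY_SANITIZE(name);   // no-op unless compiled by cov-emit
    return name;
}

// True if `text` (a constructed sample input) yields an accepted name.
bool accepts(const std::string& text) {
    std::istringstream is(text);
    try {
        (void)read_name(is);
        return true;
    } catch (const std::exception&) {
        return false;
    }
}

int main() {
    for (const char* sample : {"alice_01", "../etc/passwd", "bob; rm -rf /", ""}) {
        std::cout << '"' << sample << "\" -> " << (accepts(sample) ? "accepted" : "rejected") << '\n';
    }
    return 0;
}
```

Keeping the primitive inside a project-level macro rather than repeating the #if at every call site also makes it easy to audit where taint is being declared clean, which is worth doing: a sanitize annotation placed before the validation silences the checker without fixing anything.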