Subject: Re: GCC 10 analyzer findings


From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sun, 19 Jul 2020 09:30:16 +0200 (CEST)

On Sat, 18 Jul 2020, Brad House wrote:

> I haven't yet analyzed your result.  But I don't personally have problems
> with accepting PRs that silence analyzer warnings, even if they are false
> positives.

As long as such changes improve the project, I agree completely. However, the
nature of false positives is that, as they are false, the work-around to
silence them can sometimes be quirky and I personally don't agree to "messing
things up" in order to silence a tool that is wrong.

> Conversely, if you've ever messed with Coverity, it's impossible to silence
> some of their false positives by modifying code, you have to use their
> dashboard, I never could figure that one out :/

In my view and experience from curl, Coverity is the king among static code
analyzers for C (we regularly use seven different ones) - for us Coverity
detects the most issues and it offers the best explanations for how to reach
them. I've never had any problems silencing false positives with their
dashboard - and I prefer out-of-source means to silence warnings - as
otherwise we can easily end up in a situation where the different analyzers
will insist on different work-arounds for their false positives. For me, the
largest downside with Coverity is that it isn't an open tool, just a free (to
some) service.

-- 
  / daniel.haxx.se
Received on 2020-07-19