Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/

Consider running cppcheck on the CI #3316

Open gilles-peskine-arm opened 4 years ago

gilles-peskine-arm commented 4 years ago

Cppcheck is a static analysis tool for C (and C++). We should run it on our CI.

In my limited experience, Cppcheck doesn't find much compared to other tools we're already using, in particular ASan+UBSan and Coverity. But those tools only analyze a specific compile-time configuration (Coverity) or only cases that are hit by test code in a few compile-time configurations (ASan+UBSan). Cppcheck is a rare tool that tries to analyze all possible preprocessor configurations. It can find issues in “exotic” or untested configurations such as https://github.com/ARMmbed/mbedtls/pull/3310.

There's an Ubuntu package so we could fairly easily arrange to run it on Travis, however it may be a little too CPU-hungry. It's not at all expensive by the standards of what we run on Jenkins, but installing an additional package is a bit more of a hassle there.

mpg commented 4 years ago

Does it have a low enough rate of false positives? That's usually the issue with static analysis tools that makes it hard to run them as part of the CI.
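One way to run Cppcheck as a CI job (the proposal in the opening comment) without letting a non-zero false-positive rate (the concern in the reply) break every build is to gate only on findings that are not in a committed baseline. The script below is an added example, not Mbed TLS project code; the source directories, include path and baseline file name are assumptions.

```shell
#!/bin/sh
# Added example (not Mbed TLS project code): gate cppcheck in CI against a
# committed baseline so accepted false positives do not fail the build,
# while any finding not yet in the baseline does.
set -eu
export LC_ALL=C   # comm needs both inputs sorted in the same collation

# Run cppcheck over the given arguments (e.g. -I include library) and emit one
# finding per line in a stable format. Line numbers are deliberately left out
# of the template so unrelated edits do not churn the baseline. --force makes
# cppcheck try every preprocessor configuration it can derive from the
# sources, which is the property the issue is interested in.
run_cppcheck() {
    cppcheck --quiet --force --inline-suppr \
        --enable=warning,style,performance,portability \
        --template='{file}:{severity}:{id}:{message}' \
        "$@" 2>&1 | sort -u
}

# Print findings present in the current report but absent from the baseline.
# Both files must be sorted with sort -u, which is what run_cppcheck produces.
new_findings() {
    baseline=$1
    current=$2
    comm -13 "$baseline" "$current"
}

# CI entry point: returns non-zero only when there are findings that nobody
# has reviewed and added to the baseline yet.
ci_gate() {
    baseline=$1
    shift
    current=$(mktemp)
    run_cppcheck "$@" > "$current"
    new=$(new_findings "$baseline" "$current")
    rm -f "$current"
    if [ -n "$new" ]; then
        printf 'New cppcheck findings (not in %s):\n%s\n' "$baseline" "$new" >&2
        return 1
    fi
}

# Assumed invocation from the repository root:
#   ci_gate tests/cppcheck-baseline.txt -I include library
```

Accepting a finding as a known false positive means appending its line to the baseline file in the same pull request that reviewed it, so the decision is visible in the diff.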