static-analysis

Fortify Source Analyzer and Apache Lenya

那年仲夏, submitted on 2019-12-21 19:19:23
Question: I am trying to use Fortify Source Code Analyzer for a research project at my school to test the security of open source Java web applications. I am currently working on Apache Lenya. I am working with the last stable release (Lenya v2.0.2). Inside the root directory there is a file named build.sh. This file is called to build Lenya using the version of Ant that ships with the release (in the tools/bin folder). I can build Lenya just fine when I run ./build.sh. So, it would be assumed that

Should static analysis warnings fail the CI build?

丶灬走出姿态, submitted on 2019-12-21 10:41:40
Question: Our team is investigating various options for static analysis in our project, and we have mixed opinions about whether we want our Continuous Integration build to fail because of warnings from static analysis. The argument against failing the build is that there are often exceptions to the rules, and attempting to work around them just to make the build succeed reduces productivity. A better approach would be to generate reports with the build, and regularly dedicate developer time to addressing
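A middle path between "fail on every warning" and "only generate reports" is to fail the build on new findings only: the existing backlog lives in a committed baseline, a pull request cannot add to it, and rules the team considers noisy are reported without blocking. The gate below is an added example written for this page; it is not code from the original post or from any particular analyzer. Its one-finding-per-line input format (path:line:rule-id:message), the rule ids and the two sample runs are constructed for the example.

```python
"""Ratchet gate for static-analysis findings.

Added example, not code from the original post or from any named analyzer.
The build fails only on findings that are absent from a committed baseline
("no new debt"), while findings that disappeared are reported so the
baseline can be shrunk. The one-finding-per-line input format
"path:line:rule-id:message", the rule ids and the sample runs are all
constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<path>[^:]+):(?P<line>\d+):(?P<rule>[A-Za-z0-9_.-]+):(?P<msg>.*)$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    message: str

    def fingerprint(self) -> str:
        # Hash path, rule and the message with digits masked, but never the
        # line number: a finding must not become "new" because code above it moved.
        masked = re.sub(r"\d+", "#", self.message)
        raw = f"{self.path}|{self.rule}|{masked}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def parse_findings(text: str) -> List[Finding]:
    """Parse one finding per line; blank lines and '#' comments are skipped."""
    out = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unparseable finding: {raw!r}")
        out.append(Finding(m["path"], int(m["line"]), m["rule"], m["msg"].strip()))
    return out


def keyed(findings: List[Finding]) -> Dict[str, Finding]:
    """Map 'fingerprint:occurrence' -> finding.

    The occurrence index makes a second copy of an already-known finding in
    the same file count as new, which a plain set of fingerprints would hide.
    """
    seen: Dict[str, int] = {}
    out: Dict[str, Finding] = {}
    for f in sorted(findings, key=lambda f: (f.path, f.line)):
        fp = f.fingerprint()
        n = seen.get(fp, 0)
        seen[fp] = n + 1
        out[f"{fp}:{n}"] = f
    return out


def compare(current: List[Finding], baseline: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Return (findings new since the baseline, baseline findings now fixed)."""
    cur, base = keyed(current), keyed(baseline)
    new = [cur[k] for k in cur if k not in base]
    fixed = [base[k] for k in base if k not in cur]
    return new, fixed


def gate(current_text: str, baseline_text: str, block_rules: Optional[Set[str]] = None) -> int:
    """CI exit status: 1 if a blocking new finding exists, else 0.

    block_rules=None blocks on every new finding; a set restricts blocking to
    those rule ids, so a known-noisy rule is still reported but does not fail
    the build.
    """
    new, fixed = compare(parse_findings(current_text), parse_findings(baseline_text))
    blocking = [f for f in new if block_rules is None or f.rule in block_rules]
    for f in new:
        tag = "BLOCK" if f in blocking else "warn "
        print(f"{tag} {f.path}:{f.line} {f.rule}: {f.message}")
    for f in fixed:
        print(f"fixed {f.path}:{f.line} {f.rule} (drop it from the baseline)")
    return 1 if blocking else 0


# Constructed sample data: the baseline is a snapshot of an earlier run.
BASELINE_RUN = """
src/auth.py:10:hardcoded-secret:Possible hardcoded password in assignment
src/util.py:42:unsafe-deserialize:pickle.loads called on untrusted input
src/old.py:3:unused-import:'os' imported but unused
"""

CURRENT_RUN = """
# auth.py grew two lines, so the known finding moved from line 10 to 12
src/auth.py:12:hardcoded-secret:Possible hardcoded password in assignment
src/util.py:42:unsafe-deserialize:pickle.loads called on untrusted input
src/api.py:7:sql-string-concat:SQL query built by string concatenation
"""

if __name__ == "__main__":
    raise SystemExit(gate(CURRENT_RUN, BASELINE_RUN))
```

Run as a script it exits 1 because of the new sql-string-concat finding while the moved hardcoded-secret finding is correctly treated as pre-existing; the baseline file is regenerated by the same parser whenever the team deliberately accepts the current state, and the "fixed" lines tell you when it can be shrunk.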

-isystem for MS Visual Studio C++ Compiler

馋奶兔, submitted on 2019-12-21 08:24:03
Question: I usually like to have a lot of warnings enabled when programming. However, some libraries contain code that easily causes warnings (.., python, Qt, ..). When compiling with gcc I can just use -isystem instead of -I to silence that. How can I do the same with the MS compiler? I know of the warning #pragma, but I would like a solution that does not involve compiler-specific code all over the place. I also know that I can turn off specific warnings, but that is not what I want either. BTW:

Static analysis tool to check locking before access to variable

血红的双手。, submitted on 2019-12-21 05:04:28
Question: I know there are quite a few static analysis tools for C# or .Net around. See this question for a good list of available tools. I have used some of those in the past and they have a good way of detecting problems. I am currently looking for a way to automatically enforce some locking rules we have in our teams. For example I would like to enforce the following rules: "Every public method that uses member foo must acquire a lock on bar" or "Every call to foobar event must be outside lock to
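Both rules in the question are lexical lock-discipline checks, and the shape of such a checker is the same whatever the target language. Below is an added example, not code from the post or from any of the .Net tools it refers to, that enforces them over Python source with the standard `ast` module: `foo` may only be touched inside a `with self.bar:` block, and the `foobar` event may not be raised while `bar` is held. The sample class is constructed. The analysis is deliberately flow-insensitive: only `with self.<lock>:` counts as holding the lock, so explicit `acquire()` calls and locks taken by a caller are not recognised, and a nested function defined under the lock is treated as unlocked because it may run after the lock is released.

```python
"""Lexical lock-discipline checker for Python classes.

Added example, not taken from the original post or any listed tool. Rules:
  require: attr -> lock that must be held (via `with self.<lock>:`) when
           self.<attr> is read or written
  forbid:  attr -> lock that must NOT be held when self.<attr> is used, e.g.
           an event/callback that would call out of the class under the lock
The sample class at the bottom is constructed for this example.
"""
import ast
from typing import Dict, List, Optional, Tuple

Violation = Tuple[int, str]  # (line number, message)


class LockDiscipline(ast.NodeVisitor):
    def __init__(self, require: Dict[str, str], forbid: Dict[str, str],
                 exempt=("__init__",)):
        self.require, self.forbid, self.exempt = require, forbid, exempt
        self.held: List[str] = []          # locks lexically held at this point
        self.violations: List[Violation] = []

    @staticmethod
    def self_attr(node: ast.AST) -> Optional[str]:
        """Return 'x' for an expression of the form self.x, else None."""
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id == "self"):
            return node.attr
        return None

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        if node.name in self.exempt:
            return                          # constructor: object not yet shared
        # A nested def may execute after the enclosing `with` has released the
        # lock, so inside it nothing counts as held (conservative choice).
        saved, self.held = self.held, []
        self.generic_visit(node)
        self.held = saved

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_With(self, node: ast.With) -> None:
        acquired = [n for n in (self.self_attr(i.context_expr) for i in node.items) if n]
        self.held.extend(acquired)
        for stmt in node.body:
            self.visit(stmt)
        for _ in acquired:
            self.held.pop()

    def visit_Attribute(self, node: ast.Attribute) -> None:
        name = self.self_attr(node)
        if name is not None:
            lock = self.require.get(name)
            if lock and lock not in self.held:
                self.violations.append((node.lineno, f"{name} used without holding {lock}"))
            lock = self.forbid.get(name)
            if lock and lock in self.held:
                self.violations.append((node.lineno, f"{name} used while holding {lock}"))
        self.generic_visit(node)


def check(source: str, require: Dict[str, str], forbid: Dict[str, str]) -> List[Violation]:
    """Parse source and return sorted (line, message) violations."""
    checker = LockDiscipline(require, forbid)
    checker.visit(ast.parse(source))
    return sorted(checker.violations)


# Constructed sample: one correct method and three violations.
SAMPLE = '''\
import threading

class Account:
    def __init__(self):
        self.bar = threading.Lock()
        self.foo = 0

    def deposit(self, n):
        with self.bar:
            self.foo += n

    def peek(self):
        return self.foo  # read without the lock

    def reset_and_notify(self):
        with self.bar:
            self.foo = 0
            self.foobar()  # event fired while holding the lock

    def deferred(self):
        with self.bar:
            def later():
                return self.foo  # closure may run after the lock is released
            return later
'''

if __name__ == "__main__":
    for line, msg in check(SAMPLE, require={"foo": "bar"}, forbid={"foobar": "bar"}):
        print(f"line {line}: {msg}")
```

Running it reports lines 13, 18 and 23 of the sample. The same visitor structure (a stack of held locks pushed on entering a `with`, popped on leaving, cleared inside nested definitions) is what a Roslyn analyzer would do over C# `lock` statements; what changes is only the syntax tree API.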

clang's scan-build doesn't work for simple cpp file

最后都变了-, submitted on 2019-12-21 04:16:09
Question: I can't get clang's c++-analyzer to work on a toy C++ file.

    #include <iostream>
    using namespace std;
    int main() {
        int t[4];
        int x, y;
        t[5] = 1;       // out-of-bounds write the analyzer should report
        if (x) y = 5;   // x is read uninitialized
        x = t[y];       // y may be uninitialized, index may be out of bounds
    }

makefile is just

    all: t.cpp
    	$(CXX) t.cpp

scan-build make output:

    scan-build: 'clang' executable not found in '/usr/share/clang/scan-build/bin'.
    scan-build: Using 'clang' from path: /usr/bin/clang
    /usr/share/clang/scan-build/c++-analyzer t.cpp
    scan-build: Removing directory '/tmp/scan-build-2012-06-14-6' because it contains no

Tool for source code analysis? [closed]

喜欢而已, submitted on 2019-12-21 03:17:06
Question: Source code analysis and exploration tools for C and C++ seem to be sorely lacking. Are there any tools which I can use to gather information about C and/or C++ source files? cscope does part of what I would need, Doxygen looks closer. At a minimum, a list of all functions, callers, callees, variable references etc.

Any tools to check for duplicate VB.NET code?

谁都会走, submitted on 2019-12-20 18:26:10
Question: I wish to get a quick feeling for how much "copy and paste" coding we have; there are many tools for C# / Java to check for this type of thing. Are there any such tools that work well with VB.NET? (I have seen what looks like lots of repeated code, but wish to get some number to help me make a case for sorting it out.) Update on progress: I have just tried Simian. It does not seem to be able to produce a nicely formatted report I can send by email. It does not cope when the names of local

Closed type classes

亡梦爱人, submitted on 2019-12-20 17:35:17
Question: Is it possible to create a typeclass that can no longer admit new members (perhaps by using module boundaries)? I can refuse to export a function necessary for a complete instance definition, but that only results in a runtime error if someone produces an invalid instance. Can I make it a compile time error?
Answer 1: I believe the answer is a qualified yes, depending on what you're trying to achieve. You can refrain from exporting the type class name itself from your interface module [1], while

Tool for automatically check docstring style according to PEP257 [closed]

强颜欢笑, submitted on 2019-12-20 17:27:19
Question: Tools like pep8 can check source code style, but they don't check if docstrings are formatted according to pep257, pep287. Are there such tools? Update: I decided to implement such a static analysis tool on my own, see: https://github.com/GreenSteam/pep257 Right now, most of pep257 is covered. Design was heavily
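To show what "covering PEP 257" involves, here is a small docstring checker written as an added example for this page; it is not code from the pep257 project linked above. It walks a module with the standard `ast` module and applies the layout rules PEP 257 states: every public module, class and function has a docstring, the summary line ends with a period, a multi-line docstring has a blank line after its summary and closes its quotes on a line of their own, a one-liner keeps its closing quotes on the same line, and triple double quotes are used. The DOC1 to DOC7 codes and the sample module are constructed for this example and differ from the project's own error codes. It needs Python 3.8 or later for `ast.get_source_segment`.

```python
"""Minimal PEP 257 docstring checker.

Added example, not the pep257 project's code. Checks the layout rules PEP 257
states (presence, summary punctuation, blank line after summary, placement of
closing quotes, quote style). Error codes DOC1..DOC7 and the sample module
are constructed for this example. Requires Python 3.8+ for
ast.get_source_segment.
"""
import ast
from typing import List, Optional, Tuple

Violation = Tuple[int, str, str]  # (line, code, message)
DEF_TYPES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)


def is_public(name: str) -> bool:
    """PEP 257 covers all public names; dunder methods such as __init__ count as public."""
    return not name.startswith("_") or (name.startswith("__") and name.endswith("__"))


def docstring_expr(node: ast.AST) -> Optional[ast.Expr]:
    """Return the statement holding node's docstring, or None (same rule as ast.get_docstring)."""
    body = getattr(node, "body", None)
    if not body or not isinstance(body[0], ast.Expr):
        return None
    value = body[0].value
    if isinstance(value, ast.Constant) and isinstance(value.value, str):
        return body[0]
    return None


def check_docstring(expr: ast.Expr, literal: str) -> List[Violation]:
    """Apply the layout rules to one docstring; literal is its source text with quotes."""
    out: List[Violation] = []
    line = expr.lineno
    text = expr.value.value
    if not literal.startswith(('"""', 'r"""', 'R"""', 'u"""')):
        out.append((line, "DOC2", "use triple double quotes"))
    lines = text.splitlines()
    nonempty = [l for l in lines if l.strip()]
    if not nonempty:
        out.append((line, "DOC3", "docstring is empty"))
        return out
    summary_idx = next(i for i, l in enumerate(lines) if l.strip())
    if not lines[summary_idx].strip().endswith("."):
        out.append((line, "DOC4", "summary line should end with a period"))
    if "\n" in literal:  # the literal spans several source lines
        if len(nonempty) == 1:
            out.append((line, "DOC7", "one-line docstring should keep its closing quotes on the same line"))
        else:
            if summary_idx + 1 < len(lines) and lines[summary_idx + 1].strip():
                out.append((line, "DOC5", "blank line required after the summary line"))
            if literal.splitlines()[-1].strip() != '"""':
                out.append((line, "DOC6", "closing quotes of a multi-line docstring belong on their own line"))
    return out


def check_docstrings(source: str) -> List[Violation]:
    """Check the module and every class/function in it; return sorted violations."""
    tree = ast.parse(source)
    out: List[Violation] = []
    targets = [("<module>", tree)] + [(n.name, n) for n in ast.walk(tree) if isinstance(n, DEF_TYPES)]
    for name, node in targets:
        expr = docstring_expr(node)
        if expr is None:
            if is_public(name):
                kind = ("module" if isinstance(node, ast.Module)
                        else "class" if isinstance(node, ast.ClassDef) else "function")
                out.append((getattr(node, "lineno", 1), "DOC1", f"missing docstring in public {kind} {name}"))
        else:
            out.extend(check_docstring(expr, ast.get_source_segment(source, expr.value) or ""))
    return sorted(out)


# Constructed sample module: two compliant docstrings, then one defect of each kind.
SAMPLE = '''\
"""Tiny sample module."""

def ok(x):
    """Return x doubled."""
    return 2 * x

def multi(a, b):
    """Add two numbers.

    Longer explanation here.
    """
    return a + b

def no_period():
    """Return nothing"""

def squeezed():
    """Summary.
    Details run straight on and the quotes hug the text."""

def padded():
    """Summary.
    """

def _private():
    pass

class Thing:
    def method(self):
        pass
'''

if __name__ == "__main__":
    for line, code, msg in check_docstrings(SAMPLE):
        print(f"{line}: {code} {msg}")
```

The checks that need the quote characters (DOC2, DOC6, DOC7) read the literal's source text, because the parsed string value has already lost its quotes and indentation; everything else works on the value alone, which is why the module never has to re-tokenize the file.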