Coverity scan defect density: 0.00

A couple of days ago I decided to stop slacking and grab this long dangling item in my TODO list: run the coverity scan on a recent curl build again.

Among the static analyzers, coverity does in fact stand out as the very best one I can use. We run clang-analyzer against curl every night and it hasn’t report any problems at all in a while. This time I got almost 50 new issues reported by Coverity.

To put it shortly, a little less than half of them were issues done on purpose: for example we got several reports on ignored return codes we really don’t care about and there were several reports on dead code for code that are conditionally built on other platforms than the one I used to do this with.

But there were a whole range of legitimate issues. Nothing really major popped up but a range of tiny flaws that were good to polish away and smooth out. Clearly this is an exercise worth repeating every now and then.

End result

21 new curl commits that mention Coverity. Coverity now says “defect density: 0.00” for curl and libcurl since it doesn’t report any more flaws. (That’s the number of flaws found per thousand lines of source code.)

Want to see?

I can’t seem to make all the issues publicly accessible, but if you do want to check them out in person just click over to the curl project page at coverity and “request more access” and I’ll grant you view access, no questions asked.

3 thoughts on “Coverity scan defect density: 0.00”

  1. Nice! I am a Cppcheck developer. If you are interested, Curl still has bugs that is detected by Cppcheck. For instance, in my opinion these are true positives:

    [packages/OS400/ccsidcurl.c:272]: (error) Uninitialized variable: s
    [packages/OS400/ccsidcurl.c:303]: (error) Uninitialized variable: s

    Source code:

    In my opinion the function call itself is UB since the uninitialized pointer value is read and copied.

    A full Cppcheck report for Curl can be found at:

    To locate the curl results, you can search for this:

    There are many false positives, probably because you’ve done such a good job fixing bugs. All false positives I’ve seen are bugs in Cppcheck that should be fixed.. I have added curl to my own personal cppcheck-testsuite and I hope they will be fixed.

  2. Lovely, thanks a lot Daniel, I’ll take a look at those you’ve pointed out.

    They are in OS400 specific code and I’ll admit that I’ve not run any code analyzer on that code recently (I’ve focused on code that compiles and builds on Linux).

Comments are closed.