Welcome, David!!!!

On Mon, May 15, 2017 at 11:05:43PM +0200, Dridi Boukelmoune wrote:
> > The main idea is to monitor repositories, and when a new package or
> > a new version of an existing package is released, we download the package source code
> > and run several static analyzers on it. Each monitored distribution will be a kiskadee
> > plugin, which implements an interface that we will define. The result of these
> > analyses, which is parsed using the Fedora Firehose project, will be
> > stored in a relational database (this idea was discussed a while ago on the
> > devel mailing lists by the guys in the Static Analysis SIG [2]). With this
> > database several analyses can be made, and by using several static analyzers we
> > want to find heuristics to identify false positives (this is not part of GSoC
> > though).
>
> Having myself recently found a bug in zlib thanks to static analysis I
> was a bit surprised that such a critical library wouldn't get more
> "static" eyes on it.
>
> > A similar tool exists in the Debian distribution, but it is way
> > dependent on their infrastructure, and one of our objectives is to keep kiskadee
> > simple and extensible.
>
> Naive question, but wouldn't it be interesting to piggyback on
> release-monitoring.org and fedmsg for the monitoring part? And start
> static analysis when notified of new upstream releases?

That is a great idea which we haven't considered yet. We will definitely consider doing so (the idea is to have an extensible tool which we could point at different software repositories).

Thank you for the input!

I Cc'd the summer-coding mailing list here :)

--
Athos Ribeiro
http://www.ime.usp.br/~athoscr
_______________________________________________
summer-coding mailing list -- summer-coding@xxxxxxxxxxxxxxxxxxxxxxx
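The pipeline sketched in the quoted proposal (run analyzers, parse their output with Firehose, keep the findings in a relational database so they can be queried across analyzers) as an added, self-contained example. This is not kiskadee's code and not Athos's or Dridi's; it assumes the Firehose element and attribute names as this example's author recalls them (analysis/metadata/generator, metadata/sut, results/issue, location/file/point or range), the two reports and the package "examplepkg" are constructed samples rather than real analyzer output, and the SQLite table layout is the example's own. The final query, which lists findings that more than one analyzer reported at the same file and line, goes one step beyond the e-mail, which leaves false-positive heuristics for later.

```python
"""Added example (not kiskadee's own code): parse Firehose-style XML reports
from two analyzers into SQLite and query for findings corroborated by more
than one analyzer. Element/attribute names are assumed to follow the
Firehose schema; both reports and the package are constructed samples."""
import sqlite3
import xml.etree.ElementTree as ET

SCHEMA = """
CREATE TABLE analysis (
    id INTEGER PRIMARY KEY, package TEXT, version TEXT,
    analyzer TEXT, analyzer_version TEXT);
CREATE TABLE issue (
    id INTEGER PRIMARY KEY, analysis_id INTEGER REFERENCES analysis(id),
    cwe INTEGER, test_id TEXT, message TEXT, path TEXT, line INTEGER, col INTEGER);
"""

# Constructed sample reports: hypothetical package, two hypothetical analyzers.
REPORT_A = """<analysis>
  <metadata>
    <generator name="analyzer-a" version="1.0"/>
    <sut><source-rpm name="examplepkg" version="0.1" release="1" build-arch="x86_64"/></sut>
  </metadata>
  <results>
    <issue cwe="121" test-id="stack-buffer-overflow">
      <message>Possible out-of-bounds write to 'buf'</message>
      <location><file given-path="src/parse.c"/><function name="parse_header"/><point line="42" column="9"/></location>
    </issue>
    <issue test-id="dead-store">
      <message>Value stored to 'n' is never read</message>
      <location><file given-path="src/util.c"/><point line="7" column="5"/></location>
    </issue>
  </results>
</analysis>"""

REPORT_B = """<analysis>
  <metadata>
    <generator name="analyzer-b" version="2.3"/>
    <sut><source-rpm name="examplepkg" version="0.1" release="1" build-arch="x86_64"/></sut>
  </metadata>
  <results>
    <issue cwe="787" test-id="OOB_WRITE">
      <message>Write past end of array 'buf'</message>
      <location><file given-path="src/parse.c"/><range><point line="42" column="9"/><point line="42" column="30"/></range></location>
    </issue>
    <issue test-id="RESOURCE_LEAK">
      <message>Handle 'fd' is not closed on this path</message>
      <location><file given-path="src/io.c"/><point line="99" column="1"/></location>
    </issue>
  </results>
</analysis>"""


def _int(value):
    return int(value) if value is not None else None


def parse_firehose(xml_text):
    """Return analyzer/package metadata plus one dict per reported issue."""
    root = ET.fromstring(xml_text)
    gen = root.find("./metadata/generator")
    sut = root.find("./metadata/sut/*")  # source-rpm, debian-source, ...
    report = {"analyzer": gen.get("name"), "analyzer_version": gen.get("version"),
              "package": sut.get("name"), "version": sut.get("version"), "issues": []}
    for issue in root.findall("./results/issue"):
        loc = issue.find("location")
        file_el = loc.find("file") if loc is not None else None
        # A location carries a single <point> or a <range> of two points;
        # key the finding on the start of the range. (Never use `or` on
        # Elements: a childless Element is falsy.)
        point = None
        if loc is not None:
            point = loc.find("point")
            if point is None:
                point = loc.find("range/point")
        report["issues"].append({
            "cwe": _int(issue.get("cwe")),
            "test_id": issue.get("test-id"),
            "message": (issue.findtext("message") or "").strip(),
            "path": file_el.get("given-path") if file_el is not None else None,
            "line": _int(point.get("line")) if point is not None else None,
            "col": _int(point.get("column")) if point is not None else None,
        })
    return report


def store(conn, report):
    """Insert one parsed report; returns the analysis row id."""
    cur = conn.execute(
        "INSERT INTO analysis (package, version, analyzer, analyzer_version) VALUES (?, ?, ?, ?)",
        (report["package"], report["version"], report["analyzer"], report["analyzer_version"]))
    aid = cur.lastrowid
    conn.executemany(
        "INSERT INTO issue (analysis_id, cwe, test_id, message, path, line, col) VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(aid, i["cwe"], i["test_id"], i["message"], i["path"], i["line"], i["col"]) for i in report["issues"]])
    conn.commit()
    return aid


def corroborated(conn, package, version):
    """(path, line, analyzer count) for findings reported by more than one analyzer."""
    rows = conn.execute("""
        SELECT i.path, i.line, COUNT(DISTINCT a.analyzer)
        FROM issue i JOIN analysis a ON a.id = i.analysis_id
        WHERE a.package = ? AND a.version = ? AND i.path IS NOT NULL AND i.line IS NOT NULL
        GROUP BY i.path, i.line
        HAVING COUNT(DISTINCT a.analyzer) > 1
        ORDER BY i.path, i.line""", (package, version))
    return [tuple(r) for r in rows]


def run_demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for xml_text in (REPORT_A, REPORT_B):
        store(conn, parse_firehose(xml_text))
    return corroborated(conn, "examplepkg", "0.1")


if __name__ == "__main__":
    print(run_demo())
```

Keying the corroboration on (path, line) alone is deliberately crude: analyzers disagree on test ids and CWE numbers (121 versus 787 for the same write above), so the location is the only field they can be expected to agree on. A real heuristic would also normalise paths and tolerate small line offsets between point and range reports.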