On Tue, Aug 16, 2022 at 11:05:48AM +0200, Johannes Schindelin wrote:

> > It sounds like Taylor is volunteering to set up the Coverity side for
> > git.git, and I can help him with getting those COVERITY_* variables into
> > the GitHub environment.
>
> Given the challenges with Coverity (false positives, lack of support on
> Synopsys' side, severely limited access to the reports), and given the
> renewed efforts by OSTIF that focus not on Coverity but on CodeQL, I am
> in favor of abandoning the idea to integrate Coverity in our GitHub
> workflow.
>
> Regarding CodeQL, I am still uncertain what level of integration we will
> end up with, and the contacts I am working with are currently all on
> vacation, but I am confident that we will have an easier time going
> forward with static analysis using CodeQL instead of Coverity.

OK. I haven't been that impressed with CodeQL for C so far, but it may be
getting better. I certainly would be happier with a system that made it
easier to display and share reports.

Coverity does have a lot of false positives, but I've at least been able
to pick useful fixes out of them (especially because it is good about
saying "here are 5 new things to look at"). I've been continuing to
build my private branch with it, so we'll see if it turns up anything
useful.

I do agree that inflicting it on ordinary users may be counter-productive
(I often have to stare really hard to understand why its false positives
are false, and that is not something I would wish on, say, a GGG user).

-Peff