Static code analysis on github

Static code analysis on github

mmuetzel
Hi Kai,

Github seems to provide static code analysis for public repositories hosted on their platform:
https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository

I'm not particularly familiar with Github. So I can't judge if that is something that we could use to analyze the Octave repository hosted there:
https://github.com/gnu-octave/octave

Also PVS Studio, which we had a trial run with some time ago, seems to offer free licenses for OSS projects hosted on Github:
https://www.viva64.com/en/b/0600/

Do you think that could be useful for us?

Markus


Re: Static code analysis on github

siko1056
On 10/2/20 5:04 PM, Markus Mützel wrote:

> Hi Kai,
>
> Github seems to provide static code analysis for public repositories hosted on their platform:
> https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository
>
> I'm not particularly familiar with Github. So I can't judge if that is something that we could use to analyze the Octave repository hosted there:
> https://github.com/gnu-octave/octave
>
> Also PVS Studio, which we had a trial run with some time ago, seems to offer free licenses for OSS projects hosted on Github:
> https://www.viva64.com/en/b/0600/
>
> Do you think that could be useful for us?
>
> Markus
>


Hi Markus,

Yes, I read about this feature, too.  A try with default settings seems
to be insufficient for the magic.


https://github.com/gnu-octave/octave/commit/24cc0307ab26f43ca6ea51a4c6510f413ad2204b
https://github.com/gnu-octave/octave/runs/1197846549

Octave is very complex to build, maybe beyond the scope of what the
CodeQL project is aiming for.  If you are interested you can tune the
file as you please.  All owners of the "gnu-octave" group (you are
markuman?) can try out things in that repo (without my permission ;-)).
If it is broken, I reset it.

If you don't want to try more with it, I have to remove the commit.
Otherwise the auto-update of the repository is broken, as it is no
official commit.

Kai


P.S.: Some observation: recently the maintainers mailing list seems to
be preferred over Discourse again.  Did problems with Discourse come up
recently?

Re: Static code analysis on github

mmuetzel
On 2 October 2020 at 10:50, "Kai Torben Ohlhus" wrote:

> On 10/2/20 5:04 PM, Markus Mützel wrote:
> > Hi Kai,
> >
> > Github seems to provide static code analysis for public repositories hosted on their platform:
> > https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository
> >
> > I'm not particularly familiar with Github. So I can't judge if that is something that we could use to analyze the Octave repository hosted there:
> > https://github.com/gnu-octave/octave
> >
> > Also PVS Studio, which we had a trial run with some time ago, seems to offer free licenses for OSS projects hosted on Github:
> > https://www.viva64.com/en/b/0600/
> >
> > Do you think that could be useful for us?
> >
> > Markus
> >
>
>
> Hi Markus,
>
> Yes, I read about this feature, too.  A try with default settings seems
> to be insufficient for the magic.
>
>
> https://github.com/gnu-octave/octave/commit/24cc0307ab26f43ca6ea51a4c6510f413ad2204b
> https://github.com/gnu-octave/octave/runs/1197846549
>
> Octave is very complex to build, maybe beyond the scope of what the
> CodeQL project is aiming for.  If you are interested you can tune the
> file as you please.  All owners of the "gnu-octave" group (you are
> markuman?) can try out things in that repo (without my permission ;-)).
> If it is broken, I reset it.

My username on github is mmuetzel. Could you add me to the group?

> If you don't want to try more with it, I have to remove the commit.
> Otherwise the auto-update of the repository is broken, as it is no
> official commit.
>
> Kai
>
>
> P.S.: Some observation: recently the maintainers mailing list seems to
> be preferred over Discourse again.  Did problems with Discourse come up
> recently?

I guess that's just old habits. That was it for me now, at least.

Markus


Re: Static code analysis on github

John W. Eaton
On 10/2/20 7:43 AM, Markus Mützel wrote:
> On 2 October 2020 at 10:50, "Kai Torben Ohlhus" wrote:

>> P.S.: Some observation: recently the maintainers mailing list seems to
>> be preferred over Discourse again.  Did problems with Discourse come up
>> recently?
>
> I guess that's just old habits. That was it for me now, at least.

Same for me.  I'm trying to remember to start new discussions on
Discourse but if a conversation is already on the mailing list it seems
easiest to reply on the list than attempt to move the discussion to
Discourse.

jwe


Re: Static code analysis on github

siko1056
In reply to this post by mmuetzel
On 10/2/20 8:43 PM, Markus Mützel wrote:
> On 2 October 2020 at 10:50, "Kai Torben Ohlhus" wrote:
>> On 10/2/20 5:04 PM, Markus Mützel wrote:
>> (you are markuman?)
>
> My username on github is mmuetzel. Could you add me to the group?

Sorry, makes indeed much more sense ;-)  Done.

Kai

Re: Static code analysis on github

mmuetzel
In reply to this post by siko1056
On 2 October 2020 at 10:50, "Kai Torben Ohlhus" wrote:

>
> https://github.com/gnu-octave/octave/commit/24cc0307ab26f43ca6ea51a4c6510f413ad2204b
> https://github.com/gnu-octave/octave/runs/1197846549
>
> Octave is very complex to build, maybe beyond the scope of what the
> CodeQL project is aiming for.  If you are interested you can tune the
> file as you please.  All owners of the "gnu-octave" group (you are
> markuman?) can try out things in that repo (without my permission ;-)).
> If it is broken, I reset it.
>
> If you don't want to try more with it, I have to remove the commit.
> Otherwise the auto-update of the repository is broken, as it is no
> official commit.

Thanks for adding me to the group.

It's complaining about a missing `gperf` on the build machine. I don't know how to fix that. Basically, I don't know at all how all that magic is happening. :-)

From my point of view, you could remove those commits.

Markus
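Kai's remark that the default settings are not enough for a project as hard to build as Octave, and the missing `gperf` Markus runs into, come down to the same mechanism: CodeQL for C/C++ only analyzes code it watches being compiled, so the stock `autobuild` step has to succeed for the scan to mean anything. A build that stops at `configure` leaves a near-empty database, and a green "no alerts" result on it is false confidence, not a clean bill of health. The workflow below is an added illustration of the file the thread is talking about; it is not the file from the gnu-octave repository or the linked commit. It installs `gperf` explicitly and replaces `autobuild` with the project's own build so every compiler invocation is traced. The workflow file name, the action versions, the Ubuntu runner, and the `./bootstrap` / `./configure` / `make` sequence are assumptions, not taken from the thread.

```yaml
# .github/workflows/codeql-analysis.yml  (assumed path; example, not the repository's own file)
name: "CodeQL"

on: [push, pull_request]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest   # assumed runner
    permissions:
      contents: read
      security-events: write   # needed to upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        language: [ 'cpp' ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}

      # The default autobuild step cannot know which system packages the
      # configure script needs; the run in the thread failed on a missing gperf.
      # Installing build dependencies before building is the fix.
      - name: Install build dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y gperf
          # add the rest of the project's build dependencies here (placeholder)

      # Replace 'github/codeql-action/autobuild' with the project's own build so
      # CodeQL sees every compiler call. If this step fails, the analysis step
      # still runs but covers only the files that were actually compiled.
      - name: Build
        run: |
          ./bootstrap            # assumed: autotools bootstrap script
          ./configure
          make -j"$(nproc)"

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
```

The practical check after the first successful run is to compare the number of files the build compiled against what the analysis reports as extracted; a large gap means the build step is still incomplete and the alert list cannot be trusted as coverage of the whole tree.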