checking source with pvs-studio


checking source with pvs-studio

Sergey Bronnikov
Hello!

openbsd source code was checked by various static analyzers (coverity,
cppcheck, clang analyzer etc). Has someone tried PVS-Studio?
It became free to use for opensource projects [1].

[1] https://www.viva64.com/en/b/0457/

Sergey Bronnikov


Re: checking source with pvs-studio

Theo de Raadt-2
Sergey Bronnikov <[hidden email]> wrote:

> Hello!
>
> openbsd source code was checked by various static analyzers (coverity,
> cppcheck, clang analyzer etc). Has someone tried PVS-Studio?
> It became free to use for opensource projects [1].
>
> [1] https://www.viva64.com/en/b/0457/

which means you can roll up your sleeves and be that someone


Re: checking source with pvs-studio

Aaron Mason
On Sun, Sep 30, 2018 at 3:42 AM Theo de Raadt <[hidden email]> wrote:

>
> Sergey Bronnikov <[hidden email]> wrote:
>
> > Hello!
> >
> > openbsd source code was checked by various static analyzers (coverity,
> > cppcheck, clang analyzer etc). Has someone tried PVS-Studio?
> > It became free to use for opensource projects [1].
> >
> > [1] https://www.viva64.com/en/b/0457/
>
> which means you can roll up your sleeves and be that someone
>

Apparently you've got to go through your source code and plug the
product in every single non-header file.  Basically it's either give
them free advertising or give them ~$720 for a one year license.

From https://www.viva64.com/en/b/0457/:

> Step 2
> Make edits in all the compilable files of your project. I.e. in all the
> files with the extensions c, cc, cpp, cs, and so on. You don't have to
> change header h-files.
>
> You need to write two lines of comments in the beginning of each file.
> We offer several options. This is a kind of 'fee' for using PVS-Studio
> for free.
>
> Comments for students (academic license):
>
> // This is a personal academic project. Dear PVS-Studio, please check it.
>
> // PVS-Studio Static Code Analyzer for C, C++ and C#:
> // http://www.viva64.com
>
> Comments for free open source projects:
>
> // This is an open source non-commercial project. Dear PVS-Studio,
> // please check it.
>
> // PVS-Studio Static Code Analyzer for C, C++ and C#:
> // http://www.viva64.com
>
> Comments for individual developers:
>
> // This is an independent project of an individual developer. Dear
> // PVS-Studio, please check it.
>
> // PVS-Studio Static Code Analyzer for C, C++ and C#:
> // http://www.viva64.com
>
> Of course, the options we suggest won't be suitable for everyone. But
> that's the point of such measures. If none of the variants is relevant
> to you or your product, we suggest you consider purchasing the license.

Not a very wise use of time, though you could automate it if you were
particularly determined.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse


Re: checking source with pvs-studio

Ingo Schwarze
Hi,

Aaron Mason wrote on Wed, Oct 03, 2018 at 09:07:40AM +1000:

> Apparently you've got to go through your source code
> and plug the product in every single non-header file.

Which is of course trivial to do - you write a script to do a
checkout, run "sed -i", run the tool, collect the results,
and delete the checkout.  So the harassment by the author is not
even effective for his intended purpose.

If the developer is *that* stupid in such a major respect,
it's probably best to ignore the tool outright - that stupidity
gives me the prejudice that the tool is likely to be hostile
towards free software, greedy for private profit, and even
more stupid in other ways, so it's likely a waste of time
in the first place.

It's not like there aren't lots of other choices, written by
smart people for a change.

Yours,
  Ingo


Re: checking source with pvs-studio

Todd C. Miller-2
On Wed, 03 Oct 2018 10:20:45 +0200, Ingo Schwarze wrote:

> Which is of course trivial to do - you write a script to do a
> checkout, run "sed -i", run the tool, collect the results,
> and delete the checkout.  So the harassment by the author is not
> even effective for his intended purpose.

The license explicitly prohibits this kind of behavior, though of
course there's no way for them to tell.  If someone really wanted
to use it, a trial license does not have this kind of restriction
though it only lasts for a week IIRC.

I think it's clear that we're not going to be using pvs-studio which
is a bit of a shame since it does catch real bugs.  The way Coverity
deals with open source projects is easier for us to deal with.

 - todd


Re: checking source with pvs-studio

Tom Smyth
...  is it just 750 for a License ?
If one were to donate a License ? would that work for the project ?

Thanks
Tom Smyth
On Wed, 3 Oct 2018 at 17:33, Todd C. Miller <[hidden email]> wrote:

>
> On Wed, 03 Oct 2018 10:20:45 +0200, Ingo Schwarze wrote:
>
> > Which is of course trivial to do - you write a script to do a
> > checkout, run "sed -i", run the tool, collect the results,
> > and delete the checkout.  So the harassment by the author is not
> > even effective for his intended purpose.
>
> The license explicitly prohibits this kind of behavior, though of
> course there's no way for them to tell.  If someone really wanted
> to use it, a trial license does not have this kind of restriction
> though it only lasts for a week IIRC.
>
> I think it's clear that we're not going to be using pvs-studio which
> is a bit of a shame since it does catch real bugs.  The way Coverity
> deals with open source projects is easier for us to deal with.
>
>  - todd
>


--
Kindest regards,
Tom Smyth

Mobile: +353 87 6193172
The information contained in this E-mail is intended only for the
confidential use of the named recipient. If the reader of this message
is not the intended recipient or the person responsible for
delivering it to the recipient, you are hereby notified that you have
received this communication in error and that any review,
dissemination or copying of this communication is strictly prohibited.
If you have received this in error, please notify the sender
immediately by telephone at the number above and erase the message
You are requested to carry out your own virus check before
opening any attachment.


Re: checking source with pvs-studio

Todd C. Miller-2
On Wed, 03 Oct 2018 17:42:16 +0100, Tom Smyth wrote:

> ...  is it just 750 for a License ?
> If one were to donate a License ? would that work for the project ?

No, it would not.  Their licensing model simply won't work for us.
Even if it did, it's not like we could run it natively on OpenBSD.

 - todd


Re: checking source with pvs-studio

Tom Smyth
Hi Todd,

I was thinking ... it might be possible to examine
a copy of the code out of band on a different OS system ...
and deal with the bugs that are flagged
as part of the normal OpenBSD development process,

if the license is not permissible then I suppose my suggestion
was entirely academic :/

PS awesome talk in euroBSD Con :)

Thanks anyway

Tom Smyth

On Wed, 3 Oct 2018 at 18:02, Todd C. Miller <[hidden email]> wrote:

>
> On Wed, 03 Oct 2018 17:42:16 +0100, Tom Smyth wrote:
>
> > ...  is it just 750 for a License ?
> > If one were to donate a License ? would that work for the project ?
>
> No, it would not.  Their licensing model simply won't work for us.
> Even if it did, it's not like we could run it natively on OpenBSD.
>
>  - todd



--
Kindest regards,
Tom Smyth



Re: checking source with pvs-studio

Todd C. Miller-2
On Wed, 03 Oct 2018 18:07:00 +0100, Tom Smyth wrote:

> I was thinking ... it might be possible to examine
> a copy of the code out of band on a different OS system ...
> and deal with the bugs that are flagged
> as part of the normal OpenBSD development process,

It is possible to generate pre-processed versions of the source for
analysis on another system (Linux, macOS, etc).  It's not something
that fits in well with how OpenBSD development works, but it is possible.

> if the license is not permissible then I suppose my suggestion
> was entirely academic :/

I don't see us being able to use anything that uses per-developer
seat licensing.

> PS awesome talk in euroBSD Con :)

Wrong Todd :-)

 - todd