
How are the Sparse and Coverity static code analysis tools different?

I am very new to the Linux kernel. I want to know how the Sparse and Coverity tools are different, since both are used for static code analysis. Then how do I decide which tool is better? The only difference I know of is that Sparse is open source, but for Coverity we need a license to use it.

Is there any specific set of bugs that can only be traced by Coverity/Sparse?

Here is the piece of code in which Coverity reports the issue, however Sparse does not:

```c
#include <stdio.h>

void foo(void)
{
    int x;
    scanf("%d", &x);

    switch (x) {
    case 1: printf("CASE 1");
            /* no break here: case 1 falls through into case 2 */
    case 2: printf("CASE 2");
            break;
    default:
            break;   /* a label must be followed by a statement */
    }
}
```

In the above example, Coverity will report a warning about the missing break statement in case 1. But Sparse does not?

However, both tools are used for static code analysis of software. Please share any documentation which highlights the pluses and negatives of both tools.
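Added example, not the asker's code and not from either tool: the switch above written in its buggy and corrected forms. Each function records which case bodies actually ran in a bit mask, so the effect of the missing break can be checked directly instead of by reading the printed output. The names dispatch_buggy, dispatch_fixed and the RAN_* flags are made up for this illustration.

```c
#include <stdio.h>

/* Bit flags recording which case labels executed for a given input,
 * so the fall-through can be checked without parsing stdout. */
enum { RAN_CASE1 = 1, RAN_CASE2 = 2, RAN_DEFAULT = 4 };

/* The question's switch, behaviour unchanged: case 1 has no break,
 * so an input of 1 also executes the body of case 2. */
int dispatch_buggy(int x)
{
    int ran = 0;
    switch (x) {
    case 1:
        printf("CASE 1");
        ran |= RAN_CASE1;
        /* missing break: execution continues into case 2 */
    case 2:
        printf("CASE 2");
        ran |= RAN_CASE2;
        break;
    default:
        ran |= RAN_DEFAULT;
        break;
    }
    printf("\n");
    return ran;
}

/* Corrected form: every case ends in break. GCC 7+ and Clang report the
 * buggy form when built with -Wimplicit-fallthrough; a fall-through that
 * really is intended is marked with __attribute__((fallthrough)). */
int dispatch_fixed(int x)
{
    int ran = 0;
    switch (x) {
    case 1:
        printf("CASE 1");
        ran |= RAN_CASE1;
        break;
    case 2:
        printf("CASE 2");
        ran |= RAN_CASE2;
        break;
    default:
        ran |= RAN_DEFAULT;
        break;
    }
    printf("\n");
    return ran;
}
```

With input 1 the buggy version returns 3 (both case bodies ran) and the fixed version returns 1.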

Tools vary in what they detect and how well they detect it. As a general rule, it is always recommended to run as many tools as possible on the source code. Granted, there are a number of considerations about doing that. First and foremost is the cost of owning and maintaining any one tool.

The big names (Fortify, CodeSonar, Coverity, Klocwork, etc.) are all expensive to buy, and have a hefty yearly maintenance cost. On the upside, they all tend to perform better than the open-source tools.

Any tool, be it open-source or proprietary, will require "care and feeding", in creation of custom rules, modification of what is reported, etc. This should be done by, in my opinion, a dedicated senior programmer that is well versed in the theory and practice of secure programming.

The evaluation of the tool reports should also be done by a programmer/analyst well versed in security. The take-away message here is that a proficient programmer is not necessarily a secure programmer. There are additional sets of knowledge and skills needed to be a secure programmer.

For a brief overview of various tools, I would suggest looking at the various SAMATE (static-analysis metrics and tool evaluation) reports located here. Although I do not believe that the SAMATE team ever evaluated "Sparse".

I know these are more generalities about the use of static analysis tools, but given the current state of the art, I suspect that these are probably the best you are going to get. Also, you can check out this State of the Art report on software assurance.
