Newly signed-up observer in the Coverity Scan open source project: curl was scanned on 23 JAN 2017, showing 0 defects. I happen to know that is the wrong answer. Do I need to set up, configure, initialize, etc., the first time I use it?
The Coverity scan of curl done on Jan 23, 2017 showed no new defects (and had no old defects). That's not wrong. That's what Coverity said. – Daniel Stenberg Jan 31 '17 at 23:01
1 Answer
Resolved.
I independently ran Coverity Connect on the latest curl-7.52.1. It found 28 issues.
One looked possibly serious. I reported it to the cURL org via their private email for security issues. They found it was not actually a security concern.
A second issue was a tiny memory leak in an edge case. I submitted a pull request (PR) to fix it. My PR was not quite right, but the cURL developers improved it and merged the PR.
I think the other 27 issues have no concerns: Coverity false positives and the like. In my opinion, the cURL code is in excellent condition. Thanks Daniel and team!
I believe the PR shows there was at least one defect, albeit a tiny one. The Coverity Scan open source project says 0 defects.
My purpose here is to follow through on a principle from one of my security courses, "trust but verify". I wanted to account for the discrepancy in the defect count.
I emailed scan-admin@coverity.com but received no reply. On the other hand, Daniel and other cURL people were very helpful.
After some RTFM, I managed to find these two issues of interest in Coverity Scan. CID 1241956 is marked Intentional, Ignore. CID 1202879 is marked False Positive, Ignore.
My newbie question is resolved.