
Do generic tools exist for keeping track of warnings in code?

Some static-analysis tools generate a large number of false-positive warnings, so changing the code isn't desirable. Disabling individual warnings isn't always a practical option either *.

Do tools exist that take a list of locations in a file (which could be generated from static analysis tools), which could be run on a regular basis to detect the introduction of new warnings?

Even though diffing the outputs works on a basic level, it would be more useful if, for example, changes to line numbers could be handled without re-raising the warnings to the developer's attention every time the file is modified.


* While annotations can suppress these in some situations, it's not always practical, for example if there are thousands of warnings or when multiple error checkers are being used. In other cases the tools that report errors don't support annotations to disable individual warnings.

ideasman42

1 Answer

Many up-to-date analysis tools can set a baseline that separates technical debt from new warnings. Here is, for example, the article "How to introduce a static code analyzer in a legacy project and not to discourage the team", explaining such a mechanism:

To quickly start using static analysis, we suggest that PVS-Studio users apply the mass warning suppression mechanism. The general idea is the following. Imagine the user has started the analyzer and received many warnings. Since a project that has been developed for many years is alive, still developing and bringing in money, most likely there won't be many warnings in the report indicating critical defects. In other words, critical bugs have already been fixed in more expensive ways or with the help of feedback from customers. Thus, everything that the analyzer now finds can be considered technical debt, which is impractical to try to eliminate immediately.

You can tell PVS-Studio to consider all these warnings irrelevant so far (to postpone the technical debt for later), and not to show them any more. The analyzer creates a special file where it stores information about as-yet-uninteresting errors. From now on, PVS-Studio will issue warnings only for new or modified code. By the way, it's all implemented in a very smart way. If an empty line is added at the beginning of a file, the analyzer will size up the situation as if nothing has really changed and will remain quiet. You can put the markup file in the version control system. Even though the file is large, it's not a problem, as there's no need to upload it very often.

The tool has the feature you are talking about. Firstly, there is a suppression mechanism for uninteresting warnings. You may mark all the warnings or only selected ones as uninteresting. Secondly, the tool stores not the line numbers but hashes of lines and hashes of nearby lines. This information makes it possible not to issue warnings on the old code while the file is being edited.

I’m not sure if there is a third-party tool that can do all this. But I suggest paying attention to SonarQube.

AndreyKarpov
  • As far as I can see none of the static analysis tools on Linux support this. I would also like to use this across different languages (running command line linters for scripts for example, even my own tools that report warnings). It's interesting that a general-purpose solution doesn't seem to have been written for this already. – ideasman42 Jun 15 '21 at 13:48
  • 1
    Well, as for PVS-Studio, it can do this in Linux. Speaking of a generic tool, I once again suggest considering SonarQube. It can integrate the results of various third-party utilities. – AndreyKarpov Jun 15 '21 at 14:27
  • Thanks for the info, I think what I'm after might not exist so I'll probably write something myself and add an answer here. Basically I'm looking to run something that can integrate my own checking tools, that I can run locally or on a server - SonarQube may be fine but the free version doesn't include languages I need, and I'd rather not depend on closed/proprietary solutions for my project. – ideasman42 Jun 16 '21 at 01:05
  • Note that the problem with tools that manage this themselves is you need to use each of them separately, I would like to aggregate the output of different checking tools. – ideasman42 Jun 16 '21 at 01:18
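The answer above describes the mechanism of keeping hashes of the flagged line and of its neighbouring lines instead of line numbers, so that inserting a line at the top of a file does not re-raise every baselined warning. The following is an added example, written for this page and not code from PVS-Studio, SonarQube, or either participant, showing that idea as a small tool-agnostic baseline in Python. It parses the common `path:line[:col]: message` output format (gcc, clang, cppcheck with a gcc-style template, flake8), builds a baseline of content hashes, and reports only warnings whose flagged line has changed. The file name `demo.c`, its contents, and the warning lines are constructed for the example; the matching rule (same message, same line text, and at least one unchanged non-blank neighbour) is this example's own choice, not a description of how PVS-Studio matches.

```python
"""Baseline linter warnings by content hashes rather than line numbers (added example)."""
import hashlib
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Common "path:line[:col]: message" layout used by gcc, clang, cppcheck --template=gcc, flake8.
WARNING_RE = re.compile(r"^(?P<path>[^:\s]+):(?P<line>\d+)(?::(?P<col>\d+))?:\s*(?P<msg>.+)$")


@dataclass(frozen=True)
class Warning:
    path: str
    line: int
    msg: str


def parse_warnings(text):
    """Parse tool output; lines that do not look like warnings are ignored."""
    found = []
    for raw in text.splitlines():
        m = WARNING_RE.match(raw.strip())
        if m:
            found.append(Warning(m["path"], int(m["line"]), m["msg"].strip()))
    return found


def _h(text):
    # Whitespace is collapsed so re-indenting a line does not change its hash.
    return hashlib.sha256(" ".join(text.split()).encode()).hexdigest()[:16]


def fingerprint(w, lines):
    """Hashes of the flagged line and its nearest non-blank neighbours; the line number is not stored."""
    idx = w.line - 1
    if not 0 <= idx < len(lines):
        raise ValueError(f"{w.path}:{w.line} is outside the file ({len(lines)} lines)")
    above = next((l for l in reversed(lines[:idx]) if l.strip()), "")
    below = next((l for l in lines[idx + 1:] if l.strip()), "")
    return {"path": w.path, "msg": w.msg,
            "line": _h(lines[idx]), "above": _h(above), "below": _h(below)}


def build_baseline(warnings, sources):
    """sources maps path -> file text. Returns a JSON-serialisable list to commit to VCS."""
    return [fingerprint(w, sources[w.path].splitlines()) for w in warnings]


def new_warnings(warnings, sources, baseline):
    """Return the warnings not explained by the baseline.

    A warning is suppressed when the same message points at a line with the same content
    and at least one neighbouring non-blank line also still matches. Requiring a neighbour
    rejects identical text moved to an unrelated place; requiring only one of the two
    tolerates an edit to the adjacent line.
    """
    known = defaultdict(list)
    for e in baseline:
        known[(e["path"], e["msg"], e["line"])].append((e["above"], e["below"]))
    fresh = []
    for w in warnings:
        fp = fingerprint(w, sources[w.path].splitlines())
        ctx = known.get((fp["path"], fp["msg"], fp["line"]), [])
        if not any(fp["above"] == a or fp["below"] == b for a, b in ctx):
            fresh.append(w)
    return fresh


# Constructed sample: a small C file and gcc-style warning lines (not real tool output).
SOURCE_V1 = """#include <stdio.h>
int main(int argc, char **argv) {
    char buf[8];
    gets(buf);
    printf(argv[1]);
    return 0;
}
"""
WARNINGS_V1 = """demo.c:4:5: warning: obsolete function 'gets' called
demo.c:5:5: warning: format string is not a string literal
"""
# Revision 2: two lines inserted at the top, so every warning moves down by two lines.
SOURCE_V2 = "/* header comment */\n\n" + SOURCE_V1
WARNINGS_V2 = WARNINGS_V1.replace("demo.c:4:", "demo.c:6:").replace("demo.c:5:", "demo.c:7:")
# Revision 3: the printf line is edited but still triggers the same rule.
SOURCE_V3 = SOURCE_V2.replace("printf(argv[1]);", "printf(argv[2]);")
WARNINGS_V3 = WARNINGS_V2


def demo():
    baseline = build_baseline(parse_warnings(WARNINGS_V1), {"demo.c": SOURCE_V1})
    baseline = json.loads(json.dumps(baseline))  # round-trip as a committed baseline file would
    shifted = new_warnings(parse_warnings(WARNINGS_V2), {"demo.c": SOURCE_V2}, baseline)
    edited = new_warnings(parse_warnings(WARNINGS_V3), {"demo.c": SOURCE_V3}, baseline)
    return shifted, edited


if __name__ == "__main__":
    shifted, edited = demo()
    print("after inserting lines:", [f"{w.path}:{w.line}" for w in shifted])  # []
    print("after editing a flagged line:", [f"{w.path}:{w.line}" for w in edited])  # ['demo.c:7']
```

Because the baseline keys on the message text, a tool that embeds the line number in its message would defeat it; strip such numbers from `msg` before hashing. The one-neighbour rule is a trade-off: a new warning on a line whose text and one neighbour coincide with a baselined one elsewhere in the same file will be suppressed, whereas requiring both neighbours would re-raise every baselined warning whose adjacent line was touched.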