Re: [FFmpeg-devel] [WIP] False positives on Coverity

From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [WIP] False positives on Coverity
Date: Mon, 10 Jun 2024 00:02:27 +0200
Message-ID: <20240609220227.GY2821752@pb2> (raw)
In-Reply-To: <e1ab7d75-bdad-4c64-b3b7-cb4fd54183d1@rothenpieler.org>

[-- Attachment #1.1: Type: text/plain, Size: 2087 bytes --]

On Sun, Jun 09, 2024 at 12:49:57AM +0200, Timo Rothenpieler wrote:
> On 08.06.2024 21:49, Vittorio Giovara wrote:
> > On Sat, Jun 8, 2024 at 6:02 PM Michael Niedermayer <michael@niedermayer.cc>
> > wrote:
> > 
> > > On Tue, May 14, 2024 at 01:38:16AM +0200, Michael Niedermayer wrote:
> > > > Hi all
> > > > 
> > > > To keep people updated (and as this is not vissible on the ML)
> > > > heres my current list of issues marked as false positives / intentional
> > > in Mai & April 2024
> > > > (in case anyone wants to review, i presume noone wants but just in case)
> > > 
> > > updated list as of today:
> > > [...]
> > > 
> 
> Given the insane amount of them, I'm not a fan of that.

also what i noticed since i work on the issues
sometimes some issues dissappear and others appear (with no explanation and seemingly
no related changes). Some issues contain
multiple occurances, ive seen a very small number of issues where line numbers are
missing. And one that pointed to a file outside FFmpeg.

Mapping CIDs to some other tracker in a long term stable manner would likely be a
painfull experience.

Also the coverity web app shows more or less details about the detected
issue within the source of FFmpeg in an interactive way. That of course would
also change as the
source changes over time, so it would not be available in another issue tracker
that means the duplicated issues would still require one to go to coverity
if one wanted to work on it.

And last but not least coverity isnt intended to be public because it can
find security issues. security issues should be public once they are fixed
and maybe when someone is working on them. But not when the issues are ignored
amongth hundreads of minor and false positive ones for years

So, yes i share your sceptisism about making coverity issues appear in some
other issue tracker

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

It is a danger to trust the dream we wish for rather than
the science we have, -- Dr. Kenneth Brown

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".