7

In a large C++ project Coverity analysis reports issues in files that we won't be fixing e.g. Boost libraries, STL headers, some 3rd party libraries etc. Ideally there would be a mechanism to completely ignore these and not to increment the total count for such issues.

In Coverity Connect (v8.1) we've set up Components with file path regexp and that nicely filters the files in question when browsing but the total number of issues does not drop down. Two questions related to this:

  • is there a way to drop the number of total issues for files we don't care about? e.g. after such an issue has already been captured
  • if new code we introduce includes one of the offending boost/STL/etc headers, will this clock up the total issue counter? (clearly, that would be less than desirable)
user5972998

2 Answers

0

Mandatory disclaimer first: Your customers won’t care that bugs in your code came from a third party. That said, the main answer at the link Yannis mentioned is generally the correct one: “use a component filter.” If it’s not working correctly for you, double-check your configuration. I found it quite robust, even with a negative look-ahead regex with over a hundred disjuncts.

Flash Sheridan
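The component-filter approach from the answer above, as an added Python illustration that is not Coverity's own code or configuration (Coverity Connect's component-map format and regex dialect are not reproduced here): one negative look-ahead regex built from a list of third-party directories classifies each issue's file path into a Project or ThirdParty component, and only the Project count is reported. All directory names, paths and issue records are constructed.

```python
import re

# Constructed list of path fragments for code we do not own (Boost, STL,
# vendored third-party code). In Coverity Connect the same idea is expressed
# as a component path regex; this file is an illustration of that matching.
THIRD_PARTY_DIRS = ["boost", "third_party", "external", "usr/include/c++"]


def build_project_regex(third_party_dirs):
    """Return a regex matching only paths NOT under any third-party directory.

    One negative look-ahead with one disjunct per directory, the shape the
    answer above describes. The trailing '/' in the look-ahead keeps a
    directory such as 'boostrap' from being mistaken for 'boost'.
    """
    disjuncts = "|".join(re.escape(d) for d in third_party_dirs)
    return re.compile(rf"^(?!.*/(?:{disjuncts})/).*$")


def classify(path, project_re):
    """Name the component a file path would land in."""
    return "Project" if project_re.match(path) else "ThirdParty"


def count_owned_issues(issues, project_re):
    """Count issues whose file lands in the Project component.

    `issues` is a list of (path, checker) tuples standing in for what an
    analysis run would report.
    """
    return sum(1 for path, _ in issues if classify(path, project_re) == "Project")


# Constructed sample issue list, not real Coverity output.
SAMPLE_ISSUES = [
    ("/src/app/server.cpp", "NULL_RETURNS"),
    ("/src/app/parser.cpp", "UNINIT"),
    ("/src/third_party/json/json.hpp", "FORWARD_NULL"),
    ("/src/boost/asio/detail/impl.hpp", "UNINIT"),
    ("/usr/include/c++/9/bits/stl_vector.h", "OVERRUN"),
    ("/src/app/boostrap.cpp", "RESOURCE_LEAK"),  # not under a boost/ directory
]

if __name__ == "__main__":
    project_re = build_project_regex(THIRD_PARTY_DIRS)
    for path, checker in SAMPLE_ISSUES:
        print(f"{classify(path, project_re):10} {checker:15} {path}")
    print("owned issues:", count_owned_issues(SAMPLE_ISSUES, project_re))  # 3
```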
-1

Once such an issue is found, you can mark it as a false positive or ignore it all the way. You have to do this only once. In future analyses, when this issue is found again, it will keep this status. And no, if you use this include in other files too, the total issue counter won't go higher as long as the issue is in the same file.

Check this: Can Synopsys Static Analysis (Coverity) automatically ignore issues in third-party or noncritical code?

Poniros