Questions tagged [coverity]

Coverity is a static code analysis tool for C, C++ and other programming languages.

Synopsys offers a free online version of Coverity called Coverity Scan, available for open-source projects.

322 questions
32 votes, 0 answers

Writing Coverity model: pointer in struct ALWAYS points to tainted data

I regularly check lwIP, a free TCP/IP stack, with Coverity. As a network stack, we have untrusted data coming in from the network which is stored in struct pbuf (some members omitted for clarity): struct pbuf { void *payload; u16_t len; u16_t…
13 votes, 5 answers

Does C++ initialize integers to zero automatically?

I've noticed several Coverity (static-analysis tool) errors of type 'Uninitialized scalar variable' that are high impact. A lot of them are just ints that don't get initialized. Would initializing them to zero be any different than what C++ does by…
PerryC
9 votes, 4 answers

Extracting coverity .csv file from coverity server

How do I extract a .csv file from the Coverity server on the command line? Please explain the command cov-manage-im with an example. Is there any need to install Coverity on Windows, though I have access to the website and can manually download the .csv file?
panchanan
9 votes, 4 answers

Tainted string message from Coverity using getenv

Running Coverity on my code results in a tainted string error message. I am using the "path" variable declared on the stack, so I am not sure why I am seeing errors. I can only think that using getenv() directly in the strncpy() is causing the error.…
Jay Chung
9 votes, 2 answers

C++ init-list: using non-initialized members to initialize others gives no warning

Neither g++ (4.4 and 4.6) nor clang++ (3.2) nor Coverity, with -Wall and -Wextra (+ some others) or -Weverything respectively, gives me a warning for the following code snippet: class B { char *t2; char *t; public: B() : t2(t), t(new…
Patrick B.
7 votes, 2 answers

Coverity analysis: ignore 3rd party libraries

In a large C++ project, Coverity analysis reports issues in files that we won't be fixing, e.g. Boost libraries, STL headers, some 3rd-party libraries, etc. Ideally there would be a mechanism to completely ignore these and not to increment the total…
user5972998
7 votes, 2 answers

Can't get Coverity Scan to work (Java/Kotlin/Gradle 3.3 on Windows and Travis)

UPDATE: See the solution in Caleb's answer. I am trying really hard to make Coverity work for my build, but so far with little success. First the details: My project is a run-of-the-mill Java library (no web or fancy containers), very few compile-only…
ddimitrov
7 votes, 0 answers

Coverity and "Your request for analysis of Phonations/TravisTest failed"

I'm trying to add Coverity Scan static analysis to my Qt Mac project, but I'm not able to submit the build using Travis. Here is my Coverity-specific Travis setup: addons: coverity_scan: project: name: Phonations/TravisTest …
Martin Delille
7 votes, 2 answers

How to handle Coverity error TAINTED_SCALAR in fread

While reading a value from a file for an integer, the Coverity check is giving the following error: Calling function "fread" taints argument "readval" //coverity note: Calling function "fread" taints argument "readval". if(fread(&readval, sizeof(int), 1, fp) <…
coder
6 votes, 0 answers

Coverity Self-Build can't build a C++17 application

I'm trying to use Coverity Scan with an embedded application written in C++17 (ARM GCC Embedded v7.2). The application itself builds well and error/warning-free; however, the Coverity Scan Self-Build tool (cov-analysis-linux64-2017.07, the latest)…
Pavel Kirienko
6 votes, 1 answer

How do I ignore Java tests in Coverity Connect analysis results?

I use Coverity to scan my project for security issues. What I would like to know is how to exclude any Java test (NOTE: both integration and unit) from the analysis results that are available after a defect commit. I did use Maven to build the…
LoreV
6 votes, 1 answer

How to train Coverity for "suspicious sizeof" or SIZEOF_MISMATCH finding?

I have a template function with a specialization that performs zeroization: template void SecureWipeBuffer(T *buf, size_t n) { volatile T *p = buf+n; while (n--) *((volatile T*)(--p)) = 0; } ... template <> void…
jww
6 votes, 1 answer

What preprocessor symbols does Coverity define for a build using 'cov-build'?

We use Coverity's Scan Build service for free and open source projects. I am working through two Coverity findings on tainted parameters (TAINTED_SCALAR). The taint is a false positive, so I am trying to instrument the code with Coverity's…
jww
6 votes, 3 answers

Tainted string in C

I'm running the Coverity tool on my file operation function and getting the following error. As you can see below, I'm using an snprintf() before passing the variable in question to the line number shown in the error message. I guess that some…
Abhi V
6 votes, 4 answers

Configure Coverity for ndk-build

I would like to use Coverity for static analysis, and I need it for C++. Since my project uses the Android NDK, I configured the compiler as: cov-configure --comptype gcc --compiler…
largotiticaca