GitHub CodeQL (formerly Semmle LGTM)

keithsloan52
Veteran
Posts: 2764
Joined: Mon Feb 27, 2012 5:31 pm

Re: LGTM (split from 'Code quality checker' thread)

Post by keithsloan52 »

Joel_graff wrote: Sat Oct 19, 2019 3:28 pm I could possibly try to write a Wiki entry or something.

This also goes with my attempt at building a better workbench starterkit (which I've been neglecting)...
Falling at the first hurdle (Getting too old for this game).

Having read the message from saso and this thread, I decided it might be a good idea to get some of my efforts analysed (a bit wary of the wake-up call it may give on the code quality).

Tried to follow the wiki; I assume I am supposed to log in to LGTM, which I did using my GitHub account. It lists various projects, so I assume I have to create a project? Is that right? Tried on GitHub to start making a Project and got a bit confused; I don't want to muck up things on my GitHub, so I bottled out and have come here for advice, as I did not find the LGTM getting started very useful.
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Re: LGTM (split from 'Code quality checker' thread)

Post by saso »

keithsloan52 wrote: Sun Sep 06, 2020 9:55 am Tried to follow the wiki; I assume I am supposed to log in to LGTM, which I did using my GitHub account. It lists various projects, so I assume I have to create a project? Is that right? Tried on GitHub to start making a Project and got a bit confused; I don't want to muck up things on my GitHub, so I bottled out and have come here for advice, as I did not find the LGTM getting started very useful.
What repo do you want to have analysed? In most cases you don't have to do anything in your code or on GitHub. When you are logged in to LGTM, go to the "Project list", just give it the link to the repo you want it to analyse and click "Follow". It will try to detect and run everything automatically, so just give it some time (from a few minutes to a few hours). If it finishes successfully you are done; it will continue to automatically analyse your repo once a day. If it is not able to automatically detect and finish the first run, we can have a look at the logs and see if we can change some things to make it work. The problem with the C++ code from FreeCAD, for example, is that it is just too big to run automatically on their servers (it would run for 10 or more hours), so I am building it manually...

Update: A note about the shut down of LGTM.com
https://github.blog/2022-08-15-the-next ... -scanning/

[Attachment: lgtm.png]
Last edited by saso on Wed Sep 07, 2022 11:46 am, edited 3 times in total.
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Re: LGTM (Semmle CodeQL)

Post by saso »

"GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production..."
https://github.blog/2020-09-30-code-sca ... available/
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Re: LGTM (Semmle CodeQL)

Post by saso »

I am sharing my current build recipe for the LGTM (CodeQL) build on Ubuntu 16.04. Mostly it is just a normal build with a few commands to set up and run the scanner. I will continue to make the builds as I did in the past, so this is mostly in case it can be of some use and help for some other projects... Check also https://help.semmle.com/codeql/codeql-c ... arted.html

sudo add-apt-repository ppa:freecad-maintainers/freecad-daily
sudo apt-get update -qq
sudo apt-get install -y libboost-date-time-dev libboost-dev libboost-filesystem-dev libboost-graph-dev libboost-iostreams-dev libboost-program-options-dev libboost-regex-dev libboost-serialization-dev libboost-signals-dev libboost-thread-dev libboost-python-dev libcoin-dev libdouble-conversion-dev liblz4-dev libglew-dev libopencv-dev libeigen3-dev libgts-bin libgts-dev libkdtree++-dev libmedc-dev libmetis-dev libocct-data-exchange-dev libocct-ocaf-dev libocct-visualization-dev libproj-dev libpyside-dev libqt4-dev libqt4-opengl-dev libqtwebkit-dev libshiboken-dev libspnav-dev libvtk6-dev libx11-dev libxerces-c-dev libzipios++-dev lsb-release netgen netgen-headers occt-draw pybind11-dev pyside-tools python3-pyside.qtcore python3-pyside.qtgui python3-pyside.qtsvg python3-pyside.qtuitools python3-pyside.qtxml python3-dev python3-ply swig doxygen
sudo apt-get install -y git curl cmake
sudo apt-get clean

# get the FreeCAD sources
git clone --depth=1600 --branch=master https://github.com/FreeCAD/FreeCAD.git FreeCAD
cd FreeCAD/
git checkout
cd ..

# set up the CodeQL CLI and the query repository
mkdir codeql-home
cd codeql-home/
git clone https://github.com/github/codeql.git codeql-repo
# download and unpack codeql-cli from https://github.com/github/codeql-cli-binaries/releases
export PATH=$PATH:/home/user/codeql-home/codeql
echo $PATH
codeql resolve languages
codeql resolve qlpacks
cd ..

# build the C++ database and run the LGTM query suite against it
cd FreeCAD/
codeql database create codeql-cpp --language=cpp
codeql database analyze codeql-cpp cpp-lgtm.qls --format=csv --output=cpp-results.csv --threads=4
codeql database analyze codeql-cpp cpp-lgtm.qls --format=sarif-latest --output=cpp-results.sarif --sarif-add-file-contents
codeql database cleanup codeql-cpp
codeql dataset cleanup codeql-cpp

A small note on the commands that run the scan: CodeQL supports the analysis of both C++ and Python code (and others). In the above example the commands that run the scan and analysis are set up for the C++ code, since scanning of the Python code we normally do automatically over the LGTM website. For running the scanner manually on the Python code, the last few commands from the above example would be...

cd ..
cd FreeCAD/
cd src/
codeql database create codeql-python --language=python
codeql database analyze codeql-python python-lgtm.qls --format=csv --output=python-results.csv --threads=4
codeql database analyze codeql-python python-lgtm.qls --format=sarif-latest --output=python-results.sarif --sarif-add-file-contents
codeql database cleanup codeql-python
codeql dataset cleanup codeql-python
chennes
Veteran
Posts: 3910
Joined: Fri Dec 23, 2016 3:38 pm
Location: Norman, OK, USA

Re: LGTM (Semmle CodeQL)

Post by chennes »

As noted up-topic, running the entire C++ build through LGTM times out. But this morning a new PR was accepted that enabled LGTM for the core of our C++ codebase. No analysis of the GUI, and with many of the modules disabled:

cmake ./ -DPYTHON_EXECUTABLE=/usr/bin/python3 -DBUILD_GUI=OFF -DBUILD_ARCH=OFF \
    -DBUILD_DRAWING=OFF -DBUILD_IMAGE=OFF -DBUILD_INSPECTION=OFF -DBUILD_OPENSCAD=OFF \
    -DBUILD_RAYTRACING=OFF -DBUILD_REVERSEENGINEERING=OFF -DBUILD_SURFACE=OFF -DBUILD_START=OFF \
    -DBUILD_ROBOT=OFF -DBUILD_PATH=OFF -DBUILD_FEM=OFF
Alas, this will probably affect our "A+" current overall ranking (kudos to all the Python devs writing such clean code!), but I imagine we'll get it back over time. I don't know how long it takes for LGTM to start displaying results from a new language, but hopefully it shows up in the next day or two.
Chris Hennes
Pioneer Library System
GitHub profile, LinkedIn profile, chrishennes.com
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Re: LGTM (Semmle CodeQL)

Post by saso »

Ok, interesting... I just hope it will not mess up everything, since LGTM is so thoroughly tracking all the files and commits over time :| Let's wait and see. As a side note, it is not that we did not have the results of the C++ analysis from LGTM (CodeQL); we have just been doing it manually.
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Re: LGTM (Semmle CodeQL)

Post by saso »

New report from build 0.19.23754 for the C++ code has been created...
saso
Veteran
Posts: 1924
Joined: Fri May 16, 2014 1:14 pm

Re: LGTM (Semmle CodeQL)

Post by saso »

chennes wrote: Sat Jan 30, 2021 8:50 pm ...
By the way Chris, did it hurt? Hopefully no broken bones... :)
[Attachment: droop.png]
chennes
Veteran
Posts: 3910
Joined: Fri Dec 23, 2016 3:38 pm
Location: Norman, OK, USA

Re: LGTM (Semmle CodeQL)

Post by chennes »

saso wrote: Fri Feb 12, 2021 11:33 am did it hurt? Hopefully no broken bones... :)
:lol: During the 0.19 feature freeze several devs have turned their attention to the static analysis tools to help find bugs... nice to see that sharp drop there! Thanks for keeping up with these. I'm working on a tool to help prune the SARIF files to see how to best make use of those other results, too.
Chris Hennes
Pioneer Library System
GitHub profile, LinkedIn profile, chrishennes.com
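The recipe earlier in the thread writes the CodeQL findings as CSV and SARIF, and the post above mentions pruning the SARIF output to make the remaining results usable. The script below is an added example (not chennes's tool, and not FreeCAD or CodeQL code) of how such a pruner can work: it reads the SARIF 2.1.0 layout that `codeql database analyze --format=sarif-latest` emits, resolves each finding's severity from the result's own `level` or the rule's `defaultConfiguration.level`, drops findings outside the source tree or in vendored code, and counts what is left per rule and per level. The SARIF document, file paths and findings embedded in it are constructed for the demo and are not real FreeCAD results; the path prefixes `src/` and `src/3rdParty/` are assumptions chosen to match the thread's C++ layout.

```python
import json
from collections import Counter


def _finding(rule_id, path, line, level=None):
    """Build one SARIF result object (helper for the constructed sample only)."""
    res = {"ruleId": rule_id,
           "message": {"text": "constructed finding for " + rule_id},
           "locations": [{"physicalLocation": {
               "artifactLocation": {"uri": path},
               "region": {"startLine": line}}}]}
    if level:
        res["level"] = level
    return res


# Constructed sample in the shape of `codeql database analyze --format=sarif-latest`
# output: rule metadata under tool.driver.rules[], findings under results[].
# Paths and findings are invented; they are not FreeCAD results.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "cpp/unsigned-comparison-zero",
             "defaultConfiguration": {"level": "warning"}},
            {"id": "cpp/uncontrolled-allocation-size",
             "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": "7.5"}},
            {"id": "cpp/unused-local-variable",
             "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            _finding("cpp/unsigned-comparison-zero", "src/Base/Demo.cpp", 120),
            _finding("cpp/uncontrolled-allocation-size", "src/App/Demo.cpp", 42, "error"),
            _finding("cpp/unused-local-variable", "src/Mod/Demo/App/Demo.cpp", 7),
            _finding("cpp/unsigned-comparison-zero", "src/3rdParty/vendored/Demo.cpp", 3),
            _finding("cpp/unsigned-comparison-zero", "build/generated/Demo.cpp", 9),
        ],
    }],
})


def load_results(sarif_text):
    """Flatten every result in every run into a dict with resolved severity."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules}
        for res in run.get("results", []):
            rule = by_id.get(res.get("ruleId"), {})
            # Severity: the result's own level wins, else the rule's default.
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            sec = rule.get("properties", {}).get("security-severity")
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append({
                "rule": res.get("ruleId"),
                "level": level,
                "security_severity": float(sec) if sec is not None else None,
                "path": phys.get("artifactLocation", {}).get("uri", ""),
                "line": phys.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return out


def prune(results, include_prefixes=("src/",), exclude_prefixes=("src/3rdParty/",),
          min_level="warning"):
    """Keep findings inside the source tree, outside vendored code, at or above min_level."""
    rank = {"note": 0, "warning": 1, "error": 2}
    kept = []
    for r in results:
        path = r["path"]
        if include_prefixes and not path.startswith(include_prefixes):
            continue          # e.g. generated files under build/
        if exclude_prefixes and path.startswith(exclude_prefixes):
            continue          # vendored third-party code we do not maintain
        if rank.get(r["level"], 1) < rank[min_level]:
            continue          # below the severity floor (notes/recommendations)
        kept.append(r)
    return kept


def summarise(results):
    """Count findings per rule and per severity level."""
    return {"total": len(results),
            "by_rule": dict(Counter(r["rule"] for r in results)),
            "by_level": dict(Counter(r["level"] for r in results))}


if __name__ == "__main__":
    kept = prune(load_results(SAMPLE_SARIF))
    print(json.dumps(summarise(kept), indent=2))
    for r in kept:
        print(f'{r["level"]:8} {r["rule"]:40} {r["path"]}:{r["line"]}')
```

To run it against a real scan, replace `SAMPLE_SARIF` with the contents of `cpp-results.sarif` (or `python-results.sarif`) from the recipe above; lowering `min_level` to `"note"` brings the recommendation-level findings back.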
Kunda1
Veteran
Posts: 13434
Joined: Thu Jan 05, 2017 9:03 pm

Re: LGTM (Semmle CodeQL)

Post by Kunda1 »

Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Checkout:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs