Code quality checker
Forum rules
Be nice to others! Respect the FreeCAD code of conduct!
Code quality checker
I'm not really sure if we want to use it, but discussing it won't hurt. It's an automated code quality checker linked with github. Looks like it works in a similar manner as travis-ci.
https://houndci.com/
Re: Code quality checker
Would be worth a try!
Re: Code quality checker
python: http://help.houndci.com/configuration/flake8
I don't see anything for c++ and I'm not sure what would happen with c++ or mixed patches.
Re: Code quality checker
maybe https://www.sonarqube.org/ https://sonarcloud.io/
I have not used sonar yet, here are some instructions how to set sonarcloud up with travis https://docs.travis-ci.com/user/sonarcloud/
Last edited by saso on Sat Jul 18, 2020 7:21 am, edited 21 times in total.
Re: Code quality checker
Looks very promising, but after I selected online analysis I hit some code that must be run locally:
"Download and unzip the Scanner for Linux
And add the bin directory to the PATH environment variable
Download
Execute the Scanner from your computer
Running a SonarCloud analysis is straightforward. You just need to execute the following commands in your project's folder."
I'm not sure if I'm doing something wrong or that's the way it's supposed to be.
Re: Code quality checker
Some of the tools we already use:
- C++ compiler (clang, gcc, msvc) warnings
- C++ compiler static code analyzers https://forum.freecadweb.org/viewtopic.php?f=10&t=53647
- Coverity (C++ and python) https://forum.freecadweb.org/viewtopic.php?f=10&t=16966
- LGTM/CodeQL (C++ and python) https://forum.freecadweb.org/viewtopic.php?t=40228
- PVS-Studio (C++) https://forum.freecadweb.org/viewtopic.php?f=10&t=34266
- Valgrind for dynamic analysis https://forum.freecadweb.org/viewtopic.php?f=10&t=14343
- Cpplint, Clang-format, Clang-tidy, Clazy and Cppcheck for C++ code
- Flake8, Pylint and Black for Python code
- OpenSSF Scorecard viewtopic.php?p=657791#p657791
And for the future, I am looking more into sanitizers and fuzzers
https://github.com/google/sanitizers
https://github.com/google/fuzzing
http://lcamtuf.coredump.cx/afl/
https://github.com/googleprojectzero/winafl
https://github.com/rohanpadhye/FuzzFactory
https://github.com/HexHive/FuZZan
https://github.com/google/honggfuzz
https://llvm.org/docs/LibFuzzer.html
https://github.com/AFLplusplus/AFLplusplus
https://github.com/google/oss-fuzz
https://github.com/microsoft/onefuzz
https://github.com/antonio-morales/Fuzzing101
https://github.com/google/clusterfuzzlite
https://github.com/Rog3rSm1th/Frelatage
https://github.com/google/atheris
What's the Use of Dynamic Analysis When You Have Static Analysis?
https://www.viva64.com/en/b/0643/
In-Depth: Static Code Analysis
https://www.gamasutra.com/view/news/128 ... alysis.php
Static Analysis at Scale: An Instagram Story
https://instagram-engineering.com/stati ... 498ab71a0c
AddressSanitizer (ASan) for Windows with MSVC
https://devblogs.microsoft.com/cppblog/ ... with-msvc/
AddressSanitizer for Windows: x64 and Debug Build Support
https://devblogs.microsoft.com/cppblog/ ... d-support/
Address Sanitizer for MSVC Now Generally Available
https://devblogs.microsoft.com/cppblog/ ... available/
https://www.youtube.com/watch?v=4YzFdiYPeVw&t=4050s
Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale
https://www.microsoft.com/security/blog ... -fix-bugs/
coverity and oss-fuzz issue solving common patterns for solving reported issues
https://ftp.belnet.be/mirror/FOSDEM/202 ... lving.webm
Fuzzing software: common challenges and potential solutions (Part 1)
https://securitylab.github.com/research ... olutions-1
Fuzzing software: advanced tricks (Part 2)
https://securitylab.github.com/research ... software-2
Code scanning is now available
https://github.blog/2020-09-30-code-sca ... available/
Announcing third-party code scanning tools: static analysis & developer security training
https://github.blog/2020-10-05-announci ... -training/
A system to flag anomalous source code expressions by learning typical expressions from training data
https://github.com/IntelLabs/control-flag
ClusterFuzzLite: Continuous fuzzing for all
https://security.googleblog.com/2021/11 ... g-for.html
How to squash bugs by enrolling in OSS-Fuzz
https://github.blog/2021-11-23-how-to-s ... -oss-fuzz/
Build reliable and secure C++ programs
https://learn.microsoft.com/en-us/cpp/c ... w=msvc-170
Automated Testing Handbook
https://appsec.guide/
Publishing Trail of Bits’ CodeQL queries
https://blog.trailofbits.com/2023/12/06 ... l-queries/
Master fuzzing with our new Testing Handbook chapter
https://blog.trailofbits.com/2024/02/09 ... k-chapter/
Continuously fuzzing Python C extensions
https://blog.trailofbits.com/2024/02/23 ... xtensions/
Read code like a pro with our weAudit VSCode extension
https://blog.trailofbits.com/2024/03/19 ... extension/
Streamline your static analysis triage with SARIF Explorer
https://blog.trailofbits.com/2024/03/20 ... -explorer/
Last edited by saso on Thu Mar 21, 2024 12:38 pm, edited 32 times in total.
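As an added illustration of the "sanitizers and fuzzers" item in the list above (this is example code written for this thread, not FreeCAD code and not from any of the linked projects): a libFuzzer harness for a small, hypothetical `KEY=VALUE` line parser. The parser checks every index against the buffer length, because the fuzzer will hand it truncated, unterminated and binary input; a version that indexed `data[eol]` without the `eol < len` guard is the kind of one-byte over-read that ASan reports immediately and that unit tests on well-formed input never exercise. `parse_records`, `Record` and `parse_string` are names invented for this example; `LLVMFuzzerTestOneInput` and the `-fsanitize=fuzzer,address` clang flags are libFuzzer's real entry point and build options.

```cpp
// Added example, not FreeCAD code: a libFuzzer harness for a hypothetical
// "KEY=VALUE\n" record parser, built with AddressSanitizer.
// Build and run:  clang++ -g -O1 -fsanitize=fuzzer,address harness.cpp -o harness
//                 mkdir -p corpus && ./harness corpus/
// Without -fsanitize=fuzzer the file also compiles as a normal program (see main).
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct Record {
    std::string key;
    std::string value;
};

// Parse "KEY=VALUE" lines from an untrusted buffer. Stops at the first
// malformed line (no '=' or empty key) and returns the record count.
// An unterminated last line is accepted. Every read is bounded by `len`.
static size_t parse_records(const uint8_t *data, size_t len, std::vector<Record> &out) {
    size_t pos = 0;
    while (pos < len) {
        size_t eol = pos;
        while (eol < len && data[eol] != '\n') ++eol;   // end of line or buffer
        size_t eq = pos;
        while (eq < eol && data[eq] != '=') ++eq;       // separator within the line
        if (eq == eol || eq == pos) return out.size();  // malformed: no '=' or empty key
        const char *line = reinterpret_cast<const char *>(data);
        out.push_back({std::string(line + pos, eq - pos),
                       std::string(line + eq + 1, eol - eq - 1)});
        pos = eol + 1;  // skip the '\n'; if eol == len this ends the loop
    }
    return out.size();
}

// libFuzzer entry point: called once per generated input. Crashes, ASan
// reports and timeouts inside parse_records are what the fuzzer is hunting.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    std::vector<Record> recs;
    parse_records(data, size, recs);
    return 0;  // libFuzzer requires 0
}

// Convenience wrapper for tests and for replaying a single crash input.
static std::vector<Record> parse_string(const std::string &s) {
    std::vector<Record> recs;
    parse_records(reinterpret_cast<const uint8_t *>(s.data()), s.size(), recs);
    return recs;
}

int main() {
    // Constructed sample input; a real run would replay a crash file from corpus/.
    std::vector<Record> recs = parse_string("name=Box\nlength=10\n");
    return recs.size() == 2 ? 0 : 1;
}
```

The harness is deliberately tiny: libFuzzer supplies the input generation, coverage feedback and corpus management, so the target only needs to be a pure function of the input bytes. Seed the corpus with a few valid records so coverage-guided mutation starts from the interesting paths rather than from random bytes.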
Re: Code quality checker
I have seen you have started a Coverity build for FreeCAD, but you already have access to https://scan.coverity.com/projects/saso ... ac-freecad
Check the three posts here https://forum.freecadweb.org/viewtopic. ... 30#p210644 for some first steps on how to use it.
Last edited by saso on Mon Jan 07, 2019 9:12 am, edited 1 time in total.
Re: Code quality checker
Control source code quality using the SonarQube platform
https://www.viva64.com/en/b/0452/
PVS-Studio as a plugin for SonarQube
https://www.viva64.com/en/b/0513/
Edit: I have moved some info about the PVS-Studio to a separate topic https://forum.freecadweb.org/viewtopic.php?f=10&t=34266
Last edited by saso on Sat Feb 16, 2019 8:32 pm, edited 2 times in total.
Re: Code quality checker
A thread pertaining to LGTM was split, new thread is at: https://forum.freecadweb.org/viewtopic.php?f=10&t=40228
Alone you go faster. Together we go farther
Please mark thread [Solved]
Want to contribute back to FC? Checkout:
'good first issues' | Open TODOs and FIXMEs | How to Help FreeCAD | How to report Bugs
Re: Code quality checker
Thanks Kunda1 for moving lgtm to its own topic...
And to give a small update to this topic (related, but not directly): a link to a ton of videos from this (and past) years' CppCon presenting and discussing different topics, best practices and the future of developing in C++ https://www.youtube.com/user/CppCon/videos