| 1 | +# QGIS Enhancement: QGIS (and dependencies) Coverity Scan Cleanup |
| 2 | + |
| 3 | +**Date** 2025-03-25 |
| 4 | + |
| 5 | +**Author** Nyall Dawson (@nyalldawson) |
| 6 | + |
| 7 | + |
| 8 | + |
| 9 | +**Version** QGIS 3.44-3.46 |
| 10 | + |
| 11 | +# Summary |
| 12 | + |
| 13 | +The [Coverity Scan](https://scan.coverity.com/) tool is a highly regarded tool for static analysis of complex |
| 14 | +c++ projects. It's able to pro-actively identify many code issues (such as potential |
| 15 | +crashes, memory leaks, and other unsafe behavior) which aren't picked up by other |
| 16 | +tools (such as clang-tidy or cppcheck). |
| 17 | + |
| 18 | +Having no open issues reported by Coverity Scan allows a project to advertise |
| 19 | +themselves as "Coverity Clean", which is a highly regarded recognition and which forms |
| 20 | +a valuable bullet point when discussing a project's stability and code quality. |
| 21 | + |
| 22 | +While Coverity Scan is a proprietary service, it offers free analysis for |
| 23 | +suitable open-source projects. It has been used sporadically for QGIS analysis |
| 24 | +over the past 10 years, and has directly lead to many fixes and optimisations. |
| 25 | + |
| 26 | +Currently, the tool reports around 1075 open issues when run on the QGIS master codebase. |
| 27 | + |
| 28 | +These issues range from false positives to trivial fixes through to serious issues |
| 29 | +which require substantial work to fix. Unfortunately, the large number of trivial |
| 30 | +issues currently reported in QGIS make the tool effectively useless for QGIS, as |
| 31 | +the critical issues are hidden amongst the many hundreds of trivial issues. |
| 32 | + |
| 33 | +This project will cleanup the Coverity Scan results by: |
| 34 | + |
| 35 | +1. Marking false-positive issues accordingly in the scan results, so that they no |
| 36 | + longer clutter the Coverity results reports |
| 37 | +2. Fix trivial issues so that the signal-to-noise ratio of the reports is improved |
| 38 | + |
| 39 | +Unfortunately the Coverity Scan results site is very slow and clunky to navigate, |
| 40 | +so even closing false-positive reports takes a non-negligable amount of time to do! |
| 41 | + |
| 42 | +**Please note that Coverity Scan results are not publicly available due to the |
| 43 | +potential of security risks being exposed, and only approved QGIS core developers |
| 44 | +have access to these reports** |
| 45 | + |
| 46 | +## External projects |
| 47 | + |
| 48 | +Since QGIS embeds a number of third party dependencies (such as MDAL, lazperf, and untwine, |
| 49 | +among others), the scan also includes issues identified in these projects. |
| 50 | + |
| 51 | +During the cleanup I will submit pull requests upstream to these projects, which will |
| 52 | +benefit both the QGIS scan results + other users of these libraries. |
| 53 | + |
| 54 | +## Deliverables |
| 55 | + |
| 56 | +- Removing all false-positive reports from the scan results |
| 57 | +- Fixing trivial issues in QGIS and embedded third party dependencies |
| 58 | + |
| 59 | +If time is available after completing the cleanup, I will investigate whether it is |
| 60 | +possible to automatically run the Coverity Scan tool on a weekly basis as a GitHub |
| 61 | +action (as is done for other projects, e.g. GDAL). **This may not be possible due to |
| 62 | +the size of QGIS and the time required for a full QGIS rebuild under the Coverity Scan |
| 63 | +tool.** |
| 64 | + |
| 65 | +All non-trivial fixes are considered to be out of scope for the project. After the |
| 66 | +cleanup these will be easy to identify and could potentially be targeted in a future |
| 67 | +QGIS bug fixing round. |
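Review bot: the "Deliverables" section leaves the scope boundary undefined. It promises to fix "trivial issues" while the closing paragraph declares "non-trivial fixes" out of scope, but nothing says which is which, so the deliverable cannot be checked at the end of the project; one sentence giving the criterion (for example, a local change with no behaviour or API impact) and a target open-issue count measured against the ~1075 quoted in the Summary would make this verifiable. Related gap: the Summary says the results are kept private because they may expose security risks, yet the "External projects" section plans public upstream pull requests; the proposal should state how a finding that turns out to be security-relevant is handled (coordinated with the affected project before a descriptive public PR lands) so the cleanup does not disclose it ahead of a fix. Minor wording in the same file: "non-negligable" should be "non-negligible", "has directly lead" should be "has directly led", "will cleanup" should be "will clean up", "c++" should be "C++", and the two lists would read better with parallel verb forms ("Mark ... / Fix ..." and "Remove ... / Fix ...").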