Coverity for Java static analysis

Posted 2024-07-06 09:10:51 · 117 words · 16 views · 0 comments

I'd like to get comments from people who have used or evaluated Coverity for statically analysing Java code. I know it's popular in the C/C++ world, but is it worth spending the money for Java analysis, or am I better off with PMD, FindBugs and other open source tools?

Comments (4)

Anonymous 2024-07-13 09:10:51

If you aren't using anything today, I would start off with FindBugs and PMD. They are easy to install and use. Concentrate on reviewing and fixing correctness errors with FindBugs first; they recommend starting with High and Medium severity correctness errors, as the checkers have very low false positives and you will get a good return on your time. Get developers to use PMD to clean up the code, and the FindBugs plugin in Eclipse to review new code. Working incrementally will get the developers to understand and buy in to the usefulness of these tools.

Coverity's Java checkers are still weak compared to their C/C++ checkers. We use Findbugs, PMD, Coverity and Klocwork because they all have different strengths and we are paranoid. If you aren't paranoid, you could stick with open source tools and get a lot of value. Or if you need security checking: then Klocwork or especially Fortify should do a more thorough job for you.

葬花如无物 2024-07-13 09:10:51

I'll chip in with a somewhat relevant answer. I've used Klocwork for both Java and C code. Klocwork is a close competitor of Coverity... cost-wise they are about the same (look carefully, Klocwork looks cheaper until you actually buy what you need), and feature-wise they fight back and forth.

For C/C++, it's great. For Java.... well, it helped find a lot of resource leaks (#$@^#ing Java developers seem to forget that resources like file handles aren't garbage collected), but it doesn't seem to find many "critical" bugs. It's probably because the language itself does help protect against some of the more basic but hard-to-find errors (array overflows, pointer corruption, etc.).

Get Coverity in to run a demo, they are more than happy to. See what sort of things they find.
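The resource-leak pattern this answer describes, as an added example that is not part of the original post and not code from Coverity or Klocwork: a file handle opened in a method that can exit without closing it, beside the try-with-resources form that closes it on every path. The temporary file and its two lines are constructed sample input.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;

// Added example (not from the answer above). A file handle is an OS resource;
// the JVM's garbage collector does not promise to close it promptly, so every
// exit from the method must close it explicitly. Static analyzers flag the
// first method because the close() call is not on all paths.
public class ResourceLeakExample {

    // LEAKY: if readLine() throws, or the first line is empty and we return
    // early, the reader (and its underlying file descriptor) is never closed.
    static String firstLineLeaky(Path p) throws IOException {
        BufferedReader in = new BufferedReader(new FileReader(p.toFile()));
        String line = in.readLine();
        if (line == null || line.isEmpty()) {
            return "";          // early return: handle leaked
        }
        in.close();             // only reached on the happy path
        return line;
    }

    // FIXED: try-with-resources closes the reader on every exit, including
    // the exception path, so no file descriptor is left to the GC.
    static String firstLineSafe(Path p) throws IOException {
        try (BufferedReader in = new BufferedReader(new FileReader(p.toFile()))) {
            String line = in.readLine();
            return (line == null) ? "" : line;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary file with two lines.
        Path tmp = Files.createTempFile("leak-demo", ".txt");
        Files.write(tmp, Arrays.asList("first line", "second line"));
        try {
            System.out.println("leaky: " + firstLineLeaky(tmp));
            System.out.println("safe:  " + firstLineSafe(tmp));
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```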

别在捏我脸啦 2024-07-13 09:10:51

I'll add a limited me-too to the preceding answers, somewhat restricted by the Coverity NDA I'm bound by. Coverity Prevent has an impressive public track record for finding bugs in open source C/C++ code, but their Java product is a lot newer. (Coverity has a press release on my former employer, so I can say that it did help find and fix lots of bugs in our C/C++ code, more than I'd found in all my previous career in bug hunting.) FindBugs does an impressive job on Java code, and you can't beat the price. But the big point has already been made: try out both of them on your real code before you buy. There's no substitute for reality, and the conventional wisdom in static analysis is that there's surprisingly little overlap in what the tools discover.

疧_╮線 2024-07-13 09:10:51

As others have said, the best way to decide is to try all these tools out.

Coverity recently announced a hosted static-analysis-as-a-service product called Code Spotter (https://code-spotter.com/), currently in beta. It's using the same analysis engine as the Coverity enterprise product, but it is wrapped in a different (simplified) user interface. Since this is a hosted service, it is very easy to play with it to get a sense of the Coverity analysis capabilities.

At the time of this writing, Code Spotter is Java-only, but other Coverity supported languages should be coming soon.
