[webkit-dev] WebKit project in Coverity

David Kilzer ddkilzer at webkit.org
Thu Jan 9 14:53:48 PST 2020


Back on Sept 18, 2019, Semmle announced <https://blog.semmle.com/secure-software-github-semmle/> that they would start scanning projects on GitHub.com using their static analysis tool.

As of July/August 2019, the WebKit mirror on GitHub includes analysis results* on their website, likely for the GTK port being compiled on Ubuntu:


* However, the results are only for part of JavaScriptCore since (a) the build/analysis times out on DFGSpeculativeJIT.cpp, and (b) they’re using `Tools/Scripts/build-webkit --jsc-only` to do the build:


If someone from Igalia (or another GTK port maintainer) can get the attention of the LGTM staff, maybe they can get LGTM to update their WebKit build to fix the DFGSpeculativeJIT.cpp timeout and to build all of WebKit (not just JavaScriptCore) so we get analysis of ANGLE, libwebrtc, WebCore and WebKit.


On Jun 2, 2017, at 5:12 AM, Carlos Alberto Lopez Perez <clopez at igalia.com> wrote:

> Hi,
> Coverity is a static analysis tool that allows finding bugs and
> vulnerabilities in the source code via static analysis.
> For open source projects, they offer free usage of their platform.
> The WebKit project has been registered there for a while. [1]
> To read the reports in detail or run new scans you have to be
> a member of the WebKit project in Coverity.
> I happen to be one of the admins there, and I will happily grant you
> access to this platform if you are a WebKit committer (listed in
> contributors.json).
> So if you are interested in this, just send me an email requesting
> access.
> Regards
> -------
> [1] https://scan.coverity.com/projects/webkit
