@nprofile1q... @nprofile1q... @nprofile1q... I did some triaging of libc reports in FreeBSD from Coverity about ten years ago. The false positive rate was very high, but lower than I’ve seen for Claude.
We use the clang analyser in CI for CHERIoT RTOS (and our clang has a growing number of CHERI-specific analyses). It isn’t as good as Coverity in general, but it has found real bugs in my code prior to merging PRs.
It’s much easier to use for a new project than an established one. Each time we turn on a new analysis, there is a period of checking each report and adding comments to silence it if it’s a false positive, but it’s fairly short. A project that’s already millions of lines of code, going from nothing to all of the analyses, just has a huge pile of things to wade through.
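The triage loop described in the post, as an added example that is neither CHERIoT RTOS code nor the poster's own: a leak of the kind the clang static analyzer's unix.Malloc checker reports, its fix, and a report that triage would classify as a false positive (a NULL-return path that the caller's contract rules out), silenced by stating the invariant with assert() rather than with a blanket suppression. Function names, the permission table and the sample strings are constructed for this example; the analyzer invocation and the `__clang_analyzer__` macro are real clang behaviour.

```c
/* Added example (not CHERIoT RTOS code, not the post author's code).
 * Analyze with:   clang --analyze -Xclang -analyzer-output=text example.c
 * clang defines __clang_analyzer__ only while analyzing, so that macro
 * can guard analyzer-only code; here we use assert() instead, because the
 * analyzer treats assert() as a path constraint and it also documents
 * the contract for human readers.
 */
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Counts whitespace-separated words in 'copy', which is len bytes long. */
static int count_words(const char *copy, size_t len)
{
    int n = 0, in_word = 0;
    for (size_t i = 0; i < len; i++) {
        if (isspace((unsigned char)copy[i])) {
            in_word = 0;
        } else if (!in_word) {
            in_word = 1;
            n++;
        }
    }
    return n;
}

/* BEFORE: a genuine bug. On the empty-string path 'copy' is never freed.
 * The analyzer reports "Potential leak of memory pointed to by 'copy'" on
 * the 'return 0' line; this is the kind of report worth fixing, not
 * silencing. The scratch copy stands in for real work that mutates it. */
int word_count_buggy(const char *s)
{
    size_t len = strlen(s);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, s, len + 1);
    if (len == 0)
        return 0;                 /* leak: 'copy' not released here */
    int n = count_words(copy, len);
    free(copy);
    return n;
}

/* AFTER: every path that allocates also frees. */
int word_count(const char *s)
{
    size_t len = strlen(s);
    if (len == 0)                 /* decide before allocating */
        return 0;
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, s, len + 1);
    int n = count_words(copy, len);
    free(copy);
    return n;
}

/* Constructed lookup table; perm_name() returns NULL for ids outside it. */
static const char *const perm_table[] = { "read", "write", "exec" };
#define PERM_COUNT (sizeof(perm_table) / sizeof(perm_table[0]))

const char *perm_name(int id)
{
    if (id < 0 || (size_t)id >= PERM_COUNT)
        return NULL;
    return perm_table[id];
}

/* Contract: 'id' was validated at the API boundary. Because the analyzer
 * inlines perm_name(), it otherwise sees the NULL-return path reach
 * strlen() and reports a null pointer passed to a string function. After
 * triage that report is a false positive relative to the contract; the
 * assert() prunes the infeasible path for the analyzer (note: only when
 * NDEBUG is not defined during analysis) and states the contract. */
size_t perm_name_len(int id)
{
    const char *name = perm_name(id);
    assert(name != NULL && "id validated by caller");
    return strlen(name);
}
```

The order of preference when a new analysis is switched on matches the post's process: fix what is real, then state invariants the analyzer cannot infer (assert, or a noreturn abort path under `#ifdef __clang_analyzer__`), and only as a last resort hide code from the analyzer entirely, since hidden code is also code it will never check again.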