Questions tagged [static-analysis]

"Static Analysis" refers to software tools (or their use) that analyze application code for arbitrary properties, such as errors (uninitialized variables, a possible SQL injection attack, whether this code is dead, whether an argument can be null, ...) or structure (what is the call graph for this code? is there ...

1 vote · 2 answers · 67 views

How can I follow F# Lint's suggestion to use `id`

I am comparing two lists of things. Since I'm more familiar with Linq than F#, I did this: let r1 = (rows1.Zip (rows2, fun r1 r2 -> rowComparer r1 r2)).All (fun f -> f) This raises two ...

0 votes · 0 answers · 12 views

Java JTest static analysis report - Leakage of file system paths (“b”) via web page

The JTest static analysis report is showing a severity 1 error for the below code in the generateReport method. The issue is reported for the line os.write(b, 0, count) within the while loop. os is basically ...

0 votes · 0 answers · 18 views

Reading data from flat text logs

I'm not sure if this question is "in scope" for StackOverflow, and if not, I'd appreciate any pointers before the question is deleted. So... My question relates to the best way to extract useful data ...

1 vote · 2 answers · 48 views

Do IDEs compile your Java or Scala source code to offer static analysis?

IDEs offer a lot of cool features like jump to declaration and syntax highlighting. Just out of curiosity, in order to provide these features, does my IDE (IntelliJ) first have to compile my source ...

3 votes · 2 answers · 84 views

Prevent this.state from being used with setState

The reference states: setState() does not always immediately update the component. It may batch or defer the update until later. This makes reading this.state right after calling setState() a ...

1 vote · 2 answers · 75 views

Is there something similar to Java's checked exceptions in the Ada language?

Java forces the programmer to explicitly specify the exceptions raised by methods or provide handlers for them. Is there something similar in the Ada language?

1 vote · 1 answer · 35 views

How to detect all buffer access by using Clang Static Checker

My target: detect all buffer access in C/C++ by using the clang static checker. My idea: use CheckPosition to get all memory reads/writes and then filter unrelated items. My problem: However, I got ...

3 votes · 3 answers · 128 views

How to be warned about pointers to out-of-scope local variables

Consider the following code: #include <stdio.h> void badidea(int**); int main(void) { int* p; badidea(&p); printf("%d\n", *p); /* undefined behavior happens here: ...

0 votes · 2 answers · 19 views

Spotbugs on a single file?

I am using the Spotbugs plugin within the Eclipse IDE. I can run Spotbugs over a whole project, which gives me the impression that the tool needs to build the project to present its analysis report. But ...

0 votes · 2 answers · 73 views

Why did my static analyzer fail to find a potential uninitialized read?

I am wondering why the static analyzer tools I use were unable to detect the following simple error (potentially uninitialized variable): S08 GPS_Nmea::handler(GPS_INF *pGps, U08 *pRcvd) { S08 ...

1 vote · 0 answers · 31 views

Static analyzer to find the no. of times functions are called in Java

I have a very big list of Java files. I need a tool which will give me the number of times a function is used, for all the functions from all the source code files. Does any such tool exist? I need this ...

0 votes · 0 answers · 12 views

If SonarQube gets fed coverage results from JaCoCo (e.g.), how is it using its metrics?

I have read that SonarQube does not execute unit tests itself but only imports coverage data obtained by tools such as JaCoCo. Well, then what are the SonarQube metrics definitions for? I mean, if ...

0 votes · 0 answers · 9 views

Adding a GitHub project without write permissions to Coverity Scan

When I attempt to create a project in Coverity Scan from GitHub, it is only showing me my own GitHub projects. How can I add one from GitHub for which I have no write access but to which I contribute ...

0 votes · 0 answers · 22 views

Which is the better code quality metric: cyclomatic complexity or average fan-out?

Hi all, I was working on TICS code quality metrics for the first time, so I got this question. Many suggest breaking large functions into one or more functions in order to keep complexity less than 15. Doing ...

-1 votes · 1 answer · 69 views

How to delete dead code or code of no use based on configure file/makefile file

When we compile a C/C++ project, some files and codes in the project source are not needed for compilation. For example, test folder (some testing scripts), examples folder and dead code. How can I ...

1 vote · 1 answer · 39 views

Abstracting over type constructors in Python via type annotations

I want to statically enforce that a method of a class returns a value wrapped in some abstract type, that I know nothing about: E.g. given the abstract class F = ??? class ThingF(Generic[F]): ...

0 votes · 1 answer · 40 views

Is it possible to suppress since instances of issues reported by the Xcode (clang) analyzer?

My use case is as follows. In the automated testing of one of my libraries I use the mktemp function in order to obtain a filename in order to create a temporary file. Xcode correctly complains about ...

0 votes · 1 answer · 74 views

Haskell `hlint`, how can I add hints for wrong indentation, trailing spaces, etc.?

I tried to use the hlint package, but it gives no warnings or configuration for: trailing spaces, last empty line, spaces between arguments, restrict tab indentation, redundant lines, and other lint options ...

0 votes · 1 answer · 34 views

How to extract the number of lines of source code in a Jenkins pipeline?

I am trying to configure the thresholds for some SCA tools in a pipeline depending on the number of lines of code per project. My question is, what would be the best way to compute the number of LOC ...

0 votes · 1 answer · 36 views

How to distinguish between ARM code and Thumb code with static analysis

I know that the Thumb code consists of 16 bits, and the ARM code consists of 32 bits. But is there a way to see the specific offsets in the file and tell whether the instruction is ARM code or Thumb ...

1 vote · 1 answer · 54 views

Warning when an explicitly defaulted function declaration is deleted

Is there a diagnostic flag or tool that can warn me if I have an explicitly defaulted function declaration that the compiler deletes? If not, then why? Can a defaulted member being deleted be a ...

6 votes · 1 answer · 76 views

Quality of Visual Studio Community code analysis with SAL annotations

I hope this question is not out of scope for SO; if it is (sorry in that case), please tell me where it belongs and I'll try to move it there. The concept of SAL annotations for static code analysis ...

0 votes · 1 answer · 38 views

clang analyzer can't detect null dereferencing

I'm playing with the clang static analyzer (clang++ --analyze or clang-tidy, win64, v6.0.1). The Clang analyzer can detect a null dereference in this case: class SomeClass { public: int a = 5; }; ...

0 votes · 1 answer · 32 views

How can I prevent the project from using a specific Android API?

In a project with API 16 compatibility I've been using vector drawables with ContextCompat.getDrawable() which is of course incorrect and crashes in old devices, needing to be replaced by ...

0 votes · 0 answers · 23 views

Static analysis tool to check whether the code has non-SDK interface usages in Android?

Can anyone help me find the non-SDK interface usages in my project by using any static tool?

0 votes · 0 answers · 20 views

WebStorm slow navigation to reference when using Flow as a JavaScript language

While using Flow as a project language, pressing ⌘+click to navigate to reference takes around 4 seconds. This happens only when the "Navigation, code completion and type hinting" checkbox is checked....

0 votes · 1 answer · 42 views

Running SonarQube on TeamCity

I am running SonarQube on TeamCity. I have installed the plugin and I can see the installed service, but when I add it to the build step, I get an error. I checked on the machine and the sonarqube ...

1 vote · 2 answers · 71 views

How to fully match a dereferenced pointer with CIL module?

I'm working with https://people.eecs.berkeley.edu/~necula/cil/api/Cil.html and would like to match the pointers and extract the variable name in a certain expression. Example (assume this is ...

0 votes · 0 answers · 26 views

How to inspect manually decorated function?

I have a client object Client. It has many sync functions and I have a decorator which can change them into async functions. As I cannot modify original code, I use code like client.send_request=...

0 votes · 1 answer · 24 views

List Clang-Query Matchers

Is there a way to list all possible matchers in clang-query? The AST matcher reference list is not necessarily the most up-to-date version. Even the list in ASTMatchers.h clang header (clang-6.0.0) ...

0 votes · 0 answers · 68 views

Covering React-Redux Connect() using Flowtype

I have the following code: const mapStateToFilterProps = (state: DataExplorerState, props) => ({ loading: state.loading, filters: state.filters }); const actionCreators: ActionCreators<string, ...

0 votes · 0 answers · 7 views

Using clang static analysis on a solution

Does anybody have some tips to make the clang static analyzer tool work on a C++ Visual Studio Solution? I have already understood that clang, clang-check and scan-build exist, but I do not ...

2 votes · 0 answers · 47 views

Activation rules on SonarQube

I am trying to do an integration between SonarQube and the Robotframework language, so I created a plugin in Java containing the class for creating an Issue related to a rule of a tool named Rflint: @Override...

1 vote · 0 answers · 46 views

How does Eclipse identify instance variables/fields in the source code of a method?

As shown in the picture, Eclipse automatically colors the instance variables/fields in their source code. How did Eclipse do that from an implementation perspective? I want to try to statically do ...

0 votes · 0 answers · 51 views

How to resolve this warning: The numeric literal appears to be unnecessary

My Java code has a section as follows: private static final double EPSILON = 0.0000001; private boolean equals(double a, double b) { return (Math.abs(a - b) < EPSILON); } But when I compile it ...

0 votes · 1 answer · 28 views

fruitless type test: a value of type Option[akka.actor.ActorSystem] cannot also be a akka.actor.ActorSystem

I am using scapegoat for static code analysis and I am getting a warning message: fruitless type test: a value of type Option[akka.actor.ActorSystem] cannot also be a akka.actor.ActorSystem. Here is my ...

0 votes · 0 answers · 16 views

Writing an xmldoc in Matlab that can be opened in Graphpad Prism

I am doing many calculations in Matlab and am getting tired of cut and pasting all the different tables into Graphpad Prism, which is the final format I need it in. I want to automate the generation ...

0 votes · 0 answers · 26 views

How to automatically find mathematical relationships and statistics in a set of numbers

I have many sets of numbers, each set is ordered in a matrix. I want to automatically find mathematical formulas that explain the relations between the different numbers in the matrix, within each ...

-4 votes · 1 answer · 47 views

How does Java handle vulnerable code coming as input arguments? [closed]

How does the JVM handle vulnerable code like 'System.exit()' when it is passed as user input?

0 votes · 0 answers · 15 views

Error in Jenkins linting

I am setting up Jenkins linting for the enterprise Jenkins instance. I am following the official documentation to use the Curl command approach. I have created a Jenkinsfile which further calls a Shell ...

0 votes · 0 answers · 28 views

Get original namespace of class when referenced

So I am currently writing a code analyzer with Roslyn for C#, but now I'm stuck. I want to analyze extension methods. It is demanded that the namespace the extension is declared in equals the namespace of ...

0 votes · 1 answer · 57 views

Incorrect LLVM alias analysis

I'm asking a question similar to this post about an LLVM alias analysis that seems to give incorrect results. Since it contains considerable re-writing, I have decided to post it as a separate ...

0 votes · 1 answer · 25 views

How long does it take for Coverity analysis after a Travis build succeeds?

https://github.com/rajeshgopu/coverity_test It shows pending for a long time in the GitHub project status. Does the Travis script have issues, or do I have to wait to get the result from Coverity?

0 votes · 0 answers · 36 views

Go static analysis: find read-only package-level vars

Using static analysis, it should be possible to determine which package-level variables are always read-only... that is, the value once initialised is never changed by the program. My problem will ...

0 votes · 1 answer · 44 views

Using the results of LLVM alias analysis from an LLVM loop pass

I have an LLVM loop pass, and I need to check whether two values may alias to one another. If I first run an alias analysis pass, and then the loop pass, how can I query the results of the AA pass? It ...

0 votes · 0 answers · 25 views

Does static type checking remove need for dynamic type checks in JavaScript?

Does using a static type checking tool such as Flow.js remove the need for dynamic type checks? It seems like it should, but is there any reason to use dynamic type checking even if static type ...

1 vote · 0 answers · 20 views

Is there a static checker for JAX-RS annotations?

I just started using JAX-RS annotations for client-server communication (using Resteasy + RestyGWT). From time to time, I run into a problem at runtime that I think could be spotted at compile time. ...

5 votes · 2 answers · 86 views

Is my in-class decorator not Pythonic enough or PyCharm not smart enough in lint warning?

I want to define a decorator within a class. I don't want to define it as a separated, independent function, for this decorator is specifically for this class and I want to keep the correlated methods ...

0 votes · 2 answers · 188 views

How can I extract API calls from an APK file?

Using Python, I am trying to extract the API calls that an Android application makes, given its .apk file. Is there a way to parse/extract names of the APIs used by a package through static ...

1 vote · 0 answers · 40 views

Is there a static C analyzer which detects uninitialized static variables? [duplicate]

We have hit a problem with some C code in embedded firmware which only occurred on 1 in 200 systems, and boiled down to use of a global static variable before it had been initialized. In normal C, ...
