WebKit project in Coverity

# Carlos Alberto Lopez Perez (3 years ago)

Coverity is a static analysis tool that allows finding bugs and vulnerabilities in the source code via static analysis.

For open source projects, they offer free usage of their platform.

The WebKit project has already been registered there for a while. [1] To read the reports in detail or run new scans you have to be a member of the WebKit project in Coverity.

I happen to be one of the admins there, and I will happily grant you access to this platform if you are a WebKit committer (listed in contributors.json).

So if you are interested in this, just send me an email requesting access.

Regards

[1] scan.coverity.com/projects/webkit

# David Kilzer (3 days ago)

Back on Sept 18, 2019, Semmle announced (blog.semmle.com/secure-software-github-semmle) that they would start scanning projects on GitHub.com using their static analysis tool.

As of July/August 2019, the WebKit mirror on GitHub includes analysis results* on their website, likely for the GTK port being compiled on Ubuntu:

lgtm.com/projects/g/WebKit/webkit/?mode=list

* However, the results are only for part of JavaScriptCore since (a) the build/analysis times out on DFGSpeculativeJIT.cpp, and (b) they're using Tools/Scripts/build-webkit --jsc-only to do the build:

discuss.lgtm.com/t/looking-for-a-freelancer-to-take-on-indexing-two-massive-c-c-projects-on-lgtm-com/2221

If someone from Igalia (or another GTK port maintainer) can get the attention of the LGTM staff, maybe they can get LGTM to update their WebKit build to fix the DFGSpeculativeJIT.cpp timeout and to build all of WebKit (not just JavaScriptCore) so we get analysis of ANGLE, libwebrtc, WebCore and WebKit.
