[Libwebsockets] CII + Codacy

Andy Green andy at warmcat.com
Fri Oct 12 01:58:57 CEST 2018


Hi -

Lws now passes the Linux Foundation CII Best Practices checklist

https://bestpractices.coreinfrastructure.org/projects/2266

...and gets another "badge"... what we already do was 90% of it, but the 
rest needed adding some readme.x.mds about various flows, and setting 
up a cronjob to do Coverity daily on master (which is at 0 issues).

I also added Codacy static analysis as a push hook...

https://app.codacy.com/project/lws-team/libwebsockets/dashboard

... this runs a bunch of static analysis tools and sends snooty emails 
if it thinks a patch is "not up to standard" (because it added static 
analysis violations).  Unfortunately by default, some of the tests 
Codacy applies are "not up to standard", and they seem to have taken the 
approach of quantity over quality.

For example it does static analysis on JS as well as the C, which is 
quite cool, but it complains:

  - about all [] lookups like map[key] (pattern "Prohibit instances of 
var[var]").  There is a real problem there, I was interested to learn:

https://web.archive.org/web/20150430062816/https://blog.liftsecurity.io/2015/01/15/the-dangers-of-square-bracket-notation

... but if key is coming from a 'for' loop counter, there's no security 
implication, and yet those are still flagged.

  - It tries to check if numeric constants can be expressed in floating 
point correctly.  But eg it complains "The numeric literal '0x42' will 
have a different value at runtime."... I don't believe there is any 
representation issue for 66 as a direct constant in floating point.

  - If it sees you setting innerHTML to a variable it flags it as 
unsafe, even though the variable only has sanitized and local content.

  - It flags any time that a variable could have been defined with 
tighter scope (because the only users are at least one block down in 
scope).  While that's true, it's not something I care about generally 
and I don't want 100 instances of it in my face like it is a problem.

  - It enforces { } around if paths even when both C and JS allow single 
statements without them.

  - "Prohibit Console messages"...

  - it lints all markdown, but according to non-github-type markdown 
rules for tables etc, generating reams of garbage

There are many more makework complaints enabled.

After disabling classes of complaint I don't consider reasonable, and 
working through the rest that were either right or arguable (or caused 
by it not having access to external defines from cmake) currently master 
passes with 0 complaints, and the badge says "Code Quality: A".  But it 
started saying that when it still had a couple of hundred complaints 
going :-) so I am not sure people should set much store by it.  I wrote 
to Codacy about the problems but they just agreed some tests are broken 
and suggested disabling them as I had done.

Codacy offers "coverage" analysis but it doesn't work for C.

-Andy
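The "var[var]" hazard the linter is flagging, worked through as an added example; this is not code from libwebsockets or from the post above, and the subprotocol names in the lookup table are made up for illustration. It shows why obj[key] with a key from outside can reach Object.prototype on read (or replace the prototype on write), two ways to make the lookup safe, and why an array index from a for loop is a different case.

```javascript
// Added example; not from libwebsockets or from the mailing list post.
// Constructed registry of WebSocket subprotocol handlers (names invented).
const handlers = {
  "lws-mirror-protocol": () => "mirror",
  "dumb-increment-protocol": () => "increment",
};

// Unsafe: a wire-supplied name that was never registered still returns
// something truthy if it names an inherited property ("constructor",
// "toString", "__proto__", ...), so a "did we find a handler?" check passes.
function lookupUnsafe(table, key) {
  return table[key];
}

// Safe: only own properties count. Call hasOwnProperty via the prototype,
// not as table.hasOwnProperty(), because a JSON-derived table could shadow
// that name with a non-function and make the check itself throw.
function lookupSafe(table, key) {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

// Safer still: a Map keeps string keys off the prototype chain entirely.
function lookupMap(table, key) {
  return new Map(Object.entries(table)).get(key);
}

// Write side: target[key] = value with key "__proto__" swaps the object's
// prototype instead of creating a property, so later reads of unrelated
// names ("isAdmin") see attacker-chosen values.
function setUnsafe(target, key, value) {
  target[key] = value;
  return target;
}

// defineProperty always creates or updates an own property, even when the
// key is "__proto__", so the prototype is left alone.
function setSafe(target, key, value) {
  Object.defineProperty(target, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// The case the post calls harmless: indexing an array by a loop counter.
// Every i in [0, arr.length) names an own element; nothing comes from outside.
function sumByLoop(arr) {
  let total = 0;
  for (let i = 0; i < arr.length; i++) total += arr[i];
  return total;
}

// Runs each case and returns booleans a reader (or a test) can check.
function demo() {
  const probe = "constructor"; // attacker-chosen, not a registered protocol
  const unsafeHit = typeof lookupUnsafe(handlers, probe) === "function";
  const safeMiss = lookupSafe(handlers, probe) === undefined;
  const mapMiss = lookupMap(handlers, probe) === undefined;

  const victim = setUnsafe({}, "__proto__", { isAdmin: true });
  const prototypeSwapped = victim.isAdmin === true && Object.keys(victim).length === 0;

  const guarded = setSafe({}, "__proto__", { isAdmin: true });
  const ownOnly = guarded.isAdmin === undefined && Object.keys(guarded).includes("__proto__");

  return { unsafeHit, safeMiss, mapMiss, prototypeSwapped, ownOnly, sum: sumByLoop([1, 2, 3]) };
}
```

Calling demo() returns all five booleans true and sum 6: the plain lookup accepts "constructor" as if it were a registered protocol, both guarded lookups reject it, the plain write with an "__proto__" key changes what the object inherits, and the loop-indexed sum involves no externally chosen key at all.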

