
Use of Static Analysis on Android Code

I was wondering if Google runs automated static analysis tools and/or
vulnerability scanners on native (C/C++) code?

I assume FindBugs is run against Java code.

Does anyone know if Coverity is still scanning open source
(http://www.coverity.com/html/press_story54_01_08_08.html)?  A few of the
projects were also external projects for Android, but I don't have a feel
for how many might have benefited the system on target devices directly.


Thanks,
Dan


Re: Use of Static Analysis on Android Code

I just learned about static code analysis in school and am interested
to hear if anyone has any details on how it is being used with the
Android OS, and how it is being used with apps before, or after, they
go to market.

Thx,

D




Re: Use of Static Analysis on Android Code

Good question. I would love to have access to a Findbugs configuration
that is suitable for scanning Android app code.




Re: Use of Static Analysis on Android Code

If you look inside the build configuration, you will see make targets
for findbugs.  All you have to do is put findbugs in the correct
directory, then do a 'make findbugs'

I was more interested in scanning tools for C and C++ as there does
not seem to be a FOSS alternative.





Re: Use of Static Analysis on Android Code

Hi!


  ^-- Findbugs is an excellent tool for Java bytecode static analysis.
However, Java source code analysers are a great addition, too. We
successfully combine findbugs and checkstyle (checkstyle.sf.net);
JChord seems to be promising - read "distinctive enough" - but it
seems to be far from useful deployment yet.

Btw, how is findbugs used when Android does not have Java bytecode,
only source code? :-)


  ^-- Well, the root cause is that it is _much_ easier to analyse Java
code than C code - only macros and preprocessor options [working on
textual level] make any semantic analysis impossible. Anyhow, we find
the 'flawfinder' tool to be useful for C code.

Please share your experience with similar tools.

J.
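
The remark above about macros working at the textual level can be seen with a small name-matching scanner in the spirit of lexical tools such as flawfinder. This is an added example, not part of the original thread and not flawfinder's code or rule set; the C sample, the RISKY list and the single macro shape handled are constructed assumptions.

```python
import re

# Constructed C sample: one risky call is written out, the other only
# exists after the preprocessor pastes two tokens together.
C_SOURCE = r'''
#define CALL(prefix, name) prefix##name
void copy(char *dst, const char *src) {
    strcpy(dst, src);            /* visible in the text */
    CALL(str, cat)(dst, src);    /* strcat appears only after expansion */
}
'''

RISKY = {"strcpy", "strcat", "sprintf", "gets"}  # short illustrative list

# Assumption: only macros shaped like '#define M(a, b) a##b' are modelled.
DEFINE = re.compile(
    r'^[ \t]*#define[ \t]+(\w+)\((\w+),\s*(\w+)\)[ \t]+(\w+)##(\w+)[ \t]*$', re.M)

def strip_comments_and_strings(src):
    """Blank out comments and string literals, keeping line numbers intact."""
    pattern = r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"'
    return re.sub(pattern, lambda m: re.sub(r'[^\n]', ' ', m.group()), src, flags=re.S)

def lexical_hits(src):
    """Return (line, name) for every risky identifier followed by '('."""
    code = strip_comments_and_strings(src)
    return [(code.count('\n', 0, m.start()) + 1, m.group(1))
            for m in re.finditer(r'\b([A-Za-z_]\w*)\s*\(', code)
            if m.group(1) in RISKY]

def expand_token_paste(src):
    """Expand the modelled macros, as the real preprocessor would before compiling."""
    code = strip_comments_and_strings(src)
    macros = DEFINE.findall(code)
    code = DEFINE.sub('', code)  # drop the definitions, keep their newlines
    for name, p1, p2, a, b in macros:
        call = re.compile(r'\b%s\(\s*(\w+)\s*,\s*(\w+)\s*\)' % re.escape(name))
        def paste(m):
            args = {p1: m.group(1), p2: m.group(2)}
            return args.get(a, a) + args.get(b, b)
        code = call.sub(paste, code)
    return code

if __name__ == "__main__":
    print("raw text:       ", lexical_hits(C_SOURCE))
    print("after expansion:", lexical_hits(expand_token_paste(C_SOURCE)))
```

Scanning the raw text reports only the strcpy call; the strcat call shows up once the macro is expanded, which is why a purely lexical pass over C is best paired with a scan of preprocessed output or a compiler-based analyser.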
