Static analysis of open source ROS2 C++ packages

Is it planned to statically analyze the ROS2 C++ core code base, as was done for the ROS1 ros_comm and roscpp_core? Is Coverity Scan suggested for static analysis of open source ROS2 C++ packages? Or do you suggest using other (alternative or complementary) tools out there?

ROS 2 supports various linters, e.g. cppcheck. Those can be run on every build and therefore provide timely and continuous feedback.

Coverity, on the other hand, can currently not be triggered automatically. A one-time analysis is only of limited value. But if someone were to automate the process, that would be very helpful.
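As an added illustration of the "run on every build" point above (editor's example, not code posted in this thread or taken from any ROS 2 package), here is how a package wires the ament linters into its test stage so that `colcon test` runs cppcheck and the other linters automatically. The package name `my_ros2_pkg` and the source file `src/node.cpp` are assumptions; `ament_lint_auto` and `ament_lint_common` are the real ament packages that pull in the default set of linters.

```cmake
# CMakeLists.txt of a hypothetical package "my_ros2_pkg" (constructed example)
cmake_minimum_required(VERSION 3.5)
project(my_ros2_pkg)

find_package(ament_cmake REQUIRED)

# Hypothetical library target; the linters inspect the sources under src/ and include/
add_library(${PROJECT_NAME} src/node.cpp)
target_include_directories(${PROJECT_NAME} PUBLIC include)

# Linters are registered as tests, so they run on every `colcon test`, not only on demand.
if(BUILD_TESTING)
  find_package(ament_lint_auto REQUIRED)
  # Picks up every linter declared as a <test_depend> in package.xml
  # (ament_lint_common covers cppcheck, cpplint, uncrustify, lint_cmake, xmllint, ...)
  ament_lint_auto_find_test_dependencies()
endif()

ament_package()

# The matching package.xml must declare the linters as test dependencies:
#   <test_depend>ament_lint_auto</test_depend>
#   <test_depend>ament_lint_common</test_depend>
```

With that in place, `colcon build --packages-select my_ros2_pkg && colcon test --packages-select my_ros2_pkg` runs the linters alongside the unit tests, and `colcon test-result --verbose` shows the findings; the same checks can be run by hand on a source tree with the standalone `ament_cppcheck src/` command, which is the same configuration the CI job uses.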

I’ve also been playing around with using clang static analysis locally. It should be possible to automate the scanning and integrate reporting into CI, but it will take some effort.

You mean the ament_lint integrations, right?

Absolutely, the faster the feedback loop the better. (The only thing you are missing in comparison to an IDE integration of tools is immediate feedback for effectively learning how to code without introducing defects.)

Yes.

Since the linters used in ROS 2 are commonly existing tools (potentially only with a custom configuration file), you should be able to configure them in your IDE of choice. I am using, e.g., the majority of the linters in Atom to get immediate feedback, which, as you mentioned, is immensely useful.

At the moment Atom is my choice as well. I am integrating it and will try to find some time to write a few lines about the integration for the ROS2 wiki.

Did this ever happen? That is, was static analysis ever run on ROS 2? If so, what are the results so far? Are folks happy with them? Is dynamic/coverage and other analysis also planned? Thanks.
