[openstreetmap/openstreetmap-website] Use Brakeman for static code analysis (#2723)

Tom Hughes notifications at github.com
Wed Jul 22 12:38:10 UTC 2020


So it's all very well enabling it and just turning off all the "difficult" checks but what I really want to know in order to evaluate this is what happens once we start trying to turn them back on again...

I know in the original I expressed concern about the false positive rate, though I'm not sure what I was using to evaluate that because I can't see any sort of human-readable report anywhere on that ticket, presumably because they had again all been suppressed, albeit in a different way.

If we accept that false positives are unavoidable and that they will need to be suppressed, presumably using the mechanism from the original pull request, then my question is: how robust is that suppression mechanism? Is it tightly tied to the current state of the code, so that it will keep retriggering and having to be suppressed again when the code changes? Or, on the flip side, is it going to continue suppressing warnings when code is changed and needs to be re-evaluated to be sure that a false positive really is still a false positive?

I mean I can see it stores a source location, and the source text, and a fingerprint. What's not clear is what feeds into the fingerprint and which attributes exactly it compares when considering whether to suppress a warning.

The alternative to suppressing false positives, of course, is to change the code to avoid them, but it may be hard to do that in ways that aren't extremely intrusive. Is there any documentation on suggested approaches (beyond the comically trivial) to writing code that avoids triggering these warnings?

Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/2723#issuecomment-662428475
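The fingerprint question raised in the comment above (does a suppression survive a line move, and does it lapse when the flagged code itself changes?) is easiest to reason about with a runnable model. The following Ruby is an added example, not Brakeman's code nor anything from the openstreetmap-website pull request. It assumes a fingerprint built from the inputs Brakeman's documentation lists for `brakeman.ignore` entries (warning type, flagged code text, relative file path, class/method location and confidence, with no line number); treat that list of inputs as an assumption to verify against the Brakeman source rather than a statement about its internals. The `Finding`, `IgnoreFile` and `suppression_survives?` names and the sample warning are constructed for this illustration.

```ruby
require "digest"
require "json"

# A Brakeman-style warning, as a minimal model (added example, not Brakeman's
# own code). The fields feeding the fingerprint are ASSUMED to mirror those
# Brakeman documents for brakeman.ignore: warning type, the flagged code text,
# the relative file path, the location (class and method), and confidence.
# The line number is deliberately NOT part of the fingerprint.
Finding = Struct.new(:warning_type, :code, :file, :klass, :meth, :line, :confidence) do
  def fingerprint
    location = { class: klass, method: meth }.sort_by { |k, _| k.to_s }.inspect
    Digest::SHA256.hexdigest("#{warning_type}#{code}#{location}#{file}#{confidence}")
  end
end

# Models the ignore file: fingerprints of reviewed false positives plus a note.
class IgnoreFile
  def initialize
    @entries = {}
  end

  # Record a warning as a reviewed false positive; the note records why.
  def ignore(finding, note:)
    @entries[finding.fingerprint] = { file: finding.file, code: finding.code, note: note }
  end

  # A warning is suppressed only when its current fingerprint matches an entry.
  def suppressed?(finding)
    @entries.key?(finding.fingerprint)
  end

  # Entries that match no warning in a fresh scan are stale: the code they
  # covered was edited or removed, so the old review no longer applies.
  def stale_entries(current_findings)
    @entries.keys - current_findings.map(&:fingerprint)
  end

  def to_json(*)
    JSON.pretty_generate("ignored_warnings" => @entries.map { |fp, e| e.merge("fingerprint" => fp) })
  end
end

# Constructed sample warning: a string-interpolated query in a controller method.
ORIGINAL = Finding.new("SQL Injection",
                       'User.where("name = \'#{params[:name]}\'")',
                       "app/controllers/users_controller.rb",
                       "UsersController", "index", 42, "High")

# Same code, merely moved to another line (e.g. after adding a method above it).
MOVED   = ORIGINAL.dup.tap { |f| f.line = 57 }

# Flagged expression edited: a different parameter is interpolated now, so the
# earlier human review no longer applies and the warning should resurface.
EDITED  = ORIGINAL.dup.tap { |f| f.code = 'User.where("name = \'#{params[:q]}\'")' }

# Method renamed: the location changed, so the fingerprint changes too.
RENAMED = ORIGINAL.dup.tap { |f| f.meth = "search" }

# Returns whether a suppression recorded for `reviewed` still applies to `later`.
def suppression_survives?(reviewed, later)
  store = IgnoreFile.new
  store.ignore(reviewed, note: "params[:name] is validated by a before_action")
  store.suppressed?(later)
end

if __FILE__ == $PROGRAM_NAME
  { "line moved" => MOVED, "code edited" => EDITED, "method renamed" => RENAMED }.each do |label, f|
    puts format("%-15s suppressed=%s", label, suppression_survives?(ORIGINAL, f))
  end
end
```

Under this scheme a suppression survives pure line movement but lapses as soon as the flagged expression or its enclosing method changes, which is the behaviour a reviewer wants: the false positive does not retrigger on every unrelated edit, yet any change to the code that was actually reviewed forces a fresh look. The `stale_entries` check is the complementary control: an ignore entry with no matching warning in the current scan indicates a review that should be pruned rather than silently kept.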