Details
Hi,
Does the Phabricator team do static code analysis on the Phabricator code base? The reason I ask is because our team ran the codebase through the CheckMarx static analysis tool and it came back with 242 possible issues. I'm sure many are false positive triggers because that number seems awfully high, but I was curious if the Phabricator team already does any such test on your end?
Answers
We employ static analysis extensively, but it's always possible that we aren't catching everything. Static analysis is a broad technique, and two different analyzers may look for different things.
If you are able to identify reproducible bugs using a static analyzer, feel free to file a bug report.
(When running tools like security scanners and static analyzers, it's important that you read and think about the output of the tool carefully. These types of software very often emit false positives. They can provide a good starting place to look for issues, but are not useful without the application of human judgement and experience. We aren't interested in the raw output of an analyzer.)