Re: [jetty-dev] Static analysis scan

sounds good to me, please make the introductions :)

jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Thu, Dec 13, 2012 at 3:19 PM, Andrew Ross <andrew.ross@xxxxxxxxxxx> wrote:
Hi Jesse, Everyone

FYI to follow up, David Hyman from Checkmarx did a brief (6 minute) introduction on today's members meeting. If you're already familiar with static analysis, this will sound familiar.

David mentioned he is offering free access to their systems hosting the scan data for Jetty (& other projects that are interested). If this is OK with everyone, this works better for the Foundation in terms of vendor neutrality.

He also shared they are interested in stepping through what they found with Jetty developers.

I'm glad to make introductions.

Andrew


On 12/10/2012 11:55 AM, Jesse McConnell wrote:
ok, so if they want to push us the data, then we are interested in seeing it...sounds good to me

thanks!
jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Mon, Dec 10, 2012 at 10:50 AM, Andrew Ross <andrew.ross@xxxxxxxxxxx> wrote:
Nah, just my nature to be discreet as a default as things are getting started.

They are:
Checkmarx
http://www.checkmarx.com/

Good folks, and very keen to support the community.

I hear you re: vendor neutrality. It's a major pain, no question. It's also an important tenet in our governance. I believe there's good potential to help them help the community, give them the rightful good will and visibility they deserve, and yet still balance vendor neutrality.

The basic idea is they scan the code and the data is provided so that projects can easily get to it and use it to fix issues. We're figuring out where the data will be hosted, how it gets updated, and so forth.

Andrew


On 12/10/2012 11:30 AM, Jesse McConnell wrote:
Is the eclipse governance so onerous that we can't even say who the company/team/product is on a mailing list? :)

I find the hoops that we have to jump through just to use something that someone wants to give us for free shocking...you mailed this out literally moments after I pinged the issue about YourKit licensing for an update. 

So anyway...yes we are interested in knowing more.

cheers,
jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Mon, Dec 10, 2012 at 10:21 AM, Andrew Ross <andrew.ross@xxxxxxxxxxx> wrote:
Hi Everyone,

A company has approached with interest to use their static analysis software to scan Eclipse projects and provide the data to help the community.

Our governance requirement for vendor neutrality limits our ability to run their software on Foundation hardware, even if they offer it for free. The team at this company have offered to run it on their hardware and provide the data back for the betterment of Eclipse projects.

I wanted to check with you to see if the Jetty project might be interested in participating in this?

If there's interest, I'll provide more information and facilitate the next steps. For what it's worth, this firm is also signing up as a member to support the Foundation & community.

Regards,

Andrew



_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-dev


