@craigmaloney define good? Personally, I just use a good IDE/Text editor for code review. Most of the scanners out there will throw so many false positives they're just not worth running for the low hanging fruit they find.
@tduehr This was more for automated checking of an existing codebase without having to edit every single file.
@craigmaloney That depends on how thorough you need to be.
If you're just looking for a sniff test, all I can add is cppcheck. Though, I haven't used it myself. It also seems like gcc and clang have added some analysis features.
Just remember, analysis tools will only catch flaws in the program's logic, and even then they're only going to do so well. They'll never catch business logic flaws (e.g., authz/authn) and usually are limited to the most glaring of logic issues.
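To make the distinction in that post concrete, here is an added example (not code from anyone in the thread). It contrasts the two flaw classes in one small C file: a bounded title copy, where the length check is visible to cppcheck or gcc's -fanalyzer because the bound is in the code, and an ownership-based delete check, where a version that forgot the ownership rule compiles and analyzes just as cleanly as the right one. The `user_t`/`doc_t` types and the data values are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed types for the example (not from the thread). */
typedef struct { uint32_t id; bool is_admin; } user_t;
typedef struct { uint32_t id; uint32_t owner_id; char title[32]; } doc_t;

/* Memory-safety class: the bound lives in the code, so a static analyzer
 * can reason about it. Returns 0 on success, -1 if the title does not fit. */
int set_title(doc_t *d, const char *title) {
    size_t n = strlen(title);
    if (n >= sizeof d->title)      /* the check an analyzer looks for */
        return -1;
    memcpy(d->title, title, n + 1); /* n+1 copies the terminator too */
    return 0;
}

/* Business-logic (authz) class: only the owner or an admin may delete.
 * Nothing in the language tells a tool which rule is correct. */
bool can_delete(const user_t *u, const doc_t *d) {
    return u->is_admin || u->id == d->owner_id;
}

/* The same check with the ownership rule forgotten. No analyzer flags
 * this: it is well-formed C with no undefined behaviour in it. */
bool can_delete_flawed(const user_t *u, const doc_t *d) {
    (void)d;
    return u->id != 0;             /* "any logged-in user" */
}

/* Exercises both functions on constructed data; returns 0 when every
 * expectation holds, or the number of the first failing check. */
int run_example(void) {
    doc_t d = { .id = 7, .owner_id = 42, .title = "" };
    char too_long[64];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    if (set_title(&d, "quarterly report") != 0) return 1;
    if (strcmp(d.title, "quarterly report") != 0) return 2;
    if (set_title(&d, too_long) != -1) return 3;  /* rejected, not truncated */

    user_t owner = { .id = 42, .is_admin = false };
    user_t other = { .id = 9,  .is_admin = false };
    user_t admin = { .id = 1,  .is_admin = true  };

    if (!can_delete(&owner, &d)) return 4;
    if ( can_delete(&other, &d)) return 5;
    if (!can_delete(&admin, &d)) return 6;
    /* the flawed rule lets a non-owner through, and no tool said a word */
    if (!can_delete_flawed(&other, &d)) return 7;
    return 0;
}

int main(void) {
    return run_example();
}
```

Running cppcheck or `gcc -fanalyzer` over this file is a useful sanity check for the first function; the second needs a reviewer who knows what the ownership rule is supposed to be, which is the point of the post above.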
@tduehr Yeah, using regex to parse anything related to code or XML is a blunt instrument (and a fool's errand IMHO).
@craigmaloney again, that depends on your goals... if you have a specific string you need to find, regex can be useful for code. If you'd like to waken the Old Ones, by all means, go ahead and use regex to parse XML.